MSSQL语句执行工具asp版

    之前自己网上找各种方法拼拼凑凑出来的一个脚本,目的是在asp环境下连接mssql并执行命令。

    因为不是webshell所以不用考虑过狗不过狗,过不过WAF,安全狗之类的WAF是不会杀的。但我们要执行sql语句,势必要传递sql语句,传递sql语句的过程中可能被狗的防注入机制拦截(所谓的误杀),所以我又做了一个编码传递的方式,将待执行的SQL语句编码成ascii码再传递,这样就不会被WAF误杀了。

    程序的界面就是这样,简洁干净:

    02.jpg

    如上图,执行结果用表格的形式显示出来。

    执行xp_cmdshell的效果如图:

    01.jpg

    我一向是个不支持低版本浏览器的,所以我也没用低版本浏览器做测试,我只保证在chrome、firefox下可用。

    服务端我测试的环境是windows2003 + IIS6 + MSSQL 2005,其他环境自测。

    代码如下:

<%
''''''''''''''''''''''
' MSSQL语句执行工具asp版 by phithon
' blog: www.leavesongs.com 
' github: https://github.com/phith0n/asp_mssql_tool
''''''''''''''''''''''
showcss()
Dim Sql_serverip,Sql_linkport,Sql_username,Sql_password,Sql_database,Sql_content

Sql_serverip=Trim(Request("Sql_serverip"))
Sql_linkport=Trim(Request("Sql_linkport"))
Sql_username=Trim(Request("Sql_username"))
Sql_password=Trim(Request("Sql_password"))
Sql_database=Trim(Request("Sql_database"))
Sql_content =Trim(Request("Sql_content"))

If Sql_linkport="" Then Sql_linkport="1433"

If Sql_serverip<>"" and Sql_linkport<>"" and Sql_username<>"" and Sql_password<>"" and Sql_content<>"" Then
	if Request("method")="encode" then
		dim sqlarr
		sqlarr = Split(Sql_content, "")
		Sql_content = ""
		for each x in sqlarr
			if IsNumeric(x) then
			Sql_content = Sql_content & chr(cint(x))
			else
			Sql_content = Sql_content & x
			end if
		next
	end if

	Response.Write "<hr width='100%'><b>执行结果:</b><hr width='100%'>"
	Dim SQL,conn,linkStr
	SQL=Sql_content
	
	set conn=Server.createobject("adodb.connection")
	If Len(Sql_database)=0 Then
		linkStr="driver={SQL Server};Server=" & Sql_serverip & "," & Sql_linkport & ";uid=" & Sql_username & ";pwd=" & Sql_password
	Else
		linkStr="driver={SQL Server};Server=" & Sql_serverip & "," & Sql_linkport & ";uid=" & Sql_username & ";pwd=" & Sql_password & ";database=" & Sql_database
	End If
	conn.open linkStr
	
	' "Driver={SQL Server};SERVER=IP,端口号;UID=sa;PWD=xxxx;DATABASE=DB"
	' update [user] set [name]='admin' where uid=1
	set rs = Server.CreateObject("ADODB.recordset")
	rs.open SQL, conn
	on error resume next
		if err<>0 then
		   response.write "错误:"&err.Descripting
		else
			response.write Replace(SQL,vbcrlf,"<br>") & "   成功!<br /><br />"
			dim record 
			record = rs.fields.count
			if record>0 then
			dim i
			i = 0 %>
			<table class="gridtable">  
			<tr>
			<%for each x in rs.fields
				response.write("<th style=""min-width: 80px"">" & x.name & "</th>")
			  next%>
			</tr>
			<%do until rs.EOF%>
				<tr>
			<%for each x in rs.Fields%>
			  <td><%Response.Write(x.value)%></td>
			<%next
			rs.MoveNext%>
			</tr>
			<%loop%>
			</table>
			<%
			end if
			rs.close
			conn.close
			
		end if
	Response.End
	
End If

If Request("do")<>"" Then
	Response.Write "请填写数据库连接参数"
	Response.End
End If

Sub showcss()
%>
<style>
textarea{resize:none;}
table.gridtable {
	font-family: verdana,arial,sans-serif;
	font-size:11px;
	color:#333333;
	border-width: 1px;
	border-color: #666666;
	border-collapse: collapse;
}
table.gridtable th {
	border-width: 1px;
	padding: 5px 8px;
	border-style: solid;
	border-color: #666666;
	background-color: #dedede;
}
table.gridtable td {
	border-width: 1px;
	padding: 5px 8px;
	border-style: solid;
	border-color: #666666;
	background-color: #ffffff;
}
</style>
<%
End Sub

%>

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<meta http-equiv="pragma" content="no-cache">
<meta http-equiv="Cache-Control" content="no-cache, must-revalidate">
<meta http-equiv="expires" content="Wed, 26 Feb 2006 00:00:00 GMT">
<% showcss() %>
<title>MSSQL语句执行工具asp版 by phithon</title>
<script>
function encode(s){
	var r = "";
	for(var i = 0; i < s.length ; i++){
		var a = s.charCodeAt(i);
		if(a < 128 && a > 0){
			r += "\" + a;
		}else{
			r += "\" + s[i];
		}
	}
	return r;
}
</script>
</head>
<body>

<hr width="100%">

<form method="post" action="<%=Request.ServerVariables("SCRIPT_NAME")%>?do=exec" target="ResultFrame" id="submitf">
	<table class="gridtable" width="100%" style="FILTER: progid:DXImageTransform.Microsoft.Shadow(color:#f6ae56,direction:145,strength:15);">
		<tr>
		<td colspan="2" align="center">
			<h2>MSSQL语句执行工具asp版 by <a href="https://www.leavesongs.com" target="_blank">phithon</a></h2>
		</td>
		</tr>
		<tr>
		<td>
			<table class="gridtable">
			<tr><th colspan="2" align="center">数据库连接设置</th></tr>
			<tr><td width="80">SERVERIP:</td><td><input type="text"  value="127.0.0.1"   name="Sql_serverip"  style="width:150px;"></td></tr>
			<tr><td width="80">LINKPORT:</td><td><input type="text"  value="1433"   name="Sql_linkport"  style="width:150px;"></td></tr>
			<tr><td width="80">USERNAME:</td><td><input type="text"  value="sa"   name="Sql_username"  style="width:150px;"></td></tr>
			<tr><td width="80">PASSWORD:</td><td><input type="password" name="Sql_password"  style="width:150px;"></td></tr>
			<tr><td width="80">DATABASE:</td><td><input type="text"     name="Sql_database"  style="width:150px;"></td></tr>
			</table>
		</td>
		<td width="100%">
			<DIV align=center
			style='
			color: #990099;
			background-color: #E6E6FA;
			width: 100%;
			height: 180px;
			scrollbar-face-color: #DDA0DD;
			scrollbar-shadow-color: #3D5054;
			scrollbar-highlight-color: #C3D6DA;
			scrollbar-3dlight-color: #3D5054;
			scrollbar-darkshadow-color: #85989C;
			scrollbar-track-color: #D8BFD8;
			scrollbar-arrow-color: #E6E6FA;
			'>
			<textarea name="Sql_content" id="sqlc" style='width:100%;height:100%;'>输入你要执行的sql语句</textarea>
			</DIV>
			<input type="hidden" id="method" name="method" value="common">
			<input type="submit" value="普通执行(可能被WAF拦截)">
			<input type="button" onclick="var a=sqlc.value;method.value='encode';sqlc.value=encode(a);submitf.submit();method.value='common';sqlc.value = a;" value="编码执行(可绕过WAF)">
		</td>
		</tr>
	</table>
</form>

<hr width="100%">
<iframe name="ResultFrame" frameborder="0" width="100%" style="min-height: 300px;" src="<%=Request.ServerVariables("SCRIPT_NAME")%>?do=exec"></iframe>
</body>
</html>

    问题与说明及后续的BUG处理都在 https://github.com/phith0n/asp_mssql_tool 。

相关推荐: Nonecms 1.3 后台CSRF漏洞【CVE-2018-7219】

漏洞代码位于application/admin/controller/Admin.php 第62行 /** * 修改用户信息 */ public function edit($id) { if (request()->isPost()) { $param…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享
评论 抢沙发

请登录后发表评论