找资料时,发现了一款有意思的工具,宣称“内网渗透中快速获取数据库所有库名,表名,列名;具体判断后再去翻数据,节省时间;适用于mysql,mssql”。感觉不错,源码是用C#写的,推荐给大家,在实际中还是挺有用的。
通过学习这个工具源码,我们要慢慢地学会看代码,而不是只是获得一个工具,那不是我们学习的本意。
一、源码
https://github.com/uknowsec/SharpSQLDump
二、编译
用vs2019编译时,发现会出现“MySql.Data.MySqlClient”找不到引用的问题,
我的解决办法是:先选定项目的 .NET Framework 目标版本,再重新引用 mysql.data.dll 即可。我这里用的是 .NET Framework 4.8 版本。
三、运行
出现帮助提示,如图。
搭建个mysql的来试下效果,
确实很快就浏览到了数据库名、表名、列名;
Mssql没有环境,就没有测试了。
四、剖析代码
下面简单看一下连接数据库和执行查询的代码:
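/// <summary>
/// Entry point. Reads a fixed positional command line
/// (<c>-h ip -u username -p password -mysql|-mssql</c>) and dispatches to
/// <see cref="MySql"/> or <c>MsSql</c>.
/// </summary>
/// <param name="args">
/// Exactly seven arguments. Only positions 1, 3, 5 and 6 are read; the
/// <c>-h</c>/<c>-u</c>/<c>-p</c> flag names themselves are not validated.
/// </param>
static void Main(string[] args)
{
    // Fix: the original printed usage on a wrong count but fell through and kept
    // running, and its ">= 7" checks also let extra trailing arguments through.
    if (args.Length != 7)
    {
        Console.WriteLine("Usage: SharpSQLDump.exe -h ip -u username -p password -mysql");
        Console.WriteLine("       SharpSQLDump.exe -h ip -u username -p password -mssql");
        return;
    }

    string host = args[1];
    string username = args[3];
    string password = args[5];
    string mode = args[6];

    try
    {
        // Banner literals use real "\r\n" escapes (the page shows them with the
        // backslashes stripped, which would print the letters "rn").
        if (mode == "-mysql")
        {
            Console.WriteLine("\r\n==================== SharpSQLDump --> MySQL ====================\r\n");
            MySql(host, username, password);
        }
        else if (mode == "-mssql")
        {
            Console.WriteLine("\r\n==================== SharpSQLDump --> MsSQL========== ==========\r\n");
            MsSql(host, username, password);
        }
        else
        {
            // The original silently did nothing for an unknown mode.
            Console.WriteLine("Unknown mode: " + mode + " (expected -mysql or -mssql)");
        }
    }
    finally
    {
        // The enumeration helpers change the console colour; restore it even
        // when one of them throws.
        Console.ForegroundColor = ConsoleColor.White;
    }
}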
=============================================
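/// <summary>
/// Walks every non-system schema reachable with the given login and prints, per
/// schema, each table with its row count and column names.
/// </summary>
/// <param name="host">MySQL server address, passed through to the MySQL_* helpers.</param>
/// <param name="username">Login name.</param>
/// <param name="password">Login password.</param>
/// <remarks>
/// Each MySQL_* helper opens and closes its own connection, so this issues one
/// connection per schema plus two per table (columns and count(*)).
/// </remarks>
public static void MySql(String host, String username, String password)
{
    ArrayList databases = MySQL_DateBase(host, username, password);
    try
    {
        foreach (string database in databases)
        {
            Console.ForegroundColor = ConsoleColor.Red;
            // Escapes below are real "\n"/"\t" (the page shows them with the
            // backslashes stripped, which would print literal "nn"/"nt").
            Console.WriteLine("\n\n[*] DataBases: " + database + " ");

            ArrayList tables = MySQL_Table(host, username, password, database);
            foreach (string table in tables)
            {
                ArrayList columns = MySQL_Column(host, username, password, database, table);
                int count = MySQL_Count(host, username, password, database, table);

                Console.ForegroundColor = ConsoleColor.Green;
                Console.Write("\n\t[+] Tables: " + String.Format("{0,-12}", table));
                Console.ForegroundColor = ConsoleColor.Blue;
                Console.WriteLine("\n\t\tCount: " + count + "\n");
                Console.ForegroundColor = ConsoleColor.White;

                Console.Write("\t\t[-] Columns: [");
                foreach (string column in columns)
                {
                    Console.Write(column + " ");
                }
                Console.WriteLine("]");
            }
        }
    }
    finally
    {
        // Fix: the colour was left red/green/blue if a helper threw mid-loop.
        Console.ForegroundColor = ConsoleColor.White;
    }
}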
=============================================
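/// <summary>
/// Returns the names of all schemas visible to the login, minus MySQL's built-in
/// system schemas (information_schema, mysql, performance_schema, sys).
/// </summary>
/// <param name="server">Server address placed in the connection string.</param>
/// <param name="username">Login name.</param>
/// <param name="password">Login password.</param>
/// <param name="port">TCP port as text; defaults to "3306".</param>
/// <returns>
/// An <see cref="ArrayList"/> of schema-name strings. Empty when the connection
/// or the query fails; the error is printed, not thrown.
/// </returns>
public static ArrayList MySQL_DateBase(string server, string username, string password, string port = "3306")
{
    // NOTE: values are concatenated verbatim, so a password containing ';' breaks
    // the connection string; MySqlConnectionStringBuilder would escape it.
    string connectStr = "server=" + server + ";port=" + port + ";database=information_schema" + ";user=" + username + ";password=" + password + ";";
    // Schemas present on every MySQL server that carry no application data.
    string[] systemSchemas = { "information_schema", "mysql", "performance_schema", "sys" };
    ArrayList databases = new ArrayList();
    try
    {
        // Fix: the original's finally block called conn.Clone() instead of
        // conn.Close(), so the connection was never released; using disposes it
        // on every path, and the reader/command are disposed as well.
        using (MySqlConnection conn = new MySqlConnection(connectStr))
        {
            conn.Open();
            using (MySqlCommand cmd = new MySqlCommand("select schema_name from information_schema.schemata", conn))
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    // Convert.ToString maps a DBNull cell to "" instead of storing
                    // a DBNull object that the caller's string cast would reject.
                    string name = Convert.ToString(reader[0]);
                    if (Array.IndexOf(systemSchemas, name) < 0)
                    {
                        databases.Add(name);
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        // Best-effort: report and return whatever was collected so the caller continues.
        Console.WriteLine(e.ToString());
    }
    return databases;
}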
=============================================
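/// <summary>
/// Returns the table names of one schema, read from information_schema.tables.
/// </summary>
/// <param name="server">Server address placed in the connection string.</param>
/// <param name="username">Login name.</param>
/// <param name="password">Login password.</param>
/// <param name="database">Schema whose tables are listed.</param>
/// <param name="port">TCP port as text; defaults to "3306".</param>
/// <returns>
/// An <see cref="ArrayList"/> of table-name strings. Empty when the connection
/// or the query fails; the error is printed, not thrown.
/// </returns>
public static ArrayList MySQL_Table(string server, string username, string password, string database, string port = "3306")
{
    // NOTE: values are concatenated verbatim, so a password containing ';' breaks
    // the connection string; MySqlConnectionStringBuilder would escape it.
    string connectStr = "server=" + server + ";port=" + port + ";database=information_schema" + ";user=" + username + ";password=" + password + ";";
    ArrayList tables = new ArrayList();
    try
    {
        // Fix: the original's finally block called conn.Clone() instead of
        // conn.Close(), leaking the connection; using disposes it on every path.
        using (MySqlConnection conn = new MySqlConnection(connectStr))
        {
            conn.Open();
            // Fix: the schema name was spliced into the SQL text; binding it keeps
            // the statement fixed and handles names containing quotes.
            using (MySqlCommand cmd = new MySqlCommand("select table_name from information_schema.tables where table_schema=@schema", conn))
            {
                cmd.Parameters.AddWithValue("@schema", database);
                using (var reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        // Store strings, not raw cells, so the caller's string cast never sees DBNull.
                        tables.Add(Convert.ToString(reader[0]));
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        // Best-effort: report and return whatever was collected so the caller continues.
        Console.WriteLine(e.ToString());
    }
    return tables;
}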
=============================================
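/// <summary>
/// Returns the column names of one table, read from information_schema.columns.
/// </summary>
/// <param name="server">Server address placed in the connection string.</param>
/// <param name="username">Login name.</param>
/// <param name="password">Login password.</param>
/// <param name="database">Schema that owns the table.</param>
/// <param name="table">Table whose columns are listed.</param>
/// <param name="port">TCP port as text; defaults to "3306".</param>
/// <returns>
/// An <see cref="ArrayList"/> of column-name strings. Empty when the connection
/// or the query fails; the error is printed, not thrown.
/// </returns>
public static ArrayList MySQL_Column(string server, string username, string password, string database, string table, string port = "3306")
{
    // NOTE: values are concatenated verbatim, so a password containing ';' breaks
    // the connection string; MySqlConnectionStringBuilder would escape it.
    string connectStr = "server=" + server + ";port=" + port + ";database=information_schema" + ";user=" + username + ";password=" + password + ";";
    ArrayList columns = new ArrayList();
    try
    {
        // Fix: the original's finally block called conn.Clone() instead of
        // conn.Close(), leaking the connection; using disposes it on every path.
        using (MySqlConnection conn = new MySqlConnection(connectStr))
        {
            conn.Open();
            // Fix: schema and table names were spliced into the SQL text; binding
            // them keeps the statement fixed and handles names containing quotes.
            using (MySqlCommand cmd = new MySqlCommand("select column_name from information_schema.columns where table_schema=@schema and table_name=@table", conn))
            {
                cmd.Parameters.AddWithValue("@schema", database);
                cmd.Parameters.AddWithValue("@table", table);
                using (var reader = cmd.ExecuteReader())
                {
                    while (reader.Read())
                    {
                        // Store strings, not raw cells, so the caller's string cast never sees DBNull.
                        columns.Add(Convert.ToString(reader[0]));
                    }
                }
            }
        }
    }
    catch (Exception e)
    {
        // Best-effort: report and return whatever was collected so the caller continues.
        Console.WriteLine(e.ToString());
    }
    return columns;
}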
=============================================
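/// <summary>
/// Returns the row count of one table via <c>select count(*)</c>.
/// </summary>
/// <param name="server">Server address placed in the connection string.</param>
/// <param name="username">Login name.</param>
/// <param name="password">Login password.</param>
/// <param name="database">Schema selected in the connection string, so the
/// unqualified table name resolves inside it.</param>
/// <param name="table">Table to count.</param>
/// <param name="port">TCP port as text; defaults to "3306".</param>
/// <returns>
/// The row count, saturated at <see cref="int.MaxValue"/>; 0 when the query
/// returns nothing or a <c>MySqlException</c> occurs (its message is printed).
/// </returns>
public static int MySQL_Count(string server, string username, string password, string database, string table, string port = "3306")
{
    // NOTE: values are concatenated verbatim, so a password containing ';' breaks
    // the connection string; MySqlConnectionStringBuilder would escape it.
    string connectStr = "server=" + server + ";port=" + port + ";database=" + database + ";user=" + username + ";password=" + password + ";";
    // Fix: the bare table name failed for reserved words or names with special
    // characters; quote it as an identifier (backticks inside the name are doubled).
    string quotedTable = "`" + table.Replace("`", "``") + "`";
    try
    {
        using (MySqlConnection conn = new MySqlConnection(connectStr))
        {
            conn.Open();
            using (MySqlCommand cmd = new MySqlCommand("select count(*) from " + quotedTable, conn))
            {
                // ExecuteScalar yields the first column of the first row, or null
                // when the statement returns no rows.
                object result = cmd.ExecuteScalar();
                if (result != null)
                {
                    // Fix: count(*) is a 64-bit value; int.Parse threw an uncaught
                    // OverflowException past int.MaxValue. Saturate instead, since
                    // the return type is int.
                    long rows = Convert.ToInt64(result);
                    return rows > int.MaxValue ? int.MaxValue : (int)rows;
                }
            }
        }
    }
    catch (MySqlException ex)
    {
        // Best-effort: a table that cannot be counted is reported as 0.
        Console.WriteLine(ex.Message);
    }
    return 0;
}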
纵观整个代码,还是非常清晰明了,也是非常简单,我们不禁感叹,编程也很简单啊!哈哈。。。
下载地址:
链接:https://pan.baidu.com/s/11DoU-PgraWrR5hKLxBZuVw
提取码:gn8v
感谢无糖学院导师戴华老师分享。
欢迎关注公众号MicroPest
原文始发于微信公众号(无糖反网络犯罪研究中心):工具:渗透内网快速浏览数据库表列名