update 20190110
20190110 V1.0 正式版---
修复MySQL,由于库名或表名存在特殊字符,如“-”时,导致SQL语法错误而无法获取数据的情况,使用`转义符。
修复代理验证完成后,未关闭socket连接问题。
修复MySQL部分情况下判断Union注入使用注释符错误的问题。
优化自动识别注入时填充的字符长度,防止列长度较高时,GET请求长度超出限制。
shack2 committed Jan 10, 2019
1 parent b571785 commit 57f7951
Showing 8 changed files with 164 additions and 144 deletions.
10 changes: 3 additions & 7 deletions SuperSQLInjection/Main.Designer.cs


27 changes: 15 additions & 12 deletions SuperSQLInjection/Main.cs
Expand Up @@ -298,7 +298,7 @@ public static String getSid()
return sid;
}

public static int version = 20190108;
public static int version = 20190110;
public static string versionURL = "http://www.shack2.org/soft/getNewVersion?ENNAME=SSuperSQLInjection&NO=" + URLEncode.UrlEncode(getSid()) + "&VERSION=" + version;
//检查更新
public void checkUpdate()
Expand Down Expand Up @@ -6358,7 +6358,8 @@ public void checkInject()
if (errorServer.body.IndexOf(pals[1]) != -1)
{
this.txt_log.Invoke(new showLogDelegate(log), "发现" + pals[2], LogLevel.success);
selectDB(pals[3]);
currentDB = pals[3];
selectDB(currentDB);
//标记注入
selectInjectType(InjectType.Error);
errorInject = true;
Expand Down Expand Up @@ -6439,9 +6440,10 @@ public void checkInject()
{
break;
}
int basestr = 1111111;
String rand = Tools.RandNum(5);
String charRand = Tools.strToChr(rand, "UTF-8", "||");

String unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTest(i, basestr + ""));
String unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTest(i, rand + ""));

if (DBType.Oracle.ToString().Equals(currentDB))
{
Expand All @@ -6451,10 +6453,10 @@ public void checkInject()
{
//%16不能被URL编码
payload_request = request.Replace(strparam, payload_location + "%16");
unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTest(i, basestr + "") + " from MSysAccessObjects");
unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTest(i, rand + "") + " from MSysAccessObjects");
}


if (DBType.Oracle.ToString().Equals(currentDB)|| DBType.PostgreSQL.ToString().Equals(currentDB) || DBType.DB2.ToString().Equals(currentDB))
{
for (int j = 1; j <= i; j++)
Expand All @@ -6467,9 +6469,9 @@ public void checkInject()
//获得所有组合情况
List<String> tp_list = Tools.getDB2UnionTemplates(i, j);
foreach (String tp in tp_list) {
unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTestByDB2(tp, "chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)"));
unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTestByDB2(tp, charRand));
ServerInfo cunionServer = HTTP.sendRequestRetry(config.useSSL, config.reTry, config.domain, config.port, unionPayload, payload_request, config.timeOut, config.encoding, config.is_foward_302, config.redirectDoGet);
if (cunionServer.code == 200 && cunionServer.body.IndexOf("1111111111") != -1)
if (cunionServer.code == 200 && cunionServer.body.IndexOf(rand) != -1)
{
isFind = true;
newParam = strparam.Replace(param, param + "<Encode>" + payload.Replace("{payload}", setInjectStr) + "</Encode>");
Expand All @@ -6486,16 +6488,16 @@ public void checkInject()
{
if (DBType.Oracle.ToString().Equals(currentDB))
{
unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTestByOracle(i, j, "chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)"));
unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTestByOracle(i, j, charRand));

}

else if (DBType.PostgreSQL.ToString().Equals(currentDB))
{
unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTest(i, j, "chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)||chr(49)"));
unionPayload = payload.Replace("{payload}", Comm.unionColumnCountTest(i, j, charRand));
}
ServerInfo unionServer = HTTP.sendRequestRetry(config.useSSL, config.reTry, config.domain, config.port, unionPayload, payload_request, config.timeOut, config.encoding, config.is_foward_302, config.redirectDoGet);
if (unionServer.code == 200 && unionServer.body.IndexOf("1111111111") != -1)
if (unionServer.code == 200 && unionServer.body.IndexOf(rand) != -1)
{
isFind = true;
newParam = strparam.Replace(param, param + "<Encode>" + payload.Replace("{payload}", setInjectStr) + "</Encode>");
Expand All @@ -6514,7 +6516,7 @@ public void checkInject()
ServerInfo unionServer = HTTP.sendRequestRetry(config.useSSL, config.reTry, config.domain, config.port, unionPayload, payload_request, config.timeOut, config.encoding, config.is_foward_302, config.redirectDoGet);
for (int j = 1; j <= i; j++)
{
String basecolumn = (basestr + j).ToString();
String basecolumn = (Tools.convertToInt(rand) + j).ToString();
if (unionServer.code == 200 && unionServer.body.IndexOf((basecolumn)) != -1)
{
isFind = true;
Expand Down Expand Up @@ -10075,6 +10077,7 @@ private void checkOneProxy(ListViewItem lvi) {
if (client != null)
{
istrue = sp.ConnectProxyServer(config.proxy_check_host, config.proxy_check_port, client, proxy.username, proxy.password, config.timeOut);
client.Close();
proxy.useTime = sp.ConectProxyUseTime;
}
}
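Review bot: The `client.Close()` added right after the `sp.ConnectProxyServer(...)` call in the last hunk only runs when that call returns normally; if it throws (a timeout or socket error from an unreachable proxy is the likely case), the connection is still leaked, which is the very problem this hunk sets out to fix. Moving the close into a `finally`, e.g. `try { istrue = sp.ConnectProxyServer(config.proxy_check_host, config.proxy_check_port, client, proxy.username, proxy.password, config.timeOut); proxy.useTime = sp.ConectProxyUseTime; } finally { client.Close(); }`, covers both paths. The declaration of `client` is not visible here; if it is a `TcpClient` or `Socket`, a `using` declaration at the point it is created would be the idiomatic form and make the `Close()` call unnecessary. Separately, `rand + ""` in the `unionColumnCountTest` calls is a no-op, since `rand` is already declared as `String` a few lines above. `checkOneProxy` begins at the hunk header and its body continues outside the hunk.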