Use Winsock to inject website database data

Source: Internet
Author: User

By: JsuFcz http://jsufcz.21xcn.net

Before writing this article, it is necessary to explain the word "injection". Unlike SQL injection, the injection meant here only constructs HTTP request packets by hand and replaces the web submission page with a program that submits the data automatically. Hey hey, at this point I can see a strange smile: all we need is a loop, written in whatever language you prefer, that fires HTTP messages at a specific web page for a few minutes, and, oh, his guestbook is flooded, and ...... hey, hey, hey ...... let me have a cup of tea and come back to this later.

First, let's review the HTTP protocol. When we open a website, say http://www.163.com, IE is actually the client: it sends the following request message to the server (captured with a sniffer):

GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.163.com
Connection: Keep-Alive
Cookie: NETEASE_SSN=jsufcz; NETEASE_ADV=11&22; Province=0; City=0; NTES_UV_COOKIE=YES

We can see that the message above carries many header fields, and of course most of them are not necessary. If we write the program ourselves we only need the mandatory ones. HTTP/1.1 specifies that the smallest valid request consists of the request line (the method GET/POST/HEAD, the path, and the protocol version) followed by a Host header; every line ends in CRLF and an empty line terminates the headers. So the request above shrinks to:

GET / HTTP/1.1
Host: www.163.com

In HTTP/1.0, however, the Host header is not mandatory. Why can't it be left out in HTTP/1.1? Because several sites may share one IP address (name-based virtual hosting), and the server uses Host to decide which site's content to serve. I believe you knew that already; if not, now you do. Let's move on.

To send data to the server, a browser usually submits it with the GET or POST method. The server receives the packet, decodes it, extracts the data it needs, processes it and finally returns a result. Usually we see URLs of the form http://xxx.xxx.xxx.xxx/show.asp?id=xxx; we can construct the following message to make the same request:

GET /show.asp?id=xx HTTP/1.1
Host: xxx.xxx

Because the URL length is limited (taken here as 1024 bytes; the actual limit depends on the browser and the server), the GET method can only carry a small amount of data. To post a whole article we have to use POST. Before explaining the POST method, let's look at a real POST request so we get a general idea of what it looks like. (The following is a message I left in a certain guestbook, captured with a sniffer.)

POST /gbook/add.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Referer: http://218.76.65.47/gbook/add.php
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 218.76.65.47
Content-Length: 115
Connection: Keep-Alive

name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4

Compared with GET, there is a block of content after the headers, separated from them by a blank line: this is the data we submit to the guestbook, as name=value pairs joined by &. Any Chinese characters (here the label of the submit button, doadd) must be URL-encoded, which is what the %XX sequences are. Just as before, we can leave out the unnecessary headers and construct a minimal POST request:

POST /gbook/add.php HTTP/1.1
Host: 218.76.65.47
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4

The Content-Type header above tells the server which form encoding the body uses, and Content-Length is of course the length of the body in bytes. It must not be missing or wrong, otherwise the server cannot read the body correctly: count the bytes after encoding, %XX sequences included (the 115 above matches the body exactly). With that, the server-side page receives the data you submitted and processes it; if it is a guestbook, it writes the data into the database. If you send such messages to a guestbook at very high speed, you have effectively flooded it.
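The client side of the exchange above, as an added example that is not the article's code: it builds the minimal request for either method (the GET form from earlier with the fields in the query string, or the POST form with Content-Type, Content-Length and a body), checks that Content-Length really equals the encoded body, and sends the raw bytes with Winsock on Windows or BSD sockets elsewhere. The host, path and form fields are constructed sample values; unlike the article's encoder it also escapes &, = and + inside values, and it adds a Connection: close header, which the protocol does not require but which makes the server hang up after replying so the read loop ends.

```c
/* Added example: minimal HTTP form request builder and raw sender.
 * Not from the original article; host, path and fields are sample data. */
#define _POSIX_C_SOURCE 200112L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef _WIN32
#include <winsock2.h>
#include <ws2tcpip.h>
typedef SOCKET sock_t;
#define CLOSESOCK closesocket
#else
#include <netdb.h>
#include <sys/socket.h>
#include <unistd.h>
typedef int sock_t;
#define INVALID_SOCKET (-1)
#define CLOSESOCK close
#endif

struct field { const char *name; const char *value; };

/* application/x-www-form-urlencoded: letters, digits and -_.* pass through,
 * space becomes '+', every other byte (including &, =, % and the two halves
 * of a GBK character) becomes %XX. Returns bytes written to d. */
static size_t form_encode(const char *s, char *d, size_t dsize)
{
    size_t n = 0;
    for (const unsigned char *p = (const unsigned char *)s; *p; p++) {
        if (isalnum(*p) || strchr("-_.*", *p)) {
            if (n + 1 >= dsize) break;
            d[n++] = (char)*p;
        } else if (*p == ' ') {
            if (n + 1 >= dsize) break;
            d[n++] = '+';
        } else {
            if (n + 3 >= dsize) break;
            n += sprintf(d + n, "%%%02X", *p);
        }
    }
    d[n] = 0;
    return n;
}

/* Join the fields as name=value&name=value. Returns the body length. */
static size_t encode_fields(const struct field *f, size_t nf, char *body, size_t bsize)
{
    size_t n = 0;
    for (size_t i = 0; i < nf; i++) {
        if (i) { if (n + 1 >= bsize) break; body[n++] = '&'; }
        n += form_encode(f[i].name, body + n, bsize - n);
        if (n + 1 >= bsize) break;
        body[n++] = '=';
        n += form_encode(f[i].value, body + n, bsize - n);
    }
    body[n] = 0;
    return n;
}

/* Request line + Host only for GET; POST adds Content-Type/Content-Length and
 * the body. Content-Length is computed from the encoded body, never guessed.
 * Returns the request length, or 0 if it does not fit in out. */
static size_t build_request(const char *method, const char *host, const char *path,
                            const struct field *f, size_t nf, char *out, size_t osize)
{
    char body[2048];
    size_t blen = encode_fields(f, nf, body, sizeof body);
    int n;
    if (strcmp(method, "POST") == 0)
        n = snprintf(out, osize,
                     "POST %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n"
                     "Content-Type: application/x-www-form-urlencoded\r\n"
                     "Content-Length: %zu\r\n\r\n%s", path, host, blen, body);
    else
        n = snprintf(out, osize, "GET %s%s%s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n",
                     path, blen ? "?" : "", body, host);
    return (n < 0 || (size_t)n >= osize) ? 0 : (size_t)n;
}

/* 1 when the Content-Length header equals the actual body length; a mismatch
 * is exactly what makes the server drop or mis-read the submission. */
static int content_length_ok(const char *req)
{
    const char *h = strstr(req, "Content-Length: ");
    const char *b = strstr(req, "\r\n\r\n");
    if (!h || !b) return 0;
    return (size_t)atol(h + 16) == strlen(b + 4);
}

/* Send the raw request over TCP and print whatever comes back.
 * Returns the number of response bytes received, -1 on error. */
static int send_raw(const char *host, const char *port, const char *req, size_t len)
{
    struct addrinfo hints, *res;
    char buf[4096];
    int total = 0, r;
#ifdef _WIN32
    WSADATA wsa;
    if (WSAStartup(MAKEWORD(2, 2), &wsa) != 0) return -1;
#endif
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(host, port, &hints, &res) != 0) return -1;
    sock_t s = socket(res->ai_family, res->ai_socktype, res->ai_protocol);
    if (s == INVALID_SOCKET) { freeaddrinfo(res); return -1; }
    if (connect(s, res->ai_addr, (int)res->ai_addrlen) != 0) {
        CLOSESOCK(s); freeaddrinfo(res); return -1;
    }
    freeaddrinfo(res);
    send(s, req, (int)len, 0);
    while ((r = recv(s, buf, (int)sizeof buf - 1, 0)) > 0) {
        buf[r] = 0;
        fputs(buf, stdout);
        total += r;
    }
    CLOSESOCK(s);
#ifdef _WIN32
    WSACleanup();
#endif
    return total;
}

int main(int argc, char **argv)
{
    /* Constructed sample form: field names mirror the guestbook capture above,
     * the host/port/path are placeholders unless given on the command line. */
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    const char *port = argc > 2 ? argv[2] : "80";
    struct field f[] = { {"name", "test"}, {"comment", "hi & bye=now"}, {"doadd", "\xB7\xA2"} };
    char req[4096];
    size_t n = build_request("POST", host, "/gbook/add.php", f, 3, req, sizeof req);
    fputs(req, stdout);
    if (argc > 1 && n) return send_raw(host, port, req, n) < 0;
    return 0;
}
```

On Windows, link with ws2_32 (for example gcc ... -lws2_32); elsewhere it builds as is. Run with a host and port to actually send the request, or with no arguments to just print it. Flooding a guestbook you do not own is abuse, not testing; point this at your own server.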

Whew, I hardly know what I've been going on about. I just want to make it clear, and if my writing is not up to college-entrance-exam standard, I hope you will forgive me. Having covered the client's sending side, let's talk about the server's receiving side.

When the packet arrives at the server, the server's lower layers receive the data and put it into a buffer, and at the same time set environment variables such as CONTENT_LENGTH and QUERY_STRING. This still hides some low-level details, such as how the data submitted by the client ends up on the requested page's standard input; the web server and operating system take care of that, and we don't need to. Then the higher-level application, whether CGI, ASP or PHP, extracts the data; a CGI program must also do the URL decoding and string splitting itself. If I leave a message in an ASP guestbook and submit the name and body fields with POST, the ASP program receives them like this:

name = Request.Form("name")
body = Request.Form("body")

and adds them to the database:

rs.AddNew
rs("name") = name
rs("body") = body
rs.Update

At this point the lecture is basically finished, but note one thing: when sending the packet, the submit button's own name=value pair (URL-encoded, like doadd above) must also be included in the body, otherwise the data may not be written to the database. Why? Because the server-side script usually checks for that field (something like If Request.Form("doadd") <> "" Then ...) to tell a real submission from a plain page load; without it, the script simply shows the form again and never reaches the database code.
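The receiving side described above, as an added example that is not the article's code (the article's server is ASP; this is a C CGI-style reader): it takes CONTENT_LENGTH from the environment, reads exactly that many bytes of body from standard input, splits and decodes the name=value pairs, and applies the submit-button check, here assumed to be a field named doadd as in the capture earlier. Field names and the sample body are constructed. Unlike the article's decoder, a malformed %XX is copied through literally rather than skipped, so the parser can never read past the end of the body.

```c
/* Added example: CGI-side reading and parsing of a urlencoded POST body.
 * Not from the original article; field names are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct kv { char name[64]; char value[512]; };

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode the url-encoded token s[0..len) into d (dsize bytes, NUL-terminated).
 * '+' -> space, %XX -> the byte XX. A '%' not followed by two hex digits is
 * kept literally, so the loop never steps beyond len. Returns bytes written. */
static size_t form_decode(const char *s, size_t len, char *d, size_t dsize)
{
    size_t i = 0, n = 0;
    while (i < len && n + 1 < dsize) {
        if (s[i] == '+') {
            d[n++] = ' '; i++;
        } else if (s[i] == '%' && i + 2 < len && hexval(s[i + 1]) >= 0 && hexval(s[i + 2]) >= 0) {
            d[n++] = (char)(hexval(s[i + 1]) * 16 + hexval(s[i + 2])); i += 3;
        } else {
            d[n++] = s[i++];
        }
    }
    d[n] = 0;
    return n;
}

/* Split the body on '&', then each pair on the first '=', decoding both
 * sides. Empty segments are skipped; a pair without '=' gets an empty value.
 * Returns the number of pairs stored in out. */
static size_t parse_form(const char *body, struct kv *out, size_t max)
{
    size_t n = 0;
    const char *p = body;
    while (*p && n < max) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        if (plen == 0) { p = end + 1; continue; }
        const char *eq = memchr(p, '=', plen);
        size_t nlen = eq ? (size_t)(eq - p) : plen;
        form_decode(p, nlen, out[n].name, sizeof out[n].name);
        if (eq) form_decode(eq + 1, plen - nlen - 1, out[n].value, sizeof out[n].value);
        else out[n].value[0] = 0;
        n++;
        p = end ? end + 1 : p + plen;
    }
    return n;
}

/* The C equivalent of Request.Form("name"): first value, or NULL if absent. */
static const char *form_get(const struct kv *kv, size_t n, const char *name)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(kv[i].name, name) == 0) return kv[i].value;
    return NULL;
}

/* Read exactly CONTENT_LENGTH bytes from the CGI's standard input. A client
 * that sends the wrong Content-Length gets a truncated body here (or the
 * read blocks waiting for bytes that never come), which is why the header
 * has to be exact. Absurd or oversized lengths are refused outright. */
static size_t read_post_body(FILE *in, const char *content_length, char *buf, size_t bsize)
{
    long want = content_length ? atol(content_length) : 0;
    buf[0] = 0;
    if (want <= 0 || (size_t)want >= bsize) return 0;
    size_t got = fread(buf, 1, (size_t)want, in);
    buf[got] = 0;
    return got;
}

/* The guestbook's gate: the submit button's field (doadd) must be present
 * and the name must be non-empty before anything is written. Returns 1 when
 * the record would be inserted, copying the fields out for the caller. */
static int accept_submission(const char *body, char *name, size_t nsz, char *comment, size_t csz)
{
    struct kv kv[32];
    size_t n = parse_form(body, kv, 32);
    const char *nm = form_get(kv, n, "name");
    const char *cm = form_get(kv, n, "comment");
    if (!form_get(kv, n, "doadd") || !nm || !cm || !*nm) return 0;
    snprintf(name, nsz, "%s", nm);
    snprintf(comment, csz, "%s", cm);
    return 1;
}

int main(void)
{
    char body[4096], name[64], comment[512];
    size_t got = read_post_body(stdin, getenv("CONTENT_LENGTH"), body, sizeof body);
    printf("Content-Type: text/plain\r\n\r\n");
    if (accept_submission(body, name, sizeof name, comment, sizeof comment))
        printf("would insert name=%s comment=%s\n", name, comment);   /* rs.AddNew ... rs.Update */
    else
        printf("rejected (%zu body bytes read)\n", got);
    return 0;
}
```

To try it without a web server, feed it a body on stdin with the matching length in the environment, for example CONTENT_LENGTH=24 ./a.out <<< 'name=a&comment=b&doadd=1' (the shell's here-string adds a newline, which the exact-length read leaves unread). Drop the doadd field from the body and the same program rejects the post, which is the behaviour the article ran into.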


The source code is as follows:

/* encode.h */

/* URL encode / unencode (decode) functions */
/*
   Note that when processing Chinese characters the compiler may read a
   byte as a negative (signed) char. Cast to unsigned char * to read the
   raw byte value.
*/

#include <stdio.h>

/* Returns 1 for bytes that must be percent-encoded: space, '%', '/' and
   any byte with the high bit set (the two halves of a GBK character). */
int isT(char ch)
{
    if (ch == ' ' || ch == '%' || ch == '/' || (ch & 0x80)) return 1;
    else return 0;
}

/* Encode the string s into d; d must have room for 3 * strlen(s) + 1 bytes.
   Returns 1 on success, 0 if either pointer is NULL.
   Only the characters isT() recognises are escaped: an '&', '=' or '+'
   inside a value is left alone and will be mis-parsed by the server. */
int encode(char *s, char *d)
{
    if (!s || !d) return 0;
    for (; *s != 0; s++)
    {
        unsigned char *p = (unsigned char *)s;
        if (*p == ' ')
        {
            *d = '%';
            *(d + 1) = '2';
            *(d + 2) = '0';
            d += 3;
        }
        else if (isT(*p))
        {
            char a[3];
            *d = '%';
            sprintf(a, "%02x", *p);
            *(d + 1) = a[0];
            *(d + 2) = a[1];
            d += 3;
        }
        else
        {
            *d = *p;
            d++;
        }
    }
    *d = 0;
    return 1;
}


/* Unencode (URL decode) the string s into d; d needs strlen(s) + 1 bytes.
   Returns 1 on success, 0 if either pointer is NULL. */
int unencode(char *s, char *d)
{
    if (!s || !d) return 0;
    for (; *s != 0; s++)
    {
        if (*s == '+')
        {
            *d = ' ';
            d++;
        }
        else if (*s == '%')
        {
            int code;
            if (!s[1] || !s[2] || sscanf(s + 1, "%2x", &code) != 1) code = '?';
            /* only step over the two digits if they really exist, so a
               trailing "%" or "%4" cannot carry the loop past the NUL */
            if (s[1] && s[2]) s += 2;
            *d = code;
            d++;
        }
        else
        {
            *d = *s;
            d++;
        }
    }
    *d = 0;
    return 1;
}