Ejemplo n.º 1
        /* Preia un doc parsat deja cu Html Agility Pack, si o lista prin referinta.
         * Cauta form-uri si ancore care se potrivesc a fi vulnerabile.
         * La gasirea lor se adauga in lista de posibile puncte de injectie
         */
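        /// <summary>
        /// Collects candidate parameters from an already parsed page: every <c>input</c> found
        /// under a <c>form</c>, and every query-string parameter of an anchor's <c>href</c>.
        /// </summary>
        /// <param name="doc">Document already parsed with Html Agility Pack.</param>
        /// <param name="lista">
        /// List that receives the new points. A point is skipped when the list already holds an
        /// entry with the same parameter name, whatever its URL or method.
        /// </param>
        private void searchInjectionPoints(HtmlDocument doc, ref List<InjectionPoint> lista)
        {
            // Process-wide Html Agility Pack setting: without the "form" flag, inputs are parsed
            // as descendants of their form.
            // NOTE(review): the flag is presumably read while parsing, and doc is already parsed
            // when it reaches this method - confirm the removal also happens before loading.
            HtmlNode.ElementsFlags.Remove("form");

            // SelectNodes returns null (not an empty collection) when nothing matches.
            HtmlNodeCollection formNodes = doc.DocumentNode.SelectNodes("//form");
            if (formNodes != null)
            {
                foreach (HtmlNode form in formNodes)
                {
                    // A form without an explicit method is recorded as GET; a missing action as "".
                    String method = form.GetAttributeValue("method", "GET");
                    String actionUrl = form.GetAttributeValue("action", "");

                    // NOTE(review): only <input> is inspected, so select and textarea fields of
                    // the form are never recorded - confirm that this coverage gap is intended.
                    foreach (HtmlNode input in form.Descendants("input"))
                    {
                        // NOTE(review): an input without a name is recorded with an empty
                        // ParameterName - confirm the caller wants such entries.
                        String name = input.GetAttributeValue("name", "");
                        String value = input.GetAttributeValue("value", "");

                        InjectionPoint aux = new InjectionPoint();
                        aux.formMethod = method;
                        aux.ParameterName = name;
                        aux.ParameterValueAsEncountered = value;
                        aux.UrlAction = actionUrl;
                        aux.Origin = 1; // 1 is the value this method uses for form inputs

                        if (!lista.Exists(i => i.ParameterName == name))
                        {
                            lista.Add(aux);
                        }
                    }
                }
            }

            // Fix: the original dereferenced the result of SelectNodes("//a") directly and threw
            // NullReferenceException on any page without anchors.
            HtmlNodeCollection anchorNodes = doc.DocumentNode.SelectNodes("//a");
            if (anchorNodes == null)
            {
                return;
            }

            foreach (HtmlNode node in anchorNodes)
            {
                // Anchors without href (for example driven by an onclick handler) are skipped.
                HtmlAttribute href = node.Attributes["href"];
                if (href == null)
                {
                    continue;
                }

                String url = href.Value;
                int queryStart = url.IndexOf('?');

                // No '?' means no parameters to record.
                if (queryStart == -1)
                {
                    continue;
                }

                String action = url.Substring(0, queryStart);
                var query = HttpUtility.ParseQueryString(url.Substring(queryStart));
                foreach (String c in query.Keys)
                {
                    // ParseQueryString reports a null key for a value that has no "name=" part.
                    if (c == null)
                    {
                        continue;
                    }

                    InjectionPoint aux = new InjectionPoint();
                    aux.formMethod = "GET";
                    aux.ParameterName = c;
                    aux.ParameterValueAsEncountered = query[c];
                    aux.UrlAction = action;
                    aux.Origin = 2; // 2 is the value this method uses for link parameters

                    // The same parameter often repeats across links (a "page" parameter in every
                    // menu entry, for instance), so only the first occurrence is kept.
                    if (!lista.Exists(i => i.ParameterName == c))
                    {
                        lista.Add(aux);
                    }
                }
            }
        }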
Ejemplo n.º 2
        /* Verifica daca URL-ul de start, este el in sine vulnerabil prin parametrii din el
         * si adauga la aceasi lista de injectie toti parametrii din URL
         */
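        /// <summary>
        /// Records every query-string parameter of the start URL as a GET injection point.
        /// </summary>
        /// <param name="Url">Absolute URL; it is passed to <see cref="Uri"/>, which throws on a string it cannot parse.</param>
        /// <param name="lista">
        /// List that receives the new points. A parameter whose name is already in the list is
        /// not added again.
        /// </param>
        private void checkUrlParameters(String Url, ref List<InjectionPoint>lista)
        {
            var uri = new Uri(Url);
            var query = HttpUtility.ParseQueryString(uri.Query);
            if (query.Count == 0)
            {
                return;
            }

            // Everything before the first '?' is the request target; computed once for all keys.
            int queryStart = Url.IndexOf('?');
            String action = queryStart >= 0 ? Url.Substring(0, queryStart) : Url;

            foreach (String c in query.Keys)
            {
                // Fix: ParseQueryString yields a null key for a value without "name=" (as in
                // "?flag"); the original called ToString() on it and threw NullReferenceException.
                if (c == null)
                {
                    continue;
                }

                InjectionPoint aux = new InjectionPoint();
                aux.formMethod = "GET";
                aux.ParameterName = c;
                aux.ParameterValueAsEncountered = query[c];
                aux.UrlAction = action;
                aux.Origin = 2;

                if (!lista.Exists(i => i.ParameterName == c))
                {
                    lista.Add(aux);
                }
            }
        }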
Ejemplo n.º 3
        /* Functia care verifica daca un punct de injectie este intr-adevar o vulnerabilitate
         * Preia un element de tip InjectionPoin si faca request-urile cu parametrii potriviti
         * si se verifica raspunsul
         *
         */
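        /// <summary>
        /// Sends three fixed probe values for one parameter (SQL injection, command injection,
        /// file inclusion) and records a <c>ScanResult</c> for each response that
        /// <c>VulnerabilityTypeCheck</c> classifies with a non-empty label.
        /// </summary>
        /// <param name="i">
        /// Injection point to test. Only the GET and POST methods are handled; any other value
        /// of <c>formMethod</c>, including null, produces no request.
        /// </param>
        /// <param name="vulnerabilitati">List that receives the findings.</param>
        private void checkVulnerability(InjectionPoint i, ref List<ScanResult> vulnerabilitati)
        {
            String dummyParamString = buildDummyParamString(i.ParameterName);

            // One probe per vulnerability class, in the order they are sent.
            // NOTE(review): the parameter name is concatenated without URL encoding - confirm
            // that names containing '&' or '=' cannot reach this point.
            // NOTE(review): the file probe names a Unix path, so a non-Unix target presumably
            // never matches it - confirm against VulnerabilityTypeCheck.
            String[] probes =
            {
                i.ParameterName + "=" + "\'" + dummyParamString,
                i.ParameterName + "=" + "x;+ping+-c+1+127.0.0.1" + dummyParamString,
                i.ParameterName + "=" + "../../../../../../../etc/passwd" + dummyParamString
            };

            // Ordinal comparison instead of ToUpper(): independent of the current culture and
            // safe when formMethod is null.
            bool isGet = String.Equals(i.formMethod, "GET", StringComparison.OrdinalIgnoreCase);
            bool isPost = String.Equals(i.formMethod, "POST", StringComparison.OrdinalIgnoreCase);
            if (!isGet && !isPost)
            {
                return;
            }

            // The original repeated this whole sequence once for GET and once for POST; the two
            // copies differed only in the helper that sends the request.
            String[] responses = new String[probes.Length];
            for (int k = 0; k < probes.Length; k++)
            {
                responses[k] = isGet
                    ? responseOfGetHtmlUrl(i.UrlAction, this.CookieForPage, probes[k])
                    : responseOfPostHtmlUrl(i.UrlAction, this.CookieForPage, probes[k]);
            }

            foreach (String response in responses)
            {
                String finding = VulnerabilityTypeCheck(response);

                // A null label is treated like an empty one, so it cannot become a finding.
                if (!String.IsNullOrEmpty(finding))
                {
                    // NOTE(review): the finding is reported against UrlToScan, while the request
                    // went to i.UrlAction; for a form or link that targets another page the
                    // report names the wrong endpoint - confirm which URL ScanResult expects.
                    vulnerabilitati.Add(new ScanResult(finding, this.UrlToScan, i.ParameterName));
                }
            }
        }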