public static void AuthenticationSql(string urlToCheck, ref string result, ref List<string> array)
{
string actionUrl;
result = "By Pass Authentication SQL Injection started!!";
var uri = new Uri(urlToCheck); // Find the length of the hostname
//string urlOfSite = uri.Scheme + "://www." + uri.Host;
string urlOfSite = uri.Host;
//Load the html document from the url
var webGet = new HtmlWeb();
HtmlNode.ElementsFlags.Remove("form");
HtmlDocument document = webGet.Load(urlToCheck);
//Array containing all form objects found
List<FormDataStore> arrayOfForms = new List<FormDataStore>();
//Array containing all input fields
List<InputDataStore> arrayOfInputFields = new List<InputDataStore>();
//$log->lwrite("Searching $postUrl for forms");
result = "Searching " + urlToCheck + " for forms...." ;
int formNum = 0;//Must use an integer to identify form as forms could have same names and ids
#region Find all HtmlForms and their inputs
HtmlNodeCollection nodeCollection = document.DocumentNode.SelectNodes("//form");
for (int nodeNum = 0; nodeCollection != null && nodeNum < nodeCollection.Count; nodeNum++)
{
HtmlNode form = nodeCollection[nodeNum];
//HtmlForm form = (HtmlForm)form.FindControl("form");
formId = (form.Attributes["id"] != null) ? form.Attributes["id"].Value : "";
formName = (form.Attributes["name"] != null) ? form.Attributes["name"].Value : "";
formMethod = (form.Attributes["method"] != null) ? form.Attributes["method"].Value : "get";
formAction = (form.Attributes["action"] != null) ? form.Attributes["action"].Value : "";
formMethod = formMethod.ToLower();
//If the action of the form is empty, set the action equal to everything
//after the URL that the user entered
if (String.IsNullOrEmpty(formAction))
{
int strLengthUrl = urlToCheck.Length;
int strLengthSite = urlOfSite.Length;
int firstIndexOfSlash = urlToCheck.IndexOf('/', strLengthSite - 1);
formAction = urlToCheck.Substring(firstIndexOfSlash + 1, strLengthUrl);
}
FormDataStore newArr = new FormDataStore(formId, formName, formMethod, formAction, formNum);
arrayOfForms.Add(newArr);
HtmlNodeCollection nodeCollectionInput = form.SelectNodes("//input");
for (int nodeInput = 0; nodeCollectionInput != null && nodeInput < nodeCollectionInput.Count; nodeInput++)
{
HtmlNode input = nodeCollectionInput[nodeInput];
// HtmlInputControl input = (HtmlInputControl)input.FindControl("input");
inputId = (input.Attributes["id"] != null) ? input.Attributes["id"].Value : "";
inputName = (input.Attributes["name"] != null) ? input.Attributes["name"].Value : "";
inputValue = (input.Attributes["value"] != null) ? input.Attributes["value"].Value : "";
inputType = (input.Attributes["type"] != null) ? input.Attributes["type"].Value : "";
InputDataStore newarr = new InputDataStore(inputId, inputName, formId, formName, inputValue, inputType, formNum);
arrayOfInputFields.Add(newarr);
}
formNum++;
}
#endregion
//At this stage, we should have captured all forms and their input fields into the appropriate arrays
//Begin testing each of the forms
//Check if the URL passed into this function displays the same webpage at different intervals
//If it does then attempt to login and if this URL displays a different page, the vulnerability is present
//e.g. a login page would always look different when you are and are not logged in
//*$log->lwrite("Checking if $urlToCheck displays the same page at different intervals");
List<String> responseBodies = new List<String>(); //$responseBodies = array();
for (int a = 0; a < 3; a++)
{
// Creates an HttpWebRequest for the specified URL.
HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(urlToCheck);
// Sends the HttpWebRequest and waits for a response.
HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
Stream receiveStream = myHttpWebResponse.GetResponseStream();
StreamReader reader = new StreamReader(receiveStream, Encoding.UTF8);
String body = reader.ReadToEnd();
if (body.Length > 0)
{
responseBodies.Add(body);
}
myHttpWebResponse.Close();
}
bool pageChanges = true;
string bodyOfUrl = "";
if ((responseBodies[0] == responseBodies[1]) && (responseBodies[1] == responseBodies[2]))
{
bodyOfUrl = responseBodies[0];
pageChanges = false;
}
//Begin testing each of the forms
//$log->lwrite("Beginning testing of forms");
for (int i = 0; i < arrayOfForms.Count; i++)
{
//$currentForm = arrayOfForms[i];
string currentFormId = arrayOfForms[i].getId;
string currentFormName = arrayOfForms[i].getName;
string currentFormMethod = arrayOfForms[i].getMethod;
string currentFormAction = arrayOfForms[i].getAction;
int currentFormNum = arrayOfForms[i].getFormNum;
//$arrayOfCurrentFormsInputs = array();
List<InputDataStore> arrayOfCurrentFormsInputs = new List<InputDataStore>();
result = "Beginning test of form....";
//$log->lwrite("Beginning testing of form on $postUrl: $currentFormId $currentFormName $currentFormMethod $currentFormAction");
//echo sizeof($arrayOfInputFields) . "<br>";
for (int j = 0; j < arrayOfInputFields.Count; j++)
{
//$currentInput = arrayOfInputFields[j];
string currentInputIdOfForm = arrayOfInputFields[j].getIdOfForm;
string currentInputNameOfForm = arrayOfInputFields[j].getNameOfForm;
int currentInputFormNum = arrayOfInputFields[j].getFormNum;
//Check if the current input field belongs to the current form and add to array if it does
if (currentFormNum == currentInputFormNum)
{
arrayOfCurrentFormsInputs.Add(arrayOfInputFields[j]);
}
}
//$log->lwrite("Beginning testing input fields of form on $postUrl: $currentFormId $currentFormName $currentFormMethod $currentFormAction");
foreach (string currentPayload in arrayOfAuthenticationPayloads)
{
//echo sizeof($arrayOfCurrentFormsInputs) . '<br>';
List<PostOrGetObject> arrayOfValues = new List<PostOrGetObject>();
for (int k = 0; k < arrayOfCurrentFormsInputs.Count; k++)
{
//$currentFormInput = $arrayOfCurrentFormsInputs[k];
string currentFormInputName = arrayOfCurrentFormsInputs[k].getName;
string currentFormInputType = arrayOfCurrentFormsInputs[k].getType;
string currentFormInputValue = arrayOfCurrentFormsInputs[k].getValue;
if (currentFormInputType != "reset")
{
//$log->lwrite("Using payload: $currentPayload, to all input fields of form w/ action: $currentFormAction");
//Add current input and other inputs to array of post values and set their values
if (currentFormInputType == "text" || currentFormInputType == "password")
{
PostOrGetObject postObject = new PostOrGetObject(currentFormInputName, currentPayload);
arrayOfValues.Add(postObject);
}
else if (currentFormInputType == "checkbox" || currentFormInputType == "submit")
{
PostOrGetObject postObject = new PostOrGetObject(currentFormInputName, currentFormInputValue);
arrayOfValues.Add(postObject);
}
else if (currentFormInputType == "radio")
{
PostOrGetObject postObject = new PostOrGetObject(currentFormInputName, currentFormInputValue);
//Check if a radio button in the radio group has already been added
bool found = false;
for (int n = 0; n < arrayOfValues.Count; n++)
{
if (arrayOfValues[n].gpName == postObject.gpName)
{
found = true;
break;
}
}
if (!found)
arrayOfValues.Add(postObject);//array_push($arrayOfValues, $postObject);
}
}
}
if (currentFormMethod == "get")
{
//Build query string and submit it at end of URL
if (!currentFormAction.Contains(urlOfSite))
{
if (urlOfSite[urlOfSite.Length - 1] == '/')
actionUrl = urlOfSite + currentFormAction;
else
actionUrl = urlOfSite + "/" + currentFormAction;
}
else
{
actionUrl = currentFormAction;
}
totalTestStr = "";//Compile a test string to show the user how the vulnerability was tested for
for (int p = 0; p < arrayOfValues.Count; p++)
{
string currentPostValueName = arrayOfValues[p].gpName;
string currentPostValueValue = arrayOfValues[p].gpValue;
totalTestStr += currentPostValueName;
totalTestStr += '=';
totalTestStr += currentPostValueValue;
if (p != (arrayOfValues.Count - 1))
totalTestStr += '&';
}
actionUrl += '?';
actionUrl += totalTestStr;
// Creates an HttpWebRequest for the specified URL.
HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(actionUrl);
// Sends the HttpWebRequest and waits for a response.
HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
Stream receiveStream = myHttpWebResponse.GetResponseStream();
StreamReader reader = new StreamReader(receiveStream, Encoding.UTF8);
String body = reader.ReadToEnd();
if (body.Length > 0)
{
myHttpWebResponse.Close();
vulnerabilityFound = checkIfVulnerabilityFound(urlToCheck, pageChanges, bodyOfUrl, currentPayload);
if (vulnerabilityFound)
{
totalTestStr = "";//Make a test string to show the user how the vulnerability was tested for
for (int p = 0; p < arrayOfValues.Count; p++)
{
string currentPostValueName = arrayOfValues[p].gpName;
string currentPostValueValue = arrayOfValues[p].gpValue;
totalTestStr += currentPostValueName;
totalTestStr += '=';
totalTestStr += currentPostValueValue;
if (p != (arrayOfValues.Count - 1))
totalTestStr += '&';
}
numFound++;
StringBuilder str = new StringBuilder();
str.Append("<br><span style='font-size:medium;font-style: bold;color:red;'>" + numFound.ToString() + " Found Broken Authentication SQL Injection Present!" + "</span><br>" + "Query:" + urlToCheck + "<br>");
str.Append("Method: GET <br>");
str.Append("Url: " + totalTestStr + "<br>");
str.Append("Error:"+currentPayload+"<br>");
result = str.ToString();
array.Add(urlToCheck);
Thread.Sleep(1000);
break;
}
}
//myHttpWebResponse.Close();
}
else if (currentFormMethod == "post")//Send data in body of request
{
//Build query string and submit it at end of URL
if (!currentFormAction.Contains(urlOfSite))
{
if (urlOfSite[urlOfSite.Length - 1] == '/')
actionUrl = urlOfSite + currentFormAction;
else
actionUrl = urlOfSite + "/" + currentFormAction;
}
else
{
actionUrl = currentFormAction;
}
totalTestStr = "";//Compile a test string to show the user how the vulnerability was tested for
for (int p = 0; p < arrayOfValues.Count; p++)
{
string currentPostValueName = arrayOfValues[p].gpName;
string currentPostValueValue = arrayOfValues[p].gpValue;
totalTestStr += currentPostValueName;
totalTestStr += '=';
totalTestStr += currentPostValueValue;
if (p != (arrayOfValues.Count - 1))
totalTestStr += '&';
}
//create the constructor with post type and few data
MyWebRequest myRequest = new MyWebRequest(actionUrl, "POST", totalTestStr);
//show the response string on the console screen.
String body = myRequest.GetResponse();
if (body.Length > 0)
{
//myHttpWebResponse.Close();
vulnerabilityFound = checkIfVulnerabilityFound(urlToCheck, pageChanges, bodyOfUrl, currentPayload);
if (vulnerabilityFound)
{
totalTestStr = "";//Make a test string to show the user how the vulnerability was tested for
for (int p = 0; p < arrayOfValues.Count; p++)
{
string currentPostValueName = arrayOfValues[p].gpName;
string currentPostValueValue = arrayOfValues[p].gpValue;
totalTestStr += currentPostValueName;
totalTestStr += '=';
totalTestStr += currentPostValueValue;
if (p != (arrayOfValues.Count - 1))
totalTestStr += '&';
}
numFound++;
StringBuilder str = new StringBuilder();
str.Append("<br><span style='font-size:medium;font-style: bold;color:red;'>" + numFound.ToString() + " Found Broken Authentication SQL Injection Present!" + "</span><br>" + "Query:" + urlToCheck + "<br>");
str.Append("Method: POST <br>");
str.Append("Url: " + totalTestStr + "<br>");
str.Append("Error:" + currentPayload + "<br>");
result = str.ToString();
array.Add(urlToCheck);
Thread.Sleep(1000);
break;
}
}
}
}
}
}
public static void DetectSql(string urlToCheck, ref string result, ref List<string> array)
{
//array = new List<string>();
//First check does the URL passed into this function contain parameters and submit payloads as those parameters if it does
Uri uri = new Uri(urlToCheck);
string query = uri.Query.Replace("?", "");
NameValueCollection Parms = HttpUtility.ParseQueryString(query);
result = string.Format("Check if {0} contains parameters", urlToCheck);
Thread.Sleep(1000);
if (Parms != null && Parms.Count > 0)
{
//MessageBox.Show("$urlToCheck does contain parameters");
Thread.Sleep(1000);
result = string.Format("{0} does contain parameters", urlToCheck);
Thread.Sleep(1000);
string scheme = uri.Scheme;
string host = uri.Host;
string path = HttpUtility.UrlDecode(uri.AbsolutePath);
string originalQuery = query;
foreach (string currentPayload in arrayOfPayloads)
{
foreach (string x in Parms.AllKeys)
{
query = originalQuery;
string newQuery = query.Replace(Parms[x], currentPayload);
query = newQuery;
string testUrl = scheme + "://" + host + path + '?' + query;
//MessageBox.Show("URL to be requested is: ",testUrl);
result = string.Format("URL to be requested is: " + testUrl);
Thread.Sleep(1000);
string error;
HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(testUrl);
HttpWebResponse myHttpWebResponse;
try
{
myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
Stream receiveStream = myHttpWebResponse.GetResponseStream();
StreamReader reader = new StreamReader(receiveStream, Encoding.UTF8);
String body = reader.ReadToEnd();
if (body.Length > 0)
{
vulnerabilityFound = false;
string regularExpression = "";
for (int warningIndex = 0; warningIndex < arrayOfSQLWarnings.Length; warningIndex++)
{
regularExpression = arrayOfSQLWarnings[warningIndex];
if (body.Contains(regularExpression))//if (Regex.IsMatch(regularExpression, body))
{
//MessageBox.Show("Found regular expression: $regularExpression, in body of HTTP response");
vulnerabilityFound = true;
break;
}
}
//showExtractConetent.InnerHtml += "<h1 class=bold>Links of Pages</h1>";
//Vulnerability details
if (vulnerabilityFound)
{
numFound++;
StringBuilder str = new StringBuilder();
str.Append("<br><span style='font-size:medium;font-weight: bold;color:red;'>" + numFound.ToString() + " Found SQL Injection Present!" + "</span><br>" + "Query:" + urlToCheck + "<br>");
str.Append("Method: GET <br>");
str.Append("Url: " + testUrl + "<br>");
str.Append("Error: " + regularExpression + "<br>");
result = str.ToString();
array.Add(urlToCheck);
Thread.Sleep(1000);
/*
showExtractConetent.InnerHtml = "<br>SQL Injection Present!<br>Query:" + urlToCheck + "<br>";
showExtractConetent.InnerHtml = "Method: GET <br>";
showExtractConetent.InnerHtml = "Url: " + testUrl + "<br>";
showExtractConetent.InnerHtml = "Error: " + regularExpression + "<br>";
*/
myHttpWebResponse.Close();
return;
}
}
myHttpWebResponse.Close();
}
catch (WebException ex)
{
myHttpWebResponse = ex.Response as HttpWebResponse;
result = ex.Message;
}
}
}
}
//begin form testing
string actionUrl;
var uri1 = new Uri(urlToCheck); // Find the length of the hostname
//string urlOfSite = uri.Scheme + "://www." + uri.Host;
string urlOfSite = uri1.Host;
//Load the html document from the url
var webGet = new HtmlWeb();
HtmlNode.ElementsFlags.Remove("form");
HtmlDocument document = webGet.Load(urlToCheck);
List<FormDataStore> arrayOfForms = new List<FormDataStore>(); //Array containing all form objects found
List<InputDataStore> arrayOfInputFields = new List<InputDataStore>(); //Array containing all input fields
int formNum = 0;//Must use an integer to identify form as forms could have same names and ids
#region Find all HtmlForms and their inputs
HtmlNodeCollection nodeCollection = document.DocumentNode.SelectNodes("//form");
for (int nodeNum = 0; nodeCollection != null && nodeNum < nodeCollection.Count; nodeNum++)
{
HtmlNode form = nodeCollection[nodeNum];
//HtmlForm form = (HtmlForm)form.FindControl("form");
formId = (form.Attributes["id"] != null) ? form.Attributes["id"].Value : "";
formName = (form.Attributes["name"] != null) ? form.Attributes["name"].Value : "";
formMethod = (form.Attributes["method"] != null) ? form.Attributes["method"].Value : "get";
formAction = (form.Attributes["action"] != null) ? form.Attributes["action"].Value : "";
formMethod = formMethod.ToLower();
//If the action of the form is empty, set the action equal to everything
//after the URL that the user entered
if (String.IsNullOrEmpty(formAction))
{
int strLengthUrl = urlToCheck.Length;
int strLengthSite = urlOfSite.Length;
int firstIndexOfSlash = urlToCheck.IndexOf('/', strLengthSite - 1);
formAction = urlToCheck.Substring(firstIndexOfSlash + 1, strLengthUrl);
}
FormDataStore newArr = new FormDataStore(formId, formName, formMethod, formAction, formNum);
arrayOfForms.Add(newArr);
HtmlNodeCollection nodeCollectionInput = form.SelectNodes("//input");
for (int nodeInput = 0; nodeCollectionInput != null && nodeInput < nodeCollectionInput.Count; nodeInput++)
{
HtmlNode input = nodeCollectionInput[nodeInput];
// HtmlInputControl input = (HtmlInputControl)input.FindControl("input");
inputId = (input.Attributes["id"] != null) ? input.Attributes["id"].Value : "";
inputName = (input.Attributes["name"] != null) ? input.Attributes["name"].Value : "";
inputValue = (input.Attributes["value"] != null) ? input.Attributes["value"].Value : "";
inputType = (input.Attributes["type"] != null) ? input.Attributes["type"].Value : "";
InputDataStore newarr = new InputDataStore(inputId, inputName, formId, formName, inputValue, inputType, formNum);
arrayOfInputFields.Add(newarr);
}
formNum++;
}
#endregion
//Begin testing each of the forms
for (int i = 0; i < arrayOfForms.Count; i++)
{
string currentFormId = arrayOfForms[i].getId;
string currentFormName = arrayOfForms[i].getName;
string currentFormMethod = arrayOfForms[i].getMethod;
string currentFormAction = arrayOfForms[i].getAction;
int currentFormNum = arrayOfForms[i].getFormNum;
List<InputDataStore> arrayOfCurrentFormsInputs = new List<InputDataStore>();
for (int j = 0; j < arrayOfInputFields.Count; j++)
{
string currentInputIdOfForm = arrayOfInputFields[j].getIdOfForm;
string currentInputNameOfForm = arrayOfInputFields[j].getNameOfForm;
int currentInputFormNum = arrayOfInputFields[j].getFormNum;
//Check if the current input field belongs to the current form and add to array if it does
if (currentFormNum == currentInputFormNum)
{
arrayOfCurrentFormsInputs.Add(arrayOfInputFields[j]);
}
}
for (int k = 0; k < arrayOfCurrentFormsInputs.Count; k++)
{
for (int plIndex = 0; plIndex < arrayOfPayloads.Length; plIndex++)//foreach(string currentPayload in arrayOfAuthenticationPayloads)
{
string currentFormInputName = arrayOfCurrentFormsInputs[k].getName;
string currentFormInputType = arrayOfCurrentFormsInputs[k].getType;
string currentFormInputValue = arrayOfCurrentFormsInputs[k].getValue;
if (currentFormInputType != "reset")
{
string defaultStr = "Abc123";
List<PostOrGetObject> arrayOfValues = new List<PostOrGetObject>();
List<InputDataStore> otherInputs = new List<InputDataStore>();
for (int l = 0; l < arrayOfCurrentFormsInputs.Count; l++)
{
if (currentFormInputName != arrayOfCurrentFormsInputs[l].getName)
{
otherInputs.Add(arrayOfCurrentFormsInputs[l]);
}
}
PostOrGetObject postObject = new PostOrGetObject(currentFormInputName, arrayOfPayloads[plIndex]);
//Add current input and other to array of post values and set their values
arrayOfValues.Add(postObject);
for (int m = 0; m < otherInputs.Count; m++)
{
string currentOtherType = otherInputs[m].getType;
string currentOtherName = otherInputs[m].getName;
string currentOtherValue = otherInputs[m].getValue;
if (currentOtherType == "text" || currentOtherType == "password")
{
PostOrGetObject postObject1 = new PostOrGetObject(currentOtherName, defaultStr);
arrayOfValues.Add(postObject1);
}
else if (currentOtherType == "checkbox" || currentOtherType == "submit")
{
PostOrGetObject postObject1 = new PostOrGetObject(currentOtherName, currentOtherValue);
arrayOfValues.Add(postObject1);
}
else if (currentOtherType == "radio")
{
PostOrGetObject postObject1 = new PostOrGetObject(currentOtherName, currentOtherValue);
//Check if a radio button in the radio group has already been added
bool found = false;
for (int n = 0; n < arrayOfValues.Count; n++)
{
if (arrayOfValues[n].gpName == postObject.gpName)
{
found = true;
break;
}
}
if (!found)
arrayOfValues.Add(postObject1);
}
}
if (currentFormMethod == "get")
{
//Build query string and submit it at end of URL
if (!currentFormAction.Contains(urlOfSite))
{
if (urlOfSite[urlOfSite.Length - 1] == '/')
actionUrl = urlOfSite + currentFormAction;
else
actionUrl = urlOfSite + "/" + currentFormAction;
}
else
{
actionUrl = currentFormAction;
}
totalTestStr = "";//Compile a test string to show the user how the vulnerability was tested for
for (int p = 0; p < arrayOfValues.Count; p++)
{
string currentPostValueName = arrayOfValues[p].gpName;
string currentPostValueValue = arrayOfValues[p].gpValue;
totalTestStr += currentPostValueName;
totalTestStr += '=';
totalTestStr += currentPostValueValue;
if (p != (arrayOfValues.Count - 1))
totalTestStr += '&';
}
actionUrl += '?';
actionUrl += totalTestStr;
HttpWebRequest myHttpWebRequest = (HttpWebRequest)WebRequest.Create(actionUrl);
HttpWebResponse myHttpWebResponse = (HttpWebResponse)myHttpWebRequest.GetResponse();
Stream receiveStream = myHttpWebResponse.GetResponseStream();
StreamReader reader = new StreamReader(receiveStream, Encoding.UTF8);
String body = reader.ReadToEnd();
if (body.Length > 0)
{
vulnerabilityFound = false;
string regularExpression = "";
for (int warningIndex = 0; warningIndex < arrayOfSQLWarnings.Length; warningIndex++)
{
regularExpression = arrayOfSQLWarnings[warningIndex];
if (body.Contains(regularExpression))//if (Regex.IsMatch(regularExpression, body))
{
//MessageBox.Show("Found regular expression: $regularExpression, in body of HTTP response");
vulnerabilityFound = true;
break;
}
}
//Vulnerability details
if (vulnerabilityFound)
{
StringBuilder str = new StringBuilder();
str.Append("<br><span style='font-size:medium;font-style: bold;color:red;'>" + "SQL Injection Present!" +"</span><br>"+ "Query:" + urlToCheck + "<br>");
result = str.ToString();
array.Add(str.ToString());
Thread.Sleep(1000);
/*
showExtractConetent.InnerHtml = "<br>SQL Injection Present!<br>Query:" + urlToCheck + "<br>";
showExtractConetent.InnerHtml = "Method: GET <br>";
showExtractConetent.InnerHtml = "Url: " + testUrl + "<br>";
showExtractConetent.InnerHtml = "Error: " + regularExpression + "<br>";
*/
myHttpWebResponse.Close();
return;
}
}
myHttpWebResponse.Close();
}
else if (currentFormMethod == "post")//Send data in body of request
{
//Build query string and submit it at end of URL
if (!currentFormAction.Contains(urlOfSite))
{
if (urlOfSite[urlOfSite.Length - 1] == '/')
actionUrl = urlOfSite + currentFormAction;
else
actionUrl = urlOfSite + "/" + currentFormAction;
}
else
{
actionUrl = currentFormAction;
}
totalTestStr = "";//Compile a test string to show the user how the vulnerability was tested for
for (int p = 0; p < arrayOfValues.Count; p++)
{
string currentPostValueName = arrayOfValues[p].gpName;
string currentPostValueValue = arrayOfValues[p].gpValue;
totalTestStr += currentPostValueName;
totalTestStr += '=';
totalTestStr += currentPostValueValue;
if (p != (arrayOfValues.Count - 1))
totalTestStr += '&';
}
//create the constructor with post type and few data
MyWebRequest myRequest = new MyWebRequest(actionUrl, "POST", totalTestStr);
//show the response string on the console screen.
String body = myRequest.GetResponse();
if (body.Length > 0)
{
vulnerabilityFound = false;
string regularExpression = "";
for (int warningIndex = 0; warningIndex < arrayOfSQLWarnings.Length; warningIndex++)
{
regularExpression = arrayOfSQLWarnings[warningIndex];
if (body.Contains(regularExpression))//if (Regex.IsMatch(regularExpression, body))
{
//MessageBox.Show("Found regular expression: $regularExpression, in body of HTTP response");
vulnerabilityFound = true;
break;
}
}
//Vulnerability details
if (vulnerabilityFound)
{
StringBuilder str = new StringBuilder();
str.Append("<br><span style='font-size:medium;font-style: bold;color:red;'>" + "SQL Injection Present!" + "</span><br>" + "Query:" + urlToCheck + "<br>");
result = str.ToString();
array.Add(str.ToString());
Thread.Sleep(1000);
/*
showExtractConetent.InnerHtml = "<br>SQL Injection Present!<br>Query:" + urlToCheck + "<br>";
showExtractConetent.InnerHtml = "Method: GET <br>";
showExtractConetent.InnerHtml = "Url: " + testUrl + "<br>";
showExtractConetent.InnerHtml = "Error: " + regularExpression + "<br>";
*/
//myHttpWebResponse.Close();
return;
}
}
}
}
}
}
}
}
public override void Play(MyWebRequest req)
{
if (!req.Parameters.ContainsKey("id"))
{
return;
}
var plugpath = GetPluginFromPath(req.Url);
var plugin = _plugins.FirstOrDefault(p => plugpath == p.Id);
if (plugin != null)
{
var content = plugin.GetContent(req.Parameters);
if (content == null || content is IPluginContainer)
{
return;
}
var source = content.GetSourceUrl();
if (source.Type == SourceType.ContentId || source.Type == SourceType.Torrent)
{
var ts = GetContentUrl(source, req);
string url = ts.GetPlayTask().Result;
if (ts == null || string.IsNullOrEmpty(url))
{
ts.Disconnect();
req.GetResponse().SendText("File Not Found");
return;
}
TorrentStream ts1 = new TorrentStream(req.Client);
ts1.Connect();
var resp = ts1.ReadTorrent(source.Url, (TTVApi.SourceType)(byte) source.Type);
string file = resp.Files[req.Parameters.ContainsKey("index") ? int.Parse(req.Parameters["index"]) : 0];
string ext = Path.GetExtension(file);
ts1.Disconnect();
if (content.Translation == TranslationType.Broadcast)
{
SendBroadcast(url, req, ext);
}
else if (content.Translation == TranslationType.VoD)
{
for (int i = 0; i < ts.Owner.Count && ts.Owner.Count > 1; i++)
{
ts.Owner[i].Close();
}
SendFile(url, req, ext);
}
Thread.Sleep(5712);
if (ts.Owner.All(c => !c.Connected))
{
if (content.Translation == TranslationType.Broadcast && !_device.Proxy.Broadcaster.Contains(url) ||
content.Translation == TranslationType.VoD)
{
ts.Disconnect();
_device.Proxy.RemoveFromTsPoos(ts);
}
}
}
else if (source.Type == SourceType.File)
{
string ext = Path.GetExtension(source.Url);
if (content.Translation == TranslationType.Broadcast)
{
SendBroadcast(source.Url, req, ext);
}
else if (content.Translation == TranslationType.VoD)
{
SendFile(source.Url, req, ext);
}
}
}
}
private void GetSystemUpdateID(MyWebRequest request)
{
MyWebResponse response = request.GetResponse();
response.SendSoapHeadersBody("0");
}
private void ParseUri(MyUri uri, ref MyWebRequest request)
{
string str = "";
if ((request != null) && request.response.KeepAlive)
{
str = str + "连接转至: " + uri.Host + "\r\n\r\n";
}
else
{
str = str + "连接: " + uri.Host + "\r\n\r\n";
}
ListViewItem item = null;
Monitor.Enter(this.listViewThreads);
try
{
item = this.listViewThreads.Items[int.Parse(Thread.CurrentThread.Name)];
item.SubItems[1].Text = uri.Depth.ToString();
item.ImageIndex = 1;
item.BackColor = System.Drawing.Color.WhiteSmoke;
item.SubItems[2].Text = "正在连接";
item.ForeColor = System.Drawing.Color.Red;
item.SubItems[3].Text = uri.AbsoluteUri;
item.SubItems[4].Text = "";
item.SubItems[5].Text = "";
}
catch (Exception)
{
}
Monitor.Exit(this.listViewThreads);
try
{
object obj2;
request = MyWebRequest.Create(uri, request, this.KeepAlive);
request.Timeout = this.RequestTimeout * 0x3e8;
MyWebResponse response = request.GetResponse();
str = str + request.Header + response.Header;
if (!response.ResponseUri.Equals(uri))
{
this.EnqueueUri(new MyUri(response.ResponseUri.AbsoluteUri), true);
obj2 = str;
str = string.Concat(new object[] { obj2, "重定向到: ", response.ResponseUri, "\r\n" });
request = null;
}
else
{
if ((!this.AllMIMETypes && (response.ContentType != null)) && (this.MIMETypes.Length > 0))
{
string str2 = response.ContentType.ToLower();
int index = str2.IndexOf(';');
if (index != -1)
{
str2 = str2.Substring(0, index);
}
if ((str2.IndexOf('*') == -1) && ((index = this.MIMETypes.IndexOf(str2)) == -1))
{
this.LogError(uri.AbsoluteUri, str + "\r\nUnlisted Content-Type (" + str2 + "), check settings.");
request = null;
return;
}
Match match = new Regex(@"\d+").Match(this.MIMETypes, index);
int num3 = int.Parse(match.Value) * 0x400;
int num4 = int.Parse(match.NextMatch().Value) * 0x400;
if ((num3 < num4) && ((response.ContentLength < num3) || (response.ContentLength > num4)))
{
this.LogError(uri.AbsoluteUri, string.Concat(new object[] { str, "\r\nContentLength limit error (", response.ContentLength, ")" }));
request = null;
return;
}
}
string[] strArray = new string[] { ".gif", ".jpg", ".css", ".zip", ".exe" };
bool flag = true;
foreach (string str3 in strArray)
{
if (uri.AbsoluteUri.ToLower().EndsWith(str3))
{
flag = false;
break;
}
}
foreach (string str3 in this.ExcludeFiles)
{
if ((str3.Trim().Length > 0) && uri.AbsoluteUri.ToLower().EndsWith(str3))
{
flag = false;
break;
}
}
string strBody = uri.ToString();
if (this.Compared(uri.LocalPath.Substring(uri.LocalPath.LastIndexOf('.') + 1).ToLower()) && (uri.ToString().Substring(uri.ToString().Length - 1, 1) != "/"))
{
this.LogError("丢弃--非网页文件", strBody);
}
else
{
int num5;
UriKind absolute = UriKind.Absolute;
if (!string.IsNullOrEmpty(strBody) && Uri.IsWellFormedUriString(strBody, absolute))
{
string page = GetPage(strBody);
Stopwatch stopwatch = new Stopwatch();
stopwatch.Start();
Html html = new Html {
Web = page,
Url = strBody
};
CommonAnalyze analyze = new CommonAnalyze();
analyze.LoadHtml(html);
Net.LikeShow.ContentAnalyze.Document result = analyze.GetResult();
stopwatch.Stop();
string bt = result.Title.Replace("[(title)]", "");
switch (bt)
{
case null:
case "":
bt = result.Doc.Substring(20).ToString();
break;
}
if ((result.Doc == null) || (result.Doc == ""))
{
this.LogError("丢弃--空内容或非内空页", strBody);
}
else
{
Lucene.Net.Documents.Document document3;
string str7 = result.Doc + bt;
if (this.cgcount >= 10)
{
string keywords = this.MD5string(result.Doc.ToString());
string keyWordsSplitBySpace = "";
IndexSearcher searcher = new IndexSearcher(this.path);
keyWordsSplitBySpace = GetKeyWordsSplitBySpace(keywords, new KTDictSegTokenizer());
Query query = new QueryParser("J_md5_bai", new KTDictSegAnalyzer(true)).Parse(keyWordsSplitBySpace);
if (searcher.Search(query).Doc(0).Get("J_md5_bai") == keywords)
{
this.LogError("排除--重复", strBody);
}
else
{
this.cgcount++;
this.LogUri(bt, "引索完成");
document3 = new Lucene.Net.Documents.Document();
document3.Add(new Field("分类", this.page_py, Field.Store.YES, Field.Index.TOKENIZED));
document3.Add(new Field("J_title_bai", bt, Field.Store.YES, Field.Index.TOKENIZED));
document3.Add(new Field("J_msgContent_bai", str7, Field.Store.YES, Field.Index.TOKENIZED));
document3.Add(new Field("J_SiteType_bai", result.SiteType.ToString(), Field.Store.YES, Field.Index.NO));
document3.Add(new Field("J_URL_bai", strBody, Field.Store.YES, Field.Index.NO));
document3.Add(new Field("J_addtime_bai", DateTime.Now.ToShortDateString(), Field.Store.YES, Field.Index.NO));
document3.Add(new Field("J_md5_bai", this.MD5string(result.Doc.ToString()), Field.Store.YES, Field.Index.TOKENIZED));
this.writer.AddDocument(document3);
}
}
else
{
this.cgcount++;
this.LogUri(bt, "引索完成");
document3 = new Lucene.Net.Documents.Document();
document3.Add(new Field("分类", this.page_py, Field.Store.YES, Field.Index.TOKENIZED));
document3.Add(new Field("J_title_bai", bt, Field.Store.YES, Field.Index.TOKENIZED));
document3.Add(new Field("J_msgContent_bai", str7, Field.Store.YES, Field.Index.TOKENIZED));
document3.Add(new Field("J_SiteType_bai", result.SiteType.ToString(), Field.Store.YES, Field.Index.NO));
document3.Add(new Field("J_URL_bai", strBody, Field.Store.YES, Field.Index.NO));
document3.Add(new Field("J_addtime_bai", DateTime.Now.ToShortDateString(), Field.Store.YES, Field.Index.NO));
document3.Add(new Field("J_md5_bai", this.MD5string(result.Doc.ToString()), Field.Store.YES, Field.Index.TOKENIZED));
this.writer.AddDocument(document3);
}
}
}
item.SubItems[2].Text = "正在下载";
item.ForeColor = System.Drawing.Color.Black;
string input = "";
byte[] buffer = new byte[0x2800];
int nNum = 0;
while ((num5 = response.socket.Receive(buffer, 0, 0x2800, SocketFlags.None)) > 0)
{
nNum += num5;
if (flag)
{
input = input + Encoding.ASCII.GetString(buffer, 0, num5);
}
item.SubItems[4].Text = this.Commas(nNum);
if (response.ContentLength > 0)
{
item.SubItems[5].Text = '%' + ((100 - (((response.ContentLength - nNum) * 100) / response.ContentLength))).ToString();
}
if ((response.KeepAlive && (nNum >= response.ContentLength)) && (response.ContentLength > 0))
{
break;
}
}
if (response.KeepAlive)
{
str = str + "Connection kept alive to be used in subpages.\r\n";
}
else
{
response.Close();
str = str + "Connection closed.\r\n";
}
this.FileCount++;
this.ByteCount += nNum;
if ((this.ThreadsRunning && flag) && (uri.Depth < this.WebDepth))
{
str = str + "\r\nParsing page ...\r\n";
string pattern = "(href|HREF|src|SRC)[ ]*=[ ]*[\"'][^\"'#>]+[\"']";
MatchCollection matchs = new Regex(pattern).Matches(input);
obj2 = str;
str = string.Concat(new object[] { obj2, "Found: ", matchs.Count, " ref(s)\r\n" });
this.URLCount += matchs.Count;
foreach (Match match in matchs)
{
pattern = match.Value.Substring(match.Value.IndexOf('=') + 1).Trim(new char[] { '"', '\'', '#', ' ', '>' });
try
{
if (!(((pattern.IndexOf("..") == -1) && !pattern.StartsWith("/")) && pattern.StartsWith("http://")))
{
pattern = new Uri(uri, pattern).AbsoluteUri;
}
this.Normalize(ref pattern);
MyUri uri2 = new MyUri(pattern);
if ((((uri2.Scheme != Uri.UriSchemeHttp) && (uri2.Scheme != Uri.UriSchemeHttps)) || ((uri2.Host.Split(new char[] { '.' })[1] != this.urllhost[1]) && this.KeepSameServer)) || !this.Compared_jpg(uri2.LocalPath.Substring(uri2.LocalPath.LastIndexOf('.') + 1).ToLower()))
{
continue;
}
Global.URL = uri2.ToString();
if ((Global.BXBH != "") && (Redspider_link.bxbh() == 2))
{
continue;
}
uri2.Depth = uri.Depth + 1;
if (this.EnqueueUri(uri2, true))
{
str = str + uri2.AbsoluteUri + "\r\n";
}
}
catch (Exception)
{
}
}
}
}
}
}
catch (Exception exception)
{
this.LogError(uri.AbsoluteUri, str + exception.Message);
request = null;
}
finally
{
this.EraseItem(item);
}
}
private void GetSearchCapabilities(MyWebRequest request)
{
MyWebResponse response = request.GetResponse();
response.SendSoapHeadersBody("");
}
private void GetSortCapabilities(MyWebRequest request)
{
MyWebResponse response = request.GetResponse();
response.SendSoapHeadersBody("dc:title,dc:date");
}
private void ClearBroadcast(MyWebRequest obj)
{
Proxy.Broadcaster.StopAll();
obj.GetResponse().SendText("OK");
}
private void ProceedEventUnsub(MyWebRequest req)
{
req.GetResponse().SendHeaders();
}
private void IsValidated(MyWebRequest request, [UpnpServiceArgument("A_ARG_TYPE_DeviceID")][AliasAttribute("DeviceID")] string DeviceID)
{
MyWebResponse response = request.GetResponse();
response.SendSoapHeadersBody("1");
}
private void RegisterDevice(MyWebRequest request, [UpnpServiceArgument("A_ARG_TYPE_RegistrationReqMsg")][AliasAttribute("RegistrationReqMsg")] string RegistrationReqMsg)
{
MyWebResponse response = request.GetResponse();
response.SendSoapHeadersBody("OK");
}
private void AllRequest(MyWebRequest obj)
{
obj.GetResponse().SendText(GetXml(_device.Records.GetRecords()).ToString());
}
