Example #1
0
        private void ParseLog()
        {
            string logPath = "/home/bperry/tools/sqlmap/output/" + this.HostIPAddressV4 + "/log";
            string log = System.IO.File.ReadAllText(logPath);
            string[] results = Regex.Split(log, "---");

            this.Log = log;

            if (results.Length == 1)
                return;

            //---
            //Place: GET
            //Parameter: searchquery
            //    Type: UNION query
            //    Title: MySQL UNION query (NULL) - 4 columns
            //    Payload: action=search&searchquery=abcd' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a626b763a,0x66726b4c574566415773,0x3a74786e3a), NULL, NULL, NULL#
            //---

            this.Vulnerabilities = new List<SQLMapVulnerability>();

            foreach (string result in results.Skip(1))
            {
                if (string.IsNullOrWhiteSpace(result))
                    continue;

                SQLMapVulnerability vuln  = new SQLMapVulnerability();

                foreach (string line in result.Split('\n'))
                {
                    string l = line.Trim();

                    if (l.StartsWith("Place"))
                    {
                        vuln.HTTPRequestType = l.Split(':')[1].Trim();
                    }
                    else if (l.StartsWith("Parameter"))
                    {
                        vuln.Parameter = l.Split(':')[1].Trim();
                    }
                    else if (l.StartsWith("Type"))
                    {
                        vuln.PayloadType  = l.Split(':')[1].Trim();
                    }
                    else if (l.StartsWith("Title"))
                    {
                        vuln.Title = l.Split(':')[1].Trim();
                    }
                    else if (l.StartsWith ("Payload"))
                    {
                        vuln.Payload  = l.Split(':')[1].Trim();
                    }
                }

                this.Vulnerabilities.Add(vuln);
            }
        }
Example #2
0
        private List <IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary <string, string> config)
        {
            List <IToolResults> _results = new List <IToolResults> ();

            Console.WriteLine("Scanning host: " + host.Hostname);
            foreach (var port in host.Ports)
            {
                port.ParentIPAddress = host.IPAddressv4;

                if ((port.Service == "http" || port.Service == "https") && bool.Parse(config ["isSQLMap"]))
                {
                    IToolOptions _options = new WapitiToolOptions();

                    (_options as WapitiToolOptions).Host = host.IPAddressv4;
                    (_options as WapitiToolOptions).Port = port.PortNumber;
                    (_options as WapitiToolOptions).Path = config ["wapitiPath"];

                    Wapiti wapiti = new Wapiti(_options);

                    Console.WriteLine("Running wapiti (http/" + port.PortNumber + ") on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname));
                    WapitiToolResults wapitiResults = null;
                    try {
                        wapitiResults = wapiti.Run(new TimeSpan(0, 10, 0)) as WapitiToolResults;
                        wapitiResults.HostIPAddressV4 = host.IPAddressv4;
                        wapitiResults.HostPort        = port.PortNumber;
                        wapitiResults.IsTCP           = true;

                        _results.Add(wapitiResults);
                    } catch (Exception ex) {
                        Console.WriteLine(ex.Message);
                    }

                    if (sqlmapOptions != null && wapitiResults != null)
                    {
                        if (wapitiResults.Bugs == null)                           // we get bugs from the findings of wapiti, if wapiti didn't run, no bugs.

                        {
                            sqlmapOptions.URL  = port.Service + "://" + host.IPAddressv4;
                            sqlmapOptions.Port = port.PortNumber;
                            sqlmapOptions.Path = config ["sqlmapPath"];

                            SQLMap mapper = new SQLMap(sqlmapOptions);

                            SQLMapResults sqlmapResults = mapper.Run() as SQLMapResults;
                            sqlmapResults.ParentHostPort = port;

                            _results.Add(sqlmapResults);
                        }
                        else
                        {
                            using (SqlmapSession sess = new SqlmapSession("127.0.0.1", 8775)) {
                                using (SqlmapManager manager = new SqlmapManager(sess)) {
                                    foreach (WapitiBug bug in wapitiResults.Bugs)
                                    {
                                        if (bug.Type.StartsWith("SQL Injection"))
                                        {
                                            Console.WriteLine("Starting SQLMap on host/port: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname) + "/" + port.PortNumber);

                                            sqlmapOptions.Path = config ["sqlmapPath"];
                                            //SQLMap mapper = new SQLMap (sqlmapOptions);

                                            //SQLMapResults results = mapper.Run (bug) as SQLMapResults;

//									if (results == null )
//										continue;
//
//									if (results.Vulnerabilities != null)
//										foreach (var vuln in results.Vulnerabilities)
//											vuln.Target = bug.URL;
//
//									results.ParentHostPort = port;
//
//									_results.Add (results);

                                            string taskid = manager.NewTask();
                                            Dictionary <string, object> opts = manager.GetOptions(taskid);


                                            if (bug.URL.Contains(bug.Parameter))
                                            {
                                                opts ["url"] = bug.URL.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
                                                manager.StartTask(taskid, opts);
                                            }
                                            else
                                            {
                                                opts ["url"] = bug.URL;
                                                opts["data"] = bug.Parameter.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
                                                manager.StartTask(taskid, opts);
                                            }

                                            SqlmapStatus status = manager.GetScanStatus(taskid);

                                            while (status.Status != "terminated")
                                            {
                                                System.Threading.Thread.Sleep(new TimeSpan(0, 0, 10));
                                                status = manager.GetScanStatus(taskid);
                                            }

                                            List <SqlmapLogItem> logItems = manager.GetLog(taskid);

                                            SQLMapResults results = new SQLMapResults();
                                            results.Vulnerabilities = new List <SQLMapVulnerability>();

                                            foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable")))
                                            {
                                                SQLMapVulnerability vuln = new SQLMapVulnerability();

                                                Console.WriteLine(item.Message);
                                            }
                                            manager.DeleteTask(taskid);
                                        }
                                        else if (bug.Type.Contains("Cross Site Scripting)"))
                                        {
                                            //dsxs
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }

            Console.WriteLine("Done with host: " + host.Hostname);

            return(_results);
        }
Example #3
0
        private List<IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary<string, string> config)
        {
            List<IToolResults > _results = new List<IToolResults> ();

            Console.WriteLine ("Scanning host: " + host.Hostname);
            foreach (var port in host.Ports) {

                port.ParentIPAddress = host.IPAddressv4;

                if ((port.Service == "http" || port.Service == "https") && bool.Parse (config ["isSQLMap"])) {
                    IToolOptions _options = new WapitiToolOptions ();

                    (_options as WapitiToolOptions).Host = host.IPAddressv4;
                    (_options as WapitiToolOptions).Port = port.PortNumber;
                    (_options as WapitiToolOptions).Path = config ["wapitiPath"];

                    Wapiti wapiti = new Wapiti (_options);

                    Console.WriteLine ("Running wapiti (http/" + port.PortNumber + ") on host: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname));
                    WapitiToolResults wapitiResults = null;
                    try {
                        wapitiResults = wapiti.Run (new TimeSpan (0, 10, 0)) as WapitiToolResults;
                        wapitiResults.HostIPAddressV4 = host.IPAddressv4;
                        wapitiResults.HostPort = port.PortNumber;
                        wapitiResults.IsTCP = true;

                        _results.Add (wapitiResults);
                    } catch (Exception ex) {
                        Console.WriteLine (ex.Message);
                    }

                    if (sqlmapOptions != null && wapitiResults != null) {

                        if (wapitiResults.Bugs == null) { // we get bugs from the findings of wapiti, if wapiti didn't run, no bugs.

                            sqlmapOptions.URL = port.Service + "://" + host.IPAddressv4;
                            sqlmapOptions.Port = port.PortNumber;
                            sqlmapOptions.Path = config ["sqlmapPath"];

                            SQLMap mapper = new SQLMap (sqlmapOptions);

                            SQLMapResults sqlmapResults = mapper.Run () as SQLMapResults;
                            sqlmapResults.ParentHostPort = port;

                            _results.Add (sqlmapResults);
                        } else {

                            using (SqlmapSession sess = new SqlmapSession("127.0.0.1", 8775)) {
                                using (SqlmapManager manager = new SqlmapManager(sess)) {
                                    foreach (WapitiBug bug in wapitiResults.Bugs) {
                                        if (bug.Type.StartsWith ("SQL Injection")) {

                                            Console.WriteLine ("Starting SQLMap on host/port: " + (string.IsNullOrEmpty (host.Hostname) ? host.IPAddressv4 : host.Hostname) + "/" + port.PortNumber);

                                            sqlmapOptions.Path = config ["sqlmapPath"];
                                            //SQLMap mapper = new SQLMap (sqlmapOptions);

                                            //SQLMapResults results = mapper.Run (bug) as SQLMapResults;

            //									if (results == null )
            //										continue;
            //
            //									if (results.Vulnerabilities != null)
            //										foreach (var vuln in results.Vulnerabilities)
            //											vuln.Target = bug.URL;
            //
            //									results.ParentHostPort = port;
            //
            //									_results.Add (results);

                                            string taskid = manager.NewTask ();
                                            Dictionary<string, object> opts = manager.GetOptions (taskid);

                                            if (bug.URL.Contains (bug.Parameter)) {
                                                opts ["url"] = bug.URL.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
                                                manager.StartTask(taskid, opts);

                                            } else {
                                                opts ["url"] = bug.URL;
                                                opts["data"] = bug.Parameter.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
                                                manager.StartTask(taskid, opts);
                                            }

                                            SqlmapStatus status = manager.GetScanStatus(taskid);

                                            while (status.Status != "terminated")
                                            {
                                                System.Threading.Thread.Sleep(new TimeSpan(0,0,10));
                                                status = manager.GetScanStatus(taskid);
                                            }

                                            List<SqlmapLogItem> logItems = manager.GetLog(taskid);

                                            SQLMapResults results = new SQLMapResults();
                                            results.Vulnerabilities = new List<SQLMapVulnerability>();

                                            foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable")))
                                            {
                                                SQLMapVulnerability vuln = new SQLMapVulnerability();

                                                Console.WriteLine(item.Message);
                                            }
                                            manager.DeleteTask(taskid);

                                        } else if (bug.Type.Contains ("Cross Site Scripting)")) {
                                            //dsxs
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }

            Console.WriteLine ("Done with host: " + host.Hostname);

            return _results;
        }
Example #4
0
        private void ParseLog()
        {
            string logPath = "/home/bperry/tools/sqlmap/output/" + this.HostIPAddressV4 + "/log";
            string log     = System.IO.File.ReadAllText(logPath);

            string[] results = Regex.Split(log, "---");

            this.Log = log;

            if (results.Length == 1)
            {
                return;
            }

            //---
            //Place: GET
            //Parameter: searchquery
            //    Type: UNION query
            //    Title: MySQL UNION query (NULL) - 4 columns
            //    Payload: action=search&searchquery=abcd' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a626b763a,0x66726b4c574566415773,0x3a74786e3a), NULL, NULL, NULL#
            //---

            this.Vulnerabilities = new List <SQLMapVulnerability>();

            foreach (string result in results.Skip(1))
            {
                if (string.IsNullOrWhiteSpace(result))
                {
                    continue;
                }

                SQLMapVulnerability vuln = new SQLMapVulnerability();

                foreach (string line in result.Split('\n'))
                {
                    string l = line.Trim();

                    if (l.StartsWith("Place"))
                    {
                        vuln.HTTPRequestType = l.Split(':')[1].Trim();
                    }
                    else if (l.StartsWith("Parameter"))
                    {
                        vuln.Parameter = l.Split(':')[1].Trim();
                    }
                    else if (l.StartsWith("Type"))
                    {
                        vuln.PayloadType = l.Split(':')[1].Trim();
                    }
                    else if (l.StartsWith("Title"))
                    {
                        vuln.Title = l.Split(':')[1].Trim();
                    }
                    else if (l.StartsWith("Payload"))
                    {
                        vuln.Payload = l.Split(':')[1].Trim();
                    }
                }

                this.Vulnerabilities.Add(vuln);
            }
        }