/// <summary>
/// attack all input fields with xss pattern.
/// </summary>
public void attackAllInputfields(string URL)
{
// get page content
WebCrawler spider = new WebCrawler(URL);
string htmlContent = spider.fetchPage();
HtmlParser p = new HtmlParser(URL,htmlContent);
// fetch forms input fields
List<List<string>> inputFields = p.getFormsInputFields();
//for each form
for (int currentFormID = 0; currentFormID < inputFields.Count; currentFormID++)
{
string currentFormURL = inputFields[currentFormID][0];
string currentFormFieldsHeader = string.Empty;
// for each input field
for (int currentInputFieldID = 1; currentInputFieldID < inputFields[currentFormID].Count; currentInputFieldID++)
{
//xss the current input field only
if (currentFormFieldsHeader != string.Empty) // second param
{
currentFormFieldsHeader += "&" + inputFields[currentFormID][currentInputFieldID] + "=" + xssAttackPattern;
}
else // first param
{
currentFormFieldsHeader += inputFields[currentFormID][currentInputFieldID] + "=" + xssAttackPattern;
}
}
//just for tests
//System.Windows.Forms.MessageBox.Show(currentFormFieldsHeader);
// send the post request here
WebPostRequest myPost = new WebPostRequest(currentFormURL);
myPost.AddParamsToHeader(currentFormFieldsHeader);
string resultHTML = myPost.GetResponse();
//check the results
if (resultHTML.Contains(xssAttackPattern))
{
// it is a vulnerable page !
SharedVariables.myTestingForm.displayOutputActivity("the page : " + currentFormURL + " has an XSS vulnerable in one of its form fields \n\r saving the vulnerability for later reviews\n\r");
ExploitsManager e = new ExploitsManager();
e.add(_profileID.ToString(), "XSS", currentFormURL + "\n\r form fields values : " + currentFormFieldsHeader, "Unknown");
}
//else
//{
// // it is safe page againest XSS.
// // it is a vulnerable page !
// SharedVariables.myTestingForm.displayOutputActivity("the page : " + currentFormURL + " form fields are safe againest XSS attacks.\n\r");
//}
}
}
/// <summary>
/// attack each input field with sql injection pattern to know exactly where is the exploit.
/// </summary>
public void attackEachInputfield(string URL)
{
// get page content
WebCrawler spider = new WebCrawler(URL);
string htmlContent = spider.fetchPage();
HtmlParser parser = new HtmlParser(URL, htmlContent);
// fetch forms input fields
List<List<string>> inputFields = parser.getFormsInputFields();
//for each form
for (int currentFormID = 0; currentFormID < inputFields.Count; currentFormID++)
{
string currentFormURL = inputFields[currentFormID][0];
// for each input field
for (int currentInputFieldID = 1; currentInputFieldID < inputFields[currentFormID].Count; currentInputFieldID++)
{
string currentFormFieldsHeader = string.Empty;
//sql injection the current input field only
if (currentFormFieldsHeader != string.Empty) // second param
{
currentFormFieldsHeader += "&" + inputFields[currentFormID][currentInputFieldID] + "=" + sqlAttackPattern;
}
else // first param
{
currentFormFieldsHeader += inputFields[currentFormID][currentInputFieldID] + "=" + sqlAttackPattern;
}
//fill other fields with regular values = for ex '11'.
for (int i = 1; i < inputFields[currentFormID].Count; i++)
{
if (i != currentInputFieldID) // not to add the same param twice
{
//sql injection the current input field only
if (currentFormFieldsHeader != string.Empty) // second param
{
currentFormFieldsHeader += "&" + inputFields[currentFormID][i] + "=11";
}
else // first param
{
currentFormFieldsHeader += inputFields[currentFormID][i] + "=11";
}
}
}
//just for tests
//System.Windows.Forms.MessageBox.Show(currentFormFieldsHeader);
string resultHTML = string.Empty;
try
{
WebPostRequest myPost = new WebPostRequest(currentFormURL);
myPost.AddParamsToHeader(currentFormFieldsHeader);
resultHTML = myPost.GetResponse();
}
catch (WebException exep)
{
SharedVariables.myTestingForm.displayOutputActivity(string.Format("Unknown error : {0}\n\r", exep.Message));
// it is a vulnerable page !
SharedVariables.myTestingForm.displayOutputActivity("the page : " + currentFormURL + " maybe has a SQL Injection vulnerable in \"" + inputFields[currentFormID][currentInputFieldID] + "\" form field\n\r saving the vulnerability for later reviews\n\r");
ExploitsManager e = new ExploitsManager();
e.add(_profileID.ToString(), "Maybe SQL Injection", currentFormURL + " \n\r form fields values : " + currentFormFieldsHeader, inputFields[currentFormID][currentInputFieldID]);
}
//check the returned page
foreach (string s in sqlSuccessResult)
{
if (resultHTML.Contains(s))
{
// it is a vulnerable page !
SharedVariables.myTestingForm.displayOutputActivity("the page : " + currentFormURL + " has a SQL Injection vulnerable in \"" + inputFields[currentFormID][currentInputFieldID] + "\" form field\n\r saving the vulnerability for later reviews\n\r");
ExploitsManager e = new ExploitsManager();
e.add(_profileID.ToString(), "SQL Injection", currentFormURL + " \n\r form fields values : " + currentFormFieldsHeader, inputFields[currentFormID][currentInputFieldID]);
continue;
}
}
}
}
}
/// <summary>
/// attack all query strings with SQL Injection pattern.
/// </summary>
public void attackAllQueryStrings(string URL)
{
HtmlParser parser = new HtmlParser(URL, string.Empty);
List<string> queryStrings = parser.getQueryStringParams(URL);
string nativeURL = URL.Split("?".ToCharArray())[0]; //get the link without query strings
string targetURL = nativeURL += "?";
foreach (string p in queryStrings)
{
if (targetURL[targetURL.Length - 1].ToString() == "?")
{
//first param in query string without &
targetURL += p.Split("=".ToCharArray())[0] + "=" + sqlAttackPattern;
}
else
{
//from second param we must add & before the param!
targetURL += "&" + p.Split("=".ToCharArray())[0] + "=" + sqlAttackPattern;
}
}
//just for testing
//System.Windows.Forms.MessageBox.Show(targetURL);
//attack the query strings
WebCrawler attacker = new WebCrawler(targetURL);
string resultHTML = attacker.fetchPage();
//check the results
foreach (string s in sqlSuccessResult)
{
if (resultHTML.Contains(s))
{
// it is a vulnerable page !
SharedVariables.myTestingForm.displayOutputActivity("the page : " + nativeURL + " has a SQL Injection vulnerable in one of its query string parameters\n saving the vulnerability for later reviews");
ExploitsManager e = new ExploitsManager();
e.add(_profileID.ToString(), "SQL Injection", targetURL,"Unknown");
}
}
}
private void button1_Click(object sender, EventArgs e)
{
WebCrawler c = new WebCrawler(textBox1.Text);
textBox2.Text=c.fetchPage();
}
/// <summary>
/// attack each query string with xss pattern to know exactly where is the exploit.
/// </summary>
public void attackEachQueryString(string URL)
{
HtmlParser parser = new HtmlParser(URL, string.Empty);
List<string> queryStrings = parser.getQueryStringParams(URL);
string nativeURL = URL.Split("?".ToCharArray())[0]; //get the link without query strings
string targetURL;
for (int i = 0; i < queryStrings.Count; i++)
{
targetURL= nativeURL + "?";
if (targetURL[targetURL.Length - 1].ToString() == "?")
{
//condition Ok meaning that it is the first param !!!!!!
//change just current query string with xss pattern
targetURL += queryStrings[i].Split("=".ToCharArray())[0].ToString() +"="+ xssAttackPattern;
}
else
{
//change just current query string with xss pattern
targetURL +="&"+ queryStrings[i].Split("=".ToCharArray())[0].ToString() +"="+ xssAttackPattern;
}
for (int j = 0; j < queryStrings.Count; j++)
{
if (j != i) // not to add the same param twice
{
if (targetURL[targetURL.Length - 1].ToString() == "?")//first param
{
//change just current query string with xss pattern
targetURL += queryStrings[j];
}
else
{
//change just current query string with xss pattern
targetURL += "&" + queryStrings[j];
}
}
}
//just for tests
//System.Windows.Forms.MessageBox.Show(targetURL);
//attack the query strings
WebCrawler attacker = new WebCrawler(targetURL);
string resultHTML = attacker.fetchPage();
//check the results
if (resultHTML.Contains(xssAttackPattern))
{
// it is a vulnerable page !
SharedVariables.myTestingForm.displayOutputActivity("the page : " + nativeURL + " has an XSS vulnerable in one of its query string parameters\n saving the vulnerability for later reviews");
ExploitsManager e = new ExploitsManager();
e.add(_profileID.ToString(), "XSS", targetURL, queryStrings[i].Split("=".ToCharArray())[0].ToString());
}
//else
//{
// // it is safe page againest XSS.
// // it is a vulnerable page !
// SharedVariables.myTestingForm.displayOutputActivity("the page : " + nativeURL + " query strigns are safe againest XSS attacks.");
//}
}
}
