void SendAndAnalyzeTimePayload(CommandInjectionPayloadParts PayloadParts)
{
TimeBasedCheckResults TimeCheckResults = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);
if (TimeCheckResults.Success)
{
string Cmd = TimeCommandGenerator(TimeCheckResults.DelayInduced, PayloadParts);
this.AddToTriggers(TimeCheckResults.DelayPayload, string.Format("The payload in this request contains a system command which if executed will cause the response to be delayed by {0} milliseconds. The system command is: {1}", TimeCheckResults.DelayInduced, Cmd), TimeCheckResults.DelayRequest, "", string.Format("It took {0}milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", TimeCheckResults.DelayObserved, TimeCheckResults.DelayInduced), TimeCheckResults.DelayResponse);
FindingReason reason = this.GetBlindReason(TimeCheckResults.DelayPayload, Cmd, TimeCheckResults);
this.Reasons.Add(reason);
}
}
FindingReason GetBlindReason(string payload, string cmd, TimeBasedCheckResults TimeCheckResults)
{
//#Reason = "IronWASP sent <i>'; ping -n 8 localhost</i> as payload to the application. This payload has a small system command - <i>ping -n 8 localhost</i>. "
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload has a small system command - <i<hlg>>{1}<i</hlg>>. ", Tools.EncodeForTrace(payload), cmd);
//#Reason = Reason + "If this command is executed then the server will ping itself 8 times. This will cause the response to be returned around 5000 milliseconds later than usual. "
Reason = Reason + string.Format("If this command is executed then the server will ping itself <i<hlg>>{0}<i</hlg>> times. This will cause the response to be returned around <i<hlg>>{1}<i</hlg>> milliseconds later than usual. ", PingCountCalculator(TimeCheckResults.DelayInduced), TimeCheckResults.DelayInduced);
//#Reason = Reason + "After the payload was injected the response from the application took <i>6783</i> milliseconds. Normally this particular request is processed at around <i>463</i> milliseconds. "
Reason = Reason + string.Format("After the payload was injected the response from the application took <i<hlg>>{0}<i</hlg>> milliseconds. Normally this particular request is processed at around <i<hlg>>{1}<i</hlg>> milliseconds. ", TimeCheckResults.DelayObserved, TimeCheckResults.AverageBaseTime);
Reason = Reason + "This indicates that the injected command could have been executed on the server-side.";
string ReasonType = "Blind";
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can manually inject the same payload but by changing the number of ping requests sent to different values. Then you can observe if the time taken for the response to be returned is affected accordingly.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, this.TriggerCount, FalsePositiveCheck);
return(FR);
}
FindingReason GetBlindReason(string payload, string cmd, TimeBasedCheckResults TimeCheckResults)
{
//#Reason = "IronWASP sent <i>'; ping -n 8 localhost</i> as payload to the application. This payload has a small system command - <i>ping -n 8 localhost</i>. "
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload has a small system command - <i<hlg>>{1}<i</hlg>>. ", Tools.EncodeForTrace(payload), cmd);
//#Reason = Reason + "If this command is executed then the server will ping itself 8 times. This will cause the response to be returned around 5000 milliseconds later than usual. "
Reason = Reason + string.Format("If this command is executed then the server will ping itself <i<hlg>>{0}<i</hlg>> times. This will cause the response to be returned around <i<hlg>>{1}<i</hlg>> milliseconds later than usual. ", PingCountCalculator(TimeCheckResults.DelayInduced), TimeCheckResults.DelayInduced);
//#Reason = Reason + "After the payload was injected the response from the application took <i>6783</i> milliseconds. Normally this particular request is processed at around <i>463</i> milliseconds. "
Reason = Reason + string.Format("After the payload was injected the response from the application took <i<hlg>>{0}<i</hlg>> milliseconds. Normally this particular request is processed at around <i<hlg>>{1}<i</hlg>> milliseconds. ", TimeCheckResults.DelayObserved, TimeCheckResults.AverageBaseTime);
Reason = Reason + "This indicates that the injected command could have been executed on the server-side.";
string ReasonType = "Blind";
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can manually inject the same payload but by changing the number of ping requests sent to different values. Then you can observe if the time taken for the response to be returned is affected accordingly.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, this.TriggerCount, FalsePositiveCheck);
return FR;
}
public TimeBasedCheckResults DoTimeDelayBasedCheck(PayloadGenerator PayloadGen, object OtherInfo, int AverageBaseRoundTrip)
{
TimeBasedCheckResults TimeCheckResults = new TimeBasedCheckResults();
TimeCheckResults.Success = false;
int DelayTime = 5000;
if (AverageBaseRoundTrip * 2 > DelayTime)
{
DelayTime = AverageBaseRoundTrip * 2;
}
string DelayPayload = PayloadGen(DelayTime, OtherInfo);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", DelayPayload));
Response DelayRes = this.Scnr.Inject(DelayPayload);
if (DelayRes.RoundTrip < DelayTime)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", DelayRes.RoundTrip, DelayTime));
return(TimeCheckResults);
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", DelayRes.RoundTrip, DelayTime));
this.Scnr.Trace("<i<b>>Doing further checks to determine if this delay was valid or a false positive<i</b>>");
}
List <int> SmallDelays = new List <int>();
List <int> BigDelays = new List <int>();
int BiggestDelay = 0;
Request DelayRequest = null;
Response DelayResponse = null;
int SmallDelayTime = 1000;
string SmallDelayPayload = PayloadGen(SmallDelayTime, OtherInfo);
foreach (int i in new int[] { 0, 1, 2 })
{
Thread.Sleep(2000);//To help the server recover from big delay
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", SmallDelayPayload));
SmallDelays.Add(this.Scnr.Inject(SmallDelayPayload).RoundTrip);
if (SmallDelays[i] < SmallDelayTime)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", SmallDelays[i], SmallDelayTime));
this.Scnr.Trace("<i<b>>Concluding that the earlier delays were False Positives<i</b>>");
return(TimeCheckResults);
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", SmallDelays[i], SmallDelayTime));
}
Thread.Sleep(1000);//To help the server recover from small delay
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", DelayPayload));
Response Res = this.Scnr.Inject(DelayPayload);
if (Res.RoundTrip >= BiggestDelay)
{
BiggestDelay = Res.RoundTrip;
DelayRequest = this.Scnr.InjectedRequest.GetClone();
DelayResponse = Res;
}
BigDelays.Add(Res.RoundTrip);
if (BigDelays[i] < DelayTime)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", BigDelays[i], DelayTime));
this.Scnr.Trace("<i<b>>Concluding that the earlier delays were False Positives<i</b>>");
return(TimeCheckResults);
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", BigDelays[i], DelayTime));
}
}
//Analyze small delays to confirm if this is vulnerable
int SmallDelayTimeDiffSuccessCount = 0;
foreach (int i in new int[] { 0, 1, 2 })
{
if ((BigDelays[i] - DelayTime) >= (SmallDelays[i] - SmallDelayTime))
{
SmallDelayTimeDiffSuccessCount++;
}
}
if (SmallDelayTimeDiffSuccessCount == 3)
{
this.Scnr.Trace(string.Format("<i<cr>>The 3 responses for the payload that induced a delay of {0}ms consistently took atleast {1}ms less than the 3 responses for the payload that induced a delay of {2}ms.<i</cr>>", SmallDelayTime, DelayTime - SmallDelayTime, DelayTime));
this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
TimeCheckResults.DelayPayload = DelayPayload;
TimeCheckResults.DelayInduced = DelayTime;
TimeCheckResults.DelayObserved = BiggestDelay;
TimeCheckResults.DelayRequest = DelayRequest;
TimeCheckResults.DelayResponse = DelayResponse;
TimeCheckResults.Confidence = FindingConfidence.High;
TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
TimeCheckResults.Success = true;
return(TimeCheckResults);
//Time delay successful high confidence
}
SmallDelayTimeDiffSuccessCount = 0;
foreach (int i in new int[] { 0, 1, 2 })
{
if ((BigDelays[i] - (DelayTime - 1000)) >= (SmallDelays[i] - SmallDelayTime))
{
SmallDelayTimeDiffSuccessCount++;
}
}
if (SmallDelayTimeDiffSuccessCount == 3)
{
this.Scnr.Trace(string.Format("<i<cr>>The 3 responses where a delay of {0}ms was induced consistently took atleast {1}ms less than the 3 responses where {2}ms delay was induced.<i</cr>>", SmallDelayTime, DelayTime - 1000 - SmallDelayTime, DelayTime));
this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
TimeCheckResults.DelayPayload = DelayPayload;
TimeCheckResults.DelayInduced = DelayTime;
TimeCheckResults.DelayObserved = BiggestDelay;
TimeCheckResults.DelayRequest = DelayRequest;
TimeCheckResults.DelayResponse = DelayResponse;
TimeCheckResults.Confidence = FindingConfidence.Medium;
TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
TimeCheckResults.Success = true;
return(TimeCheckResults);
//Time delay successful medium confidence
}
SmallDelayTimeDiffSuccessCount = 0;
foreach (int i in new int[] { 0, 1, 2 })
{
if ((BigDelays[i] - DelayTime / 2) >= (SmallDelays[i] - SmallDelayTime))
{
SmallDelayTimeDiffSuccessCount++;
}
}
if (SmallDelayTimeDiffSuccessCount == 3)
{
this.Scnr.Trace(string.Format("<i<cr>>The 3 responses where a delay of {0}ms was induced consistently took atleast {1}ms less than the 3 responses where {2}ms delay was induced.<i</cr>>", SmallDelayTime, (DelayTime / 2) - SmallDelayTime, DelayTime));
this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
TimeCheckResults.DelayPayload = DelayPayload;
TimeCheckResults.DelayInduced = DelayTime;
TimeCheckResults.DelayObserved = BiggestDelay;
TimeCheckResults.DelayRequest = DelayRequest;
TimeCheckResults.DelayResponse = DelayResponse;
TimeCheckResults.Confidence = FindingConfidence.Low;
TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
TimeCheckResults.Success = true;
return(TimeCheckResults);
//Time delay successful low confidence
}
this.Scnr.Trace("<i<b>>There were no consistent delays based on the injected payloads, so concluding that the earlier delays were false positives.<i</b>>");
return(TimeCheckResults);
}
FindingReason GetBlindTimeReason(TimeBasedCheckResults TimeCheckResults, int Trigger)
{
//#Reason = "IronWASP sent <i>' and pg_sleep(5)--</i> as payload to the application. "
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. ", Tools.EncodeForTrace(TimeCheckResults.DelayPayload));
//#Reason = Reason + "This payload has a small snippet of SQL code that will cause the database server to sleep for 5000 milliseconds. "
Reason = Reason + string.Format("This payload has a small snippet of SQL code that will cause the database server to sleep for <i<hlg>>{0}<i</hlg>> milliseconds. ", TimeCheckResults.DelayInduced);
//#Reason = Reason + "If this code is executed then the application will return the response 5000 milliseconds later than usual. "
Reason = Reason + string.Format("If this code is executed then the application will return the response <i<hlg>>{0}<i</hlg>> milliseconds later than usual. ", TimeCheckResults.DelayInduced);
//#Reason = Reason + "After the payload was injected the response from the application took <i>6783</i> milliseconds. "
Reason = Reason + string.Format("After the payload was injected the response from the application took <i<hlg>>{0}<i</hlg>> milliseconds. ", TimeCheckResults.DelayObserved);
//#Reason = Reason + "Normally this particular request is processed at around <i>463</i> milliseconds. "
Reason = Reason + string.Format("Normally this particular request is processed at around <i</hlg>>{0}<i</hlg>> milliseconds. ", TimeCheckResults.AverageBaseTime);
Reason = Reason + "This indicates that the injected SQL code snippet could have been executed on the server-side.";
string ReasonType = "TimeDelay";
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can manually inject the same payload but by changing the number of seconds of delay to different values. Then you can observe if the time taken for the response to be returned is affected accordingly.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, Trigger, FalsePositiveCheck);
return FR;
}
public TimeBasedCheckResults DoTimeDelayBasedCheck(PayloadGenerator PayloadGen, object OtherInfo, int AverageBaseRoundTrip)
{
TimeBasedCheckResults TimeCheckResults = new TimeBasedCheckResults();
TimeCheckResults.Success = false;
int DelayTime = 5000;
if (AverageBaseRoundTrip * 2 > DelayTime)
{
DelayTime = AverageBaseRoundTrip * 2;
}
string DelayPayload = PayloadGen(DelayTime, OtherInfo);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", DelayPayload));
Response DelayRes = this.Scnr.Inject(DelayPayload);
if (DelayRes.RoundTrip < DelayTime)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", DelayRes.RoundTrip, DelayTime));
return TimeCheckResults;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", DelayRes.RoundTrip, DelayTime));
this.Scnr.Trace("<i<b>>Doing further checks to determine if this delay was valid or a false positive<i</b>>");
}
List<int> SmallDelays = new List<int>();
List<int> BigDelays = new List<int>();
int BiggestDelay = 0;
Request DelayRequest=null;
Response DelayResponse=null;
int SmallDelayTime = 1000;
string SmallDelayPayload = PayloadGen(SmallDelayTime, OtherInfo);
foreach (int i in new int[] { 0, 1, 2 })
{
Thread.Sleep(2000);//To help the server recover from big delay
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", SmallDelayPayload));
SmallDelays.Add(this.Scnr.Inject(SmallDelayPayload).RoundTrip);
if (SmallDelays[i] < SmallDelayTime)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", SmallDelays[i], SmallDelayTime));
this.Scnr.Trace("<i<b>>Concluding that the earlier delays were False Positives<i</b>>");
return TimeCheckResults;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", SmallDelays[i], SmallDelayTime));
}
Thread.Sleep(1000);//To help the server recover from small delay
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", DelayPayload));
Response Res = this.Scnr.Inject(DelayPayload);
if (Res.RoundTrip >= BiggestDelay)
{
BiggestDelay = Res.RoundTrip;
DelayRequest = this.Scnr.InjectedRequest.GetClone();
DelayResponse = Res;
}
BigDelays.Add(Res.RoundTrip);
if (BigDelays[i] < DelayTime)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is less than the {1}ms delay induced in the payload.", BigDelays[i], DelayTime));
this.Scnr.Trace("<i<b>>Concluding that the earlier delays were False Positives<i</b>>");
return TimeCheckResults;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response roundtrip is {0}ms which is more than the {1}ms delay induced in the payload.", BigDelays[i], DelayTime));
}
}
//Analyze small delays to confirm if this is vulnerable
int SmallDelayTimeDiffSuccessCount = 0;
foreach (int i in new int[] { 0, 1, 2 })
{
if ((BigDelays[i] - DelayTime) >= (SmallDelays[i] - SmallDelayTime))
{
SmallDelayTimeDiffSuccessCount++;
}
}
if (SmallDelayTimeDiffSuccessCount == 3)
{
this.Scnr.Trace(string.Format("<i<cr>>The 3 responses for the payload that induced a delay of {0}ms consistently took atleast {1}ms less than the 3 responses for the payload that induced a delay of {2}ms.<i</cr>>", SmallDelayTime, DelayTime - SmallDelayTime ,DelayTime));
this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
TimeCheckResults.DelayPayload = DelayPayload;
TimeCheckResults.DelayInduced = DelayTime;
TimeCheckResults.DelayObserved = BiggestDelay;
TimeCheckResults.DelayRequest = DelayRequest;
TimeCheckResults.DelayResponse = DelayResponse;
TimeCheckResults.Confidence = FindingConfidence.High;
TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
TimeCheckResults.Success = true;
return TimeCheckResults;
//Time delay successful high confidence
}
SmallDelayTimeDiffSuccessCount = 0;
foreach (int i in new int[] { 0, 1, 2 })
{
if ((BigDelays[i] - (DelayTime - 1000)) >= (SmallDelays[i] - SmallDelayTime))
{
SmallDelayTimeDiffSuccessCount++;
}
}
if (SmallDelayTimeDiffSuccessCount == 3)
{
this.Scnr.Trace(string.Format("<i<cr>>The 3 responses where a delay of {0}ms was induced consistently took atleast {1}ms less than the 3 responses where {2}ms delay was induced.<i</cr>>", SmallDelayTime, DelayTime - 1000 - SmallDelayTime, DelayTime));
this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
TimeCheckResults.DelayPayload = DelayPayload;
TimeCheckResults.DelayInduced = DelayTime;
TimeCheckResults.DelayObserved = BiggestDelay;
TimeCheckResults.DelayRequest = DelayRequest;
TimeCheckResults.DelayResponse = DelayResponse;
TimeCheckResults.Confidence = FindingConfidence.Medium;
TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
TimeCheckResults.Success = true;
return TimeCheckResults;
//Time delay successful medium confidence
}
SmallDelayTimeDiffSuccessCount = 0;
foreach (int i in new int[] { 0, 1, 2 })
{
if ((BigDelays[i] - DelayTime / 2) >= (SmallDelays[i] - SmallDelayTime))
{
SmallDelayTimeDiffSuccessCount++;
}
}
if (SmallDelayTimeDiffSuccessCount == 3)
{
this.Scnr.Trace(string.Format("<i<cr>>The 3 responses where a delay of {0}ms was induced consistently took atleast {1}ms less than the 3 responses where {2}ms delay was induced.<i</cr>>", SmallDelayTime, (DelayTime/2)-SmallDelayTime, DelayTime));
this.Scnr.Trace("<i<cr>>This strongly indicates that the payloads are causing the delays and they are not false positives.<i</cr>>");
TimeCheckResults.DelayPayload = DelayPayload;
TimeCheckResults.DelayInduced = DelayTime;
TimeCheckResults.DelayObserved = BiggestDelay;
TimeCheckResults.DelayRequest = DelayRequest;
TimeCheckResults.DelayResponse = DelayResponse;
TimeCheckResults.Confidence = FindingConfidence.Low;
TimeCheckResults.AverageBaseTime = this.AvgBaseRoundTrip;
TimeCheckResults.Success = true;
return TimeCheckResults;
//Time delay successful low confidence
}
this.Scnr.Trace("<i<b>>There were no consistent delays based on the injected payloads, so concluding that the earlier delays were false positives.<i</b>>");
return TimeCheckResults;
}
