Esempio n. 1
 /// <summary>
 /// Builds the delay-inducing code snippet for the requested delay.
 /// </summary>
 /// <param name="TimeDelayInMilliSeconds">Requested delay in milliseconds; 0 selects the no-delay case.</param>
 /// <param name="PayloadParts">Payload pieces; only <c>Function</c> is read here, as a format template.</param>
 /// <returns>
 /// <c>Scnr.PreInjectionParameterValue</c> when the delay is 0, otherwise the template in
 /// <c>PayloadParts.Function</c> with its <c>{0}</c> slot filled in.
 /// </returns>
 string TimeCommandGenerator(int TimeDelayInMilliSeconds, CodeInjectionPayloadParts PayloadParts)
 {
     // Zero delay: no snippet is generated, the scanner's pre-injection value is returned as-is.
     if (TimeDelayInMilliSeconds == 0)
     {
         return this.Scnr.PreInjectionParameterValue;
     }

     // TimeDelayNumberCalculator is defined elsewhere; presumably it converts the millisecond
     // delay into the unit the snippet expects - confirm against its definition.
     int snippetDelayArgument = TimeDelayNumberCalculator(TimeDelayInMilliSeconds);

     // Function is used as a composite format string: a template containing a literal '{' or '}'
     // would have to double it, otherwise string.Format throws FormatException.
     return string.Format(PayloadParts.Function, snippetDelayArgument);
 }
Esempio n. 2
        //void SendAndAnalyzeTimePayload(string payload, string func_to_execute, int avg_time)
        //{
        //    for (int i = 0; i < 2; i++)
        //    {
        //        this.Scnr.RequestTrace(string.Format("  Injected payload - {0}", payload));
        //        Response res = this.Scnr.Inject(payload);
        //        //#we reduce the delay by 3 seconds to make up for the the fact that the ping could complete earlier
        //        if (res.RoundTrip >= this.time * 1000)
        //        {
        //            if (i == 0)
        //            {
        //                this.Scnr.ResponseTrace(string.Format("    ==> <i<b>>Observed a delay of {0}ms, induced delay was for {1}ms. Rechecking the delay by sending the same payload again<i</b>>", res.RoundTrip, this.time * 1000));
        //            }
        //            else
        //            {
        //                this.Scnr.ResponseTrace(string.Format("    ==> <i<cr>>Observed a delay of {0}ms, induced delay was for {1}ms. Delay observed twice, indicates Code Injection!!<i</cr>>", res.RoundTrip, this.time * 1000));
        //                this.AddToTriggers(payload, string.Format("The payload in this request contains a code snippet which if executed will cause the response to be delayed by {0} milliseconds. The code snippet is: {1}", this.time * 1000, func_to_execute), "", string.Format("It took {0}milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", res.RoundTrip, this.time * 1000));
        //                FindingReason reason = this.GetBlindReason(payload, func_to_execute, res.RoundTrip, avg_time);
        //                this.Reasons.Add(reason);
        //            }
        //        }
        //        else
        //        {
        //            if (i == 0)
        //            {
        //                this.Scnr.ResponseTrace(string.Format("    ==> Response time was {0}ms. No delay observed.", res.RoundTrip));
        //                return;
        //            }
        //            else
        //            {
        //                this.Scnr.ResponseTrace(string.Format("    ==> Response time was {0}ms. Delay did not reoccur, initial delay could have been due to network issues.", res.RoundTrip));
        //            }
        //        }
        //    }
        //}

        /// <summary>
        /// Runs the time-delay check for one payload combination and records a trigger and a
        /// finding reason when that check reports success.
        /// </summary>
        /// <param name="PayloadParts">Prefix, snippet template and comment marker of the combination under test.</param>
        void SendAndAnalyzeTimePayload(CodeInjectionPayloadParts PayloadParts)
        {
            TimeBasedCheckResults checkOutcome = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);

            // Nothing is recorded unless the timing check itself declared success.
            // NOTE(review): how reliable that verdict is depends on the baseline/recheck logic inside
            // DoTimeDelayBasedCheck, which is not visible here; latency jitter can mimic an induced delay.
            if (!checkOutcome.Success)
            {
                return;
            }

            // Rebuild the snippet for the delay that was actually induced so the report can quote it.
            string injectedSnippet = TimeCommandGenerator(checkOutcome.DelayInduced, PayloadParts);

            string requestTriggerDescription = string.Format("The payload in this request contains a code snippet which if executed will cause the response to be delayed by {0} milliseconds. The code snippet is: {1}", checkOutcome.DelayInduced, injectedSnippet);
            string responseTriggerDescription = string.Format("It took {0} milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", checkOutcome.DelayObserved, checkOutcome.DelayInduced);

            this.AddToTriggers(
                checkOutcome.DelayPayload,
                requestTriggerDescription,
                checkOutcome.DelayRequest,
                "",
                responseTriggerDescription,
                checkOutcome.DelayResponse);

            FindingReason blindReason = this.GetBlindReason(checkOutcome.DelayPayload, injectedSnippet, checkOutcome);
            this.Reasons.Add(blindReason);
        }
Esempio n. 3
        /// <summary>
        /// Produces the complete parameter value to inject for a given delay:
        /// prefix, then the delay snippet, then the trailing comment marker.
        /// </summary>
        /// <param name="TimeDelayInMilliSeconds">Requested delay in milliseconds; 0 selects the no-delay case.</param>
        /// <param name="OtherInfo">Expected to hold a <c>CodeInjectionPayloadParts</c>; only read when the delay is non-zero.</param>
        /// <returns><c>Scnr.PreInjectionParameterValue</c> when the delay is 0, otherwise the assembled payload.</returns>
        string TimePayloadGenerator(int TimeDelayInMilliSeconds, object OtherInfo)
        {
            // Zero delay: no payload is built, the scanner's pre-injection value is returned.
            if (TimeDelayInMilliSeconds == 0)
            {
                return this.Scnr.PreInjectionParameterValue;
            }

            // OtherInfo is untyped in the signature; this direct cast throws InvalidCastException
            // if a caller hands over an object of any other type.
            CodeInjectionPayloadParts parts = (CodeInjectionPayloadParts)OtherInfo;
            string delaySnippet = TimeCommandGenerator(TimeDelayInMilliSeconds, parts);

            return string.Concat(parts.Prefix, delaySnippet, parts.Comment);
        }
Esempio n. 4
        /// <summary>
        /// Returns the code snippet that should induce the requested delay.
        /// </summary>
        /// <param name="TimeDelayInMilliSeconds">Requested delay in milliseconds; 0 selects the no-delay case.</param>
        /// <param name="PayloadParts">Payload pieces; <c>Function</c> supplies the format template.</param>
        /// <returns>
        /// The formatted snippet for a non-zero delay, or <c>Scnr.PreInjectionParameterValue</c> when the delay is 0.
        /// </returns>
        string TimeCommandGenerator(int TimeDelayInMilliSeconds, CodeInjectionPayloadParts PayloadParts)
        {
            if (TimeDelayInMilliSeconds != 0)
            {
                // Helper defined elsewhere; presumably maps milliseconds to the number the
                // snippet takes as its argument - verify against its definition.
                int delayArgument = TimeDelayNumberCalculator(TimeDelayInMilliSeconds);

                // Function acts as a composite format string, so literal braces in a template
                // must be doubled or string.Format throws FormatException.
                return string.Format(PayloadParts.Function, delayArgument);
            }

            // No delay requested: return the scanner's pre-injection value untouched.
            return this.Scnr.PreInjectionParameterValue;
        }
Esempio n. 5
        //void SendAndAnalyzeTimePayload(string payload, string func_to_execute, int avg_time)
        //{
        //    for (int i = 0; i < 2; i++)
        //    {
        //        this.Scnr.RequestTrace(string.Format("  Injected payload - {0}", payload));
        //        Response res = this.Scnr.Inject(payload);
        //        //#we reduce the delay by 3 seconds to make up for the the fact that the ping could complete earlier
        //        if (res.RoundTrip >= this.time * 1000)
        //        {
        //            if (i == 0)
        //            {
        //                this.Scnr.ResponseTrace(string.Format("    ==> <i<b>>Observed a delay of {0}ms, induced delay was for {1}ms. Rechecking the delay by sending the same payload again<i</b>>", res.RoundTrip, this.time * 1000));
        //            }
        //            else
        //            {
        //                this.Scnr.ResponseTrace(string.Format("    ==> <i<cr>>Observed a delay of {0}ms, induced delay was for {1}ms. Delay observed twice, indicates Code Injection!!<i</cr>>", res.RoundTrip, this.time * 1000));
        //                this.AddToTriggers(payload, string.Format("The payload in this request contains a code snippet which if executed will cause the response to be delayed by {0} milliseconds. The code snippet is: {1}", this.time * 1000, func_to_execute), "", string.Format("It took {0}milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", res.RoundTrip, this.time * 1000));
        //                FindingReason reason = this.GetBlindReason(payload, func_to_execute, res.RoundTrip, avg_time);
        //                this.Reasons.Add(reason);
        //            }
        //        }
        //        else
        //        {
        //            if (i == 0)
        //            {
        //                this.Scnr.ResponseTrace(string.Format("    ==> Response time was {0}ms. No delay observed.", res.RoundTrip));
        //                return;
        //            }
        //            else
        //            {
        //                this.Scnr.ResponseTrace(string.Format("    ==> Response time was {0}ms. Delay did not reoccur, initial delay could have been due to network issues.", res.RoundTrip));
        //            }
        //        }
        //    }
        //}
        /// <summary>
        /// Performs the time-delay check for a single payload combination and, if the check
        /// succeeds, stores the trigger details and the finding reason.
        /// </summary>
        /// <param name="PayloadParts">Prefix, snippet template and comment marker being tested.</param>
        void SendAndAnalyzeTimePayload(CodeInjectionPayloadParts PayloadParts)
        {
            TimeBasedCheckResults timing = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);

            // Only a successful check produces a finding.
            // NOTE(review): the baseline and recheck behaviour lives in DoTimeDelayBasedCheck, which
            // this block does not show; a slow network or server can otherwise look like an induced delay.
            if (timing.Success)
            {
                // Same snippet the payload carried, regenerated for the delay that was induced.
                string snippetForReport = TimeCommandGenerator(timing.DelayInduced, PayloadParts);

                string requestNote = string.Format("The payload in this request contains a code snippet which if executed will cause the response to be delayed by {0} milliseconds. The code snippet is: {1}", timing.DelayInduced, snippetForReport);
                string responseNote = string.Format("It took {0} milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", timing.DelayObserved, timing.DelayInduced);

                this.AddToTriggers(timing.DelayPayload, requestNote, timing.DelayRequest, "", responseNote, timing.DelayResponse);

                this.Reasons.Add(this.GetBlindReason(timing.DelayPayload, snippetForReport, timing));
            }
        }
Esempio n. 6
        /// <summary>
        /// Tries every combination of delay snippet, breakout prefix and trailing comment marker,
        /// handing each combination to <c>SendAndAnalyzeTimePayload</c>.
        /// </summary>
        void CheckForTimeBasedCodeInjection()
        {
            this.Scnr.Trace("<i<br>><i<h>>Checking for Time based Code Injection:<i</h>>");

            // An earlier revision measured a response-time baseline inline at this point (three
            // uninjected requests, tracking minimum, maximum and average round trip) and derived the
            // delay from it. That code was disabled; this method no longer measures timing itself.

            // Delay snippets with a <seconds> placeholder: a bare sleep() call and a Python
            // import-then-sleep form.
            string[] delaySnippets = { "sleep(<seconds>);", "import time;time.sleep(<seconds>);" };

            // Prefixes: nothing, or a quote followed by ';' - apparently meant to close a single- or
            // double-quoted string and end the statement before the snippet starts.
            string[] breakoutPrefixes = { "", "';", "\";" };

            // Suffixes: nothing, or '#' so that whatever follows the injected value is commented out.
            string[] trailingComments = { "", "#" };

            // 2 x 3 x 2 = 12 combinations, each one passed to SendAndAnalyzeTimePayload separately.
            foreach (string snippet in delaySnippets)
            {
                // Swap the readable placeholder for a {0} slot once per snippet; presumably it is
                // filled in later through string.Format.
                string snippetTemplate = snippet.Replace("<seconds>", "{0}");

                foreach (string prefix in breakoutPrefixes)
                {
                    foreach (string comment in trailingComments)
                    {
                        CodeInjectionPayloadParts PayloadParts = new CodeInjectionPayloadParts
                        {
                            Prefix = prefix,
                            Function = snippetTemplate,
                            Comment = comment
                        };
                        this.SendAndAnalyzeTimePayload(PayloadParts);
                    }
                }
            }
        }
Esempio n. 7
        /// <summary>
        /// Walks the full cross product of delay snippets, breakout prefixes and comment markers
        /// and runs one time-based check per combination via <c>SendAndAnalyzeTimePayload</c>.
        /// </summary>
        void CheckForTimeBasedCodeInjection()
        {
            this.Scnr.Trace("<i<br>><i<h>>Checking for Time based Code Injection:<i</h>>");

            // A disabled earlier version of this method sent three uninjected requests here to
            // record minimum, maximum and average round-trip times and picked the delay from them.
            // None of that runs any more; no timing is measured inside this method.

            // Snippet templates; <seconds> marks where the delay value goes. The second one is the
            // Python form (import time, then time.sleep).
            string[] snippetTemplates = { "sleep(<seconds>);", "import time;time.sleep(<seconds>);" };

            // Empty prefix for unquoted contexts, or quote + ';' which looks intended to terminate a
            // surrounding single- or double-quoted string before the snippet.
            string[] stringBreakouts = { "", "';", "\";" };

            // Empty suffix, or '#' to turn the remainder after the injected value into a comment.
            string[] commentMarkers = { "", "#" };

            // Twelve combinations in total (2 snippets x 3 prefixes x 2 suffixes); every one
            // results in its own SendAndAnalyzeTimePayload call.
            foreach (string template in snippetTemplates)
            {
                // The placeholder becomes a {0} slot; presumably string.Format fills it downstream.
                string formatReadyTemplate = template.Replace("<seconds>", "{0}");

                foreach (string breakout in stringBreakouts)
                {
                    foreach (string marker in commentMarkers)
                    {
                        CodeInjectionPayloadParts PayloadParts = new CodeInjectionPayloadParts
                        {
                            Prefix = breakout,
                            Function = formatReadyTemplate,
                            Comment = marker
                        };
                        this.SendAndAnalyzeTimePayload(PayloadParts);
                    }
                }
            }
        }