void CheckForLDAPInjection()
{
this.Scnr.Trace("<i<br>><i<h>>Checking for LDAP Injection:<i</h>>");
string payload = "#^($!@$)(()))******";
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload));
Response res = this.Scnr.Inject(payload);
List <string> errors_found = new List <string>();
foreach (string error in error_strings)
{
if (res.BodyString.Contains(error))
{
errors_found.Add(error);
}
}
if (errors_found.Count > 0)
{
this.Scnr.ResponseTrace(string.Format(" ==> <i<cr>>LDAP Injection Found.<i<br>>Errors:<i<br>>{0}<i</cr>>", string.Join(", ", errors_found.ToArray())));
this.reason = this.GetReason(payload, errors_found);
this.ReportLDAPInjection(payload, string.Format("The payload in this request is meant to trigger LDAP errors. The payload is: {0}", payload), string.Join("\r\n", errors_found.ToArray()), "This response contains LDAP error messages due to the error triggered by the payload");
}
else
{
this.Scnr.ResponseTrace(" ==> No Errors Found");
}
}
FindingReason GetErrorReason(string payload, string code, int num_a, int num_b)
{
//#payload - ';print 1234 + 7678;#
//#code - print 1234 + 7678
//#num_a - 1234
//#num_b - 7678
//#Reason = "IronWASP sent <i<hlg>>';print 1234 + 7678;#<i</hlg>> as payload to the application. This payload has a small snippet of code - <i<hlg>>print 1234 + 7678<i</hlg>>. "
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload has a small snippet of code - <i<hlg>>{1}<i</hlg>>. ", payload, code);
Reason = Reason + string.Format("If this code is executed then <i<hlg>>{0}<i</hlg>> and <i<hlg>>{1}<i</hlg>> will be added together and the sum of the addition will be printed back in the response. ", num_a, num_b);
//#Reason = Reason + "The response that came back from the application after the payload was injected had the value <i>34345</i>, which is the sum of 1234 & 7678. This indicates that the injected code snippet could have been executed on the server-side."
Reason = Reason + string.Format("The response that came back from the application after the payload was injected had the value <i<hlg>>{0}<i</hlg>>, which is the sum of <i<hlg>>{1}<i</hlg>> & <i<hlg>>{2}<i</hlg>>. ", num_a + num_b, num_a, num_b);
Reason = Reason + "This indicates that the injected code snippet could have been executed on the server-side.";
string ReasonType = "Error";
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can manually inject the same payload but by changing the two numbers to some other value. Then you can observe if the response contains the sum of two numbers.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, this.TriggerCount, FalsePositiveCheck);
return(FR);
}
FindingReason GetReason(string payload, List <string> errors)
{
payload = Tools.EncodeForTrace(payload);
//#Reason = Reason + "IronWASP sent <i>#^($!@$)(()))******<i> as payload to the application, this payload would cause an exception to happen in insecure LDAP queries. "
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application, this payload would cause an exception to happen in insecure LDAP queries. ", payload);
if (errors.Count > 1)
{
Reason = Reason + "The response from the application for this payload had the error messages:";
foreach (string error in errors)
{
Reason = Reason + string.Format("<i<br>><i<hlg>>{0}<i</hlg>>", error);
}
Reason = Reason + "<i<br>>These error messages are usually found in LDAP query related exceptions. Therefore this issue has been reported.";
}
else
{
//#Reason = Reason + "The response from the application for this payload had the error message: <i>An inappropriate matching occurred</i>. ".format(error)
Reason = Reason + string.Format("The response from the application for this payload had the error message: <i<hlg>>{0}<i</hlg>>. ", errors[0]);
Reason = Reason + "This error message is usually found in LDAP query related exceptions. Therefore this issue has been reported.";
}
string ReasonType = "Error";
//#False Positive Check
string FalsePositiveCheck = "Manually analyze the response recived for the payload and confirm if the error message is actually because of some exception on the server-side.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, 1, FalsePositiveCheck);
return(FR);
}
public override void Check(Scanner scnr)
{
//#Check logic based on https://github.com/fnordbg/SSI-Scan
this.Scnr = scnr;
this.Scnr.Trace("<i<br>><i<h>>Checking for Server Side Includes Injection:<i</h>><i<br>><i<br>>");
List <string> payloads = new List <string>()
{
string.Format("{0}\"'><!--#printenv -->", this.Scnr.PreInjectionParameterValue), "\"'><!--#printenv -->", "<!--#printenv -->"
};
foreach (string payload in payloads)
{
this.Scnr.RequestTrace("Injected - " + payload);
Response res = this.Scnr.Inject(payload);
if (res.BodyString.Contains("REMOTE_ADDR") && res.BodyString.Contains("DATE_LOCAL") && res.BodyString.Contains("DATE_GMT") && res.BodyString.Contains("DOCUMENT_URI") && res.BodyString.Contains("LAST_MODIFIED"))
{
this.Scnr.ResponseTrace(" ==> <i<cr>> Got contents of Environment variables in the response body. Indicates SSI Injection.<i</cr>>");
this.reason = this.GetReason(payload, new List <string>()
{
"REMOTE_ADDR", "DATE_LOCAL", "DATE_GMT", "DOCUMENT_URI", "LAST_MODIFIED"
});
this.ReportSSI(payload, string.Format("The payload in this request contains a SSI snippet <!--#printenv--> which if executed will print the contents of the environment variables. The payload is: {0}", payload), string.Join("\r\n", new string[] { "REMOTE_ADDR", "DATE_LOCAL", "DATE_GMT", "DOCUMENT_URI", "LAST_MODIFIED" }), "This response contains some keywords that are similar to some standard environment variable names.");
return;
}
else
{
this.Scnr.ResponseTrace(" ==> The response does not contain any Environment variable information.");
}
}
this.Scnr.Trace("<i<br>>No indication for presence of SSI Injection");
}
void CheckForELI()
{
this.Scnr.Trace("<i<br>><i<h>>Checking for Expression Langugage Injection:<i</h>>");
for (int i = 0; i < 2; i++)
{
int add_num_1 = 0;
int add_num_2 = 0;
Response base_res = this.Scnr.BaseResponse;
bool found_rand_nums = false;
while (!found_rand_nums)
{
add_num_1 = Tools.GetRandomNumber(1000000, 10000000);
add_num_2 = Tools.GetRandomNumber(1000000, 10000000);
if (!base_res.BodyString.Contains((add_num_1 + add_num_2).ToString()))
{
found_rand_nums = true;
}
}
string add_str = string.Format("{0}+{1}", add_num_1, add_num_2);
string added_str = (add_num_1 + add_num_2).ToString();
string payload = string.Format("${{{0}}}", add_str);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload));
Response res = this.Scnr.Inject(payload);
if (res.BodyString.Contains(added_str))
{
if (i == 0)
{
this.Scnr.ResponseTrace(string.Format(" ==> <i<b>>Got {0} in the response, this is the result of executing '{1}'. Rechecking to confirm.<i</b>>", added_str, add_str));
continue;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> <i<cr>>Got {0} in the response, this is the result of executing '{1}'. Indicates Expression Language Injection!<i</cr>>", added_str, add_str));
this.Scnr.SetTraceTitle("Expression Language Injection", 5);
this.AddToTriggers(payload, string.Format("The payload in this request contains a Expression Language snippet which if executed will add the numbers {0} & {1} and print the result. The Expression Language snippet is: {2}", add_num_1, add_num_2, payload), added_str, string.Format("This response contains the value {0} which is the sum of the numbers {1} & {2} which were sent in the request.", add_num_1 + add_num_2, add_num_1, add_num_2));
FindingReason reason = this.GetEchoReason(payload, payload, add_num_1, add_num_2);
this.Reasons.Add(reason);
return;
}
}
else
{
if (i == 0)
{
this.Scnr.ResponseTrace(string.Format(" ==> Did not get {0} in the response", added_str));
this.Scnr.Trace("<i<br>>No indication for presence of Expression Language Injection");
break;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Did not get {0} in the response. The last instance might have been a false trigger.", added_str));
this.Scnr.Trace("<i<br>>No indication for presence of Expression Language Injection");
}
}
}
}
void SendAndAnalyzeTimePayload(CommandInjectionPayloadParts PayloadParts)
{
TimeBasedCheckResults TimeCheckResults = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);
if (TimeCheckResults.Success)
{
string Cmd = TimeCommandGenerator(TimeCheckResults.DelayInduced, PayloadParts);
this.AddToTriggers(TimeCheckResults.DelayPayload, string.Format("The payload in this request contains a system command which if executed will cause the response to be delayed by {0} milliseconds. The system command is: {1}", TimeCheckResults.DelayInduced, Cmd), TimeCheckResults.DelayRequest, "", string.Format("It took {0}milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", TimeCheckResults.DelayObserved, TimeCheckResults.DelayInduced), TimeCheckResults.DelayResponse);
FindingReason reason = this.GetBlindReason(TimeCheckResults.DelayPayload, Cmd, TimeCheckResults);
this.Reasons.Add(reason);
}
}
FindingReason GetDiffReason(List <string> payloads, string file_name, string slash, int trigger_start, int trigger_count)
{
string Reason = "IronWASP sent four payloads to the application.<i<br>>";
string[] ids = new string[] { "A", "B", "C", "D" };
//#Payload A - <i>aa/../abcd.jpg</i>
//#Payload B - <i>aa../abcd.jpg</i>
//#Payload C - <i>bb/../abcd.jpg</i>
//#Payload D - <i>bb../abcd.jpg</i>
for (int i = 0; i < ids.Length; i++)
{
payloads[i] = Tools.EncodeForTrace(payloads[i]);
Reason = Reason + string.Format("Payload {0} - <i<hlg>>{1}<i</hlg>><i<br>>", ids[i], payloads[i]);
}
Reason = Reason + string.Format("<i<br>>Payloads A and C are similar in nature. They both refer to the file <i<hlg>>{0}<i</hlg>> ", file_name);
Reason = Reason + string.Format("by including an imaginary directory in the path (aa & bb) but then also invalidating it by traversing upwards by one directory using <i<hlg>>..{0}<i</hlg>>. ", slash);
//#Reason = Reason + "So these payloads must have the same effect as refering to the file <i<hlg>>abcd.jpg<i</hlg>> normally."
Reason = Reason + string.Format("So these payloads must have the same effect as referring to the file <i<hlg>>{0}<i</hlg>> normally.", file_name);
//#Reason = Reason + "<i<br>>Payloads B and D are similar to each other but different from A & C. They refer to the file <i>abcd.jpg</i> inside invalid directories (aa & bb)."
Reason = Reason + string.Format("<i<br>>Payloads B and D are similar to each other but different from A & C. They refer to the file <i<hlg>>{0}<i</hlg>> inside invalid directories (aa & bb).", file_name);
Reason = Reason + "<i<br>>If the application is vulnerable to Local File Include then the response for Payloads A & C must be similar to each other and different from responses for Payloads B&D. ";
Reason = Reason + "The responses for the injected payloads were analyzed and it was found that Payloads A & C got a similar looking response and were also different from responses got from Payloads B & D, thereby indicating the presence of this vulnerability.";
//#Trigger
List <int> trigger_ids = new List <int>();
for (int i = trigger_start + 1; i < trigger_start + trigger_count + 1; i++)
{
trigger_ids.Add(i);
}
string ReasonType = "Diff";
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can first manually look at the responses received for Payloads A, B, C and D. Analyze these payloads and verify if indeed A & C got similar responses and were different from B & D. ";
FalsePositiveCheck = FalsePositiveCheck + string.Format("You can also change the payloads for A & C by adding one more invalid directory and one more <i<hlg>>..{0}<i</hlg>> to invalidate that directory. ", slash);
FalsePositiveCheck = FalsePositiveCheck + "This must get the same response as the responses for A & C.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, trigger_ids, FalsePositiveCheck);
return(FR);
}
void SendAndAnalyzeEchoPayload(string payload, string file_echoed, string cmd)
{
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload));
Response res = this.Scnr.Inject(payload);
string echoed_file_info = this.GetDownloadedFileInfo(res, file_echoed);
if (echoed_file_info.Length > 0)
{
this.Scnr.ResponseTrace(string.Format(" ==> <i<cr>>Response contains contens of {0}<i</cr>>", file_echoed));
this.AddToTriggers(payload, string.Format("The payload in this request contains a system command which if executed will add the numbers prints the contens of the {0} file on the server. The system command is : {1}", file_echoed, cmd), echoed_file_info, string.Format("This response body contains the contents of the {0} file", file_echoed));
FindingReason reason = this.GetErrorReason(payload, cmd, file_echoed, echoed_file_info);
this.Reasons.Add(reason);
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> No trace of {0}", file_echoed));
}
}
FindingReason GetEchoReason(string payload, string echo_content, int Trigger)
{
payload = Tools.EncodeForTrace(payload);
//#Reason = "IronWASP sent <i>http://www.iana.org/a</i> as payload to the application. This payload refers to the home page of IANA. ".format(payload)
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload refers to the home page of IANA. ", payload);
//#Reason = Reason + "The response that came back for this payload had the string <i>IANA is responsible for coordinating the Internet</i>. ".format(payload);
Reason = Reason + string.Format("The response that came back for this payload had the string <i<hlg>>{0}<i</hlg>>. ", echo_content);
Reason = Reason + "This string is found in the home page of IANA. This indicates that the application fetched the home page of IANA and returned it in the response, which is RFI.";
string ReasonType = "Echo";
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can first manually look at the response sent for this payload and determine if it actually contains the contents of the IANA website. After that you can try loading contents of other URLs and check if they get added in the response.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, Trigger, FalsePositiveCheck);
return(FR);
}
FindingReason GetReason(string payload)
{
payload = Tools.EncodeForTrace(payload);
//#Reason = "IronWASP sent <i>'\r\nNeww: Headerr</i> as payload to the application. This payload has CRLF characters followed by the string <i>Neww: Headerr</i> which is in the format of a HTTP Header with name <i>Neww</i> and value <i>Headerr</i>. "
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload has CRLF characters followed by the string <i<hlg>>Neww: Headerr<i</hlg>> which is in the format of a HTTP Header with name <i<hlg>>Neww<i</hlg>> and value <i<hlg>>Headerr<i</hlg>>. ", payload);
Reason = Reason + "The response that came back from the application after injecting this payload has an HTTP header named <i<hlg>>Neww<i</hlg>>. ";
Reason = Reason + "This indicates that our payload caused an HTTP header to be injected in the response.";
string ReasonType = "HeaderAdded";
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can send the same payload but with different values for the header name part of the payload. If the response contains any HTTP headers with the specified names then there actually is Header Injection.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, 1, FalsePositiveCheck);
return(FR);
}
FindingReason GetReason(string payload, string redir_type)
{
payload = Tools.EncodeForTrace(payload);
//#Reason = Reason + "IronWASP sent <i>http://vulnsite.example.com</i> as payload to the application. The response that came back from the application to this payload had"
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. The response that came back from the application to this payload had ", payload);
if (redir_type == "Location-Header")
{
Reason = Reason + string.Format("the value <i<hlg>>{0}<i</hlg>> in its 'Location' header.", payload);
}
else if (redir_type == "Location-Meta")
{
Reason = Reason + string.Format("the value <i<hlg>>{0}<i</hlg>> in its meta http-equiv tag for 'Location'. This is equivalent to having this value in the 'Location' header.", payload);
}
else if (redir_type == "Refresh-Header")
{
Reason = Reason + string.Format("the value <i<hlg>>{0}<i</hlg>> in its 'Refresh' header.", payload);
}
else if (redir_type == "Refresh-Meta")
{
Reason = Reason + string.Format("the value <i<hlg>>{0}<i</hlg>> in its meta http-equiv tag for 'Refresh'. This is equivalent to having this value in the 'Refresh' header.", payload);
}
else if (redir_type.StartsWith("JS"))
{
Reason = Reason + string.Format("the value <i<hlg>>{0}<i</hlg>> inside JavaScript of the page in such a way that it would cause a redirection to this value.", payload);
}
string ReasonType = redir_type;
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can manually send this payload from the browser and observe is the page is actually being redirect outside. If the browser does not perform a redirect then observe the HTML source of the page and try to identify why the page does not redirect inspite of the payload URL occurring in a section of the page that would trigger a redirect.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, 1, FalsePositiveCheck);
return(FR);
}
FindingReason GetBlindReason(string payload, string cmd, TimeBasedCheckResults TimeCheckResults)
{
//#Reason = "IronWASP sent <i>'; ping -n 8 localhost</i> as payload to the application. This payload has a small system command - <i>ping -n 8 localhost</i>. "
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload has a small system command - <i<hlg>>{1}<i</hlg>>. ", Tools.EncodeForTrace(payload), cmd);
//#Reason = Reason + "If this command is executed then the server will ping itself 8 times. This will cause the response to be returned around 5000 milliseconds later than usual. "
Reason = Reason + string.Format("If this command is executed then the server will ping itself <i<hlg>>{0}<i</hlg>> times. This will cause the response to be returned around <i<hlg>>{1}<i</hlg>> milliseconds later than usual. ", PingCountCalculator(TimeCheckResults.DelayInduced), TimeCheckResults.DelayInduced);
//#Reason = Reason + "After the payload was injected the response from the application took <i>6783</i> milliseconds. Normally this particular request is processed at around <i>463</i> milliseconds. "
Reason = Reason + string.Format("After the payload was injected the response from the application took <i<hlg>>{0}<i</hlg>> milliseconds. Normally this particular request is processed at around <i<hlg>>{1}<i</hlg>> milliseconds. ", TimeCheckResults.DelayObserved, TimeCheckResults.AverageBaseTime);
Reason = Reason + "This indicates that the injected command could have been executed on the server-side.";
string ReasonType = "Blind";
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can manually inject the same payload but by changing the number of ping requests sent to different values. Then you can observe if the time taken for the response to be returned is affected accordingly.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, this.TriggerCount, FalsePositiveCheck);
return(FR);
}
FindingReason GetReason(string payload, List <string> keywords)
{
payload = Tools.EncodeForTrace(payload);
string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application, this payload would display the environment variables to be printed in the response if the application is vulnerable to Server Side Includes Injection.", payload);
Reason = Reason + "The response from the application for this payload had some keywords that are similar to the names of environment variables. These keywords were:";
foreach (string keyword in keywords)
{
Reason = Reason + string.Format("<i<br>><i<hlg>>{0}<i</hlg>>", keyword);
}
Reason = Reason + "<i<br>>These words are similar to that of standard environment variable names, therefore this issue has been reported.";
string ReasonType = "Echo";
//#False Positive Check
string FalsePositiveCheck = "Manually analyze the response received for the payload and confirm if it actually contains the environment variable details. Change the printenv command to some other SSI command and see if the response contains that command's output.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, 1, FalsePositiveCheck);
return(FR);
}
void CheckForCRLFInjection()
{
this.Scnr.Trace("<i<br>><i<h>>Checking for Header Injection:<i</h>>");
this.Scnr.Trace("<i<br>><i<b>> Trying to inject a header named 'Neww'<i</b>>");
bool crlf_inj_found = false;
List <string> prefix = new List <string>()
{
"", this.Scnr.PreInjectionParameterValue
};
foreach (string cis in this.crlf_inj_str)
{
if (crlf_inj_found)
{
break;
}
foreach (string p in prefix)
{
string payload = p + cis;
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload));
Response res = this.Scnr.Inject(payload);
if (res.Headers.Has("Neww"))
{
this.Scnr.ResponseTrace(" ==> <i<cr>>Header 'Neww' injected<i</cr>>");
this.reason = this.GetReason(payload);
this.ReportCRLFInjection(payload, string.Format("The payload in this request attempts to insert a header with name 'Neww' in the response. The payload is {0}", payload), "Neww: Headerr", "This response has a header named 'Neww' which was added because of the payload");
crlf_inj_found = true;
break;
}
else
{
this.Scnr.ResponseTrace(" ==> Header not injected");
}
}
}
}
//#Override the Check method of the base class with custom functionlity
public override void Check(Scanner scnr)
{
this.Scnr = scnr;
this.reason = null;
this.CheckForCRLFInjection();
}
void CheckForOpenRedirection()
{
this.Scnr.Trace("<i<br>><i<h>>Checking for Open Redirect:<i</h>>");
List <string> urls = new List <string>();
string uniq_str = "eziepwlivt";
this.Scnr.Trace("<i<br>><i<h>>Checking if In-Domain Redirect Happens:<i</h>>");
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", uniq_str));
Response res = this.Scnr.Inject(uniq_str);
if (this.IsRedirectedTo(uniq_str, res, false).Length > 0)
{
this.Scnr.ResponseTrace(" ==> <i<b>>In-domain redirect happens. Using full payload set!<i</b>>");
this.Scnr.SetTraceTitle("In-domain redirect happens", 5);
urls.AddRange(this.full_redirect_urls);
}
else
{
this.Scnr.ResponseTrace(" ==> In-domain redirect does not happen. Using only basic payload set");
urls.AddRange(this.basic_redirect_urls);
}
string host = this.BaseRequest.Host;
//#remove the port number from hostname
try
{
if (host.Contains(":"))
{
host = host.Substring(host.IndexOf(":"));
}
}
catch { }
this.Scnr.Trace("<i<br>><i<h>>Checking if Out-of-Domain Redirect Happens:<i</h>>");
foreach (string url in urls)
{
for (int i = 0; i < 2; i++)
{
string h = "";
if (i == 0)
{
h = "example.org";
}
else
{
h = string.Format("{0}.example.org", host);
}
string payload = url.Replace("<host>", h);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload));
res = this.Scnr.Inject(payload);
string redirected = "";
if (payload.StartsWith("5;") || payload.StartsWith("URL="))
{
string redirect_url = string.Format("http://{0}", h);
redirected = this.IsRedirectedTo(redirect_url, res, false);
}
else if (payload.StartsWith(h))
{
redirected = this.IsRedirectedTo(payload, res, true);
}
else
{
redirected = this.IsRedirectedTo(payload, res, false);
}
if (redirected.Length > 0)
{
this.reason = this.GetReason(payload, redirected);
this.Scnr.ResponseTrace(" ==> <i<cr>>Redirects to Injected payload!<i</cr>>");
this.ReportOpenRedirect(payload, string.Format("The payload in this request contains an url to the domain {0}. The payload is {1}", h, payload), payload, this.GetResponseTriggerDesc(redirected, h));
return;
}
else
{
this.Scnr.ResponseTrace(" ==> No redirect to payload");
}
}
}
}
FindingReason GetDiffReason(List <string> payloads, bool time, List <int> time_delays, int trigger_start, int trigger_count)
{
string Reason = "IronWASP sent four payloads to the application.<i<br>>";
List <string> ids = new List <string>()
{
"A", "B", "C", "D"
};
for (int i = 0; i < ids.Count; i++)
{
payloads[i] = Tools.EncodeForTrace(payloads[i]);
Reason = Reason + string.Format("Payload {0} - <i<hlg>>{1}<i</hlg>><i<br>>", ids[i], payloads[i]);
}
Reason = Reason + "<i<br>>Payloads A and C are similar in nature. They both refer to ports 65555 and 66666 on the server which are invalid ports.";
Reason = Reason + "<i<br>>Payloads B and D are similar to each other but different from A & C. They both refer to ports 1 and 2 on the server which are valid ports.";
Reason = Reason + "<i<br>>If the application is vulnerable to SSRF then it will try to connect to these ports and connections to invalid potrs with throw an exception of different type than the exception or error caused by connecting to the valid ports 1 and 2 which are most likely to be closed.";
Reason = Reason + "<i<br>>This would mean that the response for Payloads A & C must be similar to each other and different from responses for Payloads B&D. ";
if (time)
{
Reason = Reason + "<i<br>><i<br>>The responses for the injected payloads were analyzed and it was found that the response times for Payloads A & C were similar to each other and were also different from response times for Payloads B & D, thereby indicating the presence of this vulnerability.";
Reason = Reason + "<i<br>>The responses times for the four payloads were:";
Reason = Reason + string.Format("<i<br>>Payload A - {0}ms", time_delays[0]);
Reason = Reason + string.Format("<i<br>>Payload B - {0}ms", time_delays[1]);
Reason = Reason + string.Format("<i<br>>Payload C - {0}ms", time_delays[2]);
Reason = Reason + string.Format("<i<br>>Payload D - {0}ms", time_delays[3]);
}
else
{
Reason = Reason + "<i<br>><i<br>>The responses for the injected payloads were analyzed and it was found that Payloads A & C got a similar looking response and were also different from responses got from Payloads B & D, thereby indicating the presence of this vulnerability.";
}
//#Trigger
List <int> trigger_ids = new List <int>();
for (int i = trigger_start + 1; i < trigger_start + trigger_count + 1; i++)
{
trigger_ids.Add(i);
}
string ReasonType = "";
if (time)
{
ReasonType = "Delay";
}
else
{
ReasonType = "Diff";
}
//#False Positive Check
string FalsePositiveCheck = "To check if this was a valid case or a false positive you can first manually look at the responses received for Payloads A, B, C and D. Analyze these payloads and verify if indeed A & C got similar responses and were different from B & D. ";
FalsePositiveCheck = FalsePositiveCheck + "You can also change the payloads for A & C by chaning the port number to some other invalid port and change payloads B & D to some other valid port numbers and check of the four response show the same pattern as before.";
FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";
FindingReason FR = new FindingReason(Reason, ReasonType, trigger_ids, FalsePositiveCheck);
return(FR);
}
public void AddReason(FindingReason Reason)
{
this.Reasons.Add(Reason);
}
int CheckForRemoteFileIncludeWithSubDomainDelayOnce(string payload, string sub_domain, int worked)
{
int first_time = 0;
int last_res_time = 0;
List <int> res_times = new List <int>();
Request req_current = null;
Response res_current = null;
for (int i = 0; i < 4; i++)
{
if (i == 0)
{
this.Scnr.Trace(string.Format("<i<br>><i<b>>Sending First Request with Payload - {0}:<i</b>>", payload));
}
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload));
Response res = this.Scnr.Inject(payload);
res_times.Add(res.RoundTrip);
if (i == 0)
{
req_current = this.Scnr.InjectedRequest;
res_current = res;
first_time = res.RoundTrip;
this.Scnr.ResponseTrace(string.Format(" ==> Response time is {0}ms. This will be treated as the base time.", res.RoundTrip));
}
else
{
if (i == 1)
{
last_res_time = res.RoundTrip;
}
else
{
if (res.RoundTrip > (last_res_time + 150) || res.RoundTrip < (last_res_time - 150))
{
this.IsResponseTimeConsistent = false;
this.Scnr.ResponseTrace("<i<br>><i<b>>Response times are inconsistent, terminating time based RFI check.<i</b>>");
return(0);
}
}
if (res.RoundTrip >= first_time - 300)
{
this.Scnr.ResponseTrace(string.Format(" ==> Response time is {0}ms which is not 300ms lower than base time. Not an indication of RFI", res.RoundTrip));
break;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Response time is {0}ms which is 300ms lower than base time. If this is repeated then it could mean RFI", res.RoundTrip));
}
}
if (i == 3)
{
worked = worked + 1;
this.Scnr.SetTraceTitle("RFI Time Delay Observed Once", 5);
if (worked == 3)
{
this.RequestTriggers.Add(payload);
this.RequestTriggerDescs.Add(string.Format("The payload in this request refers to an non-existent domain {0}.example.org. The payload is {1}.", sub_domain, payload));
this.ResponseTriggers.Add("");
this.ResponseTriggerDescs.Add("The first time this payload was sent the response took longer to come back. In subsequent attempts to send the same payload, including this one, the response came back much faster.");
this.TriggerRequests.Add(req_current);
this.TriggerResponses.Add(res_current);
this.Scnr.Trace(string.Format("<i<br>><i<cr>>Got a delay in first request with payload - {0}. The three requests after that with the same payload took 300ms less. Infering that this is due to DNS caching on the server-side this is a RFI!<i</cr>>", payload));
FindingReason reason = this.GetDelayReason(payload, res_times, string.Format("{0}.example.org", sub_domain), this.TriggerCount + 1);
this.Reasons.Add(reason);
}
}
}
return(worked);
}
void CheckForSSRF()
{
this.Scnr.Trace("<i<br>><i<h>>Checking for Server Side Request Forgery:<i</h>>");
this.Scnr.Trace(string.Format("<i<br>>Normal Response Code - {0}. Length -{0}", this.BaseResponse.Code, this.BaseResponse.BodyLength));
string p = "";
string first_time_pattern = "";
string second_time_pattern = "";
bool strict_group_matched = false;
bool relaxed_group_matched = false;
if (this.Scnr.PreInjectionParameterValue.StartsWith("http://"))
{
p = "http://";
}
else if (this.Scnr.PreInjectionParameterValue.StartsWith("https://"))
{
p = "https://";
}
else
{
p = "";
}
for (int i = 0; i < 2; i++)
{
string payload_a = string.Format("{0}localhost:65555", p);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload_a));
Response res_a = this.Scnr.Inject(payload_a);
Request req_a = this.Scnr.InjectedRequest;
this.Scnr.ResponseTrace(string.Format(" ==> Got Response. Code- {0}. Length- {1}", res_a.Code, res_a.BodyLength));
string payload_a1 = string.Format("{0}localhost:1", p);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload_a1));
Response res_a1 = this.Scnr.Inject(payload_a1);
Request req_a1 = this.Scnr.InjectedRequest;
this.Scnr.ResponseTrace(string.Format(" ==> Got Response. Code- {0}. Length- {1}", res_a1.Code, res_a1.BodyLength));
string payload_b = string.Format("{0}localhost:66666", p);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload_b));
Response res_b = this.Scnr.Inject(payload_b);
Request req_b = this.Scnr.InjectedRequest;
this.Scnr.ResponseTrace(string.Format(" ==> Got Response. Code- {0}. Length- {1}", res_b.Code, res_b.BodyLength));
string payload_b1 = string.Format("{0}localhost:2", p);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload_b1));
Response res_b1 = this.Scnr.Inject(payload_b1);
Request req_b1 = this.Scnr.InjectedRequest;
this.Scnr.ResponseTrace(string.Format(" ==> Got Response. Code- {0}. Length- {1}", res_b1.Code, res_b1.BodyLength));
this.Scnr.Trace("<i<br>>Analysing the responses for patterns...");
//#Analyzing the responses for patterns
SimilarityChecker sc = new SimilarityChecker();
sc.Add("a", res_a, payload_a);
sc.Add("a1", res_a1, payload_a1);
sc.Add("b", res_b, payload_b);
sc.Add("b1", res_b1, payload_b1);
sc.Check();
List <Request> requests = new List <Request>()
{
req_a, req_a1, req_b, req_b1
};
List <Response> responses = new List <Response>()
{
res_a, res_a1, res_b, res_b1
};
List <string> request_trigger_descs = new List <string>();
request_trigger_descs.Add(string.Format("This payload points to the invalid port 65555 on localhost. The payload is {0}", payload_a));
request_trigger_descs.Add(string.Format("This payload points to the valid port 1 on localhost. The payload is {0}", payload_a1));
request_trigger_descs.Add(string.Format("This payload points to the invalid port 66666 on localhost. The payload is {0}", payload_b));
request_trigger_descs.Add(string.Format("This payload points to the valid port 2 on localhost. The payload is {0}", payload_b1));
List <string> response_trigger_descs = new List <string>();
response_trigger_descs.Add("The contents of this response are different from the response of the next trigger but are similar to the response of the trigger after the next.");
response_trigger_descs.Add("The contents of this response are different from the response of the previous trigger but are similar to the response of the trigger after the next.");
response_trigger_descs.Add("The contents of this response are different from the response of the next trigger but are similar to the response of the trigger before the previous.");
response_trigger_descs.Add("The contents of this response are different from the response of the previous trigger but are similar to the response of the trigger before the previous.");
List <string> request_triggers = new List <string>()
{
payload_a, payload_a1, payload_b, payload_b1
};
List <string> response_triggers = new List <string>()
{
"", "", "", ""
};
if (i == 0)
{
foreach (SimilarityCheckerGroup group in sc.StrictGroups)
{
if (group.Count == 2)
{
if (group.HasKey("a") && group.HasKey("b"))
{
this.Scnr.Trace("<i<br>><i<cr>>Responses for invalid port based payloads are similar to each other and are different from responses for valid port based payloads. Indicates presence of SSRF.<i</cr>>");
FindingReason reason = this.GetDiffReason(new List <string>()
{
payload_a, payload_a1, payload_b, payload_b1
}, false, new List <int>(), this.TriggerCount, request_triggers.Count);
this.Reasons.Add(reason);
this.RequestTriggers.AddRange(request_triggers);
this.ResponseTriggers.AddRange(response_triggers);
this.RequestTriggerDescs.AddRange(request_trigger_descs);
this.ResponseTriggerDescs.AddRange(response_trigger_descs);
this.TriggerRequests.AddRange(requests);
this.TriggerResponses.AddRange(responses);
this.TriggerCount = this.TriggerCount + request_triggers.Count;
this.SetConfidence(2);
strict_group_matched = true;
}
}
}
if (!strict_group_matched)
{
foreach (SimilarityCheckerGroup group in sc.RelaxedGroups)
{
if (group.Count == 2)
{
if (group.HasKey("a") && group.HasKey("b"))
{
this.Scnr.Trace("<i<br>><i<cr>>Responses for invalid port based payloads are similar to each other and are different responses for valid port based payload. Indicates presence of SSRF.<i</cr>>");
FindingReason reason = this.GetDiffReason(new List <string>()
{
payload_a, payload_a1, payload_b, payload_b1
}, false, new List <int>(), this.TriggerCount, request_triggers.Count);
this.Reasons.Add(reason);
this.RequestTriggers.AddRange(request_triggers);
this.ResponseTriggers.AddRange(response_triggers);
this.RequestTriggerDescs.AddRange(request_trigger_descs);
this.ResponseTriggerDescs.AddRange(response_trigger_descs);
this.TriggerRequests.AddRange(requests);
this.TriggerResponses.AddRange(responses);
this.TriggerCount = this.TriggerCount + request_triggers.Count;
this.SetConfidence(2);
relaxed_group_matched = true;
}
}
}
}
}
List <int> res_times = new List <int>()
{
res_a.RoundTrip, res_a1.RoundTrip, res_b.RoundTrip, res_b1.RoundTrip
};
res_times.Sort();
if ((res_times[2] - res_times[0] > 200) && (res_times[3] - res_times[0] > 200) && (res_times[2] - res_times[1] > 200) && (res_times[3] - res_times[1] > 200) && ((res_times[1] - res_times[0]) < 200) && ((res_times[3] - res_times[2]) < 200))
{
if ((res_a.RoundTrip == res_times[0] && res_b.RoundTrip == res_times[1]) || (res_a.RoundTrip == res_times[1] && res_b.RoundTrip == res_times[0]))
{
if (i == 0)
{
first_time_pattern = "Valid>Invalid";
}
else
{
second_time_pattern = "Valid>Invalid";
}
}
else if ((res_a1.RoundTrip == res_times[0] && res_b1.RoundTrip == res_times[1]) || (res_a1.RoundTrip == res_times[1] && res_b1.RoundTrip == res_times[0]))
{
if (i == 0)
{
first_time_pattern = "Invalid>Valid";
}
else
{
second_time_pattern = "Invalid>Valid";
}
}
}
if (first_time_pattern.Length > 0)
{
if (i == 0)
{
this.Scnr.Trace("<i<br>>There is a pattern in the roundtrip time of the four responses. Rechecking to confirm.<i<br>>");
continue;
}
else if (i == 1)
{
if (first_time_pattern == second_time_pattern)
{
this.Scnr.Trace("<i<br>><i<cr>>Response times for invalid port based payloads are similar to each other and are different from response times for valid port based payload. Indicates presence of SSRF.<i</cr>>");
response_trigger_descs = new List <string>();
response_trigger_descs.Add("This response time is different from the response time of the next trigger but is similar to the response time of the trigger after the next.");
response_trigger_descs.Add("This response time is different from the response time of the previous trigger but is similar to the response time of the trigger after the next.");
response_trigger_descs.Add("This response time is different from the response time of the next trigger but is similar to the response time of the trigger before the previous.");
response_trigger_descs.Add("This response time is different from the response time of the previous trigger but is similar to the response time of the trigger before the previous.");
FindingReason reason = this.GetDiffReason(new List <string>()
{
payload_a, payload_a1, payload_b, payload_b1
}, true, new List <int>()
{
res_a.RoundTrip, res_a1.RoundTrip, res_b.RoundTrip, res_b1.RoundTrip
}, this.TriggerCount, request_triggers.Count);
this.Reasons.Add(reason);
this.RequestTriggers.AddRange(request_triggers);
this.ResponseTriggers.AddRange(response_triggers);
this.RequestTriggerDescs.AddRange(request_trigger_descs);
this.ResponseTriggerDescs.AddRange(response_trigger_descs);
this.TriggerRequests.AddRange(requests);
this.TriggerResponses.AddRange(responses);
this.TriggerCount = this.TriggerCount + request_triggers.Count;
this.SetConfidence(2);
return;
}
else
{
this.Scnr.Trace("<i<br>>The pattern in the response times is inconsistent and therefore does not indicate SSRF");
return;
}
}
}
else if (!(relaxed_group_matched || strict_group_matched))
{
this.Scnr.Trace("<i<br>>The responses did not fall in any patterns that indicate SSRF");
break;
}
}
}
void CheckForLocalFileIncludeWithDownwardTraversalWithSlash(string slash)
{
//#check downward traversal
//#indicates presence of file read function and also a insecure direct object reference in that function
this.Scnr.Trace("<i<br>><i<b>>Checking for Downward Directory Traversal:<i</b>>");
this.Scnr.Trace(string.Format("<i<br>>Normal Response Code - {0}. Length -{0}", this.BaseResponse.Code, this.BaseResponse.BodyLength));
string payload_a = string.Format("aa<s>..<s>{0}", this.Scnr.PreInjectionParameterValue);
payload_a = payload_a.Replace("<s>", slash);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload_a));
Response res_a = this.Scnr.Inject(payload_a);
Request req_a = this.Scnr.InjectedRequest;
this.Scnr.ResponseTrace(string.Format(" ==> Got Response. Code- {0}. Length- {1}", res_a.Code, res_a.BodyLength));
string payload_a1 = string.Format("aa..<s>{0}", this.Scnr.PreInjectionParameterValue);
payload_a1 = payload_a1.Replace("<s>", slash);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload_a1));
Response res_a1 = this.Scnr.Inject(payload_a1);
Request req_a1 = this.Scnr.InjectedRequest;
this.Scnr.ResponseTrace(string.Format(" ==> Got Response. Code- {0}. Length- {1}", res_a1.Code, res_a1.BodyLength));
string payload_b = string.Format("bb<s>..<s>{0}", this.Scnr.PreInjectionParameterValue);
payload_b = payload_b.Replace("<s>", slash);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload_b));
Response res_b = this.Scnr.Inject(payload_b);
Request req_b = this.Scnr.InjectedRequest;
this.Scnr.ResponseTrace(string.Format(" ==> Got Response. Code- {0}. Length- {1}", res_b.Code, res_b.BodyLength));
string payload_b1 = string.Format("bb..<s>{0}", this.Scnr.PreInjectionParameterValue);
payload_b1 = payload_b1.Replace("<s>", slash);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload_b1));
Response res_b1 = this.Scnr.Inject(payload_b1);
Request req_b1 = this.Scnr.InjectedRequest;
this.Scnr.ResponseTrace(string.Format(" ==> Got Response. Code- {0}. Length- {1}", res_b1.Code, res_b1.BodyLength));
this.Scnr.Trace("<i<br>>Analysing the responses for patterns...");
//#Analyzing the responses for patterns
SimilarityChecker sc = new SimilarityChecker();
sc.Add("a", res_a);
sc.Add("a1", res_a1);
sc.Add("b", res_b);
sc.Add("b1", res_b1);
sc.Check();
List <Request> requests = new List <Request>()
{
req_a, req_a1, req_b, req_b1
};
List <Response> responses = new List <Response>()
{
res_a, res_a1, res_b, res_b1
};
List <string> request_trigger_descs = new List <string>();
request_trigger_descs.Add(string.Format("This payload refers to the {0} file by doing a proper upward directory traversal of a dummy directory 'aa'. The payload is {1}", this.Scnr.PreInjectionParameterValue, payload_a));
request_trigger_descs.Add(string.Format("This payload does not do a proper upward directory traversal of the dummy directory 'aa' and so does not refer to the {0} file. The payload is {1}", this.Scnr.PreInjectionParameterValue, payload_a1));
request_trigger_descs.Add(string.Format("This payload refers to the {0} file by doing a proper upward directory traversal of a dummy directory 'bb'. The payload is {1}", this.Scnr.PreInjectionParameterValue, payload_b));
request_trigger_descs.Add(string.Format("This payload does not do a proper upward directory traversal of the dummy directory 'bb' and so does not refer to the {0} file. The payload is {1}", this.Scnr.PreInjectionParameterValue, payload_b1));
List <string> response_trigger_descs = new List <string>();
response_trigger_descs.Add("The contents of this response are different from the response of the next trigger but are similar to the response of the trigger after the next.");
response_trigger_descs.Add("The contents of this response are different from the response of the previous trigger but are similar to the response of the trigger after the next.");
response_trigger_descs.Add("The contents of this response are different from the response of the next trigger but are similar to the response of the trigger before the previous.");
response_trigger_descs.Add("The contents of this response are different from the response of the previous trigger but are similar to the response of the trigger before the previous.");
List <string> request_triggers = new List <string>()
{
payload_a, payload_a1, payload_b, payload_b1
};
List <string> response_triggers = new List <string>()
{
"", "", "", ""
};
foreach (SimilarityCheckerGroup group in sc.StrictGroups)
{
if (group.Count == 2)
{
if (group.HasKey("a") && group.HasKey("b"))
{
this.Scnr.Trace("<i<br>><i<cr>>Responses for traversal based payloads are similar to each other and are different from non-traversal based responses. Indicates presence of LFI.<i</cr>>");
FindingReason reason = this.GetDiffReason(new List <string>()
{
payload_a, payload_a1, payload_b, payload_b1
}, this.Scnr.PreInjectionParameterValue, slash, this.TriggerCount, request_triggers.Count);
this.Reasons.Add(reason);
this.RequestTriggers.AddRange(request_triggers);
this.ResponseTriggers.AddRange(response_triggers);
this.RequestTriggerDescs.AddRange(request_trigger_descs);
this.ResponseTriggerDescs.AddRange(response_trigger_descs);
this.TriggerRequests.AddRange(requests);
this.TriggerResponses.AddRange(responses);
this.TriggerCount = this.TriggerCount + request_triggers.Count;
this.SetConfidence(2);
return;
}
}
}
foreach (SimilarityCheckerGroup group in sc.RelaxedGroups)
{
if (group.Count == 2)
{
if (group.HasKey("a") && group.HasKey("b"))
{
this.Scnr.Trace("<i<br>><i<cr>>Responses for traversal based payloads are similar to each other and are different from non-traversal based responses. Indicates presence of LFI.<i</cr>>");
FindingReason reason = this.GetDiffReason(new List <string>()
{
payload_a, payload_a1, payload_b, payload_b1
}, this.Scnr.PreInjectionParameterValue, slash, this.TriggerCount, request_triggers.Count);
this.Reasons.Add(reason);
this.RequestTriggers.AddRange(request_triggers);
this.ResponseTriggers.AddRange(response_triggers);
this.RequestTriggerDescs.AddRange(request_trigger_descs);
this.ResponseTriggerDescs.AddRange(response_trigger_descs);
this.TriggerRequests.AddRange(requests);
this.TriggerResponses.AddRange(responses);
this.TriggerCount = this.TriggerCount + request_triggers.Count;
this.SetConfidence(1);
return;
}
}
}
this.Scnr.Trace("<i<br>>The responses did not fall in any patterns that indicate LFI");
}
void CheckForLocalFileIncludeWithKnownFiles()
{
List <string> file_exts = new List <string>();
this.BaseResponse = this.Scnr.BaseResponse;
string[] parts = this.Scnr.PreInjectionParameterValue.Split('.');
if (parts.Length > 1)
{
file_exts.Add(parts[parts.Length - 1]);
}
file_exts.AddRange(this.file_ext);
this.Scnr.Trace("<i<br>><i<h>>Checking for Local File Include with Known Files:<i</h>>");
foreach (string f in this.files.Keys)
{
foreach (string nt in this.null_terminator)
{
foreach (string fe in file_exts)
{
if (nt.Length == 0 && fe.Length > 0)
{
continue;//#no point in adding a file extension without a null terminator
}
string payload = "";
if (this.slash_prefix == "file:")
{
if (this.files[f] == "nix")
{
payload = string.Format("/{0}{1}", f, nt);
}
else
{
payload = string.Format("c:\\{0}{1}", f, nt);
}
}
else
{
if (this.files[f] == "nix")
{
payload = string.Format("{0}{1}{2}{3}", this.slash_prefix, Tools.MultiplyString("../", 15), f, nt);
}
else
{
payload = string.Format("{0}{1}{2}{3}", this.slash_prefix, Tools.MultiplyString("..\\", 15), f, nt);
}
}
if (fe.Length > 0)
{
payload = string.Format("{0}.{1}", payload, fe);
}
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload));
Response res = this.Scnr.Inject(payload);
string downloaded_file_info = this.GetDownloadedFileInfo(res, f);
if (downloaded_file_info.Length > 0)
{
this.Scnr.ResponseTrace(string.Format(" ==> <i<cr>>Response contains contens of {0}<i</cr>>", f));
if (this.slash_prefix == "file:")
{
this.AddToTriggers(payload, string.Format("The payload in this request refers to the {0} file by using the file: protocol. The payload is {1}", f, payload), downloaded_file_info, string.Format("This response contains contents of the {0} file. This was caused by the payload", f));
}
else
{
this.AddToTriggers(payload, string.Format("The payload in this request refers to the {0} file by traversing upwards in the directory structure. The payload is {1}", f, payload), downloaded_file_info, string.Format("This response contains contents of the {0} file. This was caused by the payload", f));
}
this.SetConfidence(3);
string slash = "";
if (this.files[f] == "nix")
{
slash = "/";
}
else
{
slash = "\\";
}
FindingReason reason = this.GetEchoReason(payload, f, downloaded_file_info, slash, this.TriggerCount, this.slash_prefix);
this.Reasons.Add(reason);
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> No trace of {0}", f));
}
}
}
}
}
void CheckForEchoBasedCodeInjection()
{
//#lang_order [php, perl, pyton, asp, ruby]
List <string> functions = new List <string>()
{
"echo <add_str>;", "print <add_str>;", "print <add_str>", "Response.Write(<add_str>)", "puts <add_str>"
};
List <string> comments = new List <string>()
{
"#", "#", "#", "'", "#"
};
List <string> prefixes = new List <string>()
{
"", ";", "';", "\";"
};
int add_num_1 = 0;
int add_num_2 = 0;
Response base_res = this.Scnr.BaseResponse;
bool found_rand_nums = false;
while (!found_rand_nums)
{
add_num_1 = Tools.GetRandomNumber(1000000, 10000000);
add_num_2 = Tools.GetRandomNumber(1000000, 10000000);
if (!base_res.BodyString.Contains((add_num_1 + add_num_2).ToString()))
{
found_rand_nums = true;
}
}
string add_str = string.Format("{0}+{1}", add_num_1, add_num_2);
string added_str = (add_num_1 + add_num_2).ToString();
this.Scnr.Trace("<i<br>><i<h>>Checking for Echo based Code Injection:<i</h>>");
for (int i = 0; i < functions.Count; i++)
{
foreach (string p in prefixes)
{
List <string> inj_comments = new List <string>()
{
"", comments[i]
};
foreach (string c in inj_comments)
{
string func_to_execute = functions[i].Replace("<add_str>", add_str);
string payload = string.Format("{0}{1}{2}", p, func_to_execute, c);
this.Scnr.RequestTrace(string.Format(" Injected payload - {0}", payload));
Response res = this.Scnr.Inject(payload);
if (res.BodyString.Contains(added_str))
{
this.Scnr.ResponseTrace(string.Format(" ==> <i<cr>>Got {0} in the response, this is the result of executing '{1}'. Indicates Code Injection!<i</cr>>", added_str, add_str));
this.Scnr.SetTraceTitle("Echo based Code Injection", 5);
this.AddToTriggers(payload, string.Format("The payload in this request contains a code snippet which if executed will add the numbers {0} & {1} and print the result. The code snippet is: {2}", add_num_1, add_num_2, func_to_execute), added_str, string.Format("This response contains the value {0} which is the sum of the numbers {1} & {2} which were sent in the request.", add_num_1 + add_num_2, add_num_1, add_num_2));
FindingReason reason = this.GetErrorReason(payload, func_to_execute, add_num_1, add_num_2);
this.Reasons.Add(reason);
return;
}
else
{
this.Scnr.ResponseTrace(string.Format(" ==> Did not get {0} in the response", added_str));
}
}
}
}
}
