/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//对一个网站进行扫描,主控程序
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
public void Scan()
{
try
{
this.ipList = System.Net.Dns.GetHostEntry(new Uri(this.RootUrl).Host).AddressList;
}
catch (Exception e)
{
e.GetType();
this.SecurityLevel = 0;
return;
}
//向主页发出http请求
this.HtmlCode = GetResponseHtmlCode(RootUrl, "GET");
if (this.HtmlCode.Contains("无法解析此远程名称"))
{
this.SecurityLevel = 0;
return;
}
//分析该网站的开发语言 asp php aspx jsp
string strASP = @"\.asp\?";
string strASPX = @"\.aspx\?";
string strJSP = @"\.jsp\?";
string strPHP = @"\.php\?";
this.WebLanguage = "asp";
Regex rASP = new Regex(strASP, RegexOptions.IgnoreCase);
Regex rASPX = new Regex(strASPX, RegexOptions.IgnoreCase);
Regex rJSP = new Regex(strJSP, RegexOptions.IgnoreCase);
Regex rPHP = new Regex(strPHP, RegexOptions.IgnoreCase);
MatchCollection mASP = rASP.Matches(HtmlCode);
MatchCollection mASPX = rASPX.Matches(HtmlCode);
MatchCollection mJSP = rJSP.Matches(HtmlCode);
MatchCollection mPHP = rPHP.Matches(HtmlCode);
int max = mASP.Count;
if (mASPX.Count >= max)
{
this.WebLanguage = "aspx";
max = mASPX.Count;
}
if (mJSP.Count > max)
{
this.WebLanguage = "jsp";
max = mJSP.Count;
}
if (mPHP.Count > max)
{
this.WebLanguage = "php";
max = mPHP.Count;
}
InjectionPoint IPnew = new InjectionPoint(RootUrl, false, false, false);
alPossibleInjectionPoints.Add(IPnew);
//从主页中寻找可能的SQL注入点,并放入alPossibleInjectionPoints中
FindPossibleInjectionPoints(HtmlCode, new Uri(RootUrl), alPossibleInjectionPoints);
if (alPossibleInjectionPoints.Count == 0)
{
floor_threads_num[floor] = -1;//扫描终止标志
return;
}
else
{
floor_threads_num[floor++] = alPossibleInjectionPoints.Count;//第一轮需要扫描页面个数
floor_threads_num[floor] = 0;
SubScan();
}
}
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
//根据返回的htmlcode寻找可能的注入点,并把这些可能的注入点加入到alPossibleInjectionPoints中
//提取htmlcode中的链接(绝对路径)
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////
public void FindPossibleInjectionPoints(string htmlCode, Uri relativeLocation, ArrayList aldestIPs)
{
//www.abc.com/ def/ghi/ jkl.asp?id=23
//www.abc.com/ def/ghi/ jkl?id=23
//string strRegex = @"(http://([A-Za-z0-9_.]+/))?([(\w*/)|(\./)|(\.\./)])*(\w+\.((asp)|(php)|(jsp)|(aspx))(\?\w+=([A-Za-z0-9\u0391-\uFFE5_.]+)))";
//string strRegex = @"(http://([A-Za-z0-9_.]+/))?([(\w*/)|(\./)|(\.\./)])*(\w+\.((asp)|(php)|(jsp)|(aspx))(\?\w+=([A-Za-z0-9\u0391-\uFFE5_.]+)(&)?)*)";
//string strRegex = @"(http://([A-Za-z0-9_.:]+/))?(/)?([(\w*/)|(\./)|(\.\./)])*(\w+(\.((aspx)|(php)|(jsp)|(asp)))?(\?(\w+=([A-Za-z0-9\u0391-\uFFE5_.]+)(&)?)+)?)";
//string strRegex = @"(http://([A-Za-z0-9_.:]+/))?([(\w*/)|(\./)|(\.\./)])*(\w+((\.aspx)|(\.php)|(\.jsp)|(\.asp)|(\?(\w+=([A-Za-z0-9\u0391-\uFFE5_.]+))))((\?)(\w+=([A-Za-z0-9\u0391-\uFFE5_.]+)&?)+)?)";
string strRegex = @"(http://([A-Za-z0-9_.:]+/))?([(\w*/)|(\./)|(\.\./)])*((\w+((\.aspx)|(\.php)|(\.jsp)|(\.asp))((\?)(\w+=([A-Za-z0-9\u0391-\uFFE5_.]+)&?)+)?)|(\w+\?((\w+=([A-Za-z0-9\u0391-\uFFE5_.]+)&?)+)))";
Regex r = new Regex(strRegex, RegexOptions.IgnoreCase);
MatchCollection m = r.Matches(htmlCode);
for (int i = 0; i <= m.Count - 1; i++)
{
bool rep = false;
string strNew = m[i].ToString();
//改绝对路径方式的url
Uri urlNew = new Uri(relativeLocation, strNew);
strNew = urlNew.AbsoluteUri.ToString();
// 过滤重复的URL,并且不能出站(2个条件)
//ArrayList al = new ArrayList();
//al = aldestIPs;
lock (aldestIPs.SyncRoot)
{
foreach (InjectionPoint IP in aldestIPs)
{
int end1 = 0, end2 = 0;
if (strNew.IndexOf('?') == -1)
{
end1 = strNew.Length;
}
else
{
end1 = strNew.IndexOf('?');
}
if (IP.Url.IndexOf('?') == -1)
{
end2 = IP.Url.Length;
}
else
{
end2 = IP.Url.IndexOf('?');
}
if ((strNew.Substring(0, end1) == IP.Url.Substring(0, end2)) && (IP.Url.IndexOf('?') == -1 && strNew.IndexOf('?') != -1))
{
//xxx.asp
//xxx.asp?id=123
//加
rep = false;
}
if ((strNew.Substring(0, end1) == IP.Url.Substring(0, end2)) && (IP.Url.IndexOf('?') != -1))
{
//xxx.asp?id=123
//xxx.asp 或 xxx.asp?id=456
//不加
rep = true;
break;
}
if ((strNew.Substring(0, end1) == IP.Url.Substring(0, end2)) && (IP.Url.IndexOf('?') == -1 && strNew.IndexOf('?') == -1))
{
//xxx.asp
//xxx.asp
//不加
rep = true;
break;
}
}
if (!rep)
{
//把这个新的url加入到alPossibleInjectionPoints中,并标记为"尚未处理"和"未知是否可注入"
if (strNew.StartsWith(RootUrl))
{
InjectionPoint IPnew = new InjectionPoint(strNew, false, false, false);
while (locked_alPIP)
{
;
}
if (!locked_alPIP)
{
locked_alPIP = true;
aldestIPs.Add(IPnew);
locked_alPIP = false;
}
}
else
{
foreach (IPAddress ip in ipList)
{
if (strNew.StartsWith("http://" + ip.ToString()))
{
InjectionPoint IPnew = new InjectionPoint(strNew, false, false, false);
while (locked_alPIP)
{
;
}
if (!locked_alPIP)
{
locked_alPIP = true;
aldestIPs.Add(IPnew);
locked_alPIP = false;
}
break;
}
}
}
}
}
}
}
