/// <summary>
/// Rebuilds the target attack vector from its saved XML form and stores it in
/// <c>_TargetAttackVector</c>.
/// </summary>
/// <remarks>
/// The "attackvector" child of <paramref name="xInput"/> is looked up first; when it is
/// absent the method returns and leaves the current attack vector untouched.
/// Only TerminateQuery and WebProxies (plus Delimiter, Tolerance and Throttle in blind
/// mode) are populated on the options object here.
/// </remarks>
/// <param name="xInput">The XML node to start deserialization from. Passed by reference but never reassigned in this method.</param>
/// <param name="AnonProxies">Any anonymous proxies being used; assigned to the options' WebProxies</param>
public void DeserializeAttackVector(ref XmlNode xInput, Queue AnonProxies)
{
    string scheme = _UseSSL ? "https://" : "http://";
    string fullUrl = scheme + _TargetURL;

    XmlNode vectorNode = xInput.SelectSingleNode("attackvector");
    if (vectorNode == null)
    {
        return;
    }

    InjectionOptions options;
    if (_IsBlind)
    {
        BlindInjectionOptions blindOptions = new BlindInjectionOptions();
        blindOptions.Delimiter = _FilterDelimiter;
        blindOptions.Tolerance = _Tolerance;
        blindOptions.Throttle = _ThrottleValue;
        options = blindOptions;
    }
    else
    {
        options = new ErrorInjectionOptions();
    }

    options.TerminateQuery = _TerminateQuery;
    options.WebProxies = AnonProxies;

    // The vector name and buffer are passed as empty strings; the factory is given the XML node instead.
    AttackVectorFactory factory = new AttackVectorFactory(fullUrl, "", "", _ParamList, _ConnectionMethod, options);

    // NOTE(review): the result is dereferenced on the next statement without a null check.
    // If BuildFromXml can return null for an incomplete or hand-edited file (not visible
    // here), loading such a file ends in a NullReferenceException -- confirm and guard.
    _TargetAttackVector = factory.BuildFromXml(vectorNode, options, _Plugins.GetPluginByName(_LoadedPluginName));
    _TargetAttackVector.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
}
/// <summary>
/// Runs the preliminary scan for the connection configured in the UI and stores the
/// resulting attack vector in <c>_AbsintheState.TargetAttackVector</c>.
/// </summary>
/// <remarks>
/// Returns immediately when no connection method is set, and reports
/// "No Injection Point Found" when the form parameters yield no target name.
/// Any exception raised during the scan is written to the debug output and shown through
/// <c>UserStatus</c>; the button and cursor are always restored in the finally block.
/// </remarks>
private void InitializeAttackVectors()
{
    string targetUrl = (ctlConnection1.UseSsl == true ? "https://" : "http://") + ctlConnection1.TargetUrl;

    string connectMethod = ctlConnection1.ConnectMethod;
    if (connectMethod.Length == 0)
    {
        return;
    }

    SafelyChangeCursor(Cursors.WaitCursor);

    // Collect the chosen injection parameter, the remaining parameters and the cookies.
    string vectorName = String.Empty;
    string vectorField = String.Empty;
    bool injectAsString;
    NameValueCollection otherParams = FormParameters.FormParameters(ref vectorName, ref vectorField, out injectAsString);
    NameValueCollection cookies = FormParameters.Cookies;

    if (vectorName.Length == 0)
    {
        UserStatus("No Injection Point Found");
        SafelyChangeCursor(Cursors.Default);
        return;
    }

    UserStatus("Beginning Preliminary Scan");
    try
    {
        SafelyChangeEnableOfControl(butInitializeInjection, false);

        // NOTE(review): optBlindInjection.Checked is read here and again below when the
        // plugin is chosen; if the selection can change in between, the options type and
        // the branch taken would disagree -- confirm the controls are locked during a scan.
        InjectionOptions options;
        if (optBlindInjection.Checked == true)
        {
            BlindInjectionOptions blindOptions = new BlindInjectionOptions();
            blindOptions.Tolerance = _AbsintheState.FilterTolerance;
            blindOptions.Delimiter = _AbsintheState.FilterDelimiter;
            options = blindOptions;
        }
        else
        {
            ErrorInjectionOptions errorOptions = new ErrorInjectionOptions();
            errorOptions.VerifyVersion = chkVerifyVersion.Checked;
            options = errorOptions;
        }

        options.TerminateQuery = _AbsintheState.TerminateQuery;
        options.Cookies = cookies;
        options.WebProxies = _AppSettings.ProxyQueue();
        options.InjectAsString = injectAsString;
        options.UserAgent = _AbsintheState.UserAgent;
        // NOTE(review): credentials are attached whether or not UseSsl is set. With the
        // http:// scheme they may cross the network unencrypted, depending on the
        // authentication scheme in use (not visible here).
        options.AuthCredentials = ctlUserAuth1.NetworkCredential;
        options.AppendedQuery = _AbsintheState.AppendedText;

        AttackVectorFactory factory = new AttackVectorFactory(targetUrl, vectorName, vectorField, otherParams, connectMethod, options);
        factory.UserStatus += new UserEvents.UserStatusEventHandler(UserStatus);

        // Evaluated before the mode branch; only the error-based branch uses it.
        int pluginIndex = Array.IndexOf(_PluginEntries, _AbsintheState.LoadedPluginName);
        IPlugin selected = null;

        if (optBlindInjection.Checked)
        {
            foreach (IPlugin candidate in _AbsintheState.PluginList)
            {
                if (candidate.GetType().GetInterface("IBlindPlugin") == null)
                {
                    continue;
                }

                if (candidate.PluginDisplayTargetName == _AbsintheState.LoadedPluginName)
                {
                    selected = candidate;
                    break;
                }
            }

            // selected is still null here when no blind plugin matched the loaded name;
            // the null is passed through to the factory unchanged.
            _AbsintheState.TargetAttackVector = factory.BuildBlindSqlAttackVector(_AbsintheState.FilterTolerance, (IBlindPlugin)selected);
            UserStatus("Finished initial scan");
        }
        else if (optErrorBasedInjection.Checked)
        {
            if (pluginIndex <= 0)
            {
                // Index 0 and "not found" (-1) both fall back to auto-detection.
                selected = AutoDetectPlugin(factory);
            }
            else
            {
                foreach (IPlugin candidate in _AbsintheState.PluginList)
                {
                    if (candidate.PluginDisplayTargetName == _AbsintheState.LoadedPluginName)
                    {
                        selected = candidate;
                        break;
                    }
                }
            }

            if (selected != null)
            {
                try
                {
                    _AbsintheState.TargetAttackVector = factory.BuildSqlErrorAttackVector((IErrorPlugin)selected);
                    UserStatus("Finished initial scan");
                }
                catch (UnsupportedSQLErrorVersionException versionError)
                {
                    // Hand the two captured error pages to the report dialog via Invoke.
                    ErrorReportingDelegate showReport = new ErrorReportingDelegate(ThreadUnsafeDisplayErrorReportDialog);
                    this.Invoke(showReport, new object[] { versionError.VersionErrorPageHtml, versionError.HavingErrorPageHtml });
                }
            }
        }
    }
    catch (Exception ex)
    {
        System.Diagnostics.Debug.WriteLine(ex.ToString());
        UserStatus(ex.Message);
    }
    finally
    {
        SafelyChangeEnableOfControl(butInitializeInjection, true);
        SafelyChangeCursor(Cursors.Default);
    }
}
/// <summary>
/// Builds a <c>BlindSqlAttackVector</c> from a saved XML node.
/// </summary>
/// <remarks>
/// The child elements "truepage", "falsepage", "truefilter" and "falsefilter" supply the
/// two signatures and two filters. Attributes on the node override fields of
/// <paramref name="opts"/>, which is modified in place and then handed to the new vector.
/// </remarks>
/// <param name="VectorNode">The XML node describing the saved vector</param>
/// <param name="opts">The blind injection options; Delimiter, Tolerance and InjectAsString may be overwritten from the node's attributes</param>
/// <param name="PluginUsed">The plugin passed on to the new vector</param>
/// <returns>The rebuilt vector, or null when any of the two signatures or two filters was not obtained</returns>
private BlindSqlAttackVector DeserializeBlindSqlAttackVectorXml(XmlNode VectorNode, BlindInjectionOptions opts, IBlindPlugin PluginUsed)
{
    double[] trueSignature = null;
    double[] falseSignature = null;
    int[] trueFilter = null;
    int[] falseFilter = null;

    foreach (XmlNode child in VectorNode.ChildNodes)
    {
        if (child.Name == "truepage")
        {
            trueSignature = ExtractSignatureFromXml(child);
        }
        else if (child.Name == "falsepage")
        {
            falseSignature = ExtractSignatureFromXml(child);
        }
        else if (child.Name == "truefilter")
        {
            trueFilter = ExtractFilterFromXml(child);
        }
        else if (child.Name == "falsefilter")
        {
            falseFilter = ExtractFilterFromXml(child);
        }
    }

    bool complete = trueSignature != null && falseSignature != null && trueFilter != null && falseFilter != null;
    if (!complete)
    {
        return null;
    }

    // Attribute names are matched exactly as written below: "Delimiter" and
    // "InjectAsString" are capitalised, the other three are lower case.
    XmlNode delimiterAttr = VectorNode.Attributes["Delimiter"];
    if (delimiterAttr != null)
    {
        opts.Delimiter = delimiterAttr.InnerText;
    }

    // NOTE(review): Single.Parse uses the current culture and throws on malformed text.
    // A file written under a different decimal-separator convention, or edited by hand,
    // may parse to another value or fail here -- confirm against the code that writes it.
    XmlNode toleranceAttr = VectorNode.Attributes["tolerance"];
    if (toleranceAttr != null)
    {
        opts.Tolerance = System.Single.Parse(toleranceAttr.InnerText);
    }

    string vectorName = String.Empty;
    XmlNode nameAttr = VectorNode.Attributes["name"];
    if (nameAttr != null)
    {
        vectorName = nameAttr.InnerText;
    }

    string vectorBuffer = String.Empty;
    XmlNode bufferAttr = VectorNode.Attributes["buffer"];
    if (bufferAttr != null)
    {
        vectorBuffer = bufferAttr.InnerText;
    }

    XmlNode injectAsStringAttr = VectorNode.Attributes["InjectAsString"];
    if (injectAsStringAttr != null)
    {
        opts.InjectAsString = System.Boolean.Parse(injectAsStringAttr.InnerText);
    }

    return new BlindSqlAttackVector(_TargetURL, vectorName, vectorBuffer, _AttackParams, _Method, PluginUsed,
        trueSignature, falseSignature, trueFilter, falseFilter, opts);
}
///<summary>Creates a blind attack vector from already known true/false page signatures and filters.</summary>
///<param name="URL">The URL of the target web application, including file path</param>
///<param name="VectorName">The name of the parameter to use as the injection point</param>
///<param name="VectorBuffer">The default value to store in the injectable parameter</param>
///<param name="AdditionalParams">All parameters (names and values) that are used, but not chosen as injection points</param>
///<param name="Method">The HTTP connection method. This can be "GET" or "POST"; any value other than "POST" (compared after upper-casing) leaves POST mode off</param>
///<param name="PluginUsed">The Plugin being used for the connection</param>
///<param name="TruePage">The signature for the page representing a "true" value</param>
///<param name="FalsePage">The signature for the page representing a "false" value</param>
///<param name="TrueFilterIn">The indices of the signature relevant for comparing an unknown to the true signature</param>
///<param name="FalseFilterIn">The indices of the signature relevant for comparing an unknown to the false signature</param>
///<param name="Options">The InjectionOptions to use for all requests</param>
public BlindSqlAttackVector(string URL, string VectorName, string VectorBuffer, NameValueCollection AdditionalParams, string Method, IBlindPlugin PluginUsed, double[] TruePage, double[] FalsePage, int[] TrueFilterIn, int[] FalseFilterIn, BlindInjectionOptions Options)
{
    _ConnectViaPost = (Method.ToUpper() == "POST");

    _TargetURL = URL;
    _VectorName = VectorName;
    _Options = Options;
    _PluginData = PluginUsed;

    // Text placed in front of whatever the plugin generates: the stored value, plus a
    // quote when the parameter is treated as a string.
    string prefix = VectorBuffer;
    if (_Options.InjectAsString)
    {
        prefix += "'";
    }

    _AttackParams = AdditionalParams;

    TruePageSignature = TruePage;
    FalsePageSignature = FalsePage;
    TrueFilter = TrueFilterIn;
    FalseFilter = FalseFilterIn;

    // Exactly one suffix is chosen, in this order of precedence; it stays empty when
    // none of the three conditions holds.
    // NOTE(review): AppendedQuery is dereferenced without a null check; callers that never
    // set it rely on the options type initialising it (not visible here) -- confirm.
    // NOTE(review): how _VectorPostBuffer is consumed is not visible in this constructor.
    string suffix = String.Empty;
    if (_Options.TerminateQuery)
    {
        suffix = "--";
    }
    else if (_Options.AppendedQuery.Length > 0)
    {
        suffix = _Options.AppendedQuery;
    }
    else if (_Options.InjectAsString)
    {
        suffix = " AND '1'='1";
    }
    _VectorPostBuffer = suffix;

    // Required so plugins aren't required to add the spaces
    _VectorBuffer = prefix + " ";

    _Proxies = Options.WebProxies;

    // NOTE(review): if ParsePage.UserStatus is a static event, every instance stays
    // subscribed for the life of the process; nothing here unsubscribes -- confirm.
    ParsePage.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
}
///<summary>Creates a blind attack vector without precomputed page signatures or filters.</summary>
///<remarks>Unlike the overload that takes signatures, this constructor does not assign <c>_VectorPostBuffer</c> and does not append the trailing space to <c>_VectorBuffer</c>.</remarks>
///<param name="URL">The URL of the target web application, including file path</param>
///<param name="VectorName">The name of the parameter to use as the injection point</param>
///<param name="VectorBuffer">The default value to store in the injectable parameter</param>
///<param name="AdditionalParams">All parameters (names and values) that are used, but not chosen as injection points</param>
///<param name="Method">The HTTP connection method. This can be "GET" or "POST"</param>
///<param name="PluginUsed">The Plugin being used for the connection; a null value is reported through UserStatus and still stored</param>
///<param name="Options">The InjectionOptions to use for all connections</param>
public BlindSqlAttackVector(string URL, string VectorName, string VectorBuffer, NameValueCollection AdditionalParams, string Method, IBlindPlugin PluginUsed, BlindInjectionOptions Options)
{
    _Proxies = Options.WebProxies;

    // NOTE(review): if UserStatus is this instance's own event, it cannot have subscribers
    // yet while the constructor runs, so this call may throw instead of reporting -- confirm.
    if (PluginUsed == null)
    {
        UserStatus("Null plugin");
    }

    _PluginData = PluginUsed;
    _Options = Options;
    _ConnectViaPost = (Method.ToUpper() == "POST");

    _TargetURL = URL;
    _VectorName = VectorName;
    _AttackParams = AdditionalParams;

    // A quote is added after the stored value when the parameter is treated as a string.
    string buffer = VectorBuffer;
    if (_Options.InjectAsString)
    {
        buffer += "'";
    }
    _VectorBuffer = buffer;

    // NOTE(review): if ParsePage.UserStatus is a static event, every instance stays
    // subscribed for the life of the process; nothing here unsubscribes -- confirm.
    ParsePage.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
}
/// <summary>
/// Reads a saved blind attack vector from an XML node and constructs the matching
/// <c>BlindSqlAttackVector</c>.
/// </summary>
/// <param name="VectorNode">The node whose children hold the signatures and filters and whose attributes hold the vector settings</param>
/// <param name="opts">The options object to use; it is updated in place from the node's attributes before being passed to the vector</param>
/// <param name="PluginUsed">The plugin passed on to the new vector</param>
/// <returns>The new vector, or null if a signature or filter is missing after all children were read</returns>
private BlindSqlAttackVector DeserializeBlindSqlAttackVectorXml(XmlNode VectorNode, BlindInjectionOptions opts, IBlindPlugin PluginUsed)
{
    double[] sigWhenTrue = null;
    double[] sigWhenFalse = null;
    int[] filterWhenTrue = null;
    int[] filterWhenFalse = null;

    // Unknown child elements are ignored; a repeated element overwrites the earlier one.
    foreach (XmlNode element in VectorNode.ChildNodes)
    {
        switch (element.Name)
        {
            case "truepage":
                sigWhenTrue = ExtractSignatureFromXml(element);
                break;
            case "falsepage":
                sigWhenFalse = ExtractSignatureFromXml(element);
                break;
            case "truefilter":
                filterWhenTrue = ExtractFilterFromXml(element);
                break;
            case "falsefilter":
                filterWhenFalse = ExtractFilterFromXml(element);
                break;
        }
    }

    if (sigWhenTrue == null) { return null; }
    if (sigWhenFalse == null) { return null; }
    if (filterWhenTrue == null) { return null; }
    if (filterWhenFalse == null) { return null; }

    // From here on opts is mutated; a parse failure below leaves the earlier
    // assignments in place on the caller's object.
    XmlNode attr = VectorNode.Attributes["Delimiter"];
    if (attr != null)
    {
        opts.Delimiter = attr.InnerText;
    }

    // NOTE(review): parsed with the current culture and no TryParse; text from a file
    // saved under another locale or edited by hand may be misread or throw -- confirm
    // how the value is written.
    attr = VectorNode.Attributes["tolerance"];
    if (attr != null)
    {
        opts.Tolerance = System.Single.Parse(attr.InnerText);
    }

    attr = VectorNode.Attributes["name"];
    string savedName = (attr != null) ? attr.InnerText : String.Empty;

    attr = VectorNode.Attributes["buffer"];
    string savedBuffer = (attr != null) ? attr.InnerText : String.Empty;

    attr = VectorNode.Attributes["InjectAsString"];
    if (attr != null)
    {
        opts.InjectAsString = System.Boolean.Parse(attr.InnerText);
    }

    return new BlindSqlAttackVector(_TargetURL, savedName, savedBuffer, _AttackParams, _Method, PluginUsed,
        sigWhenTrue, sigWhenFalse, filterWhenTrue, filterWhenFalse, opts);
}
/// <summary>
/// Restores the attack vector from XML into its native type (the reverse of serialization)
/// and keeps it in <c>_TargetAttackVector</c>.
/// </summary>
/// <remarks>
/// Does nothing when <paramref name="xInput"/> has no "attackvector" child.
/// </remarks>
/// <param name="xInput">The XML node to start deserialization from; the reference itself is not changed by this method</param>
/// <param name="AnonProxies">Any anonymous proxies being used</param>
public void DeserializeAttackVector(ref XmlNode xInput, Queue AnonProxies)
{
    string fullUrl = (_UseSSL ? "https://" : "http://") + _TargetURL;

    XmlNode savedVector = xInput.SelectSingleNode("attackvector");
    if (savedVector == null)
    {
        return;
    }

    InjectionOptions injectionOptions;
    if (!_IsBlind)
    {
        injectionOptions = new ErrorInjectionOptions();
    }
    else
    {
        BlindInjectionOptions blind = new BlindInjectionOptions();
        blind.Delimiter = _FilterDelimiter;
        blind.Tolerance = _Tolerance;
        blind.Throttle = _ThrottleValue;
        injectionOptions = blind;
    }

    // Settings common to both modes.
    injectionOptions.TerminateQuery = _TerminateQuery;
    injectionOptions.WebProxies = AnonProxies;

    AttackVectorFactory builder = new AttackVectorFactory(fullUrl, "", "", _ParamList, _ConnectionMethod, injectionOptions);

    // NOTE(review): BuildFromXml's result is used immediately for the event subscription.
    // Whether it can be null for an incomplete saved file is not visible here; if it can,
    // this line throws NullReferenceException -- confirm and add a guard.
    _TargetAttackVector = builder.BuildFromXml(savedVector, injectionOptions, _Plugins.GetPluginByName(_LoadedPluginName));
    _TargetAttackVector.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
}