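/// <summary>
/// Sends a single request in which every query-string parameter of <paramref name="URL"/>
/// has its value replaced by <c>sqlAttackPattern</c>, then records a "SQL Injection" finding
/// when the response body contains any marker from <c>sqlSuccessResult</c>.
/// </summary>
/// <param name="URL">Full page URL, including its query string.</param>
/// <remarks>
/// Because all parameters are mutated in one request, a hit cannot be attributed to a
/// specific parameter; the finding is stored with parameter name "Unknown"
/// (attackEachQueryString isolates the parameter). Detection is plain substring matching
/// on the response, so an error page that happens to contain a marker is a false positive
/// and should be reviewed manually.
/// </remarks>
public void attackAllQueryStrings(string URL)
{
    HtmlParser parser = new HtmlParser(URL, string.Empty);
    List<string> queryStrings = parser.getQueryStringParams(URL);

    // Page address without its query string. The original wrote `nativeURL += "?"` here,
    // which also appended the '?' to nativeURL itself and so logged "page : .../x?".
    string nativeURL = URL.Split("?".ToCharArray())[0];

    // Rebuild the query string with every value replaced by the probe pattern. Joining with
    // '&' removes the per-iteration "is this the first parameter?" check.
    List<string> mutatedParams = new List<string>();
    foreach (string p in queryStrings)
    {
        string paramName = p.Split("=".ToCharArray())[0];
        mutatedParams.Add(paramName + "=" + sqlAttackPattern);
    }
    string targetURL = nativeURL + "?" + string.Join("&", mutatedParams.ToArray());

    WebCrawler attacker = new WebCrawler(targetURL);
    // fetchPage's contract is not visible here; a null body is treated as "no evidence"
    // rather than letting Contains() throw.
    string resultHTML = attacker.fetchPage() ?? string.Empty;

    // Record the finding once per page, even when several markers match the same body.
    foreach (string s in sqlSuccessResult)
    {
        if (resultHTML.Contains(s))
        {
            SharedVariables.myTestingForm.displayOutputActivity("the page : " + nativeURL + " has a SQL Injection vulnerable in one of its query string parameters\n saving the vulnerability for later reviews");
            ExploitsManager e = new ExploitsManager();
            e.add(_profileID.ToString(), "SQL Injection", targetURL, "Unknown");
            break;
        }
    }
}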
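/// <summary>
/// Probes the query-string parameters of <paramref name="URL"/> one at a time: for each
/// parameter a request is sent in which only that parameter's value is replaced by
/// <c>sqlAttackPattern</c> while the others keep their original "name=value" text, so a
/// finding can be attributed to a single parameter.
/// </summary>
/// <param name="URL">Full page URL, including its query string.</param>
/// <remarks>
/// Two kinds of record are produced. A <see cref="WebException"/> from the request
/// (timeout, name-resolution failure, or any non-success HTTP status) is filed as
/// "Maybe SQL Injection"; this is a weak signal, because an ordinary 404 or an unrelated
/// 500 produces the same record, so such entries need manual review. A response body that
/// contains one of the <c>sqlSuccessResult</c> markers is filed as "SQL Injection", at most
/// once per parameter.
/// </remarks>
public void attackEachQueryString(string URL)
{
    HtmlParser parser = new HtmlParser(URL, string.Empty);
    List<string> queryStrings = parser.getQueryStringParams(URL);
    string nativeURL = URL.Split("?".ToCharArray())[0]; // page address without its query string

    for (int i = 0; i < queryStrings.Count; i++)
    {
        string paramName = queryStrings[i].Split("=".ToCharArray())[0];

        // The probed parameter goes first, followed by every other parameter unchanged
        // (same layout as before). The original re-tested "does targetURL end in '?'" right
        // after appending '?', so its '&' branch for the first parameter was dead code;
        // joining with '&' makes that check unnecessary.
        List<string> parts = new List<string>();
        parts.Add(paramName + "=" + sqlAttackPattern);
        for (int j = 0; j < queryStrings.Count; j++)
        {
            if (j != i) // the probed parameter is already in place
            {
                parts.Add(queryStrings[j]);
            }
        }
        string targetURL = nativeURL + "?" + string.Join("&", parts.ToArray());

        string resultHTML = string.Empty;
        try
        {
            HttpWebRequest req = (HttpWebRequest)WebRequest.Create(targetURL);
            req.Method = "GET";
            // Dispose the response as well as its stream: the original never disposed the
            // HttpWebResponse, which can keep its connection occupied until it is collected.
            using (HttpWebResponse res = (HttpWebResponse)req.GetResponse())
            using (Stream s = res.GetResponseStream())
            using (StreamReader sr = new StreamReader(s))
            {
                resultHTML = sr.ReadToEnd();
            }
        }
        catch (WebException exep)
        {
            SharedVariables.myTestingForm.displayOutputActivity(string.Format("Unknown error : {0}\n", exep.Message));
            // Kept from the original: any request failure is filed as a *possible* finding.
            SharedVariables.myTestingForm.displayOutputActivity("the page : " + URL + " maybe has a SQL Injection vulnerable in one of its form query strings\n saving the vulnerability for later reviews\n");
            ExploitsManager maybe = new ExploitsManager();
            maybe.add(_profileID.ToString(), "Maybe SQL Injection", targetURL, paramName);
        }

        // Record the finding once per parameter, even when several markers match the body.
        // (The original's `continue` inside this loop was a no-op and let every matching
        // marker add a duplicate record.)
        foreach (string s in sqlSuccessResult)
        {
            if (resultHTML.Contains(s))
            {
                SharedVariables.myTestingForm.displayOutputActivity("the page : " + nativeURL + " has a SQL Injection vulnerable in one of its query string parameters\n saving the vulnerability for later reviews");
                ExploitsManager e = new ExploitsManager();
                e.add(_profileID.ToString(), "SQL Injection", targetURL, paramName);
                break;
            }
        }
    }
}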
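/// <summary>
/// Probes the query-string parameters of <paramref name="URL"/> one at a time: for each
/// parameter a request is sent in which only that parameter's value is replaced by
/// <c>xssAttackPattern</c> while the others keep their original "name=value" text, so a
/// finding can be attributed to a single parameter.
/// </summary>
/// <param name="URL">Full page URL, including its query string.</param>
/// <remarks>
/// A parameter is reported as "XSS" when the response body contains
/// <c>xssAttackPattern</c> verbatim. This only shows that the input is reflected unchanged;
/// it does not confirm an executable context, and reflections that the server encodes or
/// partially filters are not detected, so results need manual review.
/// </remarks>
public void attackEachQueryString(string URL)
{
    HtmlParser parser = new HtmlParser(URL, string.Empty);
    List<string> queryStrings = parser.getQueryStringParams(URL);
    string nativeURL = URL.Split("?".ToCharArray())[0]; // page address without its query string

    for (int i = 0; i < queryStrings.Count; i++)
    {
        string paramName = queryStrings[i].Split("=".ToCharArray())[0];

        // The probed parameter goes first, followed by every other parameter unchanged
        // (same layout as before). The original re-tested "does targetURL end in '?'" right
        // after appending '?', so its '&' branch for the first parameter was dead code;
        // joining with '&' makes that check unnecessary.
        List<string> parts = new List<string>();
        parts.Add(paramName + "=" + xssAttackPattern);
        for (int j = 0; j < queryStrings.Count; j++)
        {
            if (j != i) // the probed parameter is already in place
            {
                parts.Add(queryStrings[j]);
            }
        }
        string targetURL = nativeURL + "?" + string.Join("&", parts.ToArray());

        WebCrawler attacker = new WebCrawler(targetURL);
        // fetchPage's contract is not visible here; a null body is treated as "no evidence"
        // rather than letting Contains() throw.
        string resultHTML = attacker.fetchPage() ?? string.Empty;

        if (resultHTML.Contains(xssAttackPattern))
        {
            SharedVariables.myTestingForm.displayOutputActivity("the page : " + nativeURL + " has an XSS vulnerable in one of its query string parameters\n saving the vulnerability for later reviews");
            ExploitsManager e = new ExploitsManager();
            e.add(_profileID.ToString(), "XSS", targetURL, paramName);
        }
        // No record is written for parameters that do not reflect the pattern.
    }
}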