void CheckForTimeBasedCommandInjection()
{
this.Scnr.Trace("<i<br>><i<h>>Checking for Command Injection by Inducing Time Delay:<i</h>>");
foreach (string prefix in this.prefixes)
{
CommandInjectionPayloadParts PayloadParts = new CommandInjectionPayloadParts();
foreach (string seperator in this.seperators)
{
PayloadParts.Prefix = prefix;
PayloadParts.Seperator = seperator;
PayloadParts.Command = "ping -n {0} localhost";
this.SendAndAnalyzeTimePayload(PayloadParts);
PayloadParts.Command = "ping -c {0} localhost";
this.SendAndAnalyzeTimePayload(PayloadParts);
PayloadParts.Command = "/usr/sbin/ping -s localhost 1000 {0} ";
this.SendAndAnalyzeTimePayload(PayloadParts);
}
PayloadParts = new CommandInjectionPayloadParts();
PayloadParts.Prefix = prefix;
PayloadParts.Seperator = "";
PayloadParts.Command = "`ping -c {0} localhost`";
this.SendAndAnalyzeTimePayload(PayloadParts);
PayloadParts.Command = "run ping -n {0} localhost";
this.SendAndAnalyzeTimePayload(PayloadParts);
}
}
string TimeCommandGenerator(int TimeDelayInMilliSeconds, CommandInjectionPayloadParts PayloadParts)
{
if (TimeDelayInMilliSeconds == 0)
{
return(this.Scnr.PreInjectionParameterValue);
}
else
{
int PingCount = PingCountCalculator(TimeDelayInMilliSeconds);
return(string.Format(PayloadParts.Command, PingCount));
}
}
void SendAndAnalyzeTimePayload(CommandInjectionPayloadParts PayloadParts)
{
TimeBasedCheckResults TimeCheckResults = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);
if (TimeCheckResults.Success)
{
string Cmd = TimeCommandGenerator(TimeCheckResults.DelayInduced, PayloadParts);
this.AddToTriggers(TimeCheckResults.DelayPayload, string.Format("The payload in this request contains a system command which if executed will cause the response to be delayed by {0} milliseconds. The system command is: {1}", TimeCheckResults.DelayInduced, Cmd), TimeCheckResults.DelayRequest, "", string.Format("It took {0}milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", TimeCheckResults.DelayObserved, TimeCheckResults.DelayInduced), TimeCheckResults.DelayResponse);
FindingReason reason = this.GetBlindReason(TimeCheckResults.DelayPayload, Cmd, TimeCheckResults);
this.Reasons.Add(reason);
}
}
string TimePayloadGenerator(int TimeDelayInMilliSeconds, object OtherInfo)
{
if (TimeDelayInMilliSeconds == 0)
{
return(this.Scnr.PreInjectionParameterValue);
}
else
{
CommandInjectionPayloadParts PayloadParts = (CommandInjectionPayloadParts)OtherInfo;
string Cmd = TimeCommandGenerator(TimeDelayInMilliSeconds, PayloadParts);
return(string.Format("{0}{1} {2}", PayloadParts.Prefix, PayloadParts.Seperator, Cmd));
}
}
string TimeCommandGenerator(int TimeDelayInMilliSeconds, CommandInjectionPayloadParts PayloadParts)
{
if (TimeDelayInMilliSeconds == 0)
{
return this.Scnr.PreInjectionParameterValue;
}
else
{
int PingCount = PingCountCalculator(TimeDelayInMilliSeconds);
return string.Format(PayloadParts.Command, PingCount);
}
}
void SendAndAnalyzeTimePayload(CommandInjectionPayloadParts PayloadParts)
{
TimeBasedCheckResults TimeCheckResults = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);
if (TimeCheckResults.Success)
{
string Cmd = TimeCommandGenerator(TimeCheckResults.DelayInduced, PayloadParts);
this.AddToTriggers(TimeCheckResults.DelayPayload, string.Format("The payload in this request contains a system command which if executed will cause the response to be delayed by {0} milliseconds. The system command is: {1}", TimeCheckResults.DelayInduced, Cmd), TimeCheckResults.DelayRequest, "", string.Format("It took {0}milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", TimeCheckResults.DelayObserved, TimeCheckResults.DelayInduced), TimeCheckResults.DelayResponse);
FindingReason reason = this.GetBlindReason(TimeCheckResults.DelayPayload, Cmd, TimeCheckResults);
this.Reasons.Add(reason);
}
}
void CheckForTimeBasedCommandInjection()
{
this.Scnr.Trace("<i<br>><i<h>>Checking for Command Injection by Inducing Time Delay:<i</h>>");
foreach (string prefix in this.prefixes)
{
CommandInjectionPayloadParts PayloadParts = new CommandInjectionPayloadParts();
foreach (string seperator in this.seperators)
{
PayloadParts.Prefix = prefix;
PayloadParts.Seperator = seperator;
PayloadParts.Command = "ping -n {0} localhost";
this.SendAndAnalyzeTimePayload(PayloadParts);
PayloadParts.Command = "ping -c {0} localhost";
this.SendAndAnalyzeTimePayload(PayloadParts);
PayloadParts.Command = "/usr/sbin/ping -s localhost 1000 {0} ";
this.SendAndAnalyzeTimePayload(PayloadParts);
}
PayloadParts = new CommandInjectionPayloadParts();
PayloadParts.Prefix = prefix;
PayloadParts.Seperator = "";
PayloadParts.Command = "`ping -c {0} localhost`";
this.SendAndAnalyzeTimePayload(PayloadParts);
PayloadParts.Command = "run ping -n {0} localhost";
this.SendAndAnalyzeTimePayload(PayloadParts);
}
}
