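/// <summary>
/// Classifies one traced response of the file-read / file-inclusion probe.
/// A pending FileSystemWatcher event (stored in <c>_fsArgs</c> by the watcher
/// callback, outside this method) wins over content matching: it is reported
/// once, the probe file is rewritten, and the event is cleared.
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Response</c> text is searched for the <c>_badChars</c> marker.</param>
/// <returns>
/// A Vulnerability alert, or <c>null</c> when neither a file-system event nor the
/// marker is present.
/// </returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    // Read the watcher field once: it is assigned from the watcher's thread.
    var fsEvent = _fsArgs;
    if (fsEvent != null)
    {
        Console.ForegroundColor = ConsoleColor.Red; // NOTE(review): not reset here; presumably restored by the caller
        // Suspend the watcher while the probe file is rewritten so our own write
        // is not reported as a finding on the next trace; re-enable even if the
        // write throws, otherwise every later scan would be blind to events.
        watcher.EnableRaisingEvents = false;
        try
        {
            WriteProbe();
        }
        finally
        {
            watcher.EnableRaisingEvents = true;
        }
        var changeType = fsEvent.ChangeType;
        _fsArgs = null;
        return new ScanAlert(ScanAlertOptions.Vulnerability, "File System Event: " + changeType, TargetTrace);
    }

    // Ordinal case-insensitive search replaces ToLower()+Contains, which was
    // culture-sensitive (e.g. Turkish dotless i) and allocated two lowered copies.
    var response = TargetTrace.Response;
    if (response.IndexOf(_badChars, StringComparison.OrdinalIgnoreCase) < 0)
    {
        return null;
    }
    // "5230" directly after the marker distinguishes execution (inclusion) from
    // a plain read-back of the probe file — presumably the probe prints it when
    // interpreted; TODO confirm against WriteProbe().
    var wasIncluded = response.IndexOf(_badChars + "5230", StringComparison.OrdinalIgnoreCase) >= 0;
    return new ScanAlert(
        ScanAlertOptions.Vulnerability,
        wasIncluded ? "Local File Inclusion" : "Arbitrary File Read",
        TargetTrace);
}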
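/// <summary>
/// Builds the command-execution probe request for <paramref name="Mode"/> and, as a
/// side effect, starts a background thread that polls every 500 ms for the probe
/// process (<c>Config.ProbeName</c>), sets <c>_probeDetected</c> and kills it.
/// The matching <c>ScanTraceCore</c> consumes the flag and aborts <c>_processThread</c>.
/// </summary>
/// <param name="Mode">Index into <c>Config.TestCases</c>.</param>
/// <param name="TargetFile">Script under test, passed through to the request builder.</param>
/// <param name="SourceTrace">Not used here; the request is built from configuration only.</param>
/// <returns>The raw HTTP request text from <c>RequestBuilder.CreateRequest</c>.</returns>
protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
{
    // Watch for the probe under the same name ScanTraceCore detects and reaps;
    // the previous version hard-coded "PHPVHProbe", so watcher and detector could
    // disagree if the configured probe name differs.
    var probeName = Config.ProbeName;

    // NOTE(review): a thread started by an earlier call is only stopped by
    // ScanTraceCore; calling this twice without a scan in between leaks one.
    _processThread = new Thread(() =>
    {
        while (true)
        {
            Thread.Sleep(500);
            var probes = Process.GetProcessesByName(probeName);
            if (probes.Length == 0)
            {
                continue;
            }
            _probeDetected = true;
            foreach (var probe in probes)
            {
                // Best effort: the probe may already have exited between
                // enumeration and Kill(); log instead of swallowing silently.
                try
                {
                    probe.Kill();
                }
                catch (Exception ex)
                {
                    Trace.WriteLine("Probe kill failed: " + ex.Message);
                }
                finally
                {
                    probe.Dispose(); // release the process handle
                }
            }
        }
    })
    {
        IsBackground = true
    };
    _processThread.Start();

    return RequestBuilder.CreateRequest(TargetFile, Server, Config.TestCases[Mode], false, false, true);
}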
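/// <summary>
/// Flags a trace as SQL injection when a configured query function was called with
/// an argument that <c>IsSQLInjectable</c> recognises as carrying the payload.
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Calls</c> are inspected; <c>Response</c> is not used.</param>
/// <returns>The alert from <c>CreateAlert</c>, or <c>null</c> when no call matched.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    // The previous version lower-cased the response into an unused local; dropped.
    foreach (var call in TargetTrace.Calls)
    {
        // Resolve the traced call against configuration by name AND arity so the
        // QueryParam index refers to the right overload. SingleOrDefault is kept on
        // purpose: duplicate (Name, ParamCount) entries are a configuration error
        // and surface as InvalidOperationException rather than a silent pick.
        var func = Config.Functions.SingleOrDefault(x => x.Name == call.Name && x.ParamCount == call.ParameterValues.Count);
        if (func == null)
        {
            continue;
        }
        // assumes 0 <= func.QueryParam < func.ParamCount for every entry — TODO confirm in config loading
        var queryArgument = call.ParameterValues[func.QueryParam];
        if (IsSQLInjectable(queryArgument))
        {
            return CreateAlert(TargetTrace);
        }
    }
    return null;
}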
/// <summary>
/// Reports "Full Path Disclosure" when the response contains something shaped like a
/// Windows absolute path (a non-word character, one character, ':', then one or more
/// separator+segment pairs), e.g. " C:\xampp\htdocs\x.php" leaked in an error message.
/// Unix-style absolute paths (/var/www/...) are not covered by this pattern.
/// </summary>
/// <param name="TargetTrace">Trace whose raw <c>Response</c> is scanned.</param>
/// <returns>A Vulnerability alert, or <c>null</c> when no path-like text is found.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    const string windowsPathPattern = @"[^\w][^\\/:*?""<>|]:([\\/]+[^\\/:*?""<>|]+)+";
    var pathLeaked = Regex.IsMatch(TargetTrace.Response, windowsPathPattern);
    if (!pathLeaked)
    {
        return null;
    }
    return new ScanAlert(ScanAlertOptions.Vulnerability, "Full Path Disclosure", TargetTrace);
}
/// <summary>
/// Detects a leaked Windows-style absolute path in the response body or headers.
/// The pattern needs a non-word character, then one character, ':' and at least one
/// separator followed by a path segment; it does not match Unix paths such as /var/www.
/// </summary>
/// <param name="TargetTrace">Trace whose raw <c>Response</c> is scanned.</param>
/// <returns>"Full Path Disclosure" alert, or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    var disclosure = Regex.Match(TargetTrace.Response, @"[^\w][^\\/:*?""<>|]:([\\/]+[^\\/:*?""<>|]+)+");
    return disclosure.Success
        ? new ScanAlert(ScanAlertOptions.Vulnerability, "Full Path Disclosure", TargetTrace)
        : null;
}
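/// <summary>
/// Decides whether the command-execution probe ran. Three signals are combined:
/// the watcher thread started by <c>BuildRequestCore</c> flagged the probe
/// (<c>_probeDetected</c>), a traced sink from <c>Config.Functions</c> received the
/// probe name as an argument, or a probe process is alive right now. Any live probe
/// processes are killed and released before returning.
/// </summary>
/// <param name="TargetTrace">Trace of the request built by <c>BuildRequestCore</c>.</param>
/// <returns>A "Command Execution" alert, or <c>null</c> when none of the signals fired.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    // Stop the watcher. Thread.Abort is obsolete and throws
    // PlatformNotSupportedException on .NET Core; the thread is a background
    // thread, so the failure is logged rather than propagated.
    try
    {
        _processThread.Abort();
    }
    catch (Exception ex)
    {
        Trace.WriteLine("Watcher abort failed: " + ex.Message);
    }

    // Consume the watcher's flag exactly once.
    var detected = _probeDetected;
    _probeDetected = false;
    if (detected)
    {
        Trace.WriteLine("Probe detected");
    }

    var probeName = Config.ProbeName;
    // Ordinal case-insensitive containment replaces ToLower()+Contains
    // (culture-sensitive and allocating).
    var probeNamePassedToSink = TargetTrace.Calls
        .Where(x => Config.Functions.Contains(x.Name))
        .Any(x => x.ParameterValues.Any(y => y.IndexOf(probeName, StringComparison.OrdinalIgnoreCase) >= 0));

    // Enumerate once; the old code enumerated separately in each branch.
    var processes = Process.GetProcessesByName(probeName);
    var executed = probeNamePassedToSink || detected || processes.Length != 0;

    // Always reap stragglers. Kill() throws if the process exited between
    // enumeration and here (the watcher thread may still be mid-kill), which
    // previously aborted the scan; now it is logged. Dispose releases the handle.
    foreach (var p in processes)
    {
        try
        {
            p.Kill();
            p.WaitForExit();
        }
        catch (Exception ex)
        {
            Trace.WriteLine("Probe kill failed: " + ex.Message);
        }
        finally
        {
            p.Dispose();
        }
    }

    return executed
        ? new ScanAlert(ScanAlertOptions.Vulnerability, "Command Execution", TargetTrace)
        : null;
}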
/// <summary>
/// Detects arbitrary PHP execution. Strongest evidence is the trace showing
/// <c>eval()</c> receiving the "testabc" marker; failing that, the response is
/// matched against <c>Config.MatchRegex</c> after text matching
/// <c>Config.FalsePositiveRegex</c> has been removed.
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Calls</c> and <c>Response</c> are inspected.</param>
/// <returns>The alert from <c>CreateAlert</c>, or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    var evalSawMarker = TargetTrace.Calls.Any(call =>
        call.Name == PhpName.Eval && call.ParameterValues.Any(arg => arg.Contains("testabc")));
    if (evalSawMarker)
    {
        return CreateAlert(TargetTrace);
    }

    // Strip known benign matches before applying the positive pattern, so a
    // page that always echoes something marker-like does not fire.
    var cleanedResponse = Regex.Replace(TargetTrace.Response, Config.FalsePositiveRegex, "");
    var matched = Regex.IsMatch(cleanedResponse, Config.MatchRegex);
    return matched ? CreateAlert(TargetTrace) : null;
}
/// <summary>
/// Builds the reflected-XSS fuzz request. The first <c>Config.FuzzStrings.Length</c>
/// modes send each fuzz string as-is; the remaining modes send it again prefixed
/// with a NUL byte (a classic filter-bypass variant).
/// NOTE(review): the second half indexes with <c>Mode - ModeCount / 2</c>, which is
/// only in range when <c>ModeCount == 2 * Config.FuzzStrings.Length</c> — confirm
/// where ModeCount is set.
/// </summary>
/// <param name="Mode">Fuzz mode; selects the payload and whether it is NUL-prefixed.</param>
/// <param name="TargetFile">Script under test, passed through to the request builder.</param>
/// <param name="SourceTrace">Not used here.</param>
/// <returns>The raw HTTP request text from <c>RequestBuilder.CreateRequest</c>.</returns>
protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
{
    var fuzzStrings = Config.FuzzStrings;
    var nulPrefixed = Mode >= fuzzStrings.Length;
    var payload = nulPrefixed
        ? "\x00" + fuzzStrings[Mode - (ModeCount / 2)]
        : fuzzStrings[Mode];
    return RequestBuilder.CreateRequest(TargetFile, Server, payload, false, true, true);
}
/// <summary>
/// Reports reflected XSS when the marker is echoed back (verbatim or, per
/// <c>HasAttributeVulnerability</c>, inside an attribute) AND the response carries
/// a 200 status line. Reflection inside an error page is deliberately ignored.
/// NOTE(review): the marker is always <c>Config.FuzzStrings[0]</c> regardless of the
/// mode that produced this trace; presumably every fuzz string embeds it — confirm.
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Response</c> (status line + body) is inspected.</param>
/// <returns>A "Reflected XSS" alert, or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    var loweredResponse = TargetTrace.Response.ToLower();
    var markerEchoed = loweredResponse.Contains(Config.FuzzStrings[0].ToLower())
        || HasAttributeVulnerability(loweredResponse);
    if (!markerEchoed)
    {
        return null;
    }
    if (!Regex.IsMatch(loweredResponse, @"^http/\d\.\d\s200\s"))
    {
        return null;
    }
    return new ScanAlert(ScanAlertOptions.Vulnerability, "Reflected XSS", TargetTrace);
}
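/// <summary>
/// Detects arbitrary file upload. Strongest evidence is a traced file-writing sink
/// receiving our shell file name or an <c>.htaccess</c> path; otherwise a pending
/// FileSystemWatcher event (stored in <c>_fsArgs</c> by the watcher callback) is
/// reported with its type, path and — for renames — the old path. The event is
/// consumed either way so it is reported at most once.
/// NOTE(review): "shell.php" is hard-coded here while the request builder uses
/// <c>scanMode.ShellFile</c>; confirm the two agree for every scan mode.
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Calls</c> are inspected.</param>
/// <returns>"Arbitrary File Upload", "Arbitrary File Event - ..." or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    // PHP functions that can persist request data to disk.
    string[] suspectFunctions = { "fopen", "file", "copy", "move_uploaded_file", "file_put_contents", "fwrite", "fputs" };
    var shellWritten = TargetTrace.Calls.Any(call =>
        suspectFunctions.Contains(call.Name)
        && call.ParameterValues.Any(arg => arg.Contains("shell.php") || arg.Contains(".htaccess")));

    // Read the watcher field once and clear it: it is assigned from the
    // watcher's thread, so reading it several times could see different values.
    var fsEvent = _fsArgs;
    _fsArgs = null;

    if (shellWritten)
    {
        return new ScanAlert(ScanAlertOptions.Vulnerability, "Arbitrary File Upload", TargetTrace);
    }
    if (fsEvent == null)
    {
        return null;
    }

    var eventInfo = string.Format("Type={0} Path={1}", fsEvent.ChangeType, fsEvent.FullPath);
    var renamed = fsEvent as RenamedEventArgs;
    if (renamed != null)
    {
        eventInfo += " Old Path=" + renamed.OldFullPath;
    }
    return new ScanAlert(ScanAlertOptions.Vulnerability, "Arbitrary File Event - " + eventInfo, TargetTrace);
}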
/// <summary>
/// Detects user-controlled dynamic class instantiation or function calls. Either the
/// probe actually ran (it prints a fixed banner) or PHP reported the probe name as
/// unresolvable — which still proves the injected name reached <c>new</c> / a call.
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Response</c> is inspected.</param>
/// <returns>The class alert, the function alert, or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    var response = TargetTrace.Response;

    var classNotFound = @"Class '(" + Php.ValidNameRegex + @")?DynamicClassProbe(" + Php.ValidNameEndRegex + @")*' not found";
    if (response.Contains("DynamicClassProbe Instantiated") || Regex.IsMatch(response, classNotFound))
    {
        return new ScanAlert(ScanAlertOptions.Vulnerability, "User Controlled Dynamic Class Instantiation", TargetTrace);
    }

    var functionUndefined = @"Call to undefined function (" + Php.ValidNameRegex + @")?DynamicFunctionProbe(" + Php.ValidNameEndRegex + @")*";
    if (response.Contains("DynamicFunctionProbe Called") || Regex.IsMatch(response, functionUndefined))
    {
        return new ScanAlert(ScanAlertOptions.Vulnerability, "User Controlled Dynamic Function Call", TargetTrace);
    }

    return null;
}
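/// <summary>
/// Detects an open redirect: a <c>Location</c> header whose authority part (the text
/// before the first path '/') contains our marker, meaning the application redirected
/// to a host we supplied. Only the header block is examined, so a "Location:" echoed
/// in the body cannot trigger a finding.
/// </summary>
/// <param name="TargetTrace">Trace whose raw <c>Response</c> (headers + body) is inspected.</param>
/// <returns>An "Open Redirect" alert, or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    var headers = TargetTrace.Response;
    var bodyStart = headers.IndexOf("\r\n\r\n", StringComparison.Ordinal);
    if (bodyStart != -1)
    {
        headers = headers.Remove(bodyStart);
    }

    // The marker is a literal, so escape it: previously a '.' or '?' in it was
    // interpreted as a regex metacharacter and loosened the match.
    var pattern = @"Location:\s*([^/]+://)?[^/]*" + Regex.Escape(_badChars[0]);
    if (Regex.IsMatch(headers, pattern, RegexOptions.IgnoreCase))
    {
        return new ScanAlert(ScanAlertOptions.Vulnerability, "Open Redirect", TargetTrace);
    }
    return null;
}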
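/// <summary>
/// Open-redirect check. The response is cut at the first blank line so only headers
/// are examined; a <c>Location</c> whose authority part (before the first '/') contains
/// our marker shows the redirect target was attacker-chosen.
/// </summary>
/// <param name="TargetTrace">Trace whose raw <c>Response</c> is inspected.</param>
/// <returns>An "Open Redirect" alert, or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    var headerBlock = TargetTrace.Response;
    var blankLine = headerBlock.IndexOf("\r\n\r\n", StringComparison.Ordinal);
    if (blankLine != -1)
    {
        headerBlock = headerBlock.Remove(blankLine);
    }

    // Escape the marker: it is matched as literal text, and an unescaped '.' or
    // '?' in it would previously have been treated as a regex operator.
    var marker = Regex.Escape(_badChars[0]);
    var redirectedToMarker = Regex.IsMatch(
        headerBlock,
        @"Location:\s*([^/]+://)?[^/]*" + marker,
        RegexOptions.IgnoreCase);
    return redirectedToMarker
        ? new ScanAlert(ScanAlertOptions.Vulnerability, "Open Redirect", TargetTrace)
        : null;
}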
/// <summary>
/// Reports user-controlled dynamic class instantiation or dynamic function calls.
/// Two signals per probe: the probe's own banner in the response (it executed), or
/// PHP's "not found" / "undefined function" error naming the probe (the injected
/// name reached the call site but did not resolve).
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Response</c> is inspected.</param>
/// <returns>The class alert, the function alert, or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    var body = TargetTrace.Response;

    var classInstantiated = body.Contains("DynamicClassProbe Instantiated")
        || Regex.IsMatch(body, @"Class '(" + Php.ValidNameRegex + @")?DynamicClassProbe(" + Php.ValidNameEndRegex + @")*' not found");
    if (classInstantiated)
    {
        return new ScanAlert(ScanAlertOptions.Vulnerability, "User Controlled Dynamic Class Instantiation", TargetTrace);
    }

    var functionCalled = body.Contains("DynamicFunctionProbe Called")
        || Regex.IsMatch(body, @"Call to undefined function (" + Php.ValidNameRegex + @")?DynamicFunctionProbe(" + Php.ValidNameEndRegex + @")*");
    if (functionCalled)
    {
        return new ScanAlert(ScanAlertOptions.Vulnerability, "User Controlled Dynamic Function Call", TargetTrace);
    }

    return null;
}
/// <summary>
/// Builds the request for one scan mode by injecting <c>_badStrings[Mode]</c>
/// through <c>RequestBuilder.CreateRequest</c>.
/// </summary>
/// <param name="Mode">Index into <c>_badStrings</c>.</param>
/// <param name="TargetFile">Script under test.</param>
/// <param name="SourceTrace">Not used here.</param>
/// <returns>The raw HTTP request text.</returns>
protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
{
    var payload = _badStrings[Mode];
    return RequestBuilder.CreateRequest(TargetFile, Server, payload, false, false, true);
}
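/// <summary>
/// Builds a multipart POST that delivers the shell of <c>FileScanMode.DefaultModes[Mode]</c>
/// to every input the traced script reads: each <c>$_GET</c>/<c>$_REQUEST</c> key becomes a
/// query parameter and each <c>$_POST</c> key a form field, both set to the shell file name;
/// each <c>$_FILES</c> key becomes a file part carrying the shell body. A script that reads a
/// superglobal without a key is probed with the field name "shell_file"; a script that reads
/// no <c>$_FILES</c> at all still gets one "shell_file" file part.
/// </summary>
/// <param name="Mode">Index into <c>FileScanMode.DefaultModes</c> (file name, content type, shell body).</param>
/// <param name="TargetFile">Request path; echoed into the request line verbatim.</param>
/// <param name="SourceTrace">
/// Trace of the target script. NOTE: calls that recorded no key are mutated in place to carry
/// "shell_file", and <c>BuildRequest</c> shares the same call list with <c>_requestBuilder</c>,
/// so this method is not read-only with respect to the trace.
/// </param>
/// <returns>The complete raw HTTP/1.1 request text (headers + body).</returns>
protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
{
    var scanMode = FileScanMode.DefaultModes[Mode];

    // --- query string: one parameter per distinct $_GET / $_REQUEST key ---
    var queryString = "";
    var getFields = new HashSet<string>();
    foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x => x.Name == "$_GET" || x.Name == "$_REQUEST"))
    {
        if (c.ParameterValues.Count == 0)
        {
            c.ParameterValues = new List<string> { "shell_file" };
        }
        if (!getFields.Add(c.ParameterValues[0]))
        {
            continue;
        }
        queryString += (queryString.Length != 0 ? "&" : "?") + c.ParameterValues[0] + "=" + HttpUtility.UrlEncode(scanMode.ShellFile);
    }

    // --- multipart body: one form field per distinct $_POST key ---
    var content = "";
    var postFields = new HashSet<string>();
    foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x => x.Name == "$_POST"))
    {
        if (!c.ParameterValues.Any())
        {
            c.ParameterValues.Add("shell_file");
        }
        if (!postFields.Add(c.ParameterValues[0]))
        {
            continue;
        }
        content += "------x\r\n"
            + "Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"\r\n"
            + "\r\n"
            + scanMode.ShellFile + "\r\n";
    }

    // --- file parts: one per distinct $_FILES key, or a single synthetic part ---
    var files = SourceTrace.Calls.Where(x => x.Name == "$_FILES");
    if (!files.Any())
    {
        files = new TracedFunctionCall[] { new TracedFunctionCall() { ParameterValues = new List<string>() { "shell_file" } } };
    }
    else
    {
        Cli.WriteLine("~Yellow~File Upload detected in {0}~R~", TargetFile);
    }
    var fileFields = new HashSet<string>();
    foreach (TracedFunctionCall c in files)
    {
        if (c.Name == "$_FILES" && c.ParameterValues.Count == 0)
        {
            c.ParameterValues = new List<string> { "shell_file" };
        }
        if (!fileFields.Add(c.ParameterValues[0]))
        {
            continue;
        }
        content += "------x\r\n"
            + "Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"; "
            + "filename=\"" + scanMode.ShellFile + "\"\r\n"
            + "Content-Type: " + scanMode.ContentType + "\r\n"
            + "\r\n"
            + scanMode.Shell + "\r\n";
    }
    if (content.Length > 0)
    {
        content += "------x--\r\n" + "\r\n";
    }

    // Content-Length is the char count of `content`; that equals the byte count
    // only if the request is later sent in a single-byte encoding (the
    // Accept-Charset header suggests ISO-8859-1). A shell body containing
    // non-Latin-1 characters would be truncated — TODO confirm the sender's encoding.
    var header = "POST " + TargetFile + queryString + " HTTP/1.1\r\n"
        + "Host: " + _server + "\r\n"
        + "Proxy-Connection: keep-alive\r\n"
        + "User-Agent: x\r\n"
        + "Content-Length: " + content.Length + "\r\n"
        + "Cache-Control: max-age=0\r\n"
        + "Origin: null\r\n"
        + "Content-Type: multipart/form-data; boundary=----x\r\n"
        + "Accept: text/html\r\n"
        + "Accept-Encoding: gzip,deflate,sdch\r\n"
        + "Accept-Language: en-US,en;q=0.8\r\n"
        + "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
        + "\r\n";
    return header + content;
}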
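/// <summary>
/// Arbitrary-file-upload check. A traced file-writing sink receiving our shell file
/// name or an <c>.htaccess</c> path is reported as "Arbitrary File Upload"; otherwise a
/// pending FileSystemWatcher event (set in <c>_fsArgs</c> by the watcher callback) is
/// reported with type, path and, for renames, the previous path. The event is consumed
/// in both branches so it is reported at most once.
/// NOTE(review): "shell.php" is hard-coded here whereas the request builder sends
/// <c>scanMode.ShellFile</c>; confirm they agree for every scan mode.
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Calls</c> are inspected.</param>
/// <returns>"Arbitrary File Upload", "Arbitrary File Event - ..." or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    string[] fileSinks = { "fopen", "file", "copy", "move_uploaded_file", "file_put_contents", "fwrite", "fputs" };
    var sinkSawShell = TargetTrace.Calls.Any(call =>
        fileSinks.Contains(call.Name)
        && call.ParameterValues.Any(arg => arg.Contains("shell.php") || arg.Contains(".htaccess")));

    // Snapshot-and-clear: the field is written from the watcher's thread.
    var pendingEvent = _fsArgs;
    _fsArgs = null;

    if (sinkSawShell)
    {
        return new ScanAlert(ScanAlertOptions.Vulnerability, "Arbitrary File Upload", TargetTrace);
    }
    if (pendingEvent == null)
    {
        return null;
    }

    var eventInfo = string.Format("Type={0} Path={1}", pendingEvent.ChangeType, pendingEvent.FullPath);
    var rename = pendingEvent as RenamedEventArgs;
    if (rename != null)
    {
        eventInfo += " Old Path=" + rename.OldFullPath;
    }
    return new ScanAlert(ScanAlertOptions.Vulnerability, "Arbitrary File Event - " + eventInfo, TargetTrace);
}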
/// <summary>
/// Public entry point for scanning a trace; delegates to the subclass's
/// <c>ScanTraceCore</c> (template-method pattern).
/// </summary>
/// <param name="targetTrace">Trace of the response to the request this scanner built.</param>
/// <returns>The alert produced by the subclass, or <c>null</c> for no finding.</returns>
public ScanAlert ScanTrace(FileTrace targetTrace)
{
    var alert = ScanTraceCore(targetTrace);
    return alert;
}
/// <summary>
/// Subclass hook that builds the raw request text for one scan mode.
/// Called by <c>BuildRequest</c> after the trace's calls have been handed to the request builder.
/// </summary>
/// <param name="Mode">Scan mode index; its meaning is defined by the subclass.</param>
/// <param name="TargetFile">Script under test.</param>
/// <param name="SourceTrace">Trace of the target script that the request is derived from.</param>
/// <returns>The raw HTTP request text to send.</returns>
protected abstract string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace);
/// <summary>
/// Builds the request for one scan mode by injecting <c>_badChars[Mode]</c> through
/// <c>RequestBuilder.CreateRequest</c>.
/// </summary>
/// <param name="Mode">Index into <c>_badChars</c>.</param>
/// <param name="TargetFile">Script under test.</param>
/// <param name="SourceTrace">Not used here.</param>
/// <returns>The raw HTTP request text.</returns>
protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
{
    var marker = _badChars[Mode];
    return RequestBuilder.CreateRequest(TargetFile, Server, marker, true, false, false);
}
/// <summary>
/// Subclass hook that inspects one trace and decides whether it proves a vulnerability.
/// Called by <c>ScanTrace</c>.
/// </summary>
/// <param name="TargetTrace">Trace of the response to the request this scanner built.</param>
/// <returns>An alert describing the finding, or <c>null</c> when there is none.</returns>
protected abstract ScanAlert ScanTraceCore(FileTrace TargetTrace);
/// <summary>
/// Scans a trace for this scanner's vulnerability class by delegating to
/// <c>ScanTraceCore</c>.
/// </summary>
/// <param name="targetTrace">Trace of the response to the request this scanner built.</param>
/// <returns>The subclass's alert, or <c>null</c>.</returns>
public ScanAlert ScanTrace(FileTrace targetTrace)
{
    ScanAlert result = ScanTraceCore(targetTrace);
    return result;
}
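/// <summary>
/// Builds the alert this scanner reports. The previous title contained a typo
/// ("Arbitrarty"), which is fixed here; anything matching on the old text must be updated.
/// </summary>
/// <param name="TargetTrace">Trace the finding is attached to.</param>
/// <returns>A Vulnerability alert titled "Arbitrary PHP Execution".</returns>
private ScanAlert CreateAlert(FileTrace TargetTrace)
{
    return new ScanAlert(ScanAlertOptions.Vulnerability, "Arbitrary PHP Execution", TargetTrace);
}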
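/// <summary>
/// Scans one trace of the file-read / file-inclusion probe. A pending watcher event
/// (<c>_fsArgs</c>, assigned by the FileSystemWatcher callback) is reported first and
/// consumed; otherwise the response is searched for the <c>_badChars</c> marker, and the
/// presence of "5230" right after it upgrades the finding from a file read to inclusion.
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Response</c> is searched.</param>
/// <returns>A Vulnerability alert, or <c>null</c>.</returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
{
    var pendingEvent = _fsArgs; // single read; the field is written from the watcher's thread
    if (pendingEvent != null)
    {
        Console.ForegroundColor = ConsoleColor.Red; // NOTE(review): not reset in this method
        // Mask the watcher while the probe file is rewritten so our own write is
        // not reported next time; the finally guarantees it is re-armed even if
        // WriteProbe() throws (previously a throw left the watcher disabled).
        watcher.EnableRaisingEvents = false;
        try
        {
            WriteProbe();
        }
        finally
        {
            watcher.EnableRaisingEvents = true;
        }
        var eventType = pendingEvent.ChangeType;
        _fsArgs = null;
        return new ScanAlert(ScanAlertOptions.Vulnerability, "File System Event: " + eventType, TargetTrace);
    }

    // Ordinal, case-insensitive matching instead of culture-sensitive ToLower().
    var response = TargetTrace.Response;
    var markerFound = response.IndexOf(_badChars, StringComparison.OrdinalIgnoreCase) >= 0;
    if (!markerFound)
    {
        return null;
    }
    // "5230" after the marker is presumably emitted only when the probe is executed
    // (included) rather than read back as text — TODO confirm against WriteProbe().
    var executed = response.IndexOf(_badChars + "5230", StringComparison.OrdinalIgnoreCase) >= 0;
    var title = executed ? "Local File Inclusion" : "Arbitrary File Read";
    return new ScanAlert(ScanAlertOptions.Vulnerability, title, TargetTrace);
}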
/// <summary>
/// Builds the "SQL Injection" alert this scanner reports for a trace.
/// </summary>
/// <param name="TargetTrace">Trace the finding is attached to.</param>
/// <returns>A Vulnerability alert titled "SQL Injection".</returns>
private ScanAlert CreateAlert(FileTrace TargetTrace)
{
    const string title = "SQL Injection";
    return new ScanAlert(ScanAlertOptions.Vulnerability, title, TargetTrace);
}
/// <summary>
/// Public entry point for building a request: hands the trace's calls to the shared
/// request builder, then delegates to the subclass's <c>BuildRequestCore</c>.
/// </summary>
/// <param name="Mode">Scan mode index, interpreted by the subclass.</param>
/// <param name="TargetFile">Script under test.</param>
/// <param name="SourceTrace">Trace of the target script; its <c>Calls</c> are shared with <c>_requestBuilder</c>.</param>
/// <returns>The raw HTTP request text.</returns>
public string BuildRequest(int Mode, string TargetFile, FileTrace SourceTrace)
{
    _requestBuilder.Calls = SourceTrace.Calls;
    var request = BuildRequestCore(Mode, TargetFile, SourceTrace);
    return request;
}
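/// <summary>
/// Builds a multipart POST delivering the shell of <c>FileScanMode.DefaultModes[Mode]</c>
/// to every input the traced script reads: distinct <c>$_GET</c>/<c>$_REQUEST</c> keys become
/// query parameters and distinct <c>$_POST</c> keys become form fields (both set to the shell
/// file name); distinct <c>$_FILES</c> keys become file parts carrying the shell body. A key-less
/// superglobal read is probed as "shell_file", and a script reading no <c>$_FILES</c> still
/// gets one "shell_file" file part.
/// Fixes a syntax error in the previous version: a stray ';' between the
/// <c>if (files...) { }</c> block and its <c>else</c> made the <c>else</c> dangling.
/// </summary>
/// <param name="Mode">Index into <c>FileScanMode.DefaultModes</c> (file name, content type, shell body).</param>
/// <param name="TargetFile">Request path; written into the request line verbatim.</param>
/// <param name="SourceTrace">
/// Trace of the target script. NOTE: calls that recorded no key are mutated in place to carry
/// "shell_file", and <c>BuildRequest</c> shares the same call list with <c>_requestBuilder</c>.
/// </param>
/// <returns>The complete raw HTTP/1.1 request text (headers + body).</returns>
protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
{
    var scanMode = FileScanMode.DefaultModes[Mode];

    // --- query string: one parameter per distinct $_GET / $_REQUEST key ---
    var queryString = "";
    var getFields = new HashSet<string>();
    foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x => x.Name == "$_GET" || x.Name == "$_REQUEST"))
    {
        if (c.ParameterValues.Count == 0)
        {
            c.ParameterValues = new List<string> { "shell_file" };
        }
        if (!getFields.Add(c.ParameterValues[0]))
        {
            continue;
        }
        queryString += (queryString.Length != 0 ? "&" : "?") + c.ParameterValues[0] + "=" + HttpUtility.UrlEncode(scanMode.ShellFile);
    }

    // --- multipart body: one form field per distinct $_POST key ---
    var content = "";
    var postFields = new HashSet<string>();
    foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x => x.Name == "$_POST"))
    {
        if (!c.ParameterValues.Any())
        {
            c.ParameterValues.Add("shell_file");
        }
        if (!postFields.Add(c.ParameterValues[0]))
        {
            continue;
        }
        content += "------x\r\n"
            + "Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"\r\n"
            + "\r\n"
            + scanMode.ShellFile + "\r\n";
    }

    // --- file parts: one per distinct $_FILES key, or a single synthetic part ---
    var files = SourceTrace.Calls.Where(x => x.Name == "$_FILES");
    if (!files.Any())
    {
        files = new TracedFunctionCall[] { new TracedFunctionCall() { ParameterValues = new List<string>() { "shell_file" } } };
    }
    else
    {
        Cli.WriteLine("~Yellow~File Upload detected in {0}~R~", TargetFile);
    }
    var fileFields = new HashSet<string>();
    foreach (TracedFunctionCall c in files)
    {
        if (c.Name == "$_FILES" && c.ParameterValues.Count == 0)
        {
            c.ParameterValues = new List<string> { "shell_file" };
        }
        if (!fileFields.Add(c.ParameterValues[0]))
        {
            continue;
        }
        content += "------x\r\n"
            + "Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"; "
            + "filename=\"" + scanMode.ShellFile + "\"\r\n"
            + "Content-Type: " + scanMode.ContentType + "\r\n"
            + "\r\n"
            + scanMode.Shell + "\r\n";
    }
    if (content.Length > 0)
    {
        content += "------x--\r\n" + "\r\n";
    }

    // Content-Length is a char count; it matches the byte count only when the
    // request is sent in a single-byte encoding (Accept-Charset hints ISO-8859-1).
    // TODO confirm the sender's encoding before shipping non-Latin-1 shell bodies.
    var header = "POST " + TargetFile + queryString + " HTTP/1.1\r\n"
        + "Host: " + _server + "\r\n"
        + "Proxy-Connection: keep-alive\r\n"
        + "User-Agent: x\r\n"
        + "Content-Length: " + content.Length + "\r\n"
        + "Cache-Control: max-age=0\r\n"
        + "Origin: null\r\n"
        + "Content-Type: multipart/form-data; boundary=----x\r\n"
        + "Accept: text/html\r\n"
        + "Accept-Encoding: gzip,deflate,sdch\r\n"
        + "Accept-Language: en-US,en;q=0.8\r\n"
        + "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n"
        + "\r\n";
    return header + content;
}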
/// <summary>
/// Builds the request for one scan mode. The trace's calls are first shared with
/// <c>_requestBuilder</c> so the subclass's <c>BuildRequestCore</c> can use them.
/// </summary>
/// <param name="Mode">Scan mode index, interpreted by the subclass.</param>
/// <param name="TargetFile">Script under test.</param>
/// <param name="SourceTrace">Trace of the target script.</param>
/// <returns>The raw HTTP request text.</returns>
public string BuildRequest(int Mode, string TargetFile, FileTrace SourceTrace)
{
    var calls = SourceTrace.Calls;
    _requestBuilder.Calls = calls;
    return BuildRequestCore(Mode, TargetFile, SourceTrace);
}
/// <summary>
/// Builds the request for one scan mode by injecting the traversal sequence
/// <c>_traversalSequences[Mode]</c> through <c>RequestBuilder.CreateRequest</c>.
/// </summary>
/// <param name="Mode">Index into <c>_traversalSequences</c>.</param>
/// <param name="TargetFile">Script under test.</param>
/// <param name="SourceTrace">Not used here.</param>
/// <returns>The raw HTTP request text.</returns>
protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
{
    var traversal = _traversalSequences[Mode];
    return RequestBuilder.CreateRequest(TargetFile, Server, traversal, false, false, true);
}