/// <summary>
/// Checks one traced response for evidence that a scanner-supplied file path was honoured.
/// </summary>
/// <param name="TargetTrace">Trace whose <c>Response</c> text is inspected.</param>
/// <returns>
/// A vulnerability alert when a pending file-system event exists or the lowered response contains the
/// lowered <c>_badChars</c> marker; otherwise <c>null</c>.
/// </returns>
protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            // A pending file-system event takes priority over anything in the response text.
            if (_fsArgs != null)
            {
                Console.ForegroundColor = ConsoleColor.Red;

                // Event delivery is off while WriteProbe() runs, presumably so the scanner's own
                // write is not reported back as a new event - confirm against WriteProbe.
                watcher.EnableRaisingEvents = false;
                WriteProbe();
                watcher.EnableRaisingEvents = true;

                var changeType = _fsArgs.ChangeType;

                // Consume the event so the next trace starts clean.
                _fsArgs = null;

                return new ScanAlert(ScanAlertOptions.Vulnerability,
                                     "File System Event: " + changeType, TargetTrace);
            }

            var marker = _badChars.ToLower();
            var response = TargetTrace.Response.ToLower();

            if (!response.Contains(marker))
            {
                return null;
            }

            // NOTE(review): the "5230" suffix presumably only appears when the probe file was executed
            // rather than merely read - confirm against the probe contents.
            string title;

            if (response.Contains(marker + "5230"))
            {
                title = "Local File Inclusion";
            }
            else
            {
                title = "Arbitrary File Read";
            }

            return new ScanAlert(ScanAlertOptions.Vulnerability, title, TargetTrace);
        }
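        /// <summary>
        /// Starts a background watcher for the probe process and builds the request for test case
        /// <paramref name="Mode"/>.
        /// </summary>
        /// <remarks>
        /// The watcher polls every 500 ms for processes named "PHPVHProbe", records a sighting in
        /// <c>_probeDetected</c> and terminates what it found. Termination is best-effort: a probe that
        /// has already exited or cannot be terminated is skipped.
        /// NOTE(review): a new thread is started on every call and this method never stops the previous
        /// one; <c>_probeDetected</c> is written here from the background thread - confirm how the field
        /// is declared and where the thread is stopped.
        /// </remarks>
        /// <param name="Mode">Index into <c>Config.TestCases</c>.</param>
        /// <param name="TargetFile">File the request is built for.</param>
        /// <param name="SourceTrace">Not used by this implementation.</param>
        /// <returns>The request produced by <c>RequestBuilder.CreateRequest</c>.</returns>
        protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
        {
            _processThread = new Thread(x =>
            {
                while (true)
                {
                    Thread.Sleep(500);

                    // NOTE(review): the process name is hard-coded here - confirm it matches the
                    // configured probe name used by the rest of the plugin.
                    var probes = Process.GetProcessesByName("PHPVHProbe");

                    if (probes.Length == 0)
                    {
                        continue;
                    }

                    _probeDetected = true;

                    foreach (var p in probes)
                    {
                        try
                        {
                            p.Kill();
                        }
                        catch (System.InvalidOperationException)
                        {
                            // The probe exited between enumeration and Kill(); nothing left to do.
                        }
                        catch (System.ComponentModel.Win32Exception)
                        {
                            // The probe is already terminating or could not be terminated.
                        }
                        finally
                        {
                            // Release the process handle held by each Process object.
                            p.Dispose();
                        }
                    }
                }
            })
            {
                // Background thread: it must not keep the scanner process alive on exit.
                IsBackground = true
            };
            _processThread.Start();

            return RequestBuilder.CreateRequest(TargetFile, Server,
                                                Config.TestCases[Mode], false, false, true);
        }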
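        /// <summary>
        /// Looks through the traced calls for a configured function whose query argument is reported
        /// as injectable by <c>IsSQLInjectable</c>.
        /// </summary>
        /// <param name="TargetTrace">Trace whose <c>Calls</c> are inspected.</param>
        /// <returns>The alert from <c>CreateAlert</c> for the first injectable call; otherwise <c>null</c>.</returns>
        protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            foreach (var call in TargetTrace.Calls)
            {
                // A configured function only applies when both its name and its parameter count match
                // the traced call. SingleOrDefault throws if the configuration holds two such entries.
                var func = Config.Functions.SingleOrDefault(x => x.Name == call.Name &&
                                                            x.ParamCount == call.ParameterValues.Count);

                if (func == null)
                {
                    continue;
                }

                // QueryParam selects which argument carries the query text.
                // NOTE(review): assumes QueryParam is below ParamCount - confirm against the configuration.
                var value = call.ParameterValues[func.QueryParam];

                if (IsSQLInjectable(value))
                {
                    return CreateAlert(TargetTrace);
                }
            }

            return null;
        }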
 /// <summary>
 /// Reports a full path disclosure when the response contains something shaped like a
 /// drive-qualified file path.
 /// </summary>
 /// <param name="TargetTrace">Trace whose <c>Response</c> text is searched.</param>
 /// <returns>A "Full Path Disclosure" alert on a match; otherwise <c>null</c>.</returns>
 protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
 {
     // One non-word character, one character that is legal in a file name, a colon, then one or
     // more segments each introduced by slashes or backslashes.
     // NOTE(review): the character before the colon is not restricted to letters, so text that only
     // resembles a path can also match - confirm the false-positive rate is acceptable.
     const string pathPattern = @"[^\w][^\\/:*?""<>|]:([\\/]+[^\\/:*?""<>|]+)+";

     if (!Regex.IsMatch(TargetTrace.Response, pathPattern))
     {
         return null;
     }

     return new ScanAlert(ScanAlertOptions.Vulnerability,
                          "Full Path Disclosure", TargetTrace);
 }
 /// <summary>
 /// Flags responses that appear to leak a drive-qualified file system path.
 /// </summary>
 /// <param name="TargetTrace">Trace whose <c>Response</c> text is searched.</param>
 /// <returns>A "Full Path Disclosure" alert when the pattern matches; otherwise <c>null</c>.</returns>
 protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
 {
     // Pattern: a non-word character, a single file-name-legal character, ':', then at least one
     // slash-separated segment made of file-name-legal characters.
     var disclosesPath = Regex.IsMatch(TargetTrace.Response,
         @"[^\w][^\\/:*?""<>|]:([\\/]+[^\\/:*?""<>|]+)+");

     if (disclosesPath)
     {
         return new ScanAlert(ScanAlertOptions.Vulnerability,
             "Full Path Disclosure", TargetTrace);
     }

     return null;
 }
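        /// <summary>
        /// Decides whether the traced request led to execution of the probe program.
        /// </summary>
        /// <remarks>
        /// Three signals count as a hit: the background watcher already saw the probe
        /// (<c>_probeDetected</c>), a traced call to a configured function received an argument that
        /// contains the probe name, or a probe process is running now. Probe processes still alive are
        /// terminated before the alert is returned. Termination is best-effort so that a probe which
        /// has already exited cannot turn a detection into an exception.
        /// </remarks>
        /// <param name="TargetTrace">Trace whose <c>Calls</c> are inspected.</param>
        /// <returns>A "Command Execution" alert on a hit; otherwise <c>null</c>.</returns>
        protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            // Stop the watcher thread. Best-effort: a watcher that cannot be stopped must not prevent
            // the trace from being evaluated.
            if (_processThread != null)
            {
                try
                {
                    _processThread.Abort();
                }
                catch { }
            }

            var detected = _probeDetected;

            if (detected)
            {
                Trace.WriteLine("Probe detected");
            }

            // Reset the flag so it only describes the request that was just traced.
            _probeDetected = false;

            var probeNameLowered = Config.ProbeName.ToLower();

            var probeInArguments = TargetTrace.Calls
                .Where(x => Config.Functions.Contains(x.Name))
                .Any(x => x.ParameterValues.Any(y => y.ToLower().Contains(probeNameLowered)));

            var processes = Process.GetProcessesByName(Config.ProbeName);

            if (!probeInArguments && !detected && processes.Length == 0)
            {
                return null;
            }

            TerminateProbes(processes);

            return new ScanAlert(ScanAlertOptions.Vulnerability,
                                 "Command Execution", TargetTrace);
        }

        // Terminates each probe process and waits for it to exit, skipping ones that are already gone.
        private static void TerminateProbes(Process[] processes)
        {
            foreach (var p in processes)
            {
                try
                {
                    p.Kill();
                    p.WaitForExit();
                }
                catch (System.InvalidOperationException)
                {
                    // The process exited before Kill() was called.
                }
                catch (System.ComponentModel.Win32Exception)
                {
                    // The process is already terminating or could not be terminated.
                }
                finally
                {
                    p.Dispose();
                }
            }
        }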
        /// <summary>
        /// Reports a finding when a traced <c>eval</c> call received the "testabc" marker, or when the
        /// response matches <c>Config.MatchRegex</c> after known false positives are stripped.
        /// </summary>
        /// <param name="TargetTrace">Trace whose calls and response are inspected.</param>
        /// <returns>The alert from <c>CreateAlert</c> on a hit; otherwise <c>null</c>.</returns>
        protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            // Direct evidence first: the marker reached eval as an argument.
            var markerReachedEval = TargetTrace.Calls.Any(call =>
                call.Name == PhpName.Eval &&
                call.ParameterValues.Any(arg => arg.Contains("testabc")));

            if (markerReachedEval)
            {
                return CreateAlert(TargetTrace);
            }

            // Otherwise fall back to the response text, with configured false-positive text removed
            // before the match pattern is applied.
            var cleanedResponse = new Regex(Config.FalsePositiveRegex)
                .Replace(TargetTrace.Response, "");

            if (new Regex(Config.MatchRegex).IsMatch(cleanedResponse))
            {
                return CreateAlert(TargetTrace);
            }

            return null;
        }
        /// <summary>
        /// Builds the request for fuzz mode <paramref name="Mode"/>.
        /// </summary>
        /// <remarks>
        /// Modes below <c>Config.FuzzStrings.Length</c> send the fuzz string as-is; higher modes send a
        /// fuzz string prefixed with a NUL character.
        /// NOTE(review): the branch test uses <c>FuzzStrings.Length</c> but the offset uses
        /// <c>ModeCount / 2</c>; the index is only in range if the two agree - confirm.
        /// </remarks>
        /// <param name="Mode">Fuzz mode index.</param>
        /// <param name="TargetFile">File the request is built for.</param>
        /// <param name="SourceTrace">Not used by this implementation.</param>
        /// <returns>The request produced by <c>RequestBuilder.CreateRequest</c>.</returns>
        protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
        {
            var payload = Mode < Config.FuzzStrings.Length
                ? Config.FuzzStrings[Mode]
                : "\x00" + Config.FuzzStrings[Mode - (ModeCount / 2)];

            return RequestBuilder.CreateRequest(TargetFile, Server,
                                                payload, false, true, true);
        }
        /// <summary>
        /// Reports reflected XSS when the first fuzz string (or an attribute-level reflection) appears
        /// in a response whose status line is 200.
        /// </summary>
        /// <param name="TargetTrace">Trace whose <c>Response</c> text is inspected.</param>
        /// <returns>A "Reflected XSS" alert on a hit; otherwise <c>null</c>.</returns>
        protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            // Everything is compared in lower case, including the status-line pattern below.
            var response = TargetTrace.Response.ToLower();

            var reflected = response.Contains(Config.FuzzStrings[0].ToLower()) ||
                            HasAttributeVulnerability(response);

            // Only a 200 response counts; the pattern is anchored to the start of the response text.
            if (reflected && Regex.IsMatch(response, @"^http/\d\.\d\s200\s"))
            {
                return new ScanAlert(ScanAlertOptions.Vulnerability,
                                     "Reflected XSS", TargetTrace);
            }

            return null;
        }
        /// <summary>
        /// Reports an arbitrary file upload when a file-writing function was called with one of the
        /// scanner's file names, or an arbitrary file event when a file-system event is pending.
        /// </summary>
        /// <param name="TargetTrace">Trace whose <c>Calls</c> are inspected.</param>
        /// <returns>A vulnerability alert on either signal; otherwise <c>null</c>.</returns>
        protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            string[] suspectFunctions =
            {
                "fopen",
                "file",
                "copy",
                "move_uploaded_file",
                "file_put_contents",
                "fwrite",
                "fputs"
            };

            // Signal 1: a suspect function received an argument naming shell.php or .htaccess.
            var markerFileTouched = TargetTrace.Calls.Any(call =>
                suspectFunctions.Contains(call.Name) &&
                call.ParameterValues.Any(arg =>
                    arg.Contains("shell.php") ||
                    arg.Contains(".htaccess")));

            if (markerFileTouched)
            {
                // Drop any pending event so it is not reported again for the next trace.
                _fsArgs = null;

                return new ScanAlert(ScanAlertOptions.Vulnerability,
                                     "Arbitrary File Upload", TargetTrace);
            }

            // Signal 2: a file-system event was recorded while the request ran.
            if (_fsArgs == null)
            {
                return null;
            }

            var eventInfo = string.Format("Type={0} Path={1}",
                                          _fsArgs.ChangeType, _fsArgs.FullPath);

            var renamed = _fsArgs as RenamedEventArgs;

            if (renamed != null)
            {
                eventInfo += " Old Path=" + renamed.OldFullPath;
            }

            _fsArgs = null;

            return new ScanAlert(ScanAlertOptions.Vulnerability,
                                 "Arbitrary File Event - " + eventInfo, TargetTrace);
        }
 /// <summary>
 /// Detects user-controlled dynamic class instantiation or dynamic function calls from the
 /// probe names that show up in the response.
 /// </summary>
 /// <param name="TargetTrace">Trace whose <c>Response</c> text is inspected.</param>
 /// <returns>
 /// A class-instantiation alert, a function-call alert, or <c>null</c> when neither probe name is
 /// reported. The class check takes precedence.
 /// </returns>
 protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
 {
     var response = TargetTrace.Response;

     // Either the probe's own success text or the "class not found" error naming the probe counts.
     var classProbeSeen = response.Contains("DynamicClassProbe Instantiated") ||
         Regex.IsMatch(response,
             @"Class '(" + Php.ValidNameRegex + @")?DynamicClassProbe(" +
             Php.ValidNameEndRegex + @")*' not found");

     if (classProbeSeen)
     {
         return new ScanAlert(ScanAlertOptions.Vulnerability,
             "User Controlled Dynamic Class Instantiation", TargetTrace);
     }

     // Same idea for functions: success text or the "undefined function" error naming the probe.
     var functionProbeSeen = response.Contains("DynamicFunctionProbe Called") ||
         Regex.IsMatch(response,
             @"Call to undefined function (" + Php.ValidNameRegex +
             @")?DynamicFunctionProbe(" + Php.ValidNameEndRegex + @")*");

     if (functionProbeSeen)
     {
         return new ScanAlert(ScanAlertOptions.Vulnerability,
             "User Controlled Dynamic Function Call", TargetTrace);
     }

     return null;
 }
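        /// <summary>
        /// Reports an open redirect when a <c>Location</c> header in the response points at a host
        /// containing the scanner's marker.
        /// </summary>
        /// <param name="TargetTrace">Trace whose <c>Response</c> text is inspected.</param>
        /// <returns>An "Open Redirect" alert on a match; otherwise <c>null</c>.</returns>
        protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            var header = TargetTrace.Response;

            // Only the header section is searched, so a Location-like line in the body cannot match.
            // The blank-line delimiter is located ordinally so the split does not depend on the
            // current culture's comparison rules.
            var headerEnd = header.IndexOf("\r\n\r\n", System.StringComparison.Ordinal);

            if (headerEnd != -1)
            {
                header = header.Remove(headerEnd);
            }

            // The marker must appear in the authority part: optional scheme, then no '/' before it.
            // NOTE(review): _badChars[0] is concatenated into the pattern unescaped, so any regex
            // metacharacters in it are interpreted as pattern syntax - confirm that is intended.
            if (Regex.IsMatch(header, @"Location:\s*([^/]+://)?[^/]*" + _badChars[0],
                RegexOptions.IgnoreCase))
            {
                return new ScanAlert(ScanAlertOptions.Vulnerability,
                    "Open Redirect", TargetTrace);
            }

            return null;
        }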
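        /// <summary>
        /// Reports an open redirect when the response headers carry a <c>Location</c> value whose host
        /// part contains the scanner's marker.
        /// </summary>
        /// <param name="TargetTrace">Trace whose <c>Response</c> text is inspected.</param>
        /// <returns>An "Open Redirect" alert on a match; otherwise <c>null</c>.</returns>
        protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            var header = TargetTrace.Response;

            // Cut the response at the first blank line so only headers are searched. The delimiter
            // is matched ordinally, independent of the current culture.
            var headerEnd = header.IndexOf("\r\n\r\n", System.StringComparison.Ordinal);

            if (headerEnd != -1)
            {
                header = header.Remove(headerEnd);
            }

            // NOTE(review): _badChars[0] goes into the pattern without Regex escaping; metacharacters
            // in the marker would loosen or break the match - confirm the marker is regex-safe.
            var redirectsToMarker = Regex.IsMatch(header,
                                                  @"Location:\s*([^/]+://)?[^/]*" + _badChars[0],
                                                  RegexOptions.IgnoreCase);

            if (redirectsToMarker)
            {
                return new ScanAlert(ScanAlertOptions.Vulnerability,
                                     "Open Redirect", TargetTrace);
            }

            return null;
        }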
 /// <summary>
 /// Maps probe names found in the response to a dynamic class instantiation or dynamic function
 /// call finding.
 /// </summary>
 /// <param name="TargetTrace">Trace whose <c>Response</c> text is inspected.</param>
 /// <returns>The matching alert, class check first; <c>null</c> when neither probe is reported.</returns>
 protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
 {
     var text = TargetTrace.Response;

     // Class probe: its success message, or an error saying a class named after the probe
     // (optionally wrapped in other valid name characters) was not found.
     if (text.Contains("DynamicClassProbe Instantiated") ||
         Regex.IsMatch(text,
                       @"Class '(" + Php.ValidNameRegex + @")?DynamicClassProbe(" +
                       Php.ValidNameEndRegex + @")*' not found"))
     {
         return new ScanAlert(ScanAlertOptions.Vulnerability,
                              "User Controlled Dynamic Class Instantiation", TargetTrace);
     }

     // Function probe: its success message, or an "undefined function" error naming the probe.
     if (text.Contains("DynamicFunctionProbe Called") ||
         Regex.IsMatch(text,
                       @"Call to undefined function (" + Php.ValidNameRegex +
                       @")?DynamicFunctionProbe(" + Php.ValidNameEndRegex + @")*"))
     {
         return new ScanAlert(ScanAlertOptions.Vulnerability,
                              "User Controlled Dynamic Function Call", TargetTrace);
     }

     return null;
 }
 /// <summary>
 /// Builds the request that carries the test string selected by <paramref name="Mode"/>.
 /// </summary>
 /// <param name="Mode">Index into <c>_badStrings</c>; not range-checked here.</param>
 /// <param name="TargetFile">File the request is built for.</param>
 /// <param name="SourceTrace">Not used by this implementation.</param>
 /// <returns>The request produced by <c>RequestBuilder.CreateRequest</c>.</returns>
 protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
 {
     var payload = _badStrings[Mode];

     // The three flags are positional; their meaning is defined by CreateRequest, not visible here.
     var request = RequestBuilder.CreateRequest(TargetFile, Server,
                                                payload, false, false, true);

     return request;
 }
        /// <summary>
        /// Builds a multipart/form-data POST that submits the scan mode's file name through every
        /// GET, REQUEST and POST field seen in the source trace and uploads the scan mode's file
        /// content through every $_FILES field.
        /// </summary>
        /// <remarks>
        /// Calls with no recorded parameter get the field name "shell_file"; this is written back to
        /// the call's <c>ParameterValues</c>. Each field name is used once per section.
        /// NOTE(review): field names from the trace go into the query string and the
        /// Content-Disposition headers as-is (only the GET value is URL-encoded), and Content-Length
        /// is the body's character count, which equals its byte length only if every character is
        /// sent as one byte - confirm how the request is encoded on the wire.
        /// </remarks>
        /// <param name="Mode">Index into <c>FileScanMode.DefaultModes</c>.</param>
        /// <param name="TargetFile">Request target written into the request line.</param>
        /// <param name="SourceTrace">Trace whose superglobal accesses determine the field names.</param>
        /// <returns>The request header block followed by the multipart body.</returns>
        protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
        {
            var scanMode = FileScanMode.DefaultModes[Mode];

            // Query string: one name=value pair per distinct $_GET / $_REQUEST key.
            var query = "";
            var seenGetFields = new HashSet<string>();

            foreach (TracedFunctionCall call in SourceTrace.Calls.Where(x =>
                x.Name == "$_GET" || x.Name == "$_REQUEST"))
            {
                if (call.ParameterValues.Count == 0)
                {
                    call.ParameterValues = new List<string> { "shell_file" };
                }

                var field = call.ParameterValues[0];

                if (!seenGetFields.Add(field))
                {
                    continue;
                }

                var separator = query.Length != 0 ? "&" : "?";

                query += separator + field + "=" + HttpUtility.UrlEncode(scanMode.ShellFile);
            }

            // Body, part 1: plain form fields for each distinct $_POST key.
            var body = "";
            var seenPostFields = new HashSet<string>();

            foreach (TracedFunctionCall call in SourceTrace.Calls.Where(x =>
                x.Name == "$_POST"))
            {
                if (!call.ParameterValues.Any())
                {
                    call.ParameterValues.Add("shell_file");
                }

                var field = call.ParameterValues[0];

                if (!seenPostFields.Add(field))
                {
                    continue;
                }

                body +=
                    "------x\r\n" +
                    "Content-Disposition: form-data; name=\"" + field + "\"\r\n" +
                    "\r\n" +
                    scanMode.ShellFile + "\r\n";
            }

            // Body, part 2: file parts. Without any traced $_FILES access a single default field
            // is still sent.
            var uploads = SourceTrace.Calls.Where(x => x.Name == "$_FILES");

            if (uploads.Any())
            {
                Cli.WriteLine("~Yellow~File Upload detected in {0}~R~", TargetFile);
            }
            else
            {
                uploads = new TracedFunctionCall[]
                {
                    new TracedFunctionCall()
                    {
                        ParameterValues = new List<string>() { "shell_file" }
                    }
                };
            }

            var seenFileFields = new HashSet<string>();

            foreach (TracedFunctionCall call in uploads)
            {
                if (call.Name == "$_FILES" &&
                    call.ParameterValues.Count == 0)
                {
                    call.ParameterValues = new List<string> { "shell_file" };
                }

                var field = call.ParameterValues[0];

                if (!seenFileFields.Add(field))
                {
                    continue;
                }

                body +=
                    "------x\r\n" +
                    "Content-Disposition: form-data; name=\"" + field + "\"; " +
                        "filename=\"" + scanMode.ShellFile + "\"\r\n" +
                    "Content-Type: " + scanMode.ContentType + "\r\n" +
                    "\r\n" +
                    scanMode.Shell + "\r\n";
            }

            // Closing boundary, only when at least one part was written.
            if (body.Length > 0)
            {
                body +=
                    "------x--\r\n" +
                    "\r\n";
            }

            var requestHead =
                "POST " + TargetFile + query + " HTTP/1.1\r\n" +
                "Host: " + _server + "\r\n" +
                "Proxy-Connection: keep-alive\r\n" +
                "User-Agent: x\r\n" +
                "Content-Length: " + body.Length + "\r\n" +
                "Cache-Control: max-age=0\r\n" +
                "Origin: null\r\n" +
                "Content-Type: multipart/form-data; boundary=----x\r\n" +
                "Accept: text/html\r\n" +
                "Accept-Encoding: gzip,deflate,sdch\r\n" +
                "Accept-Language: en-US,en;q=0.8\r\n" +
                "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" +
                "\r\n";

            return requestHead + body;
        }
        /// <summary>
        /// Evaluates a trace for evidence of an arbitrary file upload or an unexpected file-system
        /// event.
        /// </summary>
        /// <param name="TargetTrace">Trace whose <c>Calls</c> are inspected.</param>
        /// <returns>
        /// An "Arbitrary File Upload" alert when a file-writing call names shell.php or .htaccess, an
        /// "Arbitrary File Event" alert when a file-system event is pending, otherwise <c>null</c>.
        /// </returns>
        protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            string[] suspectFunctions =
            {
                "fopen",
                "file",
                "copy",
                "move_uploaded_file",
                "file_put_contents",
                "fwrite",
                "fputs"
            };

            var uploadObserved = TargetTrace.Calls.Any(call =>
                suspectFunctions.Contains(call.Name) &&
                call.ParameterValues.Any(arg =>
                    arg.Contains("shell.php") ||
                    arg.Contains(".htaccess")));

            if (uploadObserved)
            {
                // The traced call is the stronger signal; discard the pending event along with it.
                _fsArgs = null;

                return new ScanAlert(ScanAlertOptions.Vulnerability,
                    "Arbitrary File Upload", TargetTrace);
            }

            if (_fsArgs == null)
            {
                return null;
            }

            var eventInfo = string.Format("Type={0} Path={1}",
                _fsArgs.ChangeType, _fsArgs.FullPath);

            // Rename events also carry the previous path.
            var renamed = _fsArgs as RenamedEventArgs;

            if (renamed != null)
            {
                eventInfo += " Old Path=" + renamed.OldFullPath;
            }

            // Consume the event so it is reported once.
            _fsArgs = null;

            return new ScanAlert(ScanAlertOptions.Vulnerability,
                "Arbitrary File Event - " + eventInfo, TargetTrace);
        }
 /// <summary>
 /// Public entry point for evaluating a trace; delegates to <c>ScanTraceCore</c>.
 /// </summary>
 /// <param name="targetTrace">Trace to evaluate.</param>
 /// <returns>Whatever <c>ScanTraceCore</c> returns for the trace.</returns>
 public ScanAlert ScanTrace(FileTrace targetTrace)
 {
     ScanAlert alert = ScanTraceCore(targetTrace);

     return alert;
 }
 /// <summary>
 /// Implemented by each scan plugin to produce the request text for test case
 /// <paramref name="Mode"/> against <paramref name="TargetFile"/>.
 /// </summary>
 protected abstract string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace);
 /// <summary>
 /// Builds the request that carries the marker selected by <paramref name="Mode"/>.
 /// </summary>
 /// <param name="Mode">Index into <c>_badChars</c>; not range-checked here.</param>
 /// <param name="TargetFile">File the request is built for.</param>
 /// <param name="SourceTrace">Not used by this implementation.</param>
 /// <returns>The request produced by <c>RequestBuilder.CreateRequest</c>.</returns>
 protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
 {
     var marker = _badChars[Mode];

     // The three flags are positional; their meaning is defined by CreateRequest, not visible here.
     var request = RequestBuilder.CreateRequest(TargetFile, Server,
         marker, true, false, false);

     return request;
 }
 /// <summary>
 /// Plugin-specific request construction: returns the request text for test case
 /// <paramref name="Mode"/> against <paramref name="TargetFile"/>.
 /// </summary>
 protected abstract string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace);
 /// <summary>
 /// Plugin-specific trace evaluation: returns an alert for <paramref name="TargetTrace"/>, or
 /// <c>null</c> when the plugin finds nothing to report.
 /// </summary>
 protected abstract ScanAlert ScanTraceCore(FileTrace TargetTrace);
 /// <summary>
 /// Evaluates a trace by handing it to the plugin's <c>ScanTraceCore</c>.
 /// </summary>
 /// <param name="targetTrace">Trace to evaluate.</param>
 /// <returns>The result of <c>ScanTraceCore</c>, unchanged.</returns>
 public ScanAlert ScanTrace(FileTrace targetTrace)
 {
     var result = ScanTraceCore(targetTrace);

     return result;
 }
 /// <summary>
 /// Creates the vulnerability alert this plugin reports for <paramref name="TargetTrace"/>.
 /// </summary>
 /// <param name="TargetTrace">Trace the alert is attached to.</param>
 /// <returns>A new alert flagged as a vulnerability.</returns>
 private ScanAlert CreateAlert(FileTrace TargetTrace)
 {
     // NOTE(review): "Arbitrarty" is misspelled in the alert title. It is kept as-is because report
     // consumers may match on the exact text; correct it together with any such consumers.
     var alert = new ScanAlert(ScanAlertOptions.Vulnerability,
                               "Arbitrarty PHP Execution", TargetTrace);

     return alert;
 }
        /// <summary>
        /// Evaluates a trace for file inclusion or file read, using a pending file-system event or the
        /// <c>_badChars</c> marker in the response as evidence.
        /// </summary>
        /// <param name="TargetTrace">Trace whose <c>Response</c> text is inspected.</param>
        /// <returns>
        /// A "File System Event" alert when an event is pending, a "Local File Inclusion" or
        /// "Arbitrary File Read" alert when the marker is in the response, otherwise <c>null</c>.
        /// </returns>
        protected override ScanAlert ScanTraceCore(FileTrace TargetTrace)
        {
            if (_fsArgs != null)
            {
                Console.ForegroundColor = ConsoleColor.Red;

                // The watcher is paused while the probe is rewritten and resumed straight after.
                watcher.EnableRaisingEvents = false;
                WriteProbe();
                watcher.EnableRaisingEvents = true;

                var eventType = _fsArgs.ChangeType;

                // Clear the pending event so it is reported once.
                _fsArgs = null;

                return new ScanAlert(ScanAlertOptions.Vulnerability,
                    "File System Event: " + eventType, TargetTrace);
            }

            // Marker and response are both lowered, so the comparison ignores case.
            var marker = _badChars.ToLower();
            var response = TargetTrace.Response.ToLower();

            if (!response.Contains(marker))
            {
                return null;
            }

            // NOTE(review): the "5230" suffix is taken to mean the probe was executed, not just
            // read - confirm against the probe contents.
            var title = response.Contains(marker + "5230")
                ? "Local File Inclusion"
                : "Arbitrary File Read";

            return new ScanAlert(ScanAlertOptions.Vulnerability, title, TargetTrace);
        }
 /// <summary>
 /// Creates the "SQL Injection" vulnerability alert for <paramref name="TargetTrace"/>.
 /// </summary>
 /// <param name="TargetTrace">Trace the alert is attached to.</param>
 /// <returns>A new alert flagged as a vulnerability.</returns>
 private ScanAlert CreateAlert(FileTrace TargetTrace)
 {
     var alert = new ScanAlert(ScanAlertOptions.Vulnerability,
                               "SQL Injection", TargetTrace);

     return alert;
 }
        /// <summary>
        /// Public entry point for request construction: hands the traced calls to the request builder,
        /// then delegates to <c>BuildRequestCore</c>.
        /// </summary>
        /// <param name="Mode">Test case index, passed through unchanged.</param>
        /// <param name="TargetFile">File the request is built for.</param>
        /// <param name="SourceTrace">Trace whose <c>Calls</c> are given to the request builder.</param>
        /// <returns>The request text returned by <c>BuildRequestCore</c>.</returns>
        public string BuildRequest(int Mode, string TargetFile, FileTrace SourceTrace)
        {
            // The builder needs the traced calls before the plugin asks it for a request.
            _requestBuilder.Calls = SourceTrace.Calls;

            string request = BuildRequestCore(Mode, TargetFile, SourceTrace);

            return request;
        }
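        /// <summary>
        /// Builds a multipart/form-data POST that submits the scan mode's file name through every
        /// GET, REQUEST and POST field seen in the source trace and uploads the scan mode's file
        /// content through every $_FILES field.
        /// </summary>
        /// <remarks>
        /// Calls with no recorded parameter get the field name "shell_file"; this is written back to
        /// the call's <c>ParameterValues</c>. Each field name is used once per section.
        /// NOTE(review): field names from the trace go into the query string and the
        /// Content-Disposition headers as-is (only the GET value is URL-encoded), and Content-Length
        /// is the body's character count, which equals its byte length only if every character is
        /// sent as one byte - confirm how the request is encoded on the wire.
        /// </remarks>
        /// <param name="Mode">Index into <c>FileScanMode.DefaultModes</c>.</param>
        /// <param name="TargetFile">Request target written into the request line.</param>
        /// <param name="SourceTrace">Trace whose superglobal accesses determine the field names.</param>
        /// <returns>The request header block followed by the multipart body.</returns>
        protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
        {
            var scanMode = FileScanMode.DefaultModes[Mode];

            string _queryString = "";

            var getFields = new List<string>();

            // Query string: one name=value pair per distinct $_GET / $_REQUEST key.
            foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x =>
                                                                     (x.Name == "$_GET" || x.Name == "$_REQUEST")))
            {
                if (c.ParameterValues.Count == 0)
                {
                    c.ParameterValues = new List<string> { "shell_file" };
                }

                if (getFields.Contains(c.ParameterValues[0]))
                {
                    continue;
                }

                getFields.Add(c.ParameterValues[0]);

                _queryString += (_queryString.Length != 0 ? "&" : "?") +
                                c.ParameterValues[0] + "=" + HttpUtility.UrlEncode(scanMode.ShellFile);
            }

            var content = "";

            var postFields = new List<string>();

            // Body, part 1: plain form fields for each distinct $_POST key.
            foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x =>
                                                                     x.Name == "$_POST"))
            {
                if (!c.ParameterValues.Any())
                {
                    c.ParameterValues.Add("shell_file");
                }

                if (postFields.Contains(c.ParameterValues[0]))
                {
                    continue;
                }

                postFields.Add(c.ParameterValues[0]);

                content +=
                    "------x\r\n" +
                    "Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"\r\n" +
                    "\r\n" +
                    scanMode.ShellFile + "\r\n";
            }

            // Body, part 2: file parts. Without any traced $_FILES access a single default field
            // is still sent.
            var files = SourceTrace.Calls.Where(x => x.Name == "$_FILES");

            if (!files.Any())
            {
                files = new TracedFunctionCall[]
                {
                    new TracedFunctionCall()
                    {
                        ParameterValues = new List<string>() { "shell_file" }
                    }
                };
            }
            else
            {
                Cli.WriteLine("~Yellow~File Upload detected in {0}~R~", TargetFile);
            }

            var fileFields = new List<string>();

            foreach (TracedFunctionCall c in files)
            {
                if (c.Name == "$_FILES" &&
                    c.ParameterValues.Count == 0)
                {
                    c.ParameterValues = new List<string> { "shell_file" };
                }

                if (fileFields.Contains(c.ParameterValues[0]))
                {
                    continue;
                }

                fileFields.Add(c.ParameterValues[0]);

                content +=
                    "------x\r\n" +
                    "Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"; " +
                    "filename=\"" + scanMode.ShellFile + "\"\r\n" +
                    "Content-Type: " + scanMode.ContentType + "\r\n" +
                    "\r\n" +
                    scanMode.Shell + "\r\n";
            }

            // Closing boundary, only when at least one part was written.
            if (content.Length > 0)
            {
                content +=
                    "------x--\r\n" +
                    "\r\n";
            }

            var header =
                "POST " + TargetFile + _queryString + " HTTP/1.1\r\n" +
                "Host: " + _server + "\r\n" +
                "Proxy-Connection: keep-alive\r\n" +
                "User-Agent: x\r\n" +
                "Content-Length: " + content.Length + "\r\n" +
                "Cache-Control: max-age=0\r\n" +
                "Origin: null\r\n" +
                "Content-Type: multipart/form-data; boundary=----x\r\n" +
                "Accept: text/html\r\n" +
                "Accept-Encoding: gzip,deflate,sdch\r\n" +
                "Accept-Language: en-US,en;q=0.8\r\n" +
                "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" +
                "\r\n";

            return header + content;
        }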
 /// <summary>
 /// Implemented by each scan plugin to decide whether <paramref name="TargetTrace"/> shows a
 /// finding; returns the alert, or <c>null</c> when there is nothing to report.
 /// </summary>
 protected abstract ScanAlert ScanTraceCore(FileTrace TargetTrace);
        /// <summary>
        /// Gives the request builder the traced calls and then asks the plugin's
        /// <c>BuildRequestCore</c> for the request.
        /// </summary>
        /// <param name="Mode">Test case index, passed through unchanged.</param>
        /// <param name="TargetFile">File the request is built for.</param>
        /// <param name="SourceTrace">Trace whose <c>Calls</c> are given to the request builder.</param>
        /// <returns>The request text returned by <c>BuildRequestCore</c>.</returns>
        public string BuildRequest(int Mode, string TargetFile, FileTrace SourceTrace)
        {
            // Must happen first: the builder is assigned the calls before the core method runs.
            _requestBuilder.Calls = SourceTrace.Calls;

            var builtRequest = BuildRequestCore(Mode, TargetFile, SourceTrace);

            return builtRequest;
        }
 /// <summary>
 /// Builds the request that carries the traversal sequence selected by <paramref name="Mode"/>.
 /// </summary>
 /// <param name="Mode">Index into <c>_traversalSequences</c>; not range-checked here.</param>
 /// <param name="TargetFile">File the request is built for.</param>
 /// <param name="SourceTrace">Not used by this implementation.</param>
 /// <returns>The request produced by <c>RequestBuilder.CreateRequest</c>.</returns>
 protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
 {
     var sequence = _traversalSequences[Mode];

     // The three flags are positional; their meaning is defined by CreateRequest, not visible here.
     var request = RequestBuilder.CreateRequest(TargetFile, Server, sequence,
         false, false, true);

     return request;
 }