 // Probes for HTTP response-header (CRLF) injection. Every marker in
 // this.crlf_inj_str is sent twice - bare and appended to the parameter's
 // original value - and the first payload after which the response carries a
 // header named 'Neww' is reported. Each attempt is written to the trace.
 void CheckForCRLFInjection()
 {
     this.Scnr.Trace("<i<br>><i<h>>Checking for Header Injection:<i</h>>");
     this.Scnr.Trace("<i<br>><i<b>>  Trying to inject a header named 'Neww'<i</b>>");
     // Trying the marker both ways covers parameters that are only processed
     // when they still start with their expected value.
     string[] prefixes = new string[] { "", this.Scnr.PreInjectionParameterValue };
     foreach (string marker in this.crlf_inj_str)
     {
         foreach (string prefix in prefixes)
         {
             string payload = prefix + marker;
             this.Scnr.RequestTrace(string.Format("  Injected payload - {0}", payload));
             Response res = this.Scnr.Inject(payload);
             if (!res.Headers.Has("Neww"))
             {
                 this.Scnr.ResponseTrace("  ==> Header not injected");
                 continue;
             }
             this.Scnr.ResponseTrace("  ==> <i<cr>>Header 'Neww' injected<i</cr>>");
             this.reason = this.GetReason(payload);
             this.ReportCRLFInjection(payload, string.Format("The payload in this request attempts to insert a header with name 'Neww' in the response. The payload is {0}", payload), "Neww: Headerr", "This response has a header named 'Neww' which was added because of the payload");
             // One confirmed injection is enough; the remaining markers are not sent.
             return;
         }
     }
 }
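 // Entry point for the Server Side Includes injection check. Sends an SSI
 // printenv directive three ways (appended to the parameter's original value,
 // with a quote/tag-breaking prefix, and bare) and reports a finding when the
 // response body contains every environment variable name printenv would emit.
 public override void Check(Scanner scnr)
 {
     //#Check logic based on https://github.com/fnordbg/SSI-Scan
     this.Scnr = scnr;
     this.Scnr.Trace("<i<br>><i<h>>Checking for Server Side Includes Injection:<i</h>><i<br>><i<br>>");
     // Names printenv prints on a server that evaluates SSI directives. All of
     // them must be present before a finding is raised, so a page that merely
     // mentions one of them is not reported. One list feeds the check, the
     // reason and the report so the three can no longer drift apart.
     string[] envVarNames = new string[] { "REMOTE_ADDR", "DATE_LOCAL", "DATE_GMT", "DOCUMENT_URI", "LAST_MODIFIED" };
     List<string> payloads = new List<string>() {string.Format("{0}\"'><!--#printenv -->", this.Scnr.PreInjectionParameterValue), "\"'><!--#printenv -->", "<!--#printenv -->"};
     foreach(string payload in payloads)
     {
         this.Scnr.RequestTrace("Injected - " + payload);
         Response res = this.Scnr.Inject(payload);
         bool allPresent = true;
         foreach (string name in envVarNames)
         {
             if (!res.BodyString.Contains(name))
             {
                 allPresent = false;
                 break;
             }
         }
         if (!allPresent)
         {
             this.Scnr.ResponseTrace(" ==> The response does not contain any Environment variable information.");
             continue;
         }
         this.Scnr.ResponseTrace(" ==> <i<cr>> Got contents of Environment variables in the response body. Indicates SSI Injection.<i</cr>>");
         this.reason = this.GetReason(payload, new List<string>(envVarNames));
         this.ReportSSI(payload, string.Format("The payload in this request contains a SSI snippet <!--#printenv--> which if executed will print the contents of the environment variables. The payload is: {0}", payload), string.Join("\r\n", envVarNames), "This response contains some keywords that are similar to some standard environment variable names.");
         // The first confirmed payload is reported; the rest are not sent.
         return;
     }
     this.Scnr.Trace("<i<br>>No indication for presence of SSI Injection");
 }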
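        // Builds the explanation for a blind SQL injection finding confirmed by a
        // time delay: the payload asked the database to sleep, and the response
        // came back DelayObserved ms after a baseline of AverageBaseTime ms.
        // TimeCheckResults: DelayPayload (trace-encoded before display), plus
        //                   DelayInduced, DelayObserved and AverageBaseTime in ms.
        // Trigger: index of the request that produced the delay.
        FindingReason GetBlindTimeReason(TimeBasedCheckResults TimeCheckResults, int Trigger)
        {
            //#Reason = "IronWASP sent <i>' and pg_sleep(5)--</i> as payload to the application. "
            string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. ", Tools.EncodeForTrace(TimeCheckResults.DelayPayload));
            //#Reason = Reason + "This payload has a small snippet of SQL code that will cause the database server to sleep for 5000 milliseconds. "
            Reason = Reason + string.Format("This payload has a small snippet of SQL code that will cause the database server to sleep for <i<hlg>>{0}<i</hlg>> milliseconds. ", TimeCheckResults.DelayInduced);
            //#Reason = Reason + "If this code is executed then the application will return the response 5000 milliseconds later than usual. "
            Reason = Reason + string.Format("If this code is executed then the application will return the response <i<hlg>>{0}<i</hlg>> milliseconds later than usual. ", TimeCheckResults.DelayInduced);
            //#Reason = Reason + "After the payload was injected the response from the application took <i>6783</i> milliseconds. "
            Reason = Reason + string.Format("After the payload was injected the response from the application took <i<hlg>>{0}<i</hlg>> milliseconds. ", TimeCheckResults.DelayObserved);
            //#Reason = Reason + "Normally this particular request is processed at around <i>463</i> milliseconds. "
            // The opening tag here used to be "<i</hlg>>", which left the baseline
            // time unhighlighted and the markup unbalanced in the rendered reason.
            Reason = Reason + string.Format("Normally this particular request is processed at around <i<hlg>>{0}<i</hlg>> milliseconds. ", TimeCheckResults.AverageBaseTime);
            Reason = Reason + "This indicates that the injected SQL code snippet could have been executed on the server-side.";

            string ReasonType = "TimeDelay";

            //#False Positive Check
            string FalsePositiveCheck = "To check if this was a valid case or a false positive you can manually inject the same payload but by changing the number of seconds of delay to different values. Then you can observe if the time taken for the response to be returned is affected accordingly.";
            FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";

            FindingReason FR = new FindingReason(Reason, ReasonType, Trigger, FalsePositiveCheck);
            return FR;
        }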
        // Builds the explanation for a blind SQL injection finding confirmed by
        // arithmetic probes: six payloads A-F, where A/B subtract to first_diff,
        // C/D subtract to second_diff and E/F subtract a string from a number.
        // first_group holds the payload ids whose responses clustered together; a
        // count of 2 means only A and B matched, anything else means A-D matched.
        // payloads is rewritten in place with trace-encoded values (callers see
        // the encoded strings afterwards). Trigger is the id of the last of the
        // six trigger requests; the five before it are assumed to be the others.
        FindingReason GetBlindMathSubtractReason(List<string> payloads, int first_diff, int second_diff, List<string> first_group, List<string> second_group, int Trigger)
        {
            string[] ids = new string[] { "A", "B", "C", "D", "E", "F" };

            //#Payload A - <i>4-1<i>
            //#Payload B - <i>5-2<i>
            //#Payload C - <i>7-5<i>
            //#Payload D - <i>8-6<i>
            //#Payload E - <i>4-a<i>
            //#Payload F - <i>4-b<i>

            string Reason = "IronWASP sent six payload to the application with SQL code snippets in them.<i<br>>";
            for (int idx = 0; idx < ids.Length; idx++)
            {
                payloads[idx] = Tools.EncodeForTrace(payloads[idx]);
                Reason += string.Format("Payload {0} - <i<hlg>>{1}<i</hlg>><i<br>>", ids[idx], payloads[idx]);
            }

            //#Reason = Reason + "Payload A and B is the subtraction of two numbers whose difference is 3. "
            Reason += string.Format("Payload A and B is the subtraction of two numbers whose difference is <i<hlg>>{0}<i</hlg>>. ", first_diff);
            //#Reason = Reason + "Payload C and D is also the subtraction of two numbers whose difference would be 2. "
            Reason += string.Format("Payload C and D is also the subtraction of two numbers whose difference would be <i<hlg>>{0}<i</hlg>>. ", second_diff);
            Reason += "Payload E and F are invalid subtraction attempts as a string is being deducted from a number.<i<br>>";

            // Which payloads clustered decides which of the two narratives applies.
            bool onlyFirstPairMatched = first_group.Count == 2;
            string[] explanation = onlyFirstPairMatched
                ? new string[]
                {
                    "The response for Payload A and B is similar to each other and is different from Payloads C, D, E and F. ",
                    "This indicates that the application actually performed the subtraction of the two numbers in the Payload A and B. ",
                    "Since their differnce is the same their responses are similar. Payloads C and D have a different difference values. ",
                    "Payload E and F are invalid subtraction attempts. If the application was not actually performing subtraction then all six payload should have returned very similar responses. "
                }
                : new string[]
                {
                    "The response for Payload A, B, C and D are similar to each other and is different from Payloads E and F. ",
                    "This indicates that the application actually performed the subtraction of the two numbers in the Payload A, B, C and D. ",
                    "Since in all four cases the substration is a valid SQL syntax their responses are similar. ",
                    "Payload E and F are invalid subtraction attempts so their responses are different. If the application was not actually performing subtraction then all six payloads should have returned very similar responses. "
                };
            Reason += string.Concat(explanation);
            Reason += "Therefore this indicates that SQL syntax from the payload is executed as part of the SQL query on the server.";

            string ReasonType = "MathSubtract";

            //#False Positive Check
            string FalsePositiveCheck = string.Concat(
                "Manually analyze the responses received for the six payloads and confirm if the type of similarity explained above actually exists in them. Try resending the same payloads again but with different numbers and check if this behaviour is repeated.",
                "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.");

            // Trigger ids of the six probes, oldest first.
            List<int> triggers = new List<int>();
            for (int back = 5; back >= 0; back--)
            {
                triggers.Add(Trigger - back);
            }
            return new FindingReason(Reason, ReasonType, triggers, FalsePositiveCheck);
        }
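        // Builds the explanation for a blind SQL injection finding confirmed by
        // string-concatenation probes: payload A uses Oracle syntax ('||'), B uses
        // MS SQL syntax ('+') and C uses MySQL syntax (' '), and the one matching
        // `db` produced a response unlike the other two.
        // payloads: the three injected payloads in A, B, C order; rewritten in
        //           place with their trace-encoded form.
        // db:       "Oracle", "MS SQL" or "MySQL" as inferred by the caller.
        // Trigger:  id of the last of the three trigger requests; the two before
        //           it are assumed to be the other probes.
        // Returns null when `db` is not one of the three supported names.
        FindingReason GetBlindConcatReason(List<string> payloads, string db, int Trigger)
        {
            string Reason = "IronWASP sent three payloads to the application with SQL code snippets in them.<i<br>>";

            string[] ids = new string[] { "A", "B", "C" };

            //#Payload A - <i>a'||'b<i>
            //#Payload B - <i>a'+'b<i>
            //#Payload C - <i>a' 'b<i>

            for (int i = 0; i < ids.Length; i++)
            {
                payloads[i] = Tools.EncodeForTrace(payloads[i]);
                Reason = Reason + string.Format("Payload {0} - <i<hlg>>{1}<i</hlg>><i<br>>", ids[i], payloads[i]);
            }
            Reason = Reason + "Payload A is trying to concatenate two strings as per the SQL syntax of Oracle database servers. ";
            Reason = Reason + "Payload B is trying to concatenate the same two strings as per SQL syntax of MS SQL database servers. ";
            Reason = Reason + "Payload C is trying to concatenate the same two strings as per the SQL syntax of MySQL database servers.<i<br>>";

            // The payload written in the detected database's own syntax is the odd
            // one out; the other two share an "invalid syntax" style response.
            string diff;
            List<string> same;
            switch (db)
            {
                case "Oracle":
                    diff = "A";
                    same = new List<string>() { "B", "C" };
                    break;
                case "MS SQL":
                    diff = "B";
                    same = new List<string>() { "A", "C" };
                    break;
                case "MySQL":
                    diff = "C";
                    same = new List<string>() { "A", "B" };
                    break;
                default:
                    // Unknown (or null) database name: no payload pair to describe.
                    return null;
            }

            //#Reason = Reason + "The response for Payload A and B were similar to each other and is different from the response recieved for Payloads C. "
            Reason = Reason + string.Format("The response for Payload {0} and {1} were similar to each other and is different from the response received for Payloads {2}. ", same[0], same[1], diff);
            //#Reason = Reason + "This indicates that the application was actually trying to perform the string concatenation on the server-side and that the backend database in use is MySQL. "
            Reason = Reason + string.Format("This indicates that the application was actually trying to perform the string concatenation on the server-side and that the backend database in use is <i<hlg>>{0}<i</hlg>>. ", db);
            //#Reason = Reason + "Since incase of MySQL Payloads A & B would have simply thrown an invalid SQL syntax exception their responses are similar. "
            // {1} and {2} name the two matching payloads. The format used to repeat
            // {0}, printing the database name where the first payload letter belongs.
            Reason = Reason + string.Format("Since incase of <i<hlg>>{0}<i</hlg>> database server Payloads {1} & {2} would have simply thrown an invalid SQL syntax exception their responses are similar. ", db, same[0], same[1]);
            //#Reason = Reason + "And Payload C would have executed without this error and so its response was different than the other two.<i<br>>"
            Reason = Reason + string.Format("And Payload {0} would have executed without this error and so its response was different than the other two.<i<br>>", diff);

            Reason = Reason + "If the application was not actually performing the concatenation then all three payload should have received very similar responses. ";
            Reason = Reason + "Therefore this indicates that SQL syntax from the payload is executed as part of the SQL query on the server.";

            string ReasonType = "Concat";

            //#False Positive Check
            string FalsePositiveCheck = "Manually analyze the responses received for the three payloads and confirm if the type of similarity explained above actually exists in them. Try resending the same payloads again but with different strings and check if this behaviour is repeated.";
            FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";

            FindingReason FR = new FindingReason(Reason, ReasonType, new List<int> { Trigger - 2, Trigger - 1, Trigger }, FalsePositiveCheck);
            return FR;
        }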
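        // Builds the explanation for a blind SQL injection finding confirmed by
        // boolean probes: payloads A and C carry a true condition after the
        // bool_cond keyword, B and D a false one, and the responses clustered
        // A/C versus B/D.
        // payloads:  the four injected payloads in A-D order; rewritten in place
        //            with their trace-encoded form.
        // bool_cond: the SQL keyword used in the probes (e.g. "or"); shown upper-cased.
        // Trigger:   id of the last of the four trigger requests; the three before
        //            it are assumed to be the other probes.
        FindingReason GetBlindBoolReason(List<string> payloads, string bool_cond, int Trigger)
        {
            // A SQL keyword is not locale-specific text, so its display casing must
            // not depend on the thread culture.
            bool_cond = bool_cond.ToUpperInvariant();

            string Reason = "IronWASP sent four payloads to the application with SQL code snippets in them.<i<br>>";

            string[] ids = new string[] { "A", "B", "C", "D" };
            //#Payload A - <i>a' or 8=8--<i>
            //#Payload B - <i>a' or 7=5--<i>
            //#Payload C - <i>a' or 6=6--<i>
            //#Payload D - <i>a' or 4=6--<i>

            for (int i = 0; i < ids.Length; i++)
            {
                payloads[i] = Tools.EncodeForTrace(payloads[i]);
                Reason = Reason + string.Format("Payload {0} - <i<hlg>>{1}<i</hlg>><i<br>>", ids[i], payloads[i]);
            }

            //#Reason = Reason + "Payload A and C have a boolean condition after the OR keyword that will evaluate to true. The boolean condition in Payload B and D would evaluate to false.".format(payload)
            Reason = Reason + string.Format("Payload A and C have a boolean condition after the <i<hlg>>{0}<i</hlg>> keyword that will evaluate to true. ", bool_cond);
            Reason = Reason + "The boolean condition in Payload B and D would evaluate to false.<i<br>>";

            Reason = Reason + "The response for Payload A and C were similar to each other and were different from the response received for Payload B and D. ";
            Reason = Reason + "This indicates that the application was actually evaluating the boolean condition in the payloads. ";
            // B and D are the false-condition payloads (see above); the text used to
            // say "C and D", contradicting the sentence before it.
            Reason = Reason + "So since Payload A and C both has a true boolean condition their responses are similar, B and D had a false boolean condition.<i<br>>";

            Reason = Reason + "If the application was not actually evaluating the boolean condition then all four payload should have returned very similar responses. ";
            Reason = Reason + "Therefore this indicates that SQL syntax from the payload is executed as part of the SQL query on the server.";

            string ReasonType = "Bool";

            //#False Positive Check
            string FalsePositiveCheck = "Manually analyze the responses received for the four payloads and confirm if the type of similarity explained above actually exists in them. Try resending the same payloads again but with values in the boolean expression and check if this behaviour is repeated.";
            FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";

            FindingReason FR = new FindingReason(Reason, ReasonType, new List<int> { Trigger - 3, Trigger - 2, Trigger - 1, Trigger }, FalsePositiveCheck);
            return FR;
        }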
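        // Builds the explanation for a local file read finding in which the file's
        // expected contents were echoed back in the response.
        // payload:       the injected string; trace-encoded before display.
        // file_name:     the file the payload referred to (shown as-is).
        // file_contents: the marker text that was found in the response (shown as-is).
        // slash:         the path separator used in the traversal sequence.
        // Trigger:       id of the request that echoed the file.
        // Prefix:        "file:" when the payload used the file: scheme rather than
        //                a "../" traversal; only that value changes the wording.
        // Only `payload` goes through Tools.EncodeForTrace; file_name, file_contents
        // and slash are inserted into the markup unencoded - presumably they are
        // scanner-chosen constants rather than response data, confirm at call sites.
        FindingReason GetEchoReason(string payload, string file_name, string file_contents, string slash, int Trigger, string Prefix)
        {
            payload = Tools.EncodeForTrace(payload);
            //#Reason = "IronWASP sent <i>../../../../../../../../../../../../../etc/passwd\000.txt</i> as payload to the application. "
            string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. ", payload);
            //#Reason = Reason + "This payload tries to refer to the file <i>/etc/passwd</i> by traversing from the current directory with a series of <i>../</i>. "
            if (Prefix == "file:")
            {
                // Trailing space added so this sentence no longer runs into the next one.
                Reason = Reason + string.Format("This payload tries to refer to the file <i<hlg>>{0}<i</hlg>> by using the <i<hlg>>file:<i</hlg>> protocol. ", file_name);
            }
            else
            {
                Reason = Reason + string.Format("This payload tries to refer to the file <i<hlg>>{0}<i</hlg>> by traversing from the current directory with a series of <i<hlg>>..{1}<i</hlg>>. ", file_name, slash);
            }
            //#Reason = Reason + "If the application is vulnerable it will load the <i>/etc/passwd</i> file and send its contents in the response. "
            Reason = Reason + string.Format("If the application is vulnerable it will load the <i<hlg>>{0}<i</hlg>> file and send its contents in the response. ", file_name);
            //#Reason = Reason + "The response that came back from the application after the payload was injected had the text <i>root:x:0:0:</i>, which is usually found in <i>/etc/passwd</i> files. This indicates that the <i>/etc/passwd</i> file was loaded and its content printed in the response.".format(payload, code)
            Reason = Reason + string.Format("The response that came back from the application after the payload was injected had the text <i<hlg>>{0}<i</hlg>>, which is usually found in <i<hlg>>{1}<i</hlg>> files. This indicates that the <i<hlg>>{1}<i</hlg>> file was loaded and its content printed in the response.", file_contents, file_name);

            string ReasonType = "Echo";

            //#False Positive Check
            //#Reason = Reason + "To check if this was a valid case or a false positive you can first manually look at the response sent for this payload and determine if it actually contains the contents of the <i<hlg>>/etc/passwd<i</hlg>> file. "
            string FalsePositiveCheck = string.Format("To check if this was a valid case or a false positive you can first manually look at the response sent for this payload and determine if it actually contains the contents of the <i<hlg>>{0}<i</hlg>> file. ", file_name);
            FalsePositiveCheck = FalsePositiveCheck + "After that you can try changing the file name to something else and see if the server prints those file contents.";
            FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";

            FindingReason FR = new FindingReason(Reason, ReasonType, Trigger, FalsePositiveCheck);
            return FR;
        }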
        // Builds the explanation for a blind (time-based) command injection
        // finding: the payload embedded a self-ping command and the response
        // arrived DelayObserved ms after a baseline of AverageBaseTime ms.
        // payload: the injected string, trace-encoded before display.
        // cmd:     the command inside it, inserted into the markup unencoded -
        //          presumably a scanner-chosen constant, confirm at the call site.
        // TimeCheckResults: DelayInduced, DelayObserved and AverageBaseTime in ms.
        // The trigger reference is this.TriggerCount.
        FindingReason GetBlindReason(string payload, string cmd, TimeBasedCheckResults TimeCheckResults)
        {
            string shownPayload = Tools.EncodeForTrace(payload);
            // Number of pings that adds up to the induced delay.
            var pingCount = PingCountCalculator(TimeCheckResults.DelayInduced);

            //#Reason = "IronWASP sent <i>'; ping -n 8 localhost</i> as payload to the application. This payload has a small system command - <i>ping -n 8 localhost</i>. "
            //#Reason = Reason + "If this command is executed then the server will ping itself 8 times. This will cause the response to be returned around 5000 milliseconds later than usual. "
            //#Reason = Reason + "After the payload was injected the response from the application took <i>6783</i> milliseconds. Normally this particular request is processed at around <i>463</i> milliseconds. "
            string[] sentences = new string[]
            {
                string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload has a small system command - <i<hlg>>{1}<i</hlg>>. ", shownPayload, cmd),
                string.Format("If this command is executed then the server will ping itself <i<hlg>>{0}<i</hlg>> times. This will cause the response to be returned around <i<hlg>>{1}<i</hlg>> milliseconds later than usual. ", pingCount, TimeCheckResults.DelayInduced),
                string.Format("After the payload was injected the response from the application took <i<hlg>>{0}<i</hlg>> milliseconds. Normally this particular request is processed at around <i<hlg>>{1}<i</hlg>> milliseconds. ", TimeCheckResults.DelayObserved, TimeCheckResults.AverageBaseTime),
                "This indicates that the injected command could have been executed on the server-side."
            };
            string Reason = string.Concat(sentences);

            string ReasonType = "Blind";

            //#False Positive Check
            string FalsePositiveCheck = string.Concat(
                "To check if this was a valid case or a false positive you can manually inject the same payload but by changing the number of ping requests sent to different values. Then you can observe if the time taken for the response to be returned is affected accordingly.",
                "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.");

            return new FindingReason(Reason, ReasonType, this.TriggerCount, FalsePositiveCheck);
        }
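        // Builds the explanation for an SSI injection finding: `payload` carried a
        // printenv directive and the response contained every name in `keywords`.
        // Only `payload` is trace-encoded; the keywords are inserted as-is, which
        // is fine while they come from the scanner's own list (the caller passes
        // the expected environment variable names, not text from the response).
        // The finding is tied to trigger 1.
        FindingReason GetReason(string payload, List<string> keywords)
        {
            payload = Tools.EncodeForTrace(payload);
            // Trailing space added: the sentence used to run straight into the next one.
            string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application, this payload would display the environment variables to be printed in the response if the application is vulnerable to Server Side Includes Injection. ", payload);
            Reason = Reason + "The response from the application for this payload had some keywords that are similar to the names of environment variables. These keywords were:";

            foreach(string keyword in keywords)
            {
                Reason = Reason + string.Format("<i<br>><i<hlg>>{0}<i</hlg>>", keyword);
            }
            Reason = Reason + "<i<br>>These words are similar to that of standard environment variable names, therefore this issue has been reported.";

            string ReasonType = "Echo";

            //#False Positive Check
            string FalsePositiveCheck = "Manually analyze the response received for the payload and confirm if it actually contains the environment variable details. Change the printenv command to some other SSI command and see if the response contains that command's output.";
            FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";

            FindingReason FR = new FindingReason(Reason, ReasonType, 1, FalsePositiveCheck);
            return FR;
        }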
 // Probes for LDAP injection with a single malformed-filter payload and looks
 // for any of the known LDAP error strings (error_strings) in the response
 // body. Every match is collected so the report can list all of them.
 void CheckForLDAPInjection()
 {
     this.Scnr.Trace("<i<br>><i<h>>Checking for LDAP Injection:<i</h>>");
     string payload = "#^($!@$)(()))******";
     this.Scnr.RequestTrace(string.Format("  Injected payload - {0}", payload));
     Response res = this.Scnr.Inject(payload);

     List<string> errors_found = new List<string>();
     foreach (string candidate in error_strings)
     {
         if (!res.BodyString.Contains(candidate))
         {
             continue;
         }
         errors_found.Add(candidate);
     }

     if (errors_found.Count == 0)
     {
         this.Scnr.ResponseTrace("  ==> No Errors Found");
         return;
     }

     // Matched strings are the scanner's own error list, so they are safe to
     // embed in the trace markup without further encoding.
     string[] matched = errors_found.ToArray();
     this.Scnr.ResponseTrace(string.Format("  ==> <i<cr>>LDAP Injection Found.<i<br>>Errors:<i<br>>{0}<i</cr>>", string.Join(", ", matched)));
     this.reason = this.GetReason(payload, errors_found);
     this.ReportLDAPInjection(payload, string.Format("The payload in this request is meant to trigger LDAP errors. The payload is: {0}", payload), string.Join("\r\n", matched), "This response contains LDAP error messages due to the error triggered by the payload");
 }
 //#Override the Check method of the base class with custom functionality
 // Scanner entry point for this check: stores the scanner, clears any reason
 // left over from a previous injection point, then runs the LDAP probe.
 public override void Check(Scanner scnr)
 {
     Scnr = scnr;
     reason = null;
     CheckForLDAPInjection();
 }
        // Builds the explanation for an LDAP injection finding: `payload` was a
        // malformed filter and the response contained the given LDAP error strings.
        // errors must hold at least one entry - the single-error wording reads
        // errors[0] directly. Only `payload` is trace-encoded; the error strings
        // are inserted as-is, which is fine while they come from the scanner's own
        // list rather than from the response. The finding is tied to trigger 1.
        FindingReason GetReason(string payload, List<string> errors)
        {
            string shownPayload = Tools.EncodeForTrace(payload);

            //#Reason = Reason + "IronWASP sent <i>#^($!@$)(()))******<i> as payload to the application, this payload would cause an exception to happen in insecure LDAP queries. "
            string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application, this payload would cause an exception to happen in insecure LDAP queries. ", shownPayload);

            bool several = errors.Count > 1;
            if (several)
            {
                string[] highlighted = errors.ConvertAll(e => string.Format("<i<br>><i<hlg>>{0}<i</hlg>>", e)).ToArray();
                Reason += "The response from the application for this payload had the error messages:"
                    + string.Concat(highlighted)
                    + "<i<br>>These error messages are usually found in LDAP query related exceptions. Therefore this issue has been reported.";
            }
            else
            {
                //#Reason = Reason + "The response from the application for this payload had the error message: <i>An inappropriate matching occurred</i>. ".format(error)
                Reason += string.Format("The response from the application for this payload had the error message: <i<hlg>>{0}<i</hlg>>. ", errors[0])
                    + "This error message is usually found in LDAP query related exceptions. Therefore this issue has been reported.";
            }

            string ReasonType = "Error";

            //#False Positive Check
            string FalsePositiveCheck = string.Concat(
                "Manually analyze the response recived for the payload and confirm if the error message is actually because of some exception on the server-side.",
                "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.");

            return new FindingReason(Reason, ReasonType, 1, FalsePositiveCheck);
        }
        // Builds the explanation for an SSRF finding confirmed by comparing four
        // payloads: A and C point at invalid ports (65555, 66666), B and D at valid
        // but probably closed ports (1, 2). When `time` is true the A/C versus B/D
        // split was observed in response times (time_delays, ms, in A-D order);
        // otherwise it was observed in response content and time_delays is unused.
        // payloads is rewritten in place with trace-encoded values. The trigger ids
        // are trigger_start+1 .. trigger_start+trigger_count inclusive.
        FindingReason GetDiffReason(List<string> payloads, bool time, List<int> time_delays, int trigger_start, int trigger_count)
        {
            string[] ids = new string[] { "A", "B", "C", "D" };

            string Reason = "IronWASP sent four payloads to the application.<i<br>>";
            for (int idx = 0; idx < ids.Length; idx++)
            {
                payloads[idx] = Tools.EncodeForTrace(payloads[idx]);
                Reason += string.Format("Payload {0} - <i<hlg>>{1}<i</hlg>><i<br>>", ids[idx], payloads[idx]);
            }

            Reason += "<i<br>>Payloads A and C are similar in nature. They both refer to ports 65555 and 66666 on the server which are invalid ports.";
            Reason += "<i<br>>Payloads B and D are similar to each other but different from A & C. They both refer to ports 1 and 2 on the server which are valid ports.";
            Reason += "<i<br>>If the application is vulnerable to SSRF then it will try to connect to these ports and connections to invalid potrs with throw an exception of different type than the exception or error caused by connecting to the valid ports 1 and 2 which are most likely to be closed.";
            Reason += "<i<br>>This would mean that the response for Payloads A & C must be similar to each other and different from responses for Payloads B&D. ";

            if (time)
            {
                Reason += "<i<br>><i<br>>The responses for the injected payloads were analyzed and it was found that the response times for Payloads A & C were similar to each other and were also different from response times for Payloads B & D, thereby indicating the presence of this vulnerability.";
                Reason += "<i<br>>The responses times for the four payloads were:";
                // One line per payload, in A-D order, matching time_delays.
                for (int idx = 0; idx < ids.Length; idx++)
                {
                    Reason += string.Format("<i<br>>Payload {0} - {1}ms", ids[idx], time_delays[idx]);
                }
            }
            else
            {
                Reason += "<i<br>><i<br>>The responses for the injected payloads were analyzed and it was found that Payloads A & C got a similar looking response and were also different from responses got from Payloads B & D, thereby indicating the presence of this vulnerability.";
            }

            //#Trigger
            List<int> trigger_ids = new List<int>();
            for (int offset = 1; offset <= trigger_count; offset++)
            {
                trigger_ids.Add(trigger_start + offset);
            }

            string ReasonType = time ? "Delay" : "Diff";

            //#False Positive Check
            string FalsePositiveCheck = string.Concat(
                "To check if this was a valid case or a false positive you can first manually look at the responses received for Payloads A, B, C and D. Analyze these payloads and verify if indeed A & C got similar responses and were different from B & D. ",
                "You can also change the payloads for A & C by chaning the port number to some other invalid port and change payloads B & D to some other valid port numbers and check of the four response show the same pattern as before.",
                "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.");

            return new FindingReason(Reason, ReasonType, trigger_ids, FalsePositiveCheck);
        }
        // Builds the explanation for a header (CRLF) injection finding: `payload`
        // ended in CRLF followed by "Neww: Headerr" and the response carried a
        // header named Neww. The payload is trace-encoded before display.
        // The finding is tied to trigger 1.
        FindingReason GetReason(string payload)
        {
            string shownPayload = Tools.EncodeForTrace(payload);

            //#Reason = "IronWASP sent <i>'\r\nNeww: Headerr</i> as payload to the application. This payload has CRLF characters followed by the string <i>Neww: Headerr</i> which is in the format of a HTTP Header with name <i>Neww</i> and value <i>Headerr</i>. "
            string[] sentences = new string[]
            {
                string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload has CRLF characters followed by the string <i<hlg>>Neww: Headerr<i</hlg>> which is in the format of a HTTP Header with name <i<hlg>>Neww<i</hlg>> and value <i<hlg>>Headerr<i</hlg>>. ", shownPayload),
                "The response that came back from the application after injecting this payload has an HTTP header named <i<hlg>>Neww<i</hlg>>. ",
                "This indicates that our payload caused an HTTP header to be injected in the response."
            };
            string Reason = string.Concat(sentences);

            string ReasonType = "HeaderAdded";

            //#False Positive Check
            string FalsePositiveCheck = string.Concat(
                "To check if this was a valid case or a false positive you can send the same payload but with different values for the header name part of the payload. If the response contains any HTTP headers with the specified names then there actually is Header Injection.",
                "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.");

            return new FindingReason(Reason, ReasonType, 1, FalsePositiveCheck);
        }
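        /// <summary>
        /// Builds the <see cref="FindingReason"/> for an error-based SQL Injection finding: the injected
        /// payload caused one or more SQL-related error messages to appear in the response.
        /// </summary>
        /// <param name="payload">The injected payload; passed through Tools.EncodeForTrace before being embedded in the report text.</param>
        /// <param name="errors">The error messages matched in the response. Must contain at least one entry.</param>
        /// <param name="Trigger">Index of the trigger (request/response pair) this reason refers to.</param>
        /// <returns>A reason of type "Error" with a false-positive checklist.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="errors"/> is null.</exception>
        /// <exception cref="ArgumentException"><paramref name="errors"/> is empty; the report text would otherwise name no error at all.</exception>
        FindingReason GetErrorReason(string payload, List<string> errors, int Trigger)
        {
            if (errors == null)
            {
                throw new ArgumentNullException("errors");
            }
            if (errors.Count == 0)
            {
                throw new ArgumentException("At least one error message is required to build an error-based reason.", "errors");
            }

            payload = Tools.EncodeForTrace(payload);

            // NOTE(review): the error strings are embedded without Tools.EncodeForTrace; that is fine if they come
            // from the scanner's own signature list, but should be encoded if they are copied verbatim from the response.
            string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application and the response that came back ", payload);

            if (errors.Count == 1)
            {
                Reason = Reason + string.Format("had the error message <i<hlg>>{0}<i</hlg>>. ", errors[0]);
            }
            else
            {
                // Render "<a> , <b> and <c>": every message highlighted, the last one joined with " and ".
                string[] highlighted = new string[errors.Count];
                for (int i = 0; i < errors.Count; i++)
                {
                    highlighted[i] = string.Format("<i<hlg>>{0}<i</hlg>>", errors[i]);
                }
                string allButLast = string.Join(" , ", highlighted, 0, highlighted.Length - 1);
                // Trailing space after the period: the next sentence previously ran straight into it.
                Reason = Reason + "had the error messages " + allButLast + " and " + highlighted[highlighted.Length - 1] + ". ";
            }

            Reason = Reason + "This error message is usually associated with SQL query related errors and it appears that the payload was able to break out of the data context and cause this error. ";
            Reason = Reason + "This is an indication of SQL Injection.";

            string ReasonType = "Error";

            //#False Positive Check
            string FalsePositiveCheck = "Manually analyze the response received for the payload and confirm if the error message actually is because of some SQL related exception on the server-side. Try sending the same request without the payload and check if the error goes away.";
            FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";

            FindingReason FR = new FindingReason(Reason, ReasonType, Trigger, FalsePositiveCheck);
            return FR;
        }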
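        /// <summary>
        /// Builds the <see cref="FindingReason"/> for a timing-based Remote File Include finding: the same payload,
        /// pointing at a non-existent subdomain, was sent four times and the first response was noticeably slower
        /// than the following three (attributed to DNS resolution on the first attempt and DNS caching afterwards).
        /// </summary>
        /// <param name="payload">The injected URL payload; passed through Tools.EncodeForTrace before being embedded in the report text.</param>
        /// <param name="res_times">Response times in milliseconds for the four requests, in the order they were sent. Only the first four entries are used.</param>
        /// <param name="domain">The non-existent subdomain referenced by the payload.</param>
        /// <param name="trigger">Index of the trigger (request/response pair) this reason refers to.</param>
        /// <returns>A reason of type "TimeDelay" with a false-positive checklist.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="res_times"/> is null.</exception>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="res_times"/> has fewer than four entries.</exception>
        FindingReason GetDelayReason(string payload, List<int> res_times, string domain, int trigger)
        {
            if (res_times == null)
            {
                throw new ArgumentNullException("res_times");
            }
            // The report text names four response times; fail with a clear message instead of a bare indexer exception.
            if (res_times.Count < 4)
            {
                throw new ArgumentOutOfRangeException("res_times", "Four response times are required, one per request sent.");
            }

            payload = Tools.EncodeForTrace(payload);

            string Reason = string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> four times to the application. The first time the payload was sent the response came back in <i<hlg>>{1}ms<i</hlg>>. ", payload, res_times[0]);
            Reason = Reason + string.Format("The second, third and fourth time the responses came back in <i<hlg>>{0}ms<i</hlg>>, <i<hlg>>{1}ms<i</hlg>> and <i<hlg>>{2}ms<i</hlg>> respectively. ", res_times[1], res_times[2], res_times[3]);
            Reason = Reason + "The second, third and fourth responses came back atleast 300ms quicker than the first one. ";
            // NOTE(review): domain is embedded without Tools.EncodeForTrace; acceptable if it is always scanner-generated — confirm at the caller.
            Reason = Reason + string.Format("<i<hlg>>{0}<i</hlg>> is a non-existent subdomain. If the server had RFI vulnerability then it would try to connect to this non-existent domain. ", domain);
            Reason = Reason + "The first time the DNS resolution would have taken extra time. Subsequent attempts to connect to the same domain would be quicker due to DNS caching. Since similar behaviour was observed  for the payload this indicates a RFI vulnerability.";

            string ReasonType = "TimeDelay";

            //#False Positive Check
            string FalsePositiveCheck = "To check if this was a valid case or a false positive you can first manually send the same payload but by changing the domain name to some other non-existent domain. ";
            FalsePositiveCheck = FalsePositiveCheck + "Send this modified payload multiple times and check if the first time takes about 300ms longer than the subsequent attempts. ";
            FalsePositiveCheck = FalsePositiveCheck + "If this behaviour is observed repeatedly then this is mostly likely a genuine RFI.<i<br>>";
            FalsePositiveCheck = FalsePositiveCheck + "Ofcourse the most concrete way to check this is to refer to a page on one of your public web servers in the payload and check if the target sever fetched that page.";
            FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";

            FindingReason FR = new FindingReason(Reason, ReasonType, trigger, FalsePositiveCheck);
            return FR;
        }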
        /// <summary>
        /// Builds the <see cref="FindingReason"/> for a Remote File Include finding detected by content echo:
        /// the payload pointed at the IANA home page and a string from that page came back in the response.
        /// </summary>
        /// <param name="payload">The injected URL payload; passed through Tools.EncodeForTrace before being embedded in the report text.</param>
        /// <param name="echo_content">The IANA home page string that was found in the response.</param>
        /// <param name="Trigger">Index of the trigger (request/response pair) this reason refers to.</param>
        /// <returns>A reason of type "Echo" with a false-positive checklist.</returns>
        FindingReason GetEchoReason(string payload, string echo_content, int Trigger)
        {
            string shownPayload = Tools.EncodeForTrace(payload);

            string reasonText = string.Concat(
                string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload refers to the home page of IANA. ", shownPayload),
                string.Format("The response that came back for this payload had the string <i<hlg>>{0}<i</hlg>>. ", echo_content),
                "This string is found in the home page of IANA. This indicates that the application fetched the home page of IANA and returned it in the response, which is RFI.");

            string falsePositiveText = string.Concat(
                "To check if this was a valid case or a false positive you can first manually look at the response sent for this payload and determine if it actually contains the contents of the IANA website. After that you can try loading contents of other URLs and check if they get added in the response.",
                "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.");

            return new FindingReason(reasonText, "Echo", Trigger, falsePositiveText);
        }
 /// <summary>
 /// Appends <paramref name="Reason"/> to this finding's list of reasons.
 /// </summary>
 /// <param name="Reason">The reason to record against this finding.</param>
 public void AddReason(FindingReason Reason)
 {
     Reasons.Add(Reason);
 }
        /// <summary>
        /// Builds the <see cref="FindingReason"/> for an Expression Language injection finding: the payload
        /// carried a snippet adding two numbers and their sum appeared in the response.
        /// </summary>
        /// <param name="payload">The injected payload, embedded as-is in the report text.</param>
        /// <param name="code">The Expression Language snippet contained in the payload.</param>
        /// <param name="num_a">First operand of the injected addition.</param>
        /// <param name="num_b">Second operand of the injected addition.</param>
        /// <returns>A reason of type "Error" referencing this.TriggerCount, with a false-positive checklist.</returns>
        FindingReason GetEchoReason(string payload, string code, int num_a, int num_b)
        {
            // NOTE(review): unlike the sibling reason builders, payload and code are not passed through
            // Tools.EncodeForTrace before being placed inside the report markup — confirm the caller encodes
            // them, or that these values can never contain markup-significant characters.
            // NOTE(review): ReasonType is "Error" although this is an echo-based detection; the RFI echo builder
            // uses "Echo". Left unchanged because consumers of FindingReason may depend on the current value.
            int expectedSum = num_a + num_b;

            string reasonText = string.Concat(
                string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload has a small Expression Language snippet - <i<hlg>>{1}<i</hlg>>. ", payload, code),
                string.Format("If this code is executed then <i<hlg>>{0}<i</hlg>> and <i<hlg>>{1}<i</hlg>> will be added together and the sum of the addition will be printed back in the response. ", num_a, num_b),
                string.Format("The response that came back from the application after the payload was injected had the value <i<hlg>>{0}<i</hlg>>, which is the sum of <i<hlg>>{1}<i</hlg>> & <i<hlg>>{2}<i</hlg>>. ", expectedSum, num_a, num_b),
                "This indicates that the injected code snippet could have been executed on the server-side.");

            string falsePositiveText = string.Concat(
                "To check if this was a valid case or a false positive you can manually inject the same payload but by changing the two numbers to some other value. Then you can observe if the response contains the sum of two numbers.",
                "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.");

            return new FindingReason(reasonText, "Error", this.TriggerCount, falsePositiveText);
        }
        /// <summary>
        /// Builds the <see cref="FindingReason"/> for a command injection finding: the payload carried a system
        /// command that reads a file, and text characteristic of that file came back in the response.
        /// </summary>
        /// <param name="payload">The injected payload, embedded as-is in the report text.</param>
        /// <param name="cmd">The system command contained in the payload.</param>
        /// <param name="echoed_file">The file the command reads.</param>
        /// <param name="file_content_match">The text from the response that is characteristic of that file.</param>
        /// <returns>A reason of type "Error" referencing this.TriggerCount, with a false-positive checklist.</returns>
        FindingReason GetErrorReason(string payload, string cmd, string echoed_file, string file_content_match)
        {
            // NOTE(review): payload, cmd and file_content_match are embedded without Tools.EncodeForTrace, unlike the
            // other reason builders — confirm the caller encodes them or that they cannot carry markup-significant characters.
            string reasonText = string.Concat(
                string.Format("IronWASP sent <i<hlg>>{0}<i</hlg>> as payload to the application. This payload has a small system command - <i<hlg>>{1}<i</hlg>>. ", payload, cmd),
                string.Format("If this command is executed by the server then the contents of the <i<hlg>>{0}<i</hlg>> file will be present in the response. ", echoed_file),
                string.Format("The response that came back from the application after the payload was injected had the text <i<hlg>>{0}<i</hlg>>, which is usually found in <i<hlg>>{1}<i</hlg>> files. ", file_content_match, echoed_file),
                string.Format("This indicates that the injected command was executed by the server and the contents of the <i<hlg>>{0}<i</hlg>> file was printed in the response.", echoed_file));

            string falsePositiveText = string.Concat(
                string.Format("To check if this was a valid case or a false positive you can first manually look at the response sent for this payload and determine if it actually contains the contents of the <i<hlg>>{0}<i</hlg>> file. ", echoed_file),
                "After that you can try changing the file name to something else and see if the server prints those file contents.",
                "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.");

            return new FindingReason(reasonText, "Error", this.TriggerCount, falsePositiveText);
        }
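        /// <summary>
        /// Builds the <see cref="FindingReason"/> for a differential Local File Include finding. Four payloads
        /// (A to D) were sent: A and C reference <paramref name="file_name"/> through a made-up directory that is
        /// immediately traversed out of again, while B and D reference it inside a plain invalid directory.
        /// A and C answering alike, and differently from B and D, is taken as the indicator.
        /// </summary>
        /// <param name="payloads">The four payloads in order A, B, C, D. The list is not modified; encoded copies are used for the report text.</param>
        /// <param name="file_name">The file referenced by every payload.</param>
        /// <param name="slash">The path separator used in the payloads, shown to the reader as "..{slash}".</param>
        /// <param name="trigger_start">Trigger index immediately before the first trigger of this finding.</param>
        /// <param name="trigger_count">Number of consecutive triggers belonging to this finding.</param>
        /// <returns>A reason of type "Diff" referencing triggers trigger_start+1 through trigger_start+trigger_count.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="payloads"/> is null.</exception>
        /// <exception cref="ArgumentOutOfRangeException"><paramref name="payloads"/> has fewer than four entries.</exception>
        FindingReason GetDiffReason(List<string> payloads, string file_name, string slash, int trigger_start, int trigger_count)
        {
            string[] ids = new string[] { "A", "B", "C", "D" };

            if (payloads == null)
            {
                throw new ArgumentNullException("payloads");
            }
            if (payloads.Count < ids.Length)
            {
                throw new ArgumentOutOfRangeException("payloads", "Four payloads (A, B, C and D) are required.");
            }

            string Reason = "IronWASP sent four payloads to the application.<i<br>>";
            for (int i = 0; i < ids.Length; i++)
            {
                // Encode into a local rather than writing the encoded form back into the caller's list.
                string shownPayload = Tools.EncodeForTrace(payloads[i]);
                Reason = Reason + string.Format("Payload {0} - <i<hlg>>{1}<i</hlg>><i<br>>", ids[i], shownPayload);
            }

            Reason = Reason + string.Format("<i<br>>Payloads A and C are similar in nature. They both refer to the file <i<hlg>>{0}<i</hlg>> ", file_name);
            Reason = Reason + string.Format("by including an imaginary directory in the path (aa & bb) but then also invalidating it by traversing upwards by one directory using <i<hlg>>..{0}<i</hlg>>. ", slash);
            Reason = Reason + string.Format("So these payloads must have the same effect as referring to the file <i<hlg>>{0}<i</hlg>> normally.", file_name);

            Reason = Reason + string.Format("<i<br>>Payloads B and D are similar to each other but different from A & C. They refer to the file <i<hlg>>{0}<i</hlg>> inside invalid directories (aa & bb).", file_name);

            Reason = Reason + "<i<br>>If the application is vulnerable to Local File Include then the response for Payloads A & C must be similar to each other and different from responses for Payloads B&D. ";
            Reason = Reason + "The responses for the injected payloads were analyzed and it was found that Payloads A & C got a similar looking response and were also different from responses got from Payloads B & D, thereby indicating the presence of this vulnerability.";

            // Trigger ids are 1-based and consecutive, starting just after trigger_start.
            List<int> trigger_ids = new List<int>();
            for (int i = trigger_start + 1; i < trigger_start + trigger_count + 1; i++)
            {
                trigger_ids.Add(i);
            }

            string ReasonType = "Diff";

            //#False Positive Check
            string FalsePositiveCheck = "To check if this was a valid case or a false positive you can first manually look at the responses received for Payloads A, B, C and D. Analyze these payloads and verify if indeed A & C got similar responses and were different from B & D. ";
            FalsePositiveCheck = FalsePositiveCheck + string.Format("You can also change the payloads for A & C by adding one more invalid directory and one more <i<hlg>>..{0}<i</hlg>> to invalidate that directory. ", slash);
            FalsePositiveCheck = FalsePositiveCheck + "This must get the same response as the responses for A & C.";
            FalsePositiveCheck = FalsePositiveCheck + "<i<br>>If you discover that this issue was a false positive then please consider reporting this to <i<cb>>[email protected]<i</cb>>. Your feedback will help improve the accuracy of the scanner.";

            FindingReason FR = new FindingReason(Reason, ReasonType, trigger_ids, FalsePositiveCheck);
            return FR;
        }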