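/// <summary>
/// Loads the sqlmap log written for <c>HostIPAddressV4</c>, keeps the raw text in <c>Log</c>, and
/// converts every "---"-delimited finding in it into a <c>SQLMapVulnerability</c>.
/// </summary>
/// <remarks>
/// When the log contains no "---" delimiter the method returns after setting <c>Log</c> and leaves
/// <c>Vulnerabilities</c> exactly as it was. Field values are taken from everything after the first
/// ':' on a line, so titles and payloads that themselves contain ':' are kept whole; a line without
/// any ':' is skipped instead of raising <c>IndexOutOfRangeException</c>.
/// </remarks>
private void ParseLog()
{
    // NOTE(review): the output directory is hard-coded to one user's home directory, and
    // HostIPAddressV4 is concatenated into the path without validation. If that value can ever come
    // from scan input rather than from the operator, confirm it is a plain IPv4 literal before this
    // point so it cannot steer the read to another file.
    string logPath = "/home/bperry/tools/sqlmap/output/" + this.HostIPAddressV4 + "/log";
    string log = System.IO.File.ReadAllText(logPath);

    // NOTE(review): a payload that happens to contain "---" would also be split here.
    string[] results = Regex.Split(log, "---");

    this.Log = log;

    // A single segment means the delimiter never appeared: sqlmap reported nothing.
    if (results.Length == 1)
    {
        return;
    }

    // Shape of one finding in the log:
    //---
    //Place: GET
    //Parameter: searchquery
    //    Type: UNION query
    //    Title: MySQL UNION query (NULL) - 4 columns
    //    Payload: action=search&searchquery=abcd' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a626b763a,0x66726b4c574566415773,0x3a74786e3a), NULL, NULL, NULL#
    //---
    this.Vulnerabilities = new List<SQLMapVulnerability>();

    // The first segment is whatever precedes the first delimiter, so it is skipped.
    foreach (string result in results.Skip(1))
    {
        if (string.IsNullOrWhiteSpace(result))
        {
            continue;
        }

        SQLMapVulnerability vuln = new SQLMapVulnerability();

        foreach (string line in result.Split('\n'))
        {
            string l = line.Trim();

            int colon = l.IndexOf(':');
            if (colon < 0)
            {
                // Not a "Key: value" line; the original indexing would have thrown here.
                continue;
            }

            // Everything after the FIRST colon is the value. Splitting on every colon and taking
            // element [1] silently truncated values such as payloads containing "http://".
            string value = l.Substring(colon + 1).Trim();

            // These values echo content that was sent to (and shaped by) the scanned application;
            // treat them as untrusted text wherever they are later rendered or stored.
            if (l.StartsWith("Place", System.StringComparison.Ordinal))
            {
                vuln.HTTPRequestType = value;
            }
            else if (l.StartsWith("Parameter", System.StringComparison.Ordinal))
            {
                vuln.Parameter = value;
            }
            else if (l.StartsWith("Type", System.StringComparison.Ordinal))
            {
                vuln.PayloadType = value;
            }
            else if (l.StartsWith("Title", System.StringComparison.Ordinal))
            {
                vuln.Title = value;
            }
            else if (l.StartsWith("Payload", System.StringComparison.Ordinal))
            {
                vuln.Payload = value;
            }
        }

        this.Vulnerabilities.Add(vuln);
    }
}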
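/// <summary>
/// Runs Wapiti against every http/https port of <paramref name="host"/> and, when
/// <paramref name="sqlmapOptions"/> is supplied, follows up with sqlmap: either a direct run when
/// Wapiti reported no bug list, or one sqlmap API task per "SQL Injection" bug Wapiti found.
/// </summary>
/// <param name="host">Host whose <c>Ports</c> are examined; each port's <c>ParentIPAddress</c> is set.</param>
/// <param name="sqlmapOptions">sqlmap settings, mutated in place (URL, Port, Path); <c>null</c> disables sqlmap.</param>
/// <param name="config">Must contain "isSQLMap", "wapitiPath" and "sqlmapPath".</param>
/// <returns>The Wapiti results plus any results of the direct sqlmap run.</returns>
private List<IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary<string, string> config)
{
    // Markers Wapiti leaves in the URL/parameter it reports; they are swapped for a neutral value
    // before the request is handed to sqlmap.
    const string wapitiMarkerA = "%BF%27%22%28";
    const string wapitiMarkerB = "%27+or+benchmark%2810000000%2CMD5%281%29%29%23";
    const string neutralValue = "abcd";

    List<IToolResults> _results = new List<IToolResults>();
    string hostLabel = string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname;

    Console.WriteLine("Scanning host: " + host.Hostname);

    foreach (var port in host.Ports)
    {
        port.ParentIPAddress = host.IPAddressv4;

        // NOTE(review): the "isSQLMap" switch gates the Wapiti run as well, not only sqlmap.
        if ((port.Service == "http" || port.Service == "https") && bool.Parse(config["isSQLMap"]))
        {
            WapitiToolOptions wapitiOptions = new WapitiToolOptions();
            wapitiOptions.Host = host.IPAddressv4;
            wapitiOptions.Port = port.PortNumber;
            wapitiOptions.Path = config["wapitiPath"];

            IToolOptions _options = wapitiOptions;
            Wapiti wapiti = new Wapiti(_options);

            Console.WriteLine("Running wapiti (http/" + port.PortNumber + ") on host: " + hostLabel);

            WapitiToolResults wapitiResults = null;

            try
            {
                // Wapiti is given ten minutes. A result of another type leaves wapitiResults null;
                // the resulting exception is reported below and sqlmap is skipped for this port.
                wapitiResults = wapiti.Run(TimeSpan.FromMinutes(10)) as WapitiToolResults;
                wapitiResults.HostIPAddressV4 = host.IPAddressv4;
                wapitiResults.HostPort = port.PortNumber;
                wapitiResults.IsTCP = true;

                _results.Add(wapitiResults);
            }
            catch (Exception ex)
            {
                // Best effort: a failed Wapiti run must not abort the remaining ports.
                Console.WriteLine(ex.Message);
            }

            if (sqlmapOptions != null && wapitiResults != null)
            {
                if (wapitiResults.Bugs == null)
                {
                    // We get bugs from the findings of wapiti; if wapiti didn't run, no bugs.
                    // Fall back to pointing sqlmap at the service root.
                    sqlmapOptions.URL = port.Service + "://" + host.IPAddressv4;
                    sqlmapOptions.Port = port.PortNumber;
                    sqlmapOptions.Path = config["sqlmapPath"];

                    SQLMap mapper = new SQLMap(sqlmapOptions);
                    SQLMapResults sqlmapResults = mapper.Run() as SQLMapResults;

                    // Run() may hand back something that is not SQLMapResults; dereferencing the
                    // failed cast used to take down the whole host scan.
                    if (sqlmapResults != null)
                    {
                        sqlmapResults.ParentHostPort = port;
                        _results.Add(sqlmapResults);
                    }
                    else
                    {
                        Console.WriteLine("SQLMap returned no results for host/port: " + hostLabel + "/" + port.PortNumber);
                    }
                }
                else
                {
                    // NOTE(review): the sqlmap API endpoint is hard-coded and this code passes no
                    // credentials to it; confirm the API listener is bound to loopback only.
                    using (SqlmapSession sess = new SqlmapSession("127.0.0.1", 8775))
                    using (SqlmapManager manager = new SqlmapManager(sess))
                    {
                        foreach (WapitiBug bug in wapitiResults.Bugs)
                        {
                            if (bug.Type.StartsWith("SQL Injection"))
                            {
                                Console.WriteLine("Starting SQLMap on host/port: " + hostLabel + "/" + port.PortNumber);

                                sqlmapOptions.Path = config["sqlmapPath"];

                                // NOTE(review): bug.URL and bug.Parameter are produced by crawling
                                // the target, so they are target-influenced. Confirm the URL still
                                // points at this host before forwarding it, so a crawled link cannot
                                // pull an out-of-scope system into the test.
                                string taskid = manager.NewTask();

                                try
                                {
                                    Dictionary<string, object> opts = manager.GetOptions(taskid);

                                    if (bug.URL.Contains(bug.Parameter))
                                    {
                                        // Parameter travels in the query string.
                                        opts["url"] = bug.URL.Replace(wapitiMarkerA, neutralValue).Replace(wapitiMarkerB, neutralValue);
                                    }
                                    else
                                    {
                                        // Parameter travels in the request body.
                                        opts["url"] = bug.URL;
                                        opts["data"] = bug.Parameter.Replace(wapitiMarkerA, neutralValue).Replace(wapitiMarkerB, neutralValue);
                                    }

                                    manager.StartTask(taskid, opts);

                                    // NOTE(review): this poll has no deadline; a task that never
                                    // reports "terminated" blocks the scan indefinitely.
                                    SqlmapStatus status = manager.GetScanStatus(taskid);

                                    while (status.Status != "terminated")
                                    {
                                        System.Threading.Thread.Sleep(TimeSpan.FromSeconds(10));
                                        status = manager.GetScanStatus(taskid);
                                    }

                                    List<SqlmapLogItem> logItems = manager.GetLog(taskid);

                                    // NOTE(review): hits are only printed. `results` and `vuln` are
                                    // never filled in or added to _results, whereas the earlier
                                    // in-process path (commented out in the original) set each
                                    // vulnerability's Target to bug.URL, set ParentHostPort and
                                    // returned the results. Decide the field mapping and restore it.
                                    SQLMapResults results = new SQLMapResults();
                                    results.Vulnerabilities = new List<SQLMapVulnerability>();

                                    foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable")))
                                    {
                                        SQLMapVulnerability vuln = new SQLMapVulnerability();
                                        Console.WriteLine(item.Message);
                                    }
                                }
                                finally
                                {
                                    // Always release the task, even when polling or log retrieval
                                    // throws; previously a failure left it behind on the API server.
                                    manager.DeleteTask(taskid);
                                }
                            }
                            else if (bug.Type.Contains("Cross Site Scripting)"))
                            {
                                // Placeholder for a DSXS follow-up; nothing runs here yet.
                                // NOTE(review): the literal ends in ")", which looks like a typo.
                            }
                        }
                    }
                }
            }
        }
    }

    Console.WriteLine("Done with host: " + host.Hostname);

    return _results;
}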
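/// <summary>
/// Scans each http/https port of <paramref name="host"/> with Wapiti and, if
/// <paramref name="sqlmapOptions"/> is not <c>null</c>, hands the port (or each "SQL Injection"
/// bug Wapiti reported) on to sqlmap.
/// </summary>
/// <param name="host">Host to scan; every port gets its <c>ParentIPAddress</c> assigned.</param>
/// <param name="sqlmapOptions">sqlmap settings that this method overwrites (URL, Port, Path); may be <c>null</c>.</param>
/// <param name="config">Settings read by key: "isSQLMap", "wapitiPath", "sqlmapPath".</param>
/// <returns>Wapiti results and the results of any direct sqlmap run, in scan order.</returns>
private List<IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary<string, string> config) {
    List<IToolResults> _results = new List<IToolResults>();
    string displayName = string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname;

    Console.WriteLine("Scanning host: " + host.Hostname);

    foreach (var port in host.Ports) {
        port.ParentIPAddress = host.IPAddressv4;

        bool isWeb = port.Service == "http" || port.Service == "https";

        // The config switch is parsed only for web ports, as before.
        // NOTE(review): "isSQLMap" also decides whether Wapiti runs at all.
        if (!isWeb || !bool.Parse(config["isSQLMap"])) {
            continue;
        }

        WapitiToolOptions wapitiOptions = new WapitiToolOptions();
        wapitiOptions.Host = host.IPAddressv4;
        wapitiOptions.Port = port.PortNumber;
        wapitiOptions.Path = config["wapitiPath"];

        IToolOptions _options = wapitiOptions;
        Wapiti wapiti = new Wapiti(_options);

        Console.WriteLine("Running wapiti (http/" + port.PortNumber + ") on host: " + displayName);

        WapitiToolResults wapitiResults = null;

        try {
            // Ten-minute budget for Wapiti. If the result is not a WapitiToolResults the next
            // line throws, the message is printed below, and sqlmap is skipped for this port.
            wapitiResults = wapiti.Run(new TimeSpan(0, 10, 0)) as WapitiToolResults;
            wapitiResults.HostIPAddressV4 = host.IPAddressv4;
            wapitiResults.HostPort = port.PortNumber;
            wapitiResults.IsTCP = true;

            _results.Add(wapitiResults);
        } catch (Exception ex) {
            // Deliberately non-fatal so the remaining ports are still scanned.
            Console.WriteLine(ex.Message);
        }

        if (sqlmapOptions == null || wapitiResults == null) {
            continue;
        }

        if (wapitiResults.Bugs == null) {
            // We get bugs from the findings of wapiti; if wapiti didn't run, no bugs.
            sqlmapOptions.URL = port.Service + "://" + host.IPAddressv4;
            sqlmapOptions.Port = port.PortNumber;
            sqlmapOptions.Path = config["sqlmapPath"];

            SQLMap mapper = new SQLMap(sqlmapOptions);
            SQLMapResults sqlmapResults = mapper.Run() as SQLMapResults;

            // Guard the cast: a null here used to throw and abort the scan of the whole host.
            if (sqlmapResults == null) {
                Console.WriteLine("SQLMap returned no results for host/port: " + displayName + "/" + port.PortNumber);
                continue;
            }

            sqlmapResults.ParentHostPort = port;
            _results.Add(sqlmapResults);
            continue;
        }

        // NOTE(review): hard-coded sqlmap API endpoint, and no credentials are supplied by this
        // code; verify the API listener is reachable from loopback only.
        using (SqlmapSession sess = new SqlmapSession("127.0.0.1", 8775)) {
            using (SqlmapManager manager = new SqlmapManager(sess)) {
                foreach (WapitiBug bug in wapitiResults.Bugs) {
                    if (bug.Type.StartsWith("SQL Injection")) {
                        Console.WriteLine("Starting SQLMap on host/port: " + displayName + "/" + port.PortNumber);

                        sqlmapOptions.Path = config["sqlmapPath"];

                        // NOTE(review): bug.URL / bug.Parameter originate from crawling the target
                        // and are forwarded unchanged apart from the marker replacement. Check that
                        // the URL's host is still the host under test before starting the task.
                        string taskid = manager.NewTask();

                        try {
                            Dictionary<string, object> opts = manager.GetOptions(taskid);

                            // Wapiti's own test markers are replaced with "abcd" so sqlmap
                            // receives a neutral value for the parameter.
                            if (bug.URL.Contains(bug.Parameter)) {
                                opts["url"] = bug.URL.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
                            } else {
                                opts["url"] = bug.URL;
                                opts["data"] = bug.Parameter.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
                            }

                            manager.StartTask(taskid, opts);

                            // NOTE(review): no upper bound on this wait; a task that never reaches
                            // "terminated" stalls the scan.
                            SqlmapStatus status = manager.GetScanStatus(taskid);

                            while (status.Status != "terminated") {
                                System.Threading.Thread.Sleep(new TimeSpan(0, 0, 10));
                                status = manager.GetScanStatus(taskid);
                            }

                            List<SqlmapLogItem> logItems = manager.GetLog(taskid);

                            // NOTE(review): findings are printed but not returned. `results` and
                            // `vuln` stay empty and are never added to _results; the in-process
                            // path that was commented out in the original set vuln.Target to
                            // bug.URL, set results.ParentHostPort and added the results.
                            SQLMapResults results = new SQLMapResults();
                            results.Vulnerabilities = new List<SQLMapVulnerability>();

                            foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable"))) {
                                SQLMapVulnerability vuln = new SQLMapVulnerability();
                                Console.WriteLine(item.Message);
                            }
                        } finally {
                            // Clean up the task on every path, including exceptions raised while
                            // starting, polling or reading the log.
                            manager.DeleteTask(taskid);
                        }
                    } else if (bug.Type.Contains("Cross Site Scripting)")) {
                        // Placeholder for a DSXS follow-up; intentionally empty.
                        // NOTE(review): the trailing ")" inside the literal looks unintended.
                    }
                }
            }
        }
    }

    Console.WriteLine("Done with host: " + host.Hostname);

    return _results;
}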
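/// <summary>
/// Reads the sqlmap log file for <c>HostIPAddressV4</c>, stores its text in <c>Log</c>, and builds
/// <c>Vulnerabilities</c> from the findings that sqlmap separates with "---".
/// </summary>
/// <remarks>
/// If the log holds no "---" at all, only <c>Log</c> is updated and <c>Vulnerabilities</c> is not
/// touched. Each "Key: value" line is split at its first ':' only, so a value containing further
/// colons is preserved in full, and a line with no ':' is ignored rather than throwing.
/// </remarks>
private void ParseLog()
{
    // NOTE(review): fixed, user-specific output directory; HostIPAddressV4 goes into the path
    // unvalidated. Make sure it can only ever be an IPv4 literal chosen by the operator.
    string logPath = "/home/bperry/tools/sqlmap/output/" + this.HostIPAddressV4 + "/log";
    string log = System.IO.File.ReadAllText(logPath);
    string[] results = Regex.Split(log, "---");

    this.Log = log;

    if (results.Length == 1)
    {
        // Delimiter absent: the log reports no finding.
        return;
    }

    // Example of a single finding:
    //---
    //Place: GET
    //Parameter: searchquery
    //    Type: UNION query
    //    Title: MySQL UNION query (NULL) - 4 columns
    //    Payload: action=search&searchquery=abcd' LIMIT 1,1 UNION ALL SELECT CONCAT(0x3a626b763a,0x66726b4c574566415773,0x3a74786e3a), NULL, NULL, NULL#
    //---
    this.Vulnerabilities = new List<SQLMapVulnerability>();

    char[] keyValueSeparator = new char[] { ':' };

    // Segment 0 is the text before the first delimiter and carries no finding.
    foreach (string result in results.Skip(1))
    {
        if (string.IsNullOrWhiteSpace(result))
        {
            continue;
        }

        SQLMapVulnerability vuln = new SQLMapVulnerability();

        foreach (string line in result.Split('\n'))
        {
            string l = line.Trim();

            // Limit the split to two parts: key, and the complete remainder. Taking element [1]
            // of an unlimited split cut values short at their first embedded ':' and threw
            // IndexOutOfRangeException when the line had no ':' at all.
            string[] parts = l.Split(keyValueSeparator, 2);
            if (parts.Length < 2)
            {
                continue;
            }

            // Values reflect data exchanged with the scanned application; handle them as
            // untrusted text downstream.
            string value = parts[1].Trim();

            if (l.StartsWith("Place", System.StringComparison.Ordinal))
            {
                vuln.HTTPRequestType = value;
            }
            else if (l.StartsWith("Parameter", System.StringComparison.Ordinal))
            {
                vuln.Parameter = value;
            }
            else if (l.StartsWith("Type", System.StringComparison.Ordinal))
            {
                vuln.PayloadType = value;
            }
            else if (l.StartsWith("Title", System.StringComparison.Ordinal))
            {
                vuln.Title = value;
            }
            else if (l.StartsWith("Payload", System.StringComparison.Ordinal))
            {
                vuln.Payload = value;
            }
        }

        this.Vulnerabilities.Add(vuln);
    }
}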