/// <summary>
/// Builds the delay-inducing code snippet used by one time-based probe.
/// </summary>
/// <param name="TimeDelayInMilliSeconds">Requested delay in milliseconds; 0 requests the no-delay value.</param>
/// <param name="PayloadParts">Carries the format template (Function) that receives the delay number.</param>
/// <returns>
/// Scnr.PreInjectionParameterValue when the delay is 0; otherwise the Function template
/// with the result of TimeDelayNumberCalculator substituted for its placeholder.
/// </returns>
string TimeCommandGenerator(int TimeDelayInMilliSeconds, CodeInjectionPayloadParts PayloadParts)
{
    // Zero delay: hand back the scanner's pre-injection value instead of a snippet.
    if (TimeDelayInMilliSeconds == 0)
    {
        return this.Scnr.PreInjectionParameterValue;
    }

    // NOTE(review): TimeDelayNumberCalculator is defined outside this view; presumably it
    // converts milliseconds into the unit the snippet's sleep call expects - confirm.
    int delayNumber = TimeDelayNumberCalculator(TimeDelayInMilliSeconds);

    // Function is used as a string.Format template, so it must carry only the {0}
    // placeholder; any other literal brace in a template would raise FormatException.
    return string.Format(PayloadParts.Function, delayNumber);
}
// The earlier inline version of this method (send the same payload twice and compare
// res.RoundTrip against a fixed induced delay) was kept here as commented-out code.
// The timing decision is now delegated to DoTimeDelayBasedCheck.
// NOTE(review): DoTimeDelayBasedCheck is outside this view; confirm it still re-checks an
// observed delay before reporting, since a single slow response can be network jitter.

/// <summary>
/// Runs the time-delay check for one prefix/function/comment combination and, when the
/// check reports success, records the trigger details and the finding reason.
/// </summary>
/// <param name="PayloadParts">The payload pieces passed through to the delay check and the snippet builder.</param>
void SendAndAnalyzeTimePayload(CodeInjectionPayloadParts PayloadParts)
{
    TimeBasedCheckResults timing = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);
    if (!timing.Success)
    {
        // No confirmed delay, so nothing is reported for this combination.
        return;
    }

    // Rebuild the exact snippet that was sent, so the report can quote it.
    string snippet = TimeCommandGenerator(timing.DelayInduced, PayloadParts);

    // NOTE(review): "recieve" is misspelled in the response description below; the text is
    // emitted at runtime and is reproduced unchanged here.
    this.AddToTriggers(
        timing.DelayPayload,
        string.Format("The payload in this request contains a code snippet which if executed will cause the response to be delayed by {0} milliseconds. The code snippet is: {1}", timing.DelayInduced, snippet),
        timing.DelayRequest,
        "",
        string.Format("It took {0} milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", timing.DelayObserved, timing.DelayInduced),
        timing.DelayResponse);

    FindingReason blindReason = this.GetBlindReason(timing.DelayPayload, snippet, timing);
    this.Reasons.Add(blindReason);
}
/// <summary>
/// Produces the full parameter value for a time-based probe: prefix, delay snippet and
/// trailing comment marker, in that order.
/// </summary>
/// <param name="TimeDelayInMilliSeconds">Requested delay in milliseconds; 0 requests the no-delay value.</param>
/// <param name="OtherInfo">
/// Must be a CodeInjectionPayloadParts instance; it is cast without a type check, so any
/// other type raises InvalidCastException.
/// </param>
/// <returns>
/// Scnr.PreInjectionParameterValue when the delay is 0; otherwise Prefix + snippet + Comment.
/// </returns>
string TimePayloadGenerator(int TimeDelayInMilliSeconds, object OtherInfo)
{
    if (TimeDelayInMilliSeconds != 0)
    {
        // The signature takes object, so the payload parts arrive untyped and are cast back here.
        CodeInjectionPayloadParts parts = (CodeInjectionPayloadParts)OtherInfo;
        string snippet = TimeCommandGenerator(TimeDelayInMilliSeconds, parts);
        return string.Format("{0}{1}{2}", parts.Prefix, snippet, parts.Comment);
    }

    // Zero delay: OtherInfo is not touched and the pre-injection value is returned as-is.
    return this.Scnr.PreInjectionParameterValue;
}
/// <summary>
/// Returns the code snippet that should induce the requested delay, or the scanner's
/// pre-injection value when no delay is requested.
/// </summary>
/// <param name="TimeDelayInMilliSeconds">Requested delay in milliseconds; 0 means no delay.</param>
/// <param name="PayloadParts">Provides Function, the format template filled with the delay number.</param>
/// <returns>The formatted snippet, or Scnr.PreInjectionParameterValue for a zero delay.</returns>
string TimeCommandGenerator(int TimeDelayInMilliSeconds, CodeInjectionPayloadParts PayloadParts)
{
    // PayloadParts.Function acts as the string.Format template; it is expected to contain
    // a {0} placeholder and no other literal braces (string.Format would throw otherwise).
    // NOTE(review): TimeDelayNumberCalculator is not visible here; presumably maps the
    // millisecond delay to the number the snippet takes - confirm.
    return TimeDelayInMilliSeconds == 0
        ? this.Scnr.PreInjectionParameterValue
        : string.Format(PayloadParts.Function, TimeDelayNumberCalculator(TimeDelayInMilliSeconds));
}
/// <summary>
/// Drives the time-based code injection check: builds every prefix/function/comment
/// combination and hands each one to SendAndAnalyzeTimePayload.
/// </summary>
void CheckForTimeBasedCodeInjection()
{
    this.Scnr.Trace("<i<br>><i<h>>Checking for Time based Code Injection:<i</h>>");

    // This method used to carry, as commented-out code, an inline baseline measurement
    // (three unmodified requests, induced delay derived from the min/max round trip).
    // NOTE(review): delay selection presumably now happens behind SendAndAnalyzeTimePayload - confirm.

    // Snippet templates; "<seconds>" marks where the delay number goes.
    string[] functionTemplates = { "sleep(<seconds>);", "import time;time.sleep(<seconds>);" };
    // Prefixes: none, or a quote plus ';' to end an enclosing single/double-quoted string.
    string[] prefixes = { "", "';", "\";" };
    // Suffixes: none, or '#' so that whatever follows the injection point is commented out.
    string[] comments = { "", "#" };

    // 2 templates x 3 prefixes x 2 suffixes = 12 combinations per invocation.
    foreach (string template in functionTemplates)
    {
        // Convert the marker into a string.Format placeholder once per template.
        string formatTemplate = template.Replace("<seconds>","{0}");

        foreach (string prefix in prefixes)
        {
            foreach (string comment in comments)
            {
                CodeInjectionPayloadParts parts = new CodeInjectionPayloadParts
                {
                    Prefix = prefix,
                    Function = formatTemplate,
                    Comment = comment
                };
                this.SendAndAnalyzeTimePayload(parts);
            }
        }
    }
}
/// <summary>
/// Entry point for the time-based code injection check. Enumerates all combinations of
/// snippet template, string-terminating prefix and trailing comment marker, and runs
/// SendAndAnalyzeTimePayload once per combination.
/// </summary>
void CheckForTimeBasedCodeInjection()
{
    this.Scnr.Trace("<i<br>><i<h>>Checking for Time based Code Injection:<i</h>>");

    // A commented-out baseline routine previously lived here: it sent three plain
    // requests, tracked min/max round-trip time and derived the induced delay from them.
    // NOTE(review): confirm the replacement timing logic (not visible in this method)
    // still accounts for slow baselines, otherwise slow servers yield false positives.

    var functions = new List<string> { "sleep(<seconds>);", "import time;time.sleep(<seconds>);" };
    var prefixes = new List<string> { "", "';", "\";" };
    var comments = new List<string> { "", "#" };

    foreach (string f in functions)
    {
        foreach (string p in prefixes)
        {
            foreach (string c in comments)
            {
                var parts = new CodeInjectionPayloadParts();
                parts.Prefix = p;
                // "<seconds>" becomes the {0} placeholder that string.Format fills later.
                parts.Function = f.Replace("<seconds>", "{0}");
                parts.Comment = c;

                this.SendAndAnalyzeTimePayload(parts);
            }
        }
    }
}