/// <summary>
/// Runs the time-delay variant of the command injection check: for every
/// configured prefix and separator it submits a set of ping-based command
/// templates and lets <c>SendAndAnalyzeTimePayload</c> decide whether the
/// response was delayed.
/// </summary>
/// <remarks>
/// Every template pings localhost, so the delay is produced on the scanned
/// host itself and no third-party address is contacted. The <c>{0}</c>
/// placeholder is filled with a ping count by <c>TimeCommandGenerator</c>.
/// Timing is the only signal used here, so a finding depends on whatever
/// confirmation <c>DoTimeDelayBasedCheck</c> performs (not visible in this
/// listing); a slow or jittery target can look like a positive result.
/// </remarks>
void CheckForTimeBasedCommandInjection()
{
    this.Scnr.Trace("<i<br>><i<h>>Checking for Command Injection by Inducing Time Delay:<i</h>>");

    // Templates sent once per (prefix, separator) pair.
    // -n is the Windows ping count flag, -c the Unix-like one; the third
    // form uses the Solaris-style "-s host size count" argument order.
    string[] separatedTemplates =
    {
        "ping -n {0} localhost",
        "ping -c {0} localhost",
        "/usr/sbin/ping -s localhost 1000 {0} "
    };

    // Templates sent once per prefix with an empty separator: a backtick
    // command substitution, and a "run ..." form (target environment for
    // the latter is not stated in this file; confirm before relying on it).
    string[] bareTemplates =
    {
        "`ping -c {0} localhost`",
        "run ping -n {0} localhost"
    };

    foreach (string prefix in this.prefixes)
    {
        // One parts object is reused (and mutated) for all separators of
        // this prefix, exactly as the per-send Command assignment expects.
        CommandInjectionPayloadParts parts = new CommandInjectionPayloadParts();
        foreach (string seperator in this.seperators)
        {
            parts.Prefix = prefix;
            parts.Seperator = seperator;
            foreach (string template in separatedTemplates)
            {
                parts.Command = template;
                this.SendAndAnalyzeTimePayload(parts);
            }
        }

        // Fresh object for the separator-less payloads.
        parts = new CommandInjectionPayloadParts();
        parts.Prefix = prefix;
        parts.Seperator = "";
        foreach (string template in bareTemplates)
        {
            parts.Command = template;
            this.SendAndAnalyzeTimePayload(parts);
        }
    }
}
/// <summary>
/// Builds the system command portion of a time-delay payload.
/// </summary>
/// <param name="TimeDelayInMilliSeconds">
/// Requested delay. Zero means "no delay", in which case the original
/// (pre-injection) parameter value is returned instead of a command.
/// </param>
/// <param name="PayloadParts">
/// Supplies the command template; its <c>Command</c> is used as a
/// <c>string.Format</c> template whose <c>{0}</c> receives the ping count.
/// </param>
/// <returns>The baseline parameter value, or the formatted command.</returns>
string TimeCommandGenerator(int TimeDelayInMilliSeconds, CommandInjectionPayloadParts PayloadParts)
{
    // Baseline request: send the untouched value so timing can be compared.
    if (TimeDelayInMilliSeconds == 0)
    {
        return this.Scnr.PreInjectionParameterValue;
    }

    // The delay is expressed as a number of pings; the conversion lives in
    // PingCountCalculator, which is defined elsewhere.
    int pingCount = PingCountCalculator(TimeDelayInMilliSeconds);
    return string.Format(PayloadParts.Command, pingCount);
}
/// <summary>
/// Runs the time-delay check for one payload description and, when the
/// check reports success, records the trigger and the finding reason.
/// </summary>
/// <param name="PayloadParts">
/// Prefix, separator and command template of the payload to test; passed
/// through to <c>DoTimeDelayBasedCheck</c> and <c>TimeCommandGenerator</c>.
/// </param>
/// <remarks>
/// Nothing is recorded unless <c>TimeBasedCheckResults.Success</c> is true.
/// How that flag is decided (retries, baseline comparison) is inside
/// <c>DoTimeDelayBasedCheck</c> and is not visible here.
/// NOTE(review): the report text below contains the typo "recieve" and a
/// missing space in "{0}milliseconds"; both are kept unchanged here.
/// </remarks>
void SendAndAnalyzeTimePayload(CommandInjectionPayloadParts PayloadParts)
{
    TimeBasedCheckResults outcome = DoTimeDelayBasedCheck(TimePayloadGenerator, PayloadParts);
    if (!outcome.Success)
    {
        return;
    }

    // Re-create the command that produced the delay so it can be shown
    // in the finding.
    string Cmd = TimeCommandGenerator(outcome.DelayInduced, PayloadParts);

    string requestNote = string.Format("The payload in this request contains a system command which if executed will cause the response to be delayed by {0} milliseconds. The system command is: {1}", outcome.DelayInduced, Cmd);
    string responseNote = string.Format("It took {0}milliseconds to recieve the response from the server. It took so long because of the {1} millisecond delay caused by the payload.", outcome.DelayObserved, outcome.DelayInduced);

    // The fourth argument is passed as an empty string, as in the original call.
    this.AddToTriggers(outcome.DelayPayload, requestNote, outcome.DelayRequest, "", responseNote, outcome.DelayResponse);

    FindingReason reason = this.GetBlindReason(outcome.DelayPayload, Cmd, outcome);
    this.Reasons.Add(reason);
}
/// <summary>
/// Payload callback handed to <c>DoTimeDelayBasedCheck</c>: returns the
/// full parameter value to send for a requested delay.
/// </summary>
/// <param name="TimeDelayInMilliSeconds">
/// Requested delay; zero yields the original (pre-injection) value.
/// </param>
/// <param name="OtherInfo">
/// Must be a <c>CommandInjectionPayloadParts</c>; it is cast without a type
/// check, so any other type raises <c>InvalidCastException</c>. It is only
/// inspected when the delay is non-zero.
/// </param>
/// <returns>
/// The baseline value, or prefix + separator + a space + the command.
/// </returns>
string TimePayloadGenerator(int TimeDelayInMilliSeconds, object OtherInfo)
{
    if (TimeDelayInMilliSeconds == 0)
    {
        return this.Scnr.PreInjectionParameterValue;
    }

    CommandInjectionPayloadParts parts = (CommandInjectionPayloadParts)OtherInfo;
    string command = TimeCommandGenerator(TimeDelayInMilliSeconds, parts);

    // Layout: <prefix><separator><space><command>
    return string.Format("{0}{1} {2}", parts.Prefix, parts.Seperator, command);
}
/// <summary>
/// Produces the command text for a time-delay payload, or the original
/// parameter value when no delay is requested.
/// </summary>
/// <param name="TimeDelayInMilliSeconds">Requested delay; zero selects the baseline value.</param>
/// <param name="PayloadParts">Provides the <c>Command</c> format template.</param>
/// <returns>The formatted command, or the pre-injection parameter value.</returns>
/// <remarks>
/// NOTE(review): this listing holds another method with the same name and
/// signature. If both sit in the same class the file will not compile;
/// confirm which copy is current and drop the other.
/// </remarks>
string TimeCommandGenerator(int TimeDelayInMilliSeconds, CommandInjectionPayloadParts PayloadParts)
{
    if (TimeDelayInMilliSeconds != 0)
    {
        // Translate the delay into a ping count and substitute it for {0}.
        int count = PingCountCalculator(TimeDelayInMilliSeconds);
        return string.Format(PayloadParts.Command, count);
    }

    return this.Scnr.PreInjectionParameterValue;
}