Пример #1
        /// <summary>
        /// Prompts for an output file, then appends every data block whose tree label
        /// contains "POST" to that file and reports how many were seen and written.
        /// </summary>
        /// <param name="component">Script host; its Parent form supplies the save dialog and the tree view.</param>
        /// <remarks>
        /// NOTE(review): presumably AppendToFile writes the captured request bytes - confirm.
        /// If so, the output can hold credentials or session tokens from the capture and
        /// should be stored and shared as sensitive data.
        /// </remarks>
        public void Run(IScriptableComponent component)
        {
            Form1 form = component.Parent;

            // Cancelling the dialog aborts the export before anything is touched.
            if (form.saveDlg.ShowDialog() != DialogResult.OK)
            {
                return;
            }

            int matched = 0;
            int written = 0;

            foreach (TreeNode streamNode in form.tv.Nodes)
            {
                foreach (TreeNode blockNode in streamNode.Nodes)
                {
                    // Plain substring test on the label: any node text containing "POST"
                    // anywhere is selected, not only request lines that start with it.
                    if (blockNode.Text.IndexOf("POST") < 0)
                    {
                        continue;
                    }

                    DataBlock block = (DataBlock)blockNode.Tag;
                    if (block.LoadData())
                    {
                        bool appended = block.AppendToFile(form.saveDlg.FileName);
                        if (appended)
                        {
                            written++;

                            // Blank lines separate consecutive entries in the output file.
                            using (StreamWriter separator = File.AppendText(form.saveDlg.FileName))
                            {
                                separator.Write("\r\n\r\n");
                            }
                        }

                        block.FreeData();
                    }

                    // Counted whether or not the block could be loaded or written.
                    matched++;
                }
            }

            MessageBox.Show(string.Format("total: {0} written: {1}", matched, written));
        }
Пример #2
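        /// <summary>
        /// Quick triage pass over the loaded capture. A data block is checked, coloured and
        /// listed in sqli.txt (written beside the capture file) when its body contains a
        /// database error marker or its HTTP first line matches 500, 408 or 401.
        /// </summary>
        /// <param name="component">Script host; its Parent form supplies the tree view, progress bars and capture path.</param>
        /// <remarks>
        /// The markers are passive indicators taken from captured traffic; a hit means
        /// "look at this exchange", not a confirmed injection. One block can be counted
        /// twice when it matches both a database marker and a status code.
        /// </remarks>
        public void Run(IScriptableComponent component)
        {
            int i = 0, j = 0, hits = 0;

            Form1 f = component.Parent;

            // NOTE(review): if txtPcap holds no directory part, GetDirectoryName may return
            // null/empty and the report lands at "\sqli.txt" - confirm the field is a full path.
            string pDir = Path.GetDirectoryName(f.txtPcap.Text);
            string rep  = pDir + "\\sqli.txt";

            // CreateText truncates any previous report, and the using block closes the
            // writer even when a node throws part-way through the scan.
            using (StreamWriter w = File.CreateText(rep))
            {
                foreach (TreeNode n in f.tv.Nodes)
                {
                    i++;
                    j = 0; // restart the child progress bar for each parent node
                    f.setpb(i, f.tv.Nodes.Count, 1);
                    n.Checked = false;

                    foreach (TreeNode nn in n.Nodes)
                    {
                        j++;
                        f.setpb(j, n.Nodes.Count, 2);
                        nn.Checked = false;

                        DataBlock db = (DataBlock)nn.Tag;
                        if (db.LoadData())
                        {
                            string body = db.GetBody() ?? string.Empty;
                            string fl   = db.HttpFirstLine;

                            // ">= 0" so a marker at the very start of the body is not missed;
                            // ordinal matching keeps detection independent of the UI culture
                            // (culture-aware case folding can fail to match 'I'/'i' in some locales).
                            if (body.IndexOf("SqlException", StringComparison.OrdinalIgnoreCase) >= 0)
                            {
                                //mssql and oracle
                                f.setNodeColor(nn, 1);
                                f.setNodeColor(n, 2);
                                w.Write("SQLException Found in: " + n.Text + "\r\n" + nn.Text + "\r\n\r\n");
                                hits++;
                                nn.Checked = true;
                            }
                            else if (body.IndexOf("SQL syntax", StringComparison.OrdinalIgnoreCase) >= 0)
                            {
                                //mysql
                                f.setNodeColor(nn, 1);
                                f.setNodeColor(n, 2);
                                w.Write("SQLException Found in: " + n.Text + "\r\n" + nn.Text + "\r\n\r\n");
                                hits++;
                                nn.Checked = true;
                            }

                            // NOTE(review): AnyInstr is defined elsewhere; presumably a substring
                            // match against each comma-separated item. The first line is tested for
                            // every block type, so a request line that merely contains "500" would
                            // also be flagged - consider limiting this to response blocks.
                            if (AnyInstr(fl, "500,408,401"))
                            {
                                f.setNodeColor(nn, 1);
                                f.setNodeColor(n, 2);
                                w.Write("Http Error code found in: " + n.Text + "\r\n" + nn.Text + "\r\n\r\n");
                                hits++;
                                nn.Checked = true;
                            }

                            db.FreeData();
                        }
                    }
                }
            }

            f.pb.Value  = 0;
            f.pb2.Value = 0;

            if (hits > 0)
            {
                MessageBox.Show(hits.ToString() + " results found. The nodes have been checked.\n\nYou can prune tree using right click menu");
            }
            else
            {
                MessageBox.Show("quick scan had no results...");
            }
        }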
Пример #3
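        /// <summary>
        /// Triage pass that flags HTTP responses whose first line matches a set of error
        /// status codes, and HTTP requests whose body or first line matches a set of
        /// suspicious markers. Flagged nodes are checked, coloured and appended to
        /// exploits.txt beside the capture file.
        /// </summary>
        /// <param name="component">Script host; its Parent form supplies the tree view, progress bars and capture path.</param>
        /// <remarks>
        /// The report is appended to, not replaced, so it accumulates across runs. A hit is
        /// a lead for manual review of the exchange, not proof of a successful attack.
        /// </remarks>
        public void Run(IScriptableComponent component)
        {
            int i = 0, j = 0, hits = 0;

            Form1 f = component.Parent;

            // NOTE(review): if txtPcap holds no directory part, GetDirectoryName may return
            // null/empty and the report lands at "\exploits.txt" - confirm the field is a full path.
            string pDir = Path.GetDirectoryName(f.txtPcap.Text);
            string rep  = pDir + "\\exploits.txt";

            // The using block closes the report even when a node throws part-way through.
            using (StreamWriter w = File.AppendText(rep))
            {
                foreach (TreeNode n in f.tv.Nodes)
                {
                    i++;
                    j = 0; // restart the child progress bar for each parent node
                    f.setpb(i, f.tv.Nodes.Count, 1);
                    n.Checked = false;

                    foreach (TreeNode nn in n.Nodes)
                    {
                        j++;
                        f.setpb(j, n.Nodes.Count, 2);
                        nn.Checked = false;

                        DataBlock db = (DataBlock)nn.Tag;
                        if (db.LoadData())
                        {
                            string fl = db.HttpFirstLine;

                            // Response codes that may indicate a problem to look at:
                            // error, timeout, unauthorized, forbidden, entity too large,
                            // method not allowed, bad request.
                            if (db.DataType == DataBlock.DataTypes.dtHttpResp)
                            {
                                if (AnyInstr(fl, "500,408,401,403,413,405,400"))
                                {
                                    f.setNodeColor(nn, 1);
                                    f.setNodeColor(n, 2);
                                    w.Write("Http Error code found in: " + n.Text + "\r\n" + nn.Text + "\r\n\r\n");
                                    hits++;
                                    nn.Checked = true;
                                }
                            }

                            // HTTP requests to flag as suspicious.
                            if (db.DataType == DataBlock.DataTypes.dtHttpReq)
                            {
                                string body = db.GetBody() ?? string.Empty;

                                // ">= 0" so a marker at the start of the body is not missed; ordinal
                                // matching keeps the result independent of the UI culture.
                                // NOTE(review): database error text normally appears in a response,
                                // yet this runs on request bodies only - confirm that is intended.
                                if (body.IndexOf("SqlException", StringComparison.OrdinalIgnoreCase) >= 0)
                                {
                                    //mssql and oracle
                                    f.setNodeColor(nn, 1);
                                    f.setNodeColor(n, 2);
                                    w.Write("SQLException Found in: " + n.Text + "\r\n" + nn.Text + "\r\n\r\n");
                                    hits++;
                                    nn.Checked = true;
                                }

                                // Request-line markers (traversal sequences, backup/temp file names,
                                // Java stack-trace fragments, encoded characters).
                                // NOTE(review): AnyInstr is defined elsewhere; whether it matches
                                // case-insensitively is not visible here - confirm.
                                if (AnyInstr(fl, "..,script,bak,~,java.lang,jboss.,%252e,passwd,2d%64+%61"))
                                {
                                    f.setNodeColor(nn, 1);
                                    f.setNodeColor(n, 2);

                                    // This branch matches request markers, not status codes, so the
                                    // report line says so instead of repeating the HTTP-error text.
                                    w.Write("Suspicious request pattern found in: " + n.Text + "\r\n" + nn.Text + "\r\n\r\n");
                                    hits++;
                                    nn.Checked = true;
                                }
                            }

                            db.FreeData();
                        }
                    }
                }
            }

            f.pb.Value  = 0;
            f.pb2.Value = 0;

            if (hits > 0)
            {
                MessageBox.Show(hits.ToString() + " results found. The nodes have been checked.\n\nYou can prune tree using right click menu");
            }
            else
            {
                MessageBox.Show("quick scan had no results...");
            }
        }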
Пример #4
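        /// <summary>
        /// Decodes the raw binary blocks of every reconstructed stream whose dump file name
        /// contains the C2 address entered by the analyst, and writes a hex dump of each
        /// decoded buffer to decoder_x_output.txt beside the capture file.
        /// </summary>
        /// <param name="component">Script host; its Parent form supplies the input box, tree view, progress bars and capture path.</param>
        /// <remarks>
        /// Only blocks of type dtBinary are processed; HTTP blocks are listed in the report
        /// header line but not decoded.
        /// </remarks>
        public void Run(IScriptableComponent component)
        {
            int i = 0, j = 0, hits = 0;

            Form1 f = component.Parent;

            string C2 = f.InputBox("Enter the C2 IP to decode data for (can be partial string but be unique)", "Set C2", "");

            // Covers both an empty entry and a null return from the input box.
            if (string.IsNullOrEmpty(C2))
            {
                return;
            }

            // NOTE(review): if txtPcap holds no directory part, GetDirectoryName may return
            // null/empty and the report lands at "\decoder_x_output.txt" - confirm.
            string pDir = Path.GetDirectoryName(f.txtPcap.Text);
            string rep  = pDir + "\\decoder_x_output.txt";

            // CreateText truncates any previous output, and the using block closes the
            // writer even when decoding throws part-way through.
            using (StreamWriter w = File.CreateText(rep))
            {
                foreach (TreeNode n in f.tv.Nodes)
                {
                    i++; j = 0;
                    f.setpb(i, f.tv.Nodes.Count, 1);

                    TcpRecon recon = (TcpRecon)n.Tag;

                    //both ips are embedded in dump file name
                    //you can also use recon.Client[Address|Port] recon.Server[Address|Port]
                    // Ordinal search: an address is an identifier, and a culture-aware search
                    // can report a match for input made only of ignorable characters.
                    if (recon.dumpFile.IndexOf(C2, StringComparison.Ordinal) == -1)
                    {
                        continue;
                    }

                    foreach (TreeNode nn in n.Nodes)
                    {
                        j++;
                        f.setpb(j, n.Nodes.Count, 2);

                        DataBlock db = (DataBlock)nn.Tag;
                        w.WriteLine(n.Text + " : " + nn.Text + "\r\n------------------------------------------------");

                        if (!db.LoadData())
                        {
                            w.WriteLine("Failed to load data...\r\n");
                            continue;
                        }

                        byte[] buf = null;

                        //in this example we will only process raw binary transfers (no http)
                        if (db.DataType == DataBlock.DataTypes.dtBinary)
                        {
                            buf = db.data;
                        }

                        /*else if(db.DataType == DataBlock.DataTypes.dtHttpReq) //if you wanted to process http request
                         * {
                         *  buf = db.GetBinaryBody();
                         * }*/

                        //DataBlock Source and Dest addresses are set per packet,
                        //you can also filter based on db.SourcePort && db.DestPort
                        //
                        //example to handle client requests to server port 9000:
                        //   if(db.SourceAddress == recon.ClientAddress && db.DestPort == 9000)
                        //
                        //Note: this for loop only runs if we matched target server because of continue above...

                        if (buf != null && buf.Length > 0)
                        {
                            hits++;

                            // NOTE(review): decode is defined elsewhere; its return value is
                            // ignored and buf is dumped afterwards, so it presumably rewrites
                            // the buffer in place - confirm.
                            decode(buf);
                            w.WriteLine(HexDumper.HexDump(buf));
                            w.WriteLine("\r\n");
                        }

                        db.FreeData();
                    }
                }
            }

            f.pb.Value  = 0;
            f.pb2.Value = 0;

            if (hits > 0)
            {
                MessageBox.Show(hits.ToString() + " packets decoded.\nSaved as: " + rep);
            }
            else
            {
                MessageBox.Show("No binary data packets found from the C2 you entered: " + C2);
            }
        }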