protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
{
var scanMode = FileScanMode.DefaultModes[Mode];
string _queryString = "";
var getFields = new List<string>();
foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x =>
(x.Name == "$_GET" || x.Name == "$_REQUEST")))
{
if (c.ParameterValues.Count == 0)
c.ParameterValues = new List<string> { "shell_file" };
if (getFields.Contains(c.ParameterValues[0]))
continue;
getFields.Add(c.ParameterValues[0]);
_queryString += (_queryString.Length != 0 ? "&" : "?") +
c.ParameterValues[0] + "=" + HttpUtility.UrlEncode(scanMode.ShellFile);
}
var content = "";
var postFields = new List<string>();
foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x =>
x.Name == "$_POST"))
{
if (!c.ParameterValues.Any())
c.ParameterValues.Add("shell_file");
if (postFields.Contains(c.ParameterValues[0]))
continue;
postFields.Add(c.ParameterValues[0]);
content +=
"------x\r\n" +
"Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"\r\n" +
"\r\n" +
scanMode.ShellFile + "\r\n";
}
var files = SourceTrace.Calls.Where(x => x.Name == "$_FILES");
if (files.Count() == 0)
files = new TracedFunctionCall[]
{
new TracedFunctionCall()
{
ParameterValues = new List<string>() { "shell_file" }
}
};
else
{
Cli.WriteLine("~Yellow~File Upload detected in {0}~R~", TargetFile);
}
var fileFields = new List<string>();
foreach (TracedFunctionCall c in files)
{
if (c.Name == "$_FILES" &&
c.ParameterValues.Count == 0)
c.ParameterValues = new List<string>{ "shell_file" };
if (fileFields.Contains(c.ParameterValues[0]))
continue;
fileFields.Add(c.ParameterValues[0]);
content +=
"------x\r\n" +
"Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"; " +
"filename=\"" + scanMode.ShellFile + "\"\r\n" +
"Content-Type: " + scanMode.ContentType + "\r\n" +
"\r\n" +
scanMode.Shell + "\r\n";
}
if (content.Length > 0)
{
content +=
"------x--\r\n" +
"\r\n";
}
var header =
"POST " + TargetFile + _queryString + " HTTP/1.1\r\n" +
"Host: " + _server + "\r\n" +
"Proxy-Connection: keep-alive\r\n" +
"User-Agent: x\r\n" +
"Content-Length: " + content.Length + "\r\n" +
"Cache-Control: max-age=0\r\n" +
"Origin: null\r\n" +
"Content-Type: multipart/form-data; boundary=----x\r\n" +
"Accept: text/html\r\n" +
"Accept-Encoding: gzip,deflate,sdch\r\n" +
"Accept-Language: en-US,en;q=0.8\r\n" +
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" +
"\r\n";
return header + content;
}
protected override string BuildRequestCore(int Mode, string TargetFile, FileTrace SourceTrace)
{
var scanMode = FileScanMode.DefaultModes[Mode];
string _queryString = "";
var getFields = new List <string>();
foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x =>
(x.Name == "$_GET" || x.Name == "$_REQUEST")))
{
if (c.ParameterValues.Count == 0)
{
c.ParameterValues = new List <string> {
"shell_file"
}
}
;
if (getFields.Contains(c.ParameterValues[0]))
{
continue;
}
getFields.Add(c.ParameterValues[0]);
_queryString += (_queryString.Length != 0 ? "&" : "?") +
c.ParameterValues[0] + "=" + HttpUtility.UrlEncode(scanMode.ShellFile);
}
var content = "";
var postFields = new List <string>();
foreach (TracedFunctionCall c in SourceTrace.Calls.Where(x =>
x.Name == "$_POST"))
{
if (!c.ParameterValues.Any())
{
c.ParameterValues.Add("shell_file");
}
if (postFields.Contains(c.ParameterValues[0]))
{
continue;
}
postFields.Add(c.ParameterValues[0]);
content +=
"------x\r\n" +
"Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"\r\n" +
"\r\n" +
scanMode.ShellFile + "\r\n";
}
var files = SourceTrace.Calls.Where(x => x.Name == "$_FILES");
if (files.Count() == 0)
{
files = new TracedFunctionCall[]
{
new TracedFunctionCall()
{
ParameterValues = new List <string>()
{
"shell_file"
}
}
}
}
;
else
{
Cli.WriteLine("~Yellow~File Upload detected in {0}~R~", TargetFile);
}
var fileFields = new List <string>();
foreach (TracedFunctionCall c in files)
{
if (c.Name == "$_FILES" &&
c.ParameterValues.Count == 0)
{
c.ParameterValues = new List <string> {
"shell_file"
}
}
;
if (fileFields.Contains(c.ParameterValues[0]))
{
continue;
}
fileFields.Add(c.ParameterValues[0]);
content +=
"------x\r\n" +
"Content-Disposition: form-data; name=\"" + c.ParameterValues[0] + "\"; " +
"filename=\"" + scanMode.ShellFile + "\"\r\n" +
"Content-Type: " + scanMode.ContentType + "\r\n" +
"\r\n" +
scanMode.Shell + "\r\n";
}
if (content.Length > 0)
{
content +=
"------x--\r\n" +
"\r\n";
}
var header =
"POST " + TargetFile + _queryString + " HTTP/1.1\r\n" +
"Host: " + _server + "\r\n" +
"Proxy-Connection: keep-alive\r\n" +
"User-Agent: x\r\n" +
"Content-Length: " + content.Length + "\r\n" +
"Cache-Control: max-age=0\r\n" +
"Origin: null\r\n" +
"Content-Type: multipart/form-data; boundary=----x\r\n" +
"Accept: text/html\r\n" +
"Accept-Encoding: gzip,deflate,sdch\r\n" +
"Accept-Language: en-US,en;q=0.8\r\n" +
"Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3\r\n" +
"\r\n";
return(header + content);
}
