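        /// <summary>
        /// Runs sqlmap on the command line as a crawl of <c>_options.URL:_options.Port</c> and parses
        /// what it prints to standard output. Afterwards sqlmap's stored output is purged so the next
        /// run starts clean.
        /// </summary>
        /// <returns>The parsed results, keyed on <c>_options.URL</c>.</returns>
        /// <exception cref="ArgumentException">The configured target contains a double quote and cannot be passed on the command line safely.</exception>
        public IToolResults Run()
        {
            string target = _options.URL + ":" + _options.Port;

            // Arguments are handed to sqlmap as one string (no shell, UseShellExecute = false). A double
            // quote inside the target would end the quoted -u value early and let the remainder be read as
            // further sqlmap switches, so refuse it rather than run a different command than intended.
            if (target.IndexOf('"') >= 0)
            {
                throw new ArgumentException("Target URL must not contain a double quote: " + target);
            }

            string cmd = " -u \"" + target + "\" -o --fresh-queries --random-agent --flush-session --smart --batch --crawl=" + _options.CrawlLevel.ToString();

            if (!string.IsNullOrEmpty(_options.DBMS))
            {
                cmd += " --dbms=" + _options.DBMS;
            }
            if (_options.Level.HasValue)
            {
                cmd += " --level=" + _options.Level.Value.ToString();
            }
            if (_options.Risk.HasValue)
            {
                cmd += " --risk=" + _options.Risk.Value;
            }
            if (_options.TestForms)
            {
                cmd += " --forms";
            }

            ProcessStartInfo si = new ProcessStartInfo();
            si.FileName = _options.Path;
            si.Arguments = cmd;
            si.RedirectStandardOutput = true;
            si.UseShellExecute = false;

            string output;
            // Process owns OS handles; dispose it instead of leaving it to the finalizer.
            using (Process proc = new Process())
            {
                proc.StartInfo = si;
                proc.EnableRaisingEvents = false;
                proc.Start();

                // Drain stdout before waiting so a chatty run cannot fill the pipe and block forever.
                output = proc.StandardOutput.ReadToEnd();
                proc.WaitForExit();
            }

            SQLMapResults results = new SQLMapResults(output, _options.URL);

            // Ask sqlmap to purge its stored output. Unlike before, the purge is read and waited on, so it
            // can neither leave a pipe full of unread output nor race with the next scan.
            si.Arguments = "--purge-output";
            using (Process purge = new Process())
            {
                purge.StartInfo = si;
                purge.EnableRaisingEvents = false;
                purge.Start();
                purge.StandardOutput.ReadToEnd();
                purge.WaitForExit();
            }

            return results;
        }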
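        /// <summary>
        /// Builds the persistable copy of a transient <see cref="SQLMapResults"/>: the raw output, the log,
        /// the port it was run against and one persistent record per vulnerability, each linked back to this instance.
        /// </summary>
        /// <param name="results">The in-memory results to copy; must not be null.</param>
        /// <exception cref="ArgumentNullException"><paramref name="results"/> is null.</exception>
        public PersistentSQLMapResults(SQLMapResults results)
        {
            if (results == null)
            {
                throw new ArgumentNullException("results");
            }

            this.FullOutput = results.FullOutput;
            this.ParentHostPort = new PersistentPort(results.ParentHostPort);
            this.Log = results.Log;

            // Always materialised, so consumers never have to null-check the collection.
            this.PersistentVulnerabilities = new List<PersistentSQLMapVulnerability>();

            if (results.Vulnerabilities == null)
            {
                return;
            }

            foreach (SQLMapVulnerability vuln in results.Vulnerabilities)
            {
                PersistentSQLMapVulnerability pvuln = new PersistentSQLMapVulnerability(vuln);

                // Guid.Empty is passed as the creator id — presumably "no particular user"; confirm against SetCreationInfo.
                pvuln.SetCreationInfo(Guid.Empty);
                pvuln.ParentResults = this;

                this.PersistentVulnerabilities.Add(pvuln);
            }
        }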
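        /// <summary>
        /// Re-tests one wapiti SQL-injection finding with sqlmap on the command line. Wapiti's own probe
        /// payload is replaced by a benign value and the parameters it did not inject into are skipped.
        /// Findings of any other type are not handled.
        /// </summary>
        /// <param name="bug">A wapiti finding; URL and Parameter carry wapiti's probe payload URL-encoded.</param>
        /// <returns>
        /// The parsed sqlmap output, or null when the finding is not a SQL-injection one, its URL has no
        /// usable host, or a value cannot be placed on the command line safely.
        /// </returns>
        public IToolResults Run(WapitiBug bug)
        {
            if (bug == null || bug.Type == null || !bug.Type.StartsWith("SQL Injection"))
            {
                return null;
            }

            string url = bug.URL ?? string.Empty;
            string parameter = bug.Parameter ?? string.Empty;

            // Wapiti reports GET findings with the parameters inside the URL; otherwise they were sent as a body.
            bool viaGet = url.Contains(parameter);
            string verb = viaGet ? "GET" : "POST";

            // Start from a clean sqlmap output directory.
            RunSqlmapProcess("--purge-output");

            string cleanUrl = ScrubWapitiPayloads(url);
            string cleanData = viaGet ? null : ScrubWapitiPayloads(parameter);
            List<string> untouched = UntestedParameterNames(parameter);

            string host = ExtractHost(cleanUrl);
            if (host == null)
            {
                Console.WriteLine("Skipping " + verb + " SQL injection test, no host in URL: " + bug.URL);
                return null;
            }

            // ProcessStartInfo.Arguments is one string handed to sqlmap without a shell; a double quote inside a
            // value would end the quoted option early and let the remainder be parsed as further switches.
            // These values derive from the scanned site's responses, so skip the finding instead of running
            // a command other than the one intended.
            if (cleanUrl.IndexOf('"') >= 0
                || (cleanData != null && cleanData.IndexOf('"') >= 0)
                || untouched.Exists(delegate(string name) { return name.IndexOf('"') >= 0; }))
            {
                Console.WriteLine("Skipping " + verb + " SQL injection test, value contains a double quote: " + bug.URL);
                return null;
            }

            Console.WriteLine("Running " + verb + " SQL injection test on URL: " + bug.URL);

            // --disable-coloring on both paths (the GET path already had it) so the output parser never sees
            // terminal escape codes.
            string command = " --disable-coloring -u \"" + cleanUrl + "\" -o --fresh-queries --random-agent --flush-session --smart --batch";

            if (cleanData != null)
            {
                command += " --data=\"" + cleanData + "\"";
            }
            if (untouched.Count > 0)
            {
                command += " --skip=\"" + String.Join(",", untouched) + "\"";
            }
            if (!string.IsNullOrEmpty(_options.DBMS))
            {
                command += " --dbms=" + _options.DBMS;
            }
            if (_options.Level.HasValue)
            {
                command += " --level=" + _options.Level.Value.ToString();
            }
            if (_options.Risk.HasValue)
            {
                command += " --risk=" + _options.Risk.Value;
            }
            // --forms is deliberately not passed here: the finding already names the injection point.

            SQLMapResults results = new SQLMapResults(RunSqlmapProcess(command), host);

            // Purge again so the next finding starts from a clean output directory.
            RunSqlmapProcess("--purge-output");

            return results;
        }

        // Replaces wapiti's URL-encoded probe payloads with a benign value so sqlmap starts from a clean request.
        private static string ScrubWapitiPayloads(string value)
        {
            return value.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
        }

        // Names of the parameters wapiti did not inject into, for sqlmap's --skip. Empty names are dropped.
        private static List<string> UntestedParameterNames(string parameter)
        {
            List<string> names = new List<string>();

            foreach (string pair in parameter.Split('&'))
            {
                if (pair.Contains("%BF%27%22%28") || pair.Contains("or+benchmark"))
                {
                    continue;
                }

                string name = pair.Split('=')[0];
                if (name.Length > 0)
                {
                    names.Add(name);
                }
            }

            return names;
        }

        // Host part of an absolute URL (no port, no credentials); null when it cannot be parsed.
        // Replaces url.Split('/')[2].Split(':')[0], which threw on relative or malformed URLs.
        private static string ExtractHost(string url)
        {
            Uri parsed;
            if (Uri.TryCreate(url, UriKind.Absolute, out parsed) && !string.IsNullOrEmpty(parsed.Host))
            {
                return parsed.Host;
            }

            return null;
        }

        // Runs sqlmap (_options.Path) with the given arguments, waits for it to exit and returns its standard output.
        private string RunSqlmapProcess(string arguments)
        {
            ProcessStartInfo si = new ProcessStartInfo();
            si.FileName = _options.Path;
            si.Arguments = arguments;
            si.RedirectStandardOutput = true;
            si.UseShellExecute = false;

            // Dispose the Process so its handles are released instead of leaking until finalisation.
            using (Process proc = new Process())
            {
                proc.StartInfo = si;
                proc.EnableRaisingEvents = false;
                proc.Start();

                // Drain stdout before waiting so a chatty run cannot fill the pipe and block.
                string output = proc.StandardOutput.ReadToEnd();
                proc.WaitForExit();
                return output;
            }
        }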
        /// <summary>
        /// Crawls <c>_options.URL:_options.Port</c> with sqlmap on the command line and parses what it prints.
        /// Afterwards a purge of sqlmap's stored output is started without waiting for it.
        /// </summary>
        /// <returns>The parsed results for <c>_options.URL</c>.</returns>
        public IToolResults Run()
        {
            string arguments = string.Concat(
                " -u \"", _options.URL, ":", _options.Port,
                "\" -o --fresh-queries --random-agent --flush-session --smart --batch --crawl=",
                _options.CrawlLevel.ToString());

            if (!string.IsNullOrEmpty(_options.DBMS))
            {
                arguments += " --dbms=" + _options.DBMS;
            }
            if (_options.Level.HasValue)
            {
                arguments += " --level=" + _options.Level.Value;
            }
            if (_options.Risk.HasValue)
            {
                arguments += " --risk=" + _options.Risk.Value;
            }
            if (_options.TestForms)
            {
                arguments += " --forms";
            }

            // No shell involved: the arguments go straight to the sqlmap executable.
            ProcessStartInfo startInfo = new ProcessStartInfo();
            startInfo.FileName = _options.Path;
            startInfo.Arguments = arguments;
            startInfo.RedirectStandardOutput = true;
            startInfo.UseShellExecute = false;

            Process scan = new Process();
            scan.StartInfo = startInfo;
            scan.EnableRaisingEvents = false;
            scan.Start();

            // Read everything first, then wait; reading after waiting could deadlock on a full pipe.
            string scanOutput = scan.StandardOutput.ReadToEnd();
            scan.WaitForExit();

            SQLMapResults parsed = new SQLMapResults(scanOutput, _options.URL);

            // Fire-and-forget clean-up: the same start info is reused with the purge switch and not awaited.
            startInfo.Arguments = "--purge-output";
            Process purge = new Process();
            purge.StartInfo = startInfo;
            purge.EnableRaisingEvents = false;
            purge.Start();

            return parsed;
        }
        /// <summary>
        /// Re-tests one wapiti SQL-injection finding with sqlmap on the command line. Wapiti's probe payload
        /// is swapped for a benign value, the parameters it did not inject into are passed to --skip, and
        /// sqlmap's stored output is purged before and after the run.
        /// </summary>
        /// <param name="bug">A wapiti finding; only types starting with "SQL Injection" are handled.</param>
        /// <returns>The parsed sqlmap output, or null for findings of any other type.</returns>
        public IToolResults Run(WapitiBug bug)
        {
            if (!bug.Type.StartsWith("SQL Injection"))
            {
                return null;
            }

            ProcessStartInfo startInfo = new ProcessStartInfo();
            startInfo.RedirectStandardOutput = true;
            startInfo.UseShellExecute = false;
            startInfo.FileName = _options.Path;

            // Clean-up first; its output is read but not used.
            StartAndReadStdout(startInfo, "--purge-output");

            // Parameters inside the URL mean wapiti found the injection via GET, otherwise via a POST body.
            bool parametersInUrl = bug.URL.Contains(bug.Parameter);
            string verb = parametersInUrl ? "GET" : "POST";

            string targetUrl = ScrubProbe(bug.URL);
            string postData = parametersInUrl ? null : ScrubProbe(bug.Parameter);

            // Everything wapiti did not inject into is handed to sqlmap as --skip.
            List<string> untouched = new List<string>();
            foreach (string pair in Regex.Split(bug.Parameter, "&"))
            {
                bool carriesProbe = pair.Contains("%BF%27%22%28") || pair.Contains("or+benchmark");
                if (!carriesProbe)
                {
                    untouched.Add(pair.Split('=')[0]);
                }
            }

            Console.WriteLine("Running " + verb + " SQL injection test on URL: " + bug.URL);

            // Naive host extraction: third '/'-separated piece of the URL, port stripped.
            string hostName = targetUrl.Split('/')[2].Split(':')[0];

            string arguments = parametersInUrl
                ? " --disable-coloring -u \"" + targetUrl + "\" -o --fresh-queries --random-agent --flush-session --smart --batch"
                : " -u \"" + targetUrl + "\" -o --fresh-queries --random-agent --flush-session --smart --batch" + " --data=\"" + postData + "\"";

            if (untouched.Count > 0)
            {
                arguments += " --skip=\"" + String.Join(",", untouched) + "\"";
            }
            if (!string.IsNullOrEmpty(_options.DBMS))
            {
                arguments += " --dbms=" + _options.DBMS;
            }
            if (_options.Level.HasValue)
            {
                arguments += " --level=" + _options.Level.Value.ToString();
            }
            if (_options.Risk.HasValue)
            {
                arguments += " --risk=" + _options.Risk.Value;
            }

            string scanOutput = StartAndReadStdout(startInfo, arguments);
            SQLMapResults results = new SQLMapResults(scanOutput, hostName);

            // Same clean-up as before the scan.
            StartAndReadStdout(startInfo, "--purge-output");

            return results;
        }

        // Starts sqlmap with the given arguments and returns everything it writes to standard output.
        private static string StartAndReadStdout(ProcessStartInfo startInfo, string arguments)
        {
            startInfo.Arguments = arguments;

            Process process = new Process();
            process.StartInfo = startInfo;
            process.EnableRaisingEvents = false;
            process.Start();

            return process.StandardOutput.ReadToEnd();
        }

        // Replaces wapiti's URL-encoded probe payloads with a benign value.
        private static string ScrubProbe(string value)
        {
            return value.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
        }
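        /// <summary>
        /// Runs the web-application checks for one scanned host: wapiti against every http/https port and,
        /// when <paramref name="sqlmapOptions"/> is given, sqlmap either as a crawl of the port (no wapiti
        /// findings available) or, steered by wapiti's SQL-injection findings, through the local sqlmap API.
        /// </summary>
        /// <param name="host">The host and its ports as reported by nmap.</param>
        /// <param name="sqlmapOptions">Options shared by every sqlmap run; URL, Port and Path are overwritten per port. Null disables sqlmap.</param>
        /// <param name="config">Tool configuration; reads "isSQLMap", "wapitiPath" and "sqlmapPath".</param>
        /// <returns>One result object per tool run; empty when nothing was scanned.</returns>
        private List<IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary<string, string> config)
        {
            List<IToolResults> collected = new List<IToolResults>();
            string hostLabel = string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname;

            Console.WriteLine("Scanning host: " + host.Hostname);

            // A missing or unparsable "isSQLMap" entry used to throw from inside the port loop; treat it as "off".
            bool webChecksEnabled = false;
            string sqlmapFlag;
            if (config.TryGetValue("isSQLMap", out sqlmapFlag))
            {
                bool.TryParse(sqlmapFlag, out webChecksEnabled);
            }

            foreach (var port in host.Ports)
            {
                port.ParentIPAddress = host.IPAddressv4;

                bool isWebService = port.Service == "http" || port.Service == "https";
                if (!isWebService || !webChecksEnabled)
                {
                    continue;
                }

                WapitiToolOptions wapitiOptions = new WapitiToolOptions();
                wapitiOptions.Host = host.IPAddressv4;
                wapitiOptions.Port = port.PortNumber;
                wapitiOptions.Path = config["wapitiPath"];

                Console.WriteLine("Running wapiti (http/" + port.PortNumber + ") on host: " + hostLabel);

                WapitiToolResults wapitiResults = null;
                try
                {
                    wapitiResults = new Wapiti(wapitiOptions).Run(new TimeSpan(0, 10, 0)) as WapitiToolResults;
                    if (wapitiResults != null)
                    {
                        wapitiResults.HostIPAddressV4 = host.IPAddressv4;
                        wapitiResults.HostPort = port.PortNumber;
                        wapitiResults.IsTCP = true;
                        collected.Add(wapitiResults);
                    }
                }
                catch (Exception ex)
                {
                    // Best effort per port: the failure is reported and, with no wapiti results, sqlmap is skipped below.
                    Console.WriteLine(ex.Message);
                }

                if (sqlmapOptions == null || wapitiResults == null)
                {
                    continue;
                }

                sqlmapOptions.Path = config["sqlmapPath"];

                if (wapitiResults.Bugs == null)
                {
                    // Nothing to steer sqlmap with, so let it crawl the port on its own (command-line path).
                    sqlmapOptions.URL = port.Service + "://" + host.IPAddressv4;
                    sqlmapOptions.Port = port.PortNumber;

                    SQLMapResults crawlResults = new SQLMap(sqlmapOptions).Run() as SQLMapResults;
                    if (crawlResults != null)
                    {
                        crawlResults.ParentHostPort = port;
                        collected.Add(crawlResults);
                    }

                    continue;
                }

                // Findings present: re-test each SQL-injection finding through the sqlmap REST API (sqlmapapi).
                // NOTE(review): the endpoint is hard-coded and used without credentials — confirm the API
                // server is only ever bound to loopback.
                using (SqlmapSession session = new SqlmapSession("127.0.0.1", 8775))
                using (SqlmapManager manager = new SqlmapManager(session))
                {
                    foreach (WapitiBug bug in wapitiResults.Bugs)
                    {
                        if (bug.Type.StartsWith("SQL Injection"))
                        {
                            Console.WriteLine("Starting SQLMap on host/port: " + hostLabel + "/" + port.PortNumber);

                            SQLMapResults apiResults = RunSqlmapApiTask(manager, bug);
                            if (apiResults != null)
                            {
                                apiResults.ParentHostPort = port;
                                collected.Add(apiResults);
                            }
                        }
                        else if (bug.Type.Contains("Cross Site Scripting"))
                        {
                            // The previous literal "Cross Site Scripting)" (stray parenthesis) could not match.
                            // TODO: XSS findings are recognised but not followed up yet (dsxs).
                        }
                    }
                }
            }

            Console.WriteLine("Done with host: " + host.Hostname);

            return collected;
        }

        // Replaces wapiti's URL-encoded probe payloads with a benign value so sqlmap starts from a clean request.
        private static string ScrubWapitiProbe(string value)
        {
            return value.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
        }

        // Submits one wapiti SQL-injection finding as a sqlmapapi task, waits (bounded) for it to terminate
        // and turns the "... is injectable" log lines into vulnerabilities. Returns null when the task did
        // not terminate in time. The server-side task is always deleted, even when polling throws.
        private static SQLMapResults RunSqlmapApiTask(SqlmapManager manager, WapitiBug bug)
        {
            string parameter = bug.Parameter ?? string.Empty;
            string taskId = manager.NewTask();

            try
            {
                Dictionary<string, object> opts = manager.GetOptions(taskId);

                if (bug.URL.Contains(parameter))
                {
                    // Parameters inside the URL: wapiti found this via GET, so only the URL needs scrubbing.
                    opts["url"] = ScrubWapitiProbe(bug.URL);
                }
                else
                {
                    // Otherwise the payload went in a body; hand it to sqlmap as POST data.
                    opts["url"] = bug.URL;
                    opts["data"] = ScrubWapitiProbe(parameter);
                }

                manager.StartTask(taskId, opts);

                // Poll until sqlmap reports the task terminated. Bounded with the same 10 minutes given to
                // wapiti so a stuck task cannot hang the whole host scan (the old loop waited forever).
                TimeSpan timeout = new TimeSpan(0, 10, 0);
                DateTime deadline = DateTime.UtcNow + timeout;

                SqlmapStatus status = manager.GetScanStatus(taskId);
                while (status.Status != "terminated")
                {
                    if (DateTime.UtcNow >= deadline)
                    {
                        Console.WriteLine("sqlmap task " + taskId + " did not terminate within " + timeout + "; giving up on " + bug.URL);
                        return null;
                    }

                    System.Threading.Thread.Sleep(new TimeSpan(0, 0, 10));
                    status = manager.GetScanStatus(taskId);
                }

                List<SqlmapLogItem> logItems = manager.GetLog(taskId);

                SQLMapResults results = new SQLMapResults();
                results.Vulnerabilities = new List<SQLMapVulnerability>();

                foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable")))
                {
                    // Previously the vulnerability object was created and dropped, so API-driven runs never
                    // contributed results; keep it, tied to the URL wapiti reported, as the command-line path did.
                    SQLMapVulnerability vuln = new SQLMapVulnerability();
                    vuln.Target = bug.URL;

                    Console.WriteLine(item.Message);
                    results.Vulnerabilities.Add(vuln);
                }

                return results;
            }
            finally
            {
                // NOTE(review): on timeout this deletes a task that may still be running — confirm sqlmapapi accepts that.
                manager.DeleteTask(taskId);
            }
        }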
        /// <summary>
        /// Runs the web-application checks for one scanned host: wapiti against every http/https port and,
        /// when <paramref name="sqlmapOptions"/> is given, sqlmap either as a crawl of the port (no wapiti
        /// findings available) or, steered by wapiti's SQL-injection findings, through the local sqlmap API.
        /// </summary>
        /// <param name="host">The host and its ports as reported by nmap.</param>
        /// <param name="sqlmapOptions">Options shared by every sqlmap run; URL, Port and Path are overwritten per port. Null disables sqlmap.</param>
        /// <param name="config">Tool configuration; reads "isSQLMap", "wapitiPath" and "sqlmapPath" (a missing key throws).</param>
        /// <returns>One result object per completed tool run; the API-driven sqlmap path currently adds none (see below).</returns>
        private List <IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary <string, string> config)
        {
            List <IToolResults> _results = new List <IToolResults> ();

            Console.WriteLine("Scanning host: " + host.Hostname);
            foreach (var port in host.Ports)
            {
                port.ParentIPAddress = host.IPAddressv4;

                // bool.Parse throws on a missing or non-boolean "isSQLMap" value.
                if ((port.Service == "http" || port.Service == "https") && bool.Parse(config ["isSQLMap"]))
                {
                    IToolOptions _options = new WapitiToolOptions();

                    (_options as WapitiToolOptions).Host = host.IPAddressv4;
                    (_options as WapitiToolOptions).Port = port.PortNumber;
                    (_options as WapitiToolOptions).Path = config ["wapitiPath"];

                    Wapiti wapiti = new Wapiti(_options);

                    Console.WriteLine("Running wapiti (http/" + port.PortNumber + ") on host: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname));
                    WapitiToolResults wapitiResults = null;
                    try {
                        // A failed cast leaves wapitiResults null and the property assignments throw; that is
                        // caught below, so wapitiResults stays null and sqlmap is skipped for this port.
                        wapitiResults = wapiti.Run(new TimeSpan(0, 10, 0)) as WapitiToolResults;
                        wapitiResults.HostIPAddressV4 = host.IPAddressv4;
                        wapitiResults.HostPort        = port.PortNumber;
                        wapitiResults.IsTCP           = true;

                        _results.Add(wapitiResults);
                    } catch (Exception ex) {
                        // Best effort per port: report and move on.
                        Console.WriteLine(ex.Message);
                    }

                    if (sqlmapOptions != null && wapitiResults != null)
                    {
                        if (wapitiResults.Bugs == null)                           // we get bugs from the findings of wapiti, if wapiti didn't run, no bugs.

                        {
                            // Command-line sqlmap crawl of the port. sqlmapOptions is shared across hosts and
                            // mutated in place here.
                            sqlmapOptions.URL  = port.Service + "://" + host.IPAddressv4;
                            sqlmapOptions.Port = port.PortNumber;
                            sqlmapOptions.Path = config ["sqlmapPath"];

                            SQLMap mapper = new SQLMap(sqlmapOptions);

                            // Throws NullReferenceException if Run() returns something other than SQLMapResults.
                            SQLMapResults sqlmapResults = mapper.Run() as SQLMapResults;
                            sqlmapResults.ParentHostPort = port;

                            _results.Add(sqlmapResults);
                        }
                        else
                        {
                            // sqlmap REST API (sqlmapapi) path. NOTE(review): the endpoint is hard-coded and used
                            // without credentials — confirm the API server is only ever bound to loopback.
                            using (SqlmapSession sess = new SqlmapSession("127.0.0.1", 8775)) {
                                using (SqlmapManager manager = new SqlmapManager(sess)) {
                                    foreach (WapitiBug bug in wapitiResults.Bugs)
                                    {
                                        if (bug.Type.StartsWith("SQL Injection"))
                                        {
                                            Console.WriteLine("Starting SQLMap on host/port: " + (string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname) + "/" + port.PortNumber);

                                            // Path is set but not used on this branch (leftover from the command-line code below).
                                            sqlmapOptions.Path = config ["sqlmapPath"];
                                            //SQLMap mapper = new SQLMap (sqlmapOptions);

                                            //SQLMapResults results = mapper.Run (bug) as SQLMapResults;

//									if (results == null )
//										continue;
//
//									if (results.Vulnerabilities != null)
//										foreach (var vuln in results.Vulnerabilities)
//											vuln.Target = bug.URL;
//
//									results.ParentHostPort = port;
//
//									_results.Add (results);

                                            string taskid = manager.NewTask();
                                            Dictionary <string, object> opts = manager.GetOptions(taskid);


                                            // Parameters inside the URL: found via GET, scrub wapiti's probe payload from the URL;
                                            // otherwise the payload went in a body and is passed as POST data. bug.Parameter null throws here.
                                            if (bug.URL.Contains(bug.Parameter))
                                            {
                                                opts ["url"] = bug.URL.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
                                                manager.StartTask(taskid, opts);
                                            }
                                            else
                                            {
                                                opts ["url"] = bug.URL;
                                                opts["data"] = bug.Parameter.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
                                                manager.StartTask(taskid, opts);
                                            }

                                            SqlmapStatus status = manager.GetScanStatus(taskid);

                                            // Unbounded poll: a task that never reports "terminated" blocks the host scan indefinitely.
                                            while (status.Status != "terminated")
                                            {
                                                System.Threading.Thread.Sleep(new TimeSpan(0, 0, 10));
                                                status = manager.GetScanStatus(taskid);
                                            }

                                            List <SqlmapLogItem> logItems = manager.GetLog(taskid);

                                            SQLMapResults results = new SQLMapResults();
                                            results.Vulnerabilities = new List <SQLMapVulnerability>();

                                            foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable")))
                                            {
                                                // vuln is created but never added, and results is never added to _results:
                                                // findings from this path are only printed, not returned.
                                                SQLMapVulnerability vuln = new SQLMapVulnerability();

                                                Console.WriteLine(item.Message);
                                            }
                                            // Not in a finally: an exception while polling leaves the server-side task behind.
                                            manager.DeleteTask(taskid);
                                        }
                                        else if (bug.Type.Contains("Cross Site Scripting)"))
                                        {
                                            // Note the stray ')' in the literal; the branch is empty anyway.
                                            //dsxs
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            }

            Console.WriteLine("Done with host: " + host.Hostname);

            return(_results);
        }