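/// <summary>
/// Runs sqlmap in crawl mode against <c>_options.URL:_options.Port</c> and parses
/// everything it writes to standard output into a <see cref="SQLMapResults"/>.
/// </summary>
/// <returns>The parsed sqlmap results, keyed on <c>_options.URL</c>.</returns>
public IToolResults Run()
{
    // An embedded double quote would close the quoted -u value and let the remainder be
    // read as further sqlmap switches, so it is escaped before being spliced into the
    // argument string. (ProcessStartInfo.ArgumentList avoids this on runtimes that have it.)
    string target = (_options.URL + ":" + _options.Port).Replace("\"", "\\\"");

    string cmd = " -u \"" + target + "\" -o --fresh-queries --random-agent --flush-session --smart --batch --crawl=" + _options.CrawlLevel.ToString();
    if (!string.IsNullOrEmpty(_options.DBMS))
    {
        cmd += " --dbms=" + _options.DBMS;
    }
    if (_options.Level.HasValue)
    {
        cmd += " --level=" + _options.Level.Value.ToString();
    }
    if (_options.Risk.HasValue)
    {
        cmd += " --risk=" + _options.Risk.Value;
    }
    if (_options.TestForms)
    {
        cmd += " --forms";
    }

    string output;
    using (Process proc = new Process())
    {
        proc.StartInfo.FileName = _options.Path;
        proc.StartInfo.Arguments = cmd;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        // Drain stdout before waiting: waiting first can deadlock once the pipe buffer fills.
        output = proc.StandardOutput.ReadToEnd();
        proc.WaitForExit();
    }

    SQLMapResults results = new SQLMapResults(output, _options.URL);

    // --purge-output clears sqlmap's output directory so the next run starts clean.
    // The purge is awaited (and its stdout drained) so it cannot race a subsequent scan
    // or block on a full pipe, and the process handle is disposed instead of leaked.
    using (Process purge = new Process())
    {
        purge.StartInfo.FileName = _options.Path;
        purge.StartInfo.Arguments = "--purge-output";
        purge.StartInfo.UseShellExecute = false;
        purge.StartInfo.RedirectStandardOutput = true;
        purge.Start();
        purge.StandardOutput.ReadToEnd();
        purge.WaitForExit();
    }

    return results;
}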
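/// <summary>
/// Builds the persistable copy of an in-memory <see cref="SQLMapResults"/>: the raw output,
/// log and parent port are copied, and each vulnerability is wrapped in a
/// <see cref="PersistentSQLMapVulnerability"/> that points back at this instance.
/// </summary>
/// <param name="results">The scan results to copy; must not be null.</param>
/// <exception cref="ArgumentNullException"><paramref name="results"/> is null.</exception>
public PersistentSQLMapResults(SQLMapResults results)
{
    if (results == null)
    {
        throw new ArgumentNullException("results");
    }

    FullOutput = results.FullOutput;
    ParentHostPort = new PersistentPort(results.ParentHostPort);
    Log = results.Log;
    PersistentVulnerabilities = new List<PersistentSQLMapVulnerability>();

    // A null vulnerability list is treated the same as an empty one.
    if (results.Vulnerabilities == null)
    {
        return;
    }

    foreach (SQLMapVulnerability vuln in results.Vulnerabilities)
    {
        PersistentSQLMapVulnerability pvuln = new PersistentSQLMapVulnerability(vuln);
        // Guid.Empty is passed as the creation id, as in the original; presumably no
        // owning user is known at conversion time — confirm against SetCreationInfo.
        pvuln.SetCreationInfo(Guid.Empty);
        pvuln.ParentResults = this;
        PersistentVulnerabilities.Add(pvuln);
    }
}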
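/// <summary>
/// Re-tests a wapiti "SQL Injection" finding with sqlmap. The injection is treated as GET
/// when the finding's URL already contains its parameter string, otherwise as POST data.
/// The output directory is purged before and after the run so sessions do not bleed between targets.
/// </summary>
/// <param name="bug">The wapiti finding; only types starting with "SQL Injection" are handled.</param>
/// <returns>
/// The parsed sqlmap results keyed on the finding's host, or null when <paramref name="bug"/>
/// is null or not an SQL injection finding.
/// </returns>
public IToolResults Run(WapitiBug bug)
{
    if (bug == null || bug.Type == null || !bug.Type.StartsWith("SQL Injection", StringComparison.Ordinal))
    {
        return null;
    }

    PurgeOutput();

    // Decide the verb on the untouched URL, then neutralise the payload fragments wapiti
    // left in the finding before anything is handed to sqlmap (sqlmap supplies its own).
    bool viaGet = bug.URL.Contains(bug.Parameter);
    string url = StripWapitiPayloads(bug.URL);
    string host = HostOf(url);
    List<string> skippedParams = ParametersWithoutPayload(bug.Parameter);

    Console.WriteLine("Running " + (viaGet ? "GET" : "POST") + " SQL injection test on URL: " + bug.URL);

    // --disable-coloring keeps ANSI sequences out of the output that SQLMapResults parses;
    // the GET path already used it and the POST path now does too.
    string command = " --disable-coloring -u \"" + EscapeArgument(url) + "\" -o --fresh-queries --random-agent --flush-session --smart --batch";
    if (!viaGet)
    {
        command += " --data=\"" + EscapeArgument(StripWapitiPayloads(bug.Parameter)) + "\"";
    }
    if (skippedParams.Count > 0)
    {
        command += " --skip=\"" + EscapeArgument(String.Join(",", skippedParams)) + "\"";
    }
    if (!string.IsNullOrEmpty(_options.DBMS))
    {
        command += " --dbms=" + _options.DBMS;
    }
    if (_options.Level.HasValue)
    {
        command += " --level=" + _options.Level.Value.ToString();
    }
    if (_options.Risk.HasValue)
    {
        command += " --risk=" + _options.Risk.Value;
    }
    // --forms is deliberately not passed for a single finding (it was commented out in the original).

    string output = RunSqlmap(command);
    SQLMapResults results = new SQLMapResults(output, host);

    PurgeOutput();
    return results;
}

/// <summary>Runs sqlmap with <paramref name="arguments"/>, waits for it and returns its stdout.</summary>
private string RunSqlmap(string arguments)
{
    using (Process proc = new Process())
    {
        proc.StartInfo.FileName = _options.Path;
        proc.StartInfo.Arguments = arguments;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        // Read before waiting: waiting first can deadlock once the stdout pipe fills.
        string output = proc.StandardOutput.ReadToEnd();
        proc.WaitForExit();
        return output;
    }
}

/// <summary>
/// Runs sqlmap --purge-output to clear its output directory. Unlike a fire-and-forget start,
/// the purge is awaited so it cannot race the scan that follows it.
/// </summary>
private void PurgeOutput()
{
    RunSqlmap("--purge-output");
}

/// <summary>
/// Escapes embedded double quotes in a value taken from the scanned site so it cannot close the
/// quoted argument and be parsed as additional sqlmap switches. A backslash directly before a
/// quote in the input is not handled; prefer ProcessStartInfo.ArgumentList where the runtime has it.
/// </summary>
private static string EscapeArgument(string value)
{
    return value.Replace("\"", "\\\"");
}

/// <summary>Replaces the payload fragments wapiti reports in a finding with an inert token.</summary>
private static string StripWapitiPayloads(string value)
{
    return value.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
}

/// <summary>
/// Names of the parameters in a wapiti parameter string that carried no payload; sqlmap is
/// told to --skip these so it only tests the one wapiti flagged.
/// </summary>
private static List<string> ParametersWithoutPayload(string parameter)
{
    List<string> names = new List<string>();
    foreach (string param in Regex.Split(parameter, "&"))
    {
        if (param.Contains("%BF%27%22%28") || param.Contains("or+benchmark"))
        {
            continue;
        }
        names.Add(param.Split('=')[0]);
    }
    return names;
}

/// <summary>
/// Host part of a scheme://host[:port]/... URL, without the port. Falls back to the whole
/// string instead of throwing when the URL has no authority segment.
/// </summary>
private static string HostOf(string url)
{
    string[] parts = url.Split('/');
    string hostPort = parts.Length > 2 ? parts[2] : url;
    return hostPort.Split(':')[0];
}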
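/// <summary>
/// Runs sqlmap in crawl mode against <c>_options.URL:_options.Port</c> and parses
/// everything it writes to standard output into a <see cref="SQLMapResults"/>.
/// </summary>
/// <returns>The parsed sqlmap results, keyed on <c>_options.URL</c>.</returns>
public IToolResults Run()
{
    // An embedded double quote would close the quoted -u value and let the remainder be
    // read as further sqlmap switches, so it is escaped before being spliced into the
    // argument string. (ProcessStartInfo.ArgumentList avoids this on runtimes that have it.)
    string target = (_options.URL + ":" + _options.Port).Replace("\"", "\\\"");

    string cmd = " -u \"" + target + "\" -o --fresh-queries --random-agent --flush-session --smart --batch --crawl=" + _options.CrawlLevel.ToString();
    if (!string.IsNullOrEmpty(_options.DBMS))
    {
        cmd += " --dbms=" + _options.DBMS;
    }
    if (_options.Level.HasValue)
    {
        cmd += " --level=" + _options.Level.Value.ToString();
    }
    if (_options.Risk.HasValue)
    {
        cmd += " --risk=" + _options.Risk.Value;
    }
    if (_options.TestForms)
    {
        cmd += " --forms";
    }

    string output;
    using (Process proc = new Process())
    {
        proc.StartInfo.FileName = _options.Path;
        proc.StartInfo.Arguments = cmd;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        // Drain stdout before waiting: waiting first can deadlock once the pipe buffer fills.
        output = proc.StandardOutput.ReadToEnd();
        proc.WaitForExit();
    }

    SQLMapResults results = new SQLMapResults(output, _options.URL);

    // --purge-output clears sqlmap's output directory so the next run starts clean.
    // The purge is awaited (and its stdout drained) so it cannot race a subsequent scan
    // or block on a full pipe, and the process handle is disposed instead of leaked.
    using (Process purge = new Process())
    {
        purge.StartInfo.FileName = _options.Path;
        purge.StartInfo.Arguments = "--purge-output";
        purge.StartInfo.UseShellExecute = false;
        purge.StartInfo.RedirectStandardOutput = true;
        purge.Start();
        purge.StandardOutput.ReadToEnd();
        purge.WaitForExit();
    }

    return results;
}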
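/// <summary>
/// Re-tests a wapiti "SQL Injection" finding with sqlmap. The injection is treated as GET
/// when the finding's URL already contains its parameter string, otherwise as POST data.
/// The output directory is purged before and after the run so sessions do not bleed between targets.
/// </summary>
/// <param name="bug">The wapiti finding; only types starting with "SQL Injection" are handled.</param>
/// <returns>
/// The parsed sqlmap results keyed on the finding's host, or null when <paramref name="bug"/>
/// is null or not an SQL injection finding.
/// </returns>
public IToolResults Run(WapitiBug bug)
{
    if (bug == null || bug.Type == null || !bug.Type.StartsWith("SQL Injection", StringComparison.Ordinal))
    {
        return null;
    }

    PurgeOutput();

    // Decide the verb on the untouched URL, then neutralise the payload fragments wapiti
    // left in the finding before anything is handed to sqlmap (sqlmap supplies its own).
    bool viaGet = bug.URL.Contains(bug.Parameter);
    string url = StripWapitiPayloads(bug.URL);
    string host = HostOf(url);
    List<string> skippedParams = ParametersWithoutPayload(bug.Parameter);

    Console.WriteLine("Running " + (viaGet ? "GET" : "POST") + " SQL injection test on URL: " + bug.URL);

    // --disable-coloring keeps ANSI sequences out of the output that SQLMapResults parses;
    // the GET path already used it and the POST path now does too.
    string command = " --disable-coloring -u \"" + EscapeArgument(url) + "\" -o --fresh-queries --random-agent --flush-session --smart --batch";
    if (!viaGet)
    {
        command += " --data=\"" + EscapeArgument(StripWapitiPayloads(bug.Parameter)) + "\"";
    }
    if (skippedParams.Count > 0)
    {
        command += " --skip=\"" + EscapeArgument(String.Join(",", skippedParams)) + "\"";
    }
    if (!string.IsNullOrEmpty(_options.DBMS))
    {
        command += " --dbms=" + _options.DBMS;
    }
    if (_options.Level.HasValue)
    {
        command += " --level=" + _options.Level.Value.ToString();
    }
    if (_options.Risk.HasValue)
    {
        command += " --risk=" + _options.Risk.Value;
    }
    // --forms is deliberately not passed for a single finding (it was commented out in the original).

    string output = RunSqlmap(command);
    SQLMapResults results = new SQLMapResults(output, host);

    PurgeOutput();
    return results;
}

/// <summary>Runs sqlmap with <paramref name="arguments"/>, waits for it and returns its stdout.</summary>
private string RunSqlmap(string arguments)
{
    using (Process proc = new Process())
    {
        proc.StartInfo.FileName = _options.Path;
        proc.StartInfo.Arguments = arguments;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.Start();
        // Read before waiting: waiting first can deadlock once the stdout pipe fills.
        string output = proc.StandardOutput.ReadToEnd();
        proc.WaitForExit();
        return output;
    }
}

/// <summary>
/// Runs sqlmap --purge-output to clear its output directory. Unlike a fire-and-forget start,
/// the purge is awaited so it cannot race the scan that follows it.
/// </summary>
private void PurgeOutput()
{
    RunSqlmap("--purge-output");
}

/// <summary>
/// Escapes embedded double quotes in a value taken from the scanned site so it cannot close the
/// quoted argument and be parsed as additional sqlmap switches. A backslash directly before a
/// quote in the input is not handled; prefer ProcessStartInfo.ArgumentList where the runtime has it.
/// </summary>
private static string EscapeArgument(string value)
{
    return value.Replace("\"", "\\\"");
}

/// <summary>Replaces the payload fragments wapiti reports in a finding with an inert token.</summary>
private static string StripWapitiPayloads(string value)
{
    return value.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
}

/// <summary>
/// Names of the parameters in a wapiti parameter string that carried no payload; sqlmap is
/// told to --skip these so it only tests the one wapiti flagged.
/// </summary>
private static List<string> ParametersWithoutPayload(string parameter)
{
    List<string> names = new List<string>();
    foreach (string param in Regex.Split(parameter, "&"))
    {
        if (param.Contains("%BF%27%22%28") || param.Contains("or+benchmark"))
        {
            continue;
        }
        names.Add(param.Split('=')[0]);
    }
    return names;
}

/// <summary>
/// Host part of a scheme://host[:port]/... URL, without the port. Falls back to the whole
/// string instead of throwing when the URL has no authority segment.
/// </summary>
private static string HostOf(string url)
{
    string[] parts = url.Split('/');
    string hostPort = parts.Length > 2 ? parts[2] : url;
    return hostPort.Split(':')[0];
}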
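/// <summary>
/// Scans one nmap host: wapiti is run against every http/https port, then each of its
/// "SQL Injection" findings is handed to the sqlmap API server; when wapiti reported no
/// findings at all, sqlmap's crawler is run against the port directly instead.
/// </summary>
/// <param name="host">The nmap host whose ports are inspected.</param>
/// <param name="sqlmapOptions">sqlmap settings; when null the sqlmap stage is skipped.</param>
/// <param name="config">Tool configuration; reads "isSQLMap", "wapitiPath" and "sqlmapPath".</param>
/// <returns>Every wapiti and sqlmap result produced for the host; empty when nothing ran.</returns>
private List<IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary<string, string> config)
{
    List<IToolResults> results = new List<IToolResults>();
    Console.WriteLine("Scanning host: " + host.Hostname);

    // Hostname can be empty for unresolved hosts; log the address in that case.
    string displayName = string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname;

    foreach (var port in host.Ports)
    {
        port.ParentIPAddress = host.IPAddressv4;
        bool isWeb = port.Service == "http" || port.Service == "https";
        if (!isWeb || !bool.Parse(config["isSQLMap"]))
        {
            continue;
        }

        WapitiToolOptions wapitiOptions = new WapitiToolOptions();
        wapitiOptions.Host = host.IPAddressv4;
        wapitiOptions.Port = port.PortNumber;
        wapitiOptions.Path = config["wapitiPath"];
        Wapiti wapiti = new Wapiti(wapitiOptions);

        Console.WriteLine("Running wapiti (http/" + port.PortNumber + ") on host: " + displayName);
        WapitiToolResults wapitiResults = null;
        try
        {
            wapitiResults = wapiti.Run(new TimeSpan(0, 10, 0)) as WapitiToolResults;
            if (wapitiResults != null)
            {
                wapitiResults.HostIPAddressV4 = host.IPAddressv4;
                wapitiResults.HostPort = port.PortNumber;
                wapitiResults.IsTCP = true;
                results.Add(wapitiResults);
            }
        }
        catch (Exception ex)
        {
            // Best effort: a failed wapiti run must not abort the rest of the host scan.
            Console.WriteLine(ex.Message);
        }

        if (sqlmapOptions == null || wapitiResults == null)
        {
            continue;
        }

        sqlmapOptions.Path = config["sqlmapPath"];
        if (wapitiResults.Bugs == null)
        {
            // No wapiti findings to seed sqlmap with, so let sqlmap crawl the port itself.
            sqlmapOptions.URL = port.Service + "://" + host.IPAddressv4;
            sqlmapOptions.Port = port.PortNumber;
            SQLMap mapper = new SQLMap(sqlmapOptions);
            SQLMapResults crawlResults = mapper.Run() as SQLMapResults;
            if (crawlResults != null)
            {
                crawlResults.ParentHostPort = port;
                results.Add(crawlResults);
            }
            continue;
        }

        // The sqlmap API server is assumed to be listening on localhost:8775; the address is
        // hard-coded rather than read from config. TODO(review): make it configurable.
        using (SqlmapSession sess = new SqlmapSession("127.0.0.1", 8775))
        using (SqlmapManager manager = new SqlmapManager(sess))
        {
            foreach (WapitiBug bug in wapitiResults.Bugs)
            {
                if (!bug.Type.StartsWith("SQL Injection"))
                {
                    // TODO: Cross Site Scripting findings are not handled yet; the original had an
                    // empty placeholder ("dsxs") guarded by a literal with a stray ')' that likely never matched.
                    continue;
                }

                Console.WriteLine("Starting SQLMap on host/port: " + displayName + "/" + port.PortNumber);
                SQLMapResults apiResults = RunSqlmapApiTask(manager, bug);
                apiResults.ParentHostPort = port;
                results.Add(apiResults);
            }
        }
    }

    Console.WriteLine("Done with host: " + host.Hostname);
    return results;
}

/// <summary>
/// Submits one wapiti SQL injection finding to the sqlmap API as a task, polls until the task
/// reports "terminated", and turns every INFO log line ending in "injectable" into a
/// <see cref="SQLMapVulnerability"/> targeting the finding's URL. The task is deleted from the
/// API server even when polling or log retrieval throws, so failed tasks do not accumulate there.
/// </summary>
/// <param name="manager">An open sqlmap API manager.</param>
/// <param name="bug">The wapiti finding to re-test.</param>
/// <returns>Results whose Vulnerabilities list holds one entry per injectable log line (possibly empty).</returns>
private static SQLMapResults RunSqlmapApiTask(SqlmapManager manager, WapitiBug bug)
{
    string taskid = manager.NewTask();
    try
    {
        Dictionary<string, object> opts = manager.GetOptions(taskid);
        if (bug.URL.Contains(bug.Parameter))
        {
            // Parameters are in the URL: GET injection. Wapiti's payload fragments are
            // neutralised because sqlmap supplies its own.
            opts["url"] = RemoveWapitiPayloads(bug.URL);
        }
        else
        {
            // Parameters are not in the URL: POST injection, so they go in the request body.
            opts["url"] = bug.URL;
            opts["data"] = RemoveWapitiPayloads(bug.Parameter);
        }
        manager.StartTask(taskid, opts);

        // NOTE(review): this poll has no upper bound; a task that never reaches "terminated"
        // stalls the whole host scan. Consider a deadline once an acceptable one is agreed.
        SqlmapStatus status = manager.GetScanStatus(taskid);
        while (status.Status != "terminated")
        {
            System.Threading.Thread.Sleep(new TimeSpan(0, 0, 10));
            status = manager.GetScanStatus(taskid);
        }

        SQLMapResults results = new SQLMapResults();
        results.Vulnerabilities = new List<SQLMapVulnerability>();
        List<SqlmapLogItem> logItems = manager.GetLog(taskid);
        foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable")))
        {
            Console.WriteLine(item.Message);
            // Only the target is recorded: the log line is not parsed any further here.
            SQLMapVulnerability vuln = new SQLMapVulnerability();
            vuln.Target = bug.URL;
            results.Vulnerabilities.Add(vuln);
        }
        return results;
    }
    finally
    {
        manager.DeleteTask(taskid);
    }
}

/// <summary>Replaces the payload fragments wapiti reports in a finding with an inert token.</summary>
private static string RemoveWapitiPayloads(string value)
{
    return value.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
}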
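/// <summary>
/// Scans one nmap host: wapiti is run against every http/https port, then each of its
/// "SQL Injection" findings is handed to the sqlmap API server; when wapiti reported no
/// findings at all, sqlmap's crawler is run against the port directly instead.
/// </summary>
/// <param name="host">The nmap host whose ports are inspected.</param>
/// <param name="sqlmapOptions">sqlmap settings; when null the sqlmap stage is skipped.</param>
/// <param name="config">Tool configuration; reads "isSQLMap", "wapitiPath" and "sqlmapPath".</param>
/// <returns>Every wapiti and sqlmap result produced for the host; empty when nothing ran.</returns>
private List<IToolResults> ScanHost(NMapHost host, SQLMapOptions sqlmapOptions, Dictionary<string, string> config)
{
    List<IToolResults> results = new List<IToolResults>();
    Console.WriteLine("Scanning host: " + host.Hostname);

    // Hostname can be empty for unresolved hosts; log the address in that case.
    string displayName = string.IsNullOrEmpty(host.Hostname) ? host.IPAddressv4 : host.Hostname;

    foreach (var port in host.Ports)
    {
        port.ParentIPAddress = host.IPAddressv4;
        bool isWeb = port.Service == "http" || port.Service == "https";
        if (!isWeb || !bool.Parse(config["isSQLMap"]))
        {
            continue;
        }

        WapitiToolOptions wapitiOptions = new WapitiToolOptions();
        wapitiOptions.Host = host.IPAddressv4;
        wapitiOptions.Port = port.PortNumber;
        wapitiOptions.Path = config["wapitiPath"];
        Wapiti wapiti = new Wapiti(wapitiOptions);

        Console.WriteLine("Running wapiti (http/" + port.PortNumber + ") on host: " + displayName);
        WapitiToolResults wapitiResults = null;
        try
        {
            wapitiResults = wapiti.Run(new TimeSpan(0, 10, 0)) as WapitiToolResults;
            if (wapitiResults != null)
            {
                wapitiResults.HostIPAddressV4 = host.IPAddressv4;
                wapitiResults.HostPort = port.PortNumber;
                wapitiResults.IsTCP = true;
                results.Add(wapitiResults);
            }
        }
        catch (Exception ex)
        {
            // Best effort: a failed wapiti run must not abort the rest of the host scan.
            Console.WriteLine(ex.Message);
        }

        if (sqlmapOptions == null || wapitiResults == null)
        {
            continue;
        }

        sqlmapOptions.Path = config["sqlmapPath"];
        if (wapitiResults.Bugs == null)
        {
            // No wapiti findings to seed sqlmap with, so let sqlmap crawl the port itself.
            sqlmapOptions.URL = port.Service + "://" + host.IPAddressv4;
            sqlmapOptions.Port = port.PortNumber;
            SQLMap mapper = new SQLMap(sqlmapOptions);
            SQLMapResults crawlResults = mapper.Run() as SQLMapResults;
            if (crawlResults != null)
            {
                crawlResults.ParentHostPort = port;
                results.Add(crawlResults);
            }
            continue;
        }

        // The sqlmap API server is assumed to be listening on localhost:8775; the address is
        // hard-coded rather than read from config. TODO(review): make it configurable.
        using (SqlmapSession sess = new SqlmapSession("127.0.0.1", 8775))
        using (SqlmapManager manager = new SqlmapManager(sess))
        {
            foreach (WapitiBug bug in wapitiResults.Bugs)
            {
                if (!bug.Type.StartsWith("SQL Injection"))
                {
                    // TODO: Cross Site Scripting findings are not handled yet; the original had an
                    // empty placeholder ("dsxs") guarded by a literal with a stray ')' that likely never matched.
                    continue;
                }

                Console.WriteLine("Starting SQLMap on host/port: " + displayName + "/" + port.PortNumber);
                SQLMapResults apiResults = RunSqlmapApiTask(manager, bug);
                apiResults.ParentHostPort = port;
                results.Add(apiResults);
            }
        }
    }

    Console.WriteLine("Done with host: " + host.Hostname);
    return results;
}

/// <summary>
/// Submits one wapiti SQL injection finding to the sqlmap API as a task, polls until the task
/// reports "terminated", and turns every INFO log line ending in "injectable" into a
/// <see cref="SQLMapVulnerability"/> targeting the finding's URL. The task is deleted from the
/// API server even when polling or log retrieval throws, so failed tasks do not accumulate there.
/// </summary>
/// <param name="manager">An open sqlmap API manager.</param>
/// <param name="bug">The wapiti finding to re-test.</param>
/// <returns>Results whose Vulnerabilities list holds one entry per injectable log line (possibly empty).</returns>
private static SQLMapResults RunSqlmapApiTask(SqlmapManager manager, WapitiBug bug)
{
    string taskid = manager.NewTask();
    try
    {
        Dictionary<string, object> opts = manager.GetOptions(taskid);
        if (bug.URL.Contains(bug.Parameter))
        {
            // Parameters are in the URL: GET injection. Wapiti's payload fragments are
            // neutralised because sqlmap supplies its own.
            opts["url"] = RemoveWapitiPayloads(bug.URL);
        }
        else
        {
            // Parameters are not in the URL: POST injection, so they go in the request body.
            opts["url"] = bug.URL;
            opts["data"] = RemoveWapitiPayloads(bug.Parameter);
        }
        manager.StartTask(taskid, opts);

        // NOTE(review): this poll has no upper bound; a task that never reaches "terminated"
        // stalls the whole host scan. Consider a deadline once an acceptable one is agreed.
        SqlmapStatus status = manager.GetScanStatus(taskid);
        while (status.Status != "terminated")
        {
            System.Threading.Thread.Sleep(new TimeSpan(0, 0, 10));
            status = manager.GetScanStatus(taskid);
        }

        SQLMapResults results = new SQLMapResults();
        results.Vulnerabilities = new List<SQLMapVulnerability>();
        List<SqlmapLogItem> logItems = manager.GetLog(taskid);
        foreach (SqlmapLogItem item in logItems.Where(l => l.Level == "INFO" && l.Message.EndsWith("injectable")))
        {
            Console.WriteLine(item.Message);
            // Only the target is recorded: the log line is not parsed any further here.
            SQLMapVulnerability vuln = new SQLMapVulnerability();
            vuln.Target = bug.URL;
            results.Vulnerabilities.Add(vuln);
        }
        return results;
    }
    finally
    {
        manager.DeleteTask(taskid);
    }
}

/// <summary>Replaces the payload fragments wapiti reports in a finding with an inert token.</summary>
private static string RemoveWapitiPayloads(string value)
{
    return value.Replace("%BF%27%22%28", "abcd").Replace("%27+or+benchmark%2810000000%2CMD5%281%29%29%23", "abcd");
}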