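/* Takes a document already parsed with Html Agility Pack and a list passed by reference.
 * Finds forms and anchors that may be injection candidates and appends each of their
 * parameters to the list of possible injection points.
 *   doc   - parsed page (HtmlAgilityPack.HtmlDocument)
 *   lista - shared list; a parameter is added only if no entry with the same
 *           ParameterName exists yet. The action URL is NOT part of the key, so two
 *           different endpoints sharing a parameter name are collapsed into one entry.
 * Origin: 1 = form <input>, 2 = query-string parameter of a link href. */
private void searchInjectionPoints(HtmlDocument doc, ref List<InjectionPoint> lista)
{
    // By default HAP flags <form> as an empty/overlapping element, so its <input>s would
    // not show up in form.Descendants(); clearing the flag makes them proper children.
    HtmlNode.ElementsFlags.Remove("form");

    // --- forms: one injection point per <input>, carrying the form's action and method ---
    // SelectNodes returns null (not an empty collection) when nothing matches.
    var formNodes = doc.DocumentNode.SelectNodes("//form");
    if (formNodes != null)
    {
        foreach (HtmlNode form in formNodes)
        {
            // Default to GET when no method attribute is declared, as a browser would.
            String method = form.Attributes["method"] != null ? form.Attributes["method"].Value : "GET";
            String actionUrl = form.Attributes["action"] != null ? form.Attributes["action"].Value : "";

            foreach (HtmlNode input in form.Descendants("input"))
            {
                // Name and value as encountered on the page (empty string when absent).
                String name = input.Attributes["name"] != null ? input.Attributes["name"].Value : "";
                String value = input.Attributes["value"] != null ? input.Attributes["value"].Value : "";

                InjectionPoint aux = new InjectionPoint();
                aux.formMethod = method;
                aux.ParameterName = name;
                aux.ParameterValueAsEncountered = value;
                aux.UrlAction = actionUrl;
                aux.Origin = 1;
                // Keep only the first parameter seen under a given name.
                if (!lista.Exists(p => p.ParameterName == name))
                    lista.Add(aux);
            }
        }
    }

    // --- anchors: one injection point per query-string parameter of an href, method GET ---
    var anchorNodes = doc.DocumentNode.SelectNodes("//a");
    if (anchorNodes == null)
        return; // page without any <a>: SelectNodes is null here too, guard it like the forms above

    foreach (HtmlNode node in anchorNodes)
    {
        var href = node.Attributes["href"];
        // Anchors without href (e.g. onclick-only handlers) carry no URL parameters.
        if (href == null)
            continue;

        String url = href.Value;
        int qmark = url.IndexOf('?');
        if (qmark == -1)
            continue; // no query string, nothing to inject into

        // ParseQueryString tolerates the leading '?' and URL-decodes names and values.
        // NOTE: a trailing "#fragment" is not stripped and ends up in the last value.
        var query = HttpUtility.ParseQueryString(url.Substring(qmark));
        String linkAction = url.Substring(0, qmark);

        foreach (String c in query.Keys)
        {
            // A bare value without '=' ("?foo") yields a null key: no parameter name to inject into.
            if (c == null)
                continue;

            InjectionPoint aux = new InjectionPoint();
            aux.formMethod = "GET";
            aux.ParameterName = c;
            aux.ParameterValueAsEncountered = query[c];
            aux.UrlAction = linkAction;
            aux.Origin = 2;
            // e.g. "page" appears in every menu link of Mutillidae; keep only the first occurrence.
            if (!lista.Exists(p => p.ParameterName == c))
                lista.Add(aux);
        }
    }
}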
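/* Checks whether the start URL is itself an injection candidate through its own
 * query-string parameters, and adds every parameter to the same injection-point list.
 *   Url   - absolute URL of the scanned page (must be parseable by System.Uri)
 *   lista - shared list of injection points; entries are deduplicated by parameter
 *           name only, so a parameter already seen in a form or link is not re-added.
 * Origin is 2 (query-string parameter), formMethod is always GET. */
private void checkUrlParameters(String Url, ref List<InjectionPoint> lista)
{
    var uri = new Uri(Url);
    // Uri.Query is "" or "?..." (fragment excluded); ParseQueryString strips the '?' and decodes.
    var query = HttpUtility.ParseQueryString(uri.Query);
    if (query.Count == 0)
        return; // no '?' or nothing after it: nothing to add

    // Action URL is everything before the first '?', same convention as searchInjectionPoints.
    int qmark = Url.IndexOf('?');
    String actionUrl = qmark >= 0 ? Url.Substring(0, qmark) : Url;

    foreach (String c in query.Keys)
    {
        // ParseQueryString yields a null key for a bare value ("?foo" with no '=');
        // there is no parameter name to inject into, so skip it instead of dereferencing null.
        if (c == null)
            continue;

        InjectionPoint aux = new InjectionPoint();
        aux.formMethod = "GET";
        aux.ParameterName = c;
        aux.ParameterValueAsEncountered = query[c];
        aux.UrlAction = actionUrl;
        aux.Origin = 2;
        if (!lista.Exists(i => i.ParameterName == c))
            lista.Add(aux);
    }
}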
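/* Actively probes one injection point to decide whether it is a real vulnerability.
 * Sends the request three times with crafted parameter values (SQLi, command injection,
 * LFI) and inspects each response with VulnerabilityTypeCheck, appending a ScanResult
 * for every response that matches a known vulnerability signature.
 *   i               - the parameter to probe (name, form method, action URL)
 *   vulnerabilitati - shared result list, appended to in place
 * Only GET and POST are handled; any other formMethod is skipped silently.
 * NOTE: these are live attack payloads (path traversal, shell command execution) -
 * run this only against targets you are authorised to test. */
private void checkVulnerability(InjectionPoint i, ref List<ScanResult> vulnerabilitati)
{
    // Decide the transport once; the GET and POST paths differ only in the helper used.
    // Ordinal, case-insensitive compare instead of ToUpper() so "post"/"Post" match reliably.
    bool isGet = String.Equals(i.formMethod, "GET", StringComparison.OrdinalIgnoreCase);
    bool isPost = String.Equals(i.formMethod, "POST", StringComparison.OrdinalIgnoreCase);
    if (!isGet && !isPost)
        return;

    // Appended verbatim after every payload; presumably it carries the remaining form
    // fields as "&name=value..." - TODO confirm against buildDummyParamString.
    String dummyParams = buildDummyParamString(i.ParameterName);
    String[] payloads =
    {
        i.ParameterName + "=" + "\'" + dummyParams,                               // SQLi: unbalanced quote, expect a DB error in the response
        i.ParameterName + "=" + "x;+ping+-c+1+127.0.0.1" + dummyParams,            // command injection ('+' is decoded to a space server-side)
        i.ParameterName + "=" + "../../../../../../../etc/passwd" + dummyParams,   // LFI / path traversal
    };

    foreach (String payload in payloads)
    {
        String response = isGet
            ? responseOfGetHtmlUrl(i.UrlAction, this.CookieForPage, payload)
            : responseOfPostHtmlUrl(i.UrlAction, this.CookieForPage, payload);

        // VulnerabilityTypeCheck returns the matched vulnerability type, or String.Empty when
        // no signature matched; a null return is treated as "no finding" as well.
        String vulnType = VulnerabilityTypeCheck(response);
        if (!String.IsNullOrEmpty(vulnType))
        {
            // The result is keyed to the scan's start URL (UrlToScan) rather than i.UrlAction,
            // as in the original; the parameter name identifies the injection point.
            vulnerabilitati.Add(new ScanResult(vulnType, this.UrlToScan, i.ParameterName));
        }
    }
}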