
Example 41 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class ResourceAccess method injectShell.

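/**
 * Probes candidate URLs for the SQL shell file and, when one answers, asks the views to
 * open a SQL shell tab for it.
 *
 * <p>One {@code CallableHttpHead} task is submitted per entry of {@code directoryNames}.
 * The entries are appended cumulatively, so each task targets a progressively longer path
 * that ends with {@code filenameSqlshell}. Results are consumed in completion order and
 * the URL of the last task that reports an OK response is kept.
 *
 * <p>{@code username} and {@code password} are only forwarded to the views inside the
 * {@code Request}; this method never writes them to the log.
 *
 * @param username forwarded unchanged to the views as a request parameter
 * @param password forwarded unchanged to the views as a request parameter
 * @param pathShellFixed path sent to the views after the shell file name is stripped from it
 * @param urlShellFixed expected directory URL of the shell; may be empty, must not be null
 * @param urlProtocol prefix prepended to every candidate URL
 * @param urlWithoutFileName appended to {@code urlProtocol} to form the alternative expected location
 * @param directoryNames path segments used to build the candidate URLs
 * @throws InterruptedException if the thread is interrupted while waiting for the executor to terminate
 */
private void injectShell(String username, String password, String pathShellFixed, String urlShellFixed, String urlProtocol, String urlWithoutFileName, List<String> directoryNames) throws InterruptedException {
    ExecutorService taskExecutor = this.injectionModel.getMediatorUtils().getThreadUtil().getExecutor("CallableCreateSqlShell");
    CompletionService<CallableHttpHead> taskCompletionService = new ExecutorCompletionService<>(taskExecutor);
    var urlPart = new StringBuilder();
    for (String segment : directoryNames) {
        urlPart.append(segment);
        taskCompletionService.submit(new CallableHttpHead(urlProtocol + urlPart + this.filenameSqlshell, this.injectionModel, "sqlshell:create"));
    }
    // Exactly one task was submitted per directory entry.
    int submittedTasks = directoryNames.size();
    String urlSuccess = null;
    for (int tasksHandled = 0; tasksHandled < submittedTasks; tasksHandled++) {
        try {
            CallableHttpHead currentCallable = taskCompletionService.take().get();
            if (!currentCallable.isHttpResponseOk()) {
                LOGGER.log(LogLevel.CONSOLE_DEFAULT, "Connection to payload not found at '{}'", currentCallable.getUrl());
                continue;
            }
            urlSuccess = currentCallable.getUrl();
            String directoryUrl = urlSuccess.replace(this.filenameSqlshell, StringUtils.EMPTY);
            // Explicit grouping: the emptiness guard applies only to the urlShellFixed comparison.
            boolean isExpectedLocation = (!urlShellFixed.isEmpty() && directoryUrl.equals(urlShellFixed))
                || directoryUrl.equals(urlProtocol + urlWithoutFileName);
            if (isExpectedLocation) {
                LOGGER.log(LogLevel.CONSOLE_SUCCESS, "Connection to payload found at expected location '{}'", urlSuccess);
            } else {
                LOGGER.log(LogLevel.CONSOLE_SUCCESS, "Connection to payload found at unexpected location '{}'", urlSuccess);
            }
        } catch (InterruptedException e) {
            LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
            Thread.currentThread().interrupt();
            // With the interrupt flag restored every further take() would fail at once,
            // so stop waiting instead of logging the same failure for each remaining task.
            break;
        } catch (ExecutionException e) {
            LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
        }
    }
    taskExecutor.shutdown();
    taskExecutor.awaitTermination(5, TimeUnit.SECONDS);
    if (urlSuccess != null) {
        var request = new Request();
        request.setMessage(Interaction.CREATE_SQL_SHELL_TAB);
        request.setParameters(pathShellFixed.replace(this.filenameSqlshell, StringUtils.EMPTY), urlSuccess, username, password);
        this.injectionModel.sendToViews(request);
    } else {
        LOGGER.log(LogLevel.CONSOLE_ERROR, "HTTP connection to SQL payload not found");
    }
}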
Also used : ExecutorService(java.util.concurrent.ExecutorService) HttpRequest(java.net.http.HttpRequest) Request(com.jsql.model.bean.util.Request) ExecutorCompletionService(java.util.concurrent.ExecutorCompletionService) ExecutionException(java.util.concurrent.ExecutionException)

Example 42 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class ResourceAccess method injectWebshell.

/**
 * Probes candidate URLs for the web shell file and, when one is reported reachable, asks
 * the views to open a shell tab for it.
 *
 * <p>One {@code CallableHttpHead} task is submitted per entry of {@code directoryNames},
 * each targeting a cumulatively longer path that ends with {@code filenameWebshell}.
 * Result collection is delegated to an {@code injectShell} overload that is not shown
 * here; a {@code null} return from it is treated as "no reachable URL".
 *
 * @param pathShellFixed path sent to the views after the shell file name is stripped from it
 * @param urlShellFixed passed through to the result-collecting overload
 * @param urlProtocol prefix prepended to every candidate URL
 * @param urlWithoutFileName passed through to the result-collecting overload
 * @param directoryNames path segments used to build the candidate URLs
 * @throws InterruptedException if the thread is interrupted while waiting for the executor to terminate
 */
private void injectWebshell(String pathShellFixed, String urlShellFixed, String urlProtocol, String urlWithoutFileName, List<String> directoryNames) throws InterruptedException {
    ExecutorService executor = this.injectionModel.getMediatorUtils().getThreadUtil().getExecutor("CallableCreateWebShell");
    CompletionService<CallableHttpHead> completionService = new ExecutorCompletionService<>(executor);
    var cumulativePath = new StringBuilder();
    for (String directoryName : directoryNames) {
        cumulativePath.append(directoryName);
        String candidateUrl = urlProtocol + cumulativePath + this.filenameWebshell;
        completionService.submit(new CallableHttpHead(candidateUrl, this.injectionModel, "wshell#run"));
    }
    // One probe was queued per directory entry.
    int probeCount = directoryNames.size();
    String reachableUrl = this.injectShell(urlShellFixed, urlProtocol, urlWithoutFileName, completionService, probeCount);
    executor.shutdown();
    executor.awaitTermination(5, TimeUnit.SECONDS);
    if (reachableUrl == null) {
        LOGGER.log(LogLevel.CONSOLE_ERROR, "HTTP connection to Web payload not found");
        return;
    }
    var request = new Request();
    request.setMessage(Interaction.CREATE_SHELL_TAB);
    request.setParameters(pathShellFixed.replace(this.filenameWebshell, StringUtils.EMPTY), reachableUrl);
    this.injectionModel.sendToViews(request);
}
Also used : ExecutorService(java.util.concurrent.ExecutorService) HttpRequest(java.net.http.HttpRequest) Request(com.jsql.model.bean.util.Request) ExecutorCompletionService(java.util.concurrent.ExecutorCompletionService)

Example 43 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class ResourceAccess method isReadingAllowed.

/**
 * Checks whether the current database user is able to read files and tells the views
 * whether to mark the file system as vulnerable or invulnerable.
 *
 * <p>The check is skipped, and {@code false} returned, when the active vendor model has
 * no file resource definition. Otherwise the vendor's privilege test query is run: an
 * empty result or the literal {@code "false"} means reading is not allowed, and any other
 * result means it is. The outcome is also stored in {@code readingIsAllowed}.
 *
 * @return true if the user can read files, false otherwise
 * @throws JSqlException when an error occurs during injection
 */
public boolean isReadingAllowed() throws JSqlException {
    // Fix #41055: NullPointerException on getFile()
    if (this.injectionModel.getMediatorVendor().getVendor().instance().getModelYaml().getResource().getFile() == null) {
        LOGGER.log(LogLevel.CONSOLE_ERROR, "Reading file on {} is currently not supported", () -> this.injectionModel.getMediatorVendor().getVendor());
        return false;
    }
    // Single-element array, handed to the row reader alongside the query.
    var pageSourceHolder = new String[] { StringUtils.EMPTY };
    String privilegeResult = new SuspendableGetRows(this.injectionModel).run(this.injectionModel.getMediatorVendor().getVendor().instance().sqlPrivilegeTest(), pageSourceHolder, false, 1, null, "privilege");
    boolean isGranted;
    if (StringUtils.isEmpty(privilegeResult)) {
        // No answer at all: report the page content that came back instead.
        this.injectionModel.sendResponseFromSite("Can't read privilege", pageSourceHolder[0].trim());
        isGranted = false;
    } else if ("false".equals(privilegeResult)) {
        LOGGER.log(LogLevel.CONSOLE_ERROR, "Privilege FILE is not granted to current user, files can\'t be read");
        isGranted = false;
    } else {
        isGranted = true;
    }
    var request = new Request();
    request.setMessage(isGranted ? Interaction.MARK_FILE_SYSTEM_VULNERABLE : Interaction.MARK_FILE_SYSTEM_INVULNERABLE);
    this.injectionModel.sendToViews(request);
    this.readingIsAllowed = isGranted;
    return this.readingIsAllowed;
}
Also used : SuspendableGetRows(com.jsql.model.suspendable.SuspendableGetRows) HttpRequest(java.net.http.HttpRequest) Request(com.jsql.model.bean.util.Request)

Example 44 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class ParameterUtil method controlInput.

/**
 * Passes the parameters entered in the GUI to the model and starts the injection.
 *
 * <p>The URL is normalised first: an empty URL or one starting with {@code http://} or
 * {@code https://} (case-insensitive) is used as given, a URL without any scheme is
 * prefixed with {@code http://} (so the request goes over cleartext HTTP), and a URL
 * with any other scheme is rejected. On rejection the error is logged and the views
 * receive {@code END_PREPARATION} so the start button is reset.
 *
 * @param urlQuery target URL as typed by the user; must not be null
 * @param dataRequest request data handed to {@code initializeRequest}
 * @param dataHeader header data handed to {@code initializeHeader}
 * @param methodInjection injection method stored in the connection utilities
 * @param typeRequest request type stored in the connection utilities
 * @param isScanning when true the injection runs on the calling thread, otherwise on a
 *        new thread named {@code ThreadBeginInjection}
 */
public void controlInput(String urlQuery, String dataRequest, String dataHeader, AbstractMethodInjection methodInjection, String typeRequest, boolean isScanning) {
    try {
        String normalizedUrl = urlQuery;
        // Keep single check
        boolean isUsableAsGiven = normalizedUrl.isEmpty() || normalizedUrl.matches("(?i)^https?://.*");
        if (!isUsableAsGiven) {
            if (normalizedUrl.matches("(?i)^\\w+://.*")) {
                // A scheme is present but it is neither http nor https.
                throw new MalformedURLException("unknown URL protocol");
            }
            LOGGER.log(LogLevel.CONSOLE_INFORM, "Undefined URL protocol, forcing to [http://]");
            normalizedUrl = "http://" + normalizedUrl;
        }
        this.initializeQueryString(normalizedUrl);
        this.initializeRequest(dataRequest);
        this.initializeHeader(dataHeader);
        var connectionUtil = this.injectionModel.getMediatorUtils().getConnectionUtil();
        connectionUtil.setMethodInjection(methodInjection);
        this.injectionModel.getMediatorUtils().getConnectionUtil().setTypeRequest(typeRequest);
        if (!isScanning) {
            // Start the model injection process in a thread
            new Thread(this.injectionModel::beginInjection, "ThreadBeginInjection").start();
        } else {
            this.injectionModel.beginInjection();
        }
    } catch (MalformedURLException e) {
        LOGGER.log(LogLevel.CONSOLE_ERROR, "Incorrect Url: {}", e.getMessage());
        // Incorrect URL, reset the start button
        var endPreparation = new Request();
        endPreparation.setMessage(Interaction.END_PREPARATION);
        this.injectionModel.sendToViews(endPreparation);
    }
}
Also used : MalformedURLException(java.net.MalformedURLException) Request(com.jsql.model.bean.util.Request)

Example 45 with Request

use of com.jsql.model.bean.util.Request in project jsql-injection by ron190.

the class SuspendableGetCharInsertion method run.

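/**
 * Runs the queued page-source tasks and selects the insertion character to use.
 *
 * <p>Tasks are created by {@code initializeCallables} and consumed in completion order.
 * The first page for which {@code getVendorsOrderByMatch} returns at least one vendor
 * sets the vendor, notifies the views with {@code SET_VENDOR} and ends the loop. If no
 * page matches, the character recorded in {@code charFromBooleanMatch[0]} is used when
 * present. The final choice is made by {@code getCharacterInsertion}.
 *
 * @param args {@code args[0]} is the insertion character supplied by the user, as a {@code String}
 * @return the value returned by {@code getCharacterInsertion} for the user-supplied and detected characters
 * @throws JSqlException declared by the overridden method; a {@code StoppedByUserSlidingException}
 *         is thrown when the task is suspended while results are still pending
 */
@Override
public String run(Object... args) throws JSqlException {
    String characterInsertionByUser = (String) args[0];
    ExecutorService taskExecutor = this.injectionModel.getMediatorUtils().getThreadUtil().getExecutor("CallableGetInsertionCharacter");
    CompletionService<CallablePageSource> taskCompletionService = new ExecutorCompletionService<>(taskExecutor);
    var charFromBooleanMatch = new String[1];
    List<String> charactersInsertion = this.initializeCallables(taskCompletionService, characterInsertionByUser, charFromBooleanMatch);
    var mediatorVendor = this.injectionModel.getMediatorVendor();
    LOGGER.log(LogLevel.CONSOLE_DEFAULT, "Fingerprinting database and character insertion with Order by match...");
    String charFromOrderBy = null;
    int total = charactersInsertion.size();
    while (0 < total) {
        if (this.isSuspended()) {
            throw new StoppedByUserSlidingException();
        }
        try {
            var completedTask = taskCompletionService.take();
            // Count the task as soon as it is dequeued: if get() then fails, the loop must
            // not wait for a completion that will never arrive.
            total--;
            CallablePageSource currentCallable = completedTask.get();
            String pageSource = currentCallable.getContent();
            List<Vendor> vendorsOrderByMatch = this.getVendorsOrderByMatch(mediatorVendor, pageSource);
            if (!vendorsOrderByMatch.isEmpty()) {
                this.setVendor(mediatorVendor, vendorsOrderByMatch);
                LOGGER.log(LogLevel.CONSOLE_INFORM, "Using [{}]", mediatorVendor.getVendor());
                var requestSetVendor = new Request();
                requestSetVendor.setMessage(Interaction.SET_VENDOR);
                requestSetVendor.setParameters(mediatorVendor.getVendor());
                this.injectionModel.sendToViews(requestSetVendor);
                // Char insertion
                charFromOrderBy = currentCallable.getCharacterInsertion();
                LOGGER.log(LogLevel.CONSOLE_SUCCESS, "Character insertion [{}] matching with Order by and compatible with Error strategy", charFromOrderBy);
                break;
            }
        } catch (InterruptedException e) {
            LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
            Thread.currentThread().interrupt();
            // The restored interrupt flag makes every further take() fail immediately
            // without reducing the pending count, so leave the loop instead of spinning.
            break;
        } catch (ExecutionException e) {
            LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
        }
    }
    // End the job
    try {
        taskExecutor.shutdown();
        if (!taskExecutor.awaitTermination(15, TimeUnit.SECONDS)) {
            taskExecutor.shutdownNow();
        }
    } catch (InterruptedException e) {
        LOGGER.log(LogLevel.CONSOLE_JAVA, e, e);
        Thread.currentThread().interrupt();
    }
    // Fall back to the character recorded by the boolean match when Order by found none.
    if (charFromOrderBy == null && charFromBooleanMatch[0] != null) {
        charFromOrderBy = charFromBooleanMatch[0];
    }
    return this.getCharacterInsertion(characterInsertionByUser, charFromOrderBy);
}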
Also used : Request(com.jsql.model.bean.util.Request) ExecutorCompletionService(java.util.concurrent.ExecutorCompletionService) CallablePageSource(com.jsql.model.suspendable.callable.CallablePageSource) Vendor(com.jsql.model.injection.vendor.model.Vendor) MediatorVendor(com.jsql.model.injection.vendor.MediatorVendor) ExecutorService(java.util.concurrent.ExecutorService) StoppedByUserSlidingException(com.jsql.model.exception.StoppedByUserSlidingException) ExecutionException(java.util.concurrent.ExecutionException)
