improvement toward proper implementation of OR-based injection by usage of "negative logic" mechanism
1 parent ce4c697 commit 637a8d8

5 files changed

Lines changed: 23 additions & 16 deletions


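--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -327,6 +327,7 @@ def genCmpPayload():
 # Useful to set kb.matchRatio at first based on
 # the False response content
 kb.matchRatio = None
+kb.negativeLogic = (where == PAYLOAD.WHERE.NEGATIVE)
 Request.queryPage(genCmpPayload(), place, raise404=False)
 
 # Perform the test's True request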
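Review bot: The new `kb.negativeLogic` assignment before the False request is only ever set here, never cleared, now that the per-request assignment in lib/request/connect.py is removed; any comparison made after this test's True request and before the next iteration reassigns the flag would inherit it (the enclosing function starts and ends outside the hunk, so I cannot see whether such a comparison exists). A defensive `kb.negativeLogic = False` once the True/False checks for this `where` are finished, or a default in the kb initialisation, would keep the flag from leaking into unrelated comparisons. Since `kb` appears to be process-wide state read by `comparison()`, it is also worth confirming that no other thread consults it while this test runs.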

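--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -2386,6 +2386,7 @@ def initTechnique(technique=None):
 if data:
 kb.pageTemplate, kb.errorIsNone = getPageTemplate(data.templatePayload, kb.injection.place)
 kb.matchRatio = data.matchRatio
+kb.negativeLogic = (technique == PAYLOAD.TECHNIQUE.BOOLEAN) and (data.where == PAYLOAD.WHERE.NEGATIVE)
 
 # Restoring stored conf options
 for key, value in kb.injection.conf.items():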
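Review bot: `kb.negativeLogic` is assigned only inside the `if data:` branch, so a call to `initTechnique()` for a technique that has no stored data leaves whatever value the previously initialised technique set. Resetting the flag before the branch, `kb.negativeLogic = False` ahead of `if data:`, makes the value depend only on the current technique. The `technique == PAYLOAD.TECHNIQUE.BOOLEAN` guard is a good addition; the lib/controller/checks.py hunk sets the same flag from `where` alone, which may be worth aligning if non-boolean tests can carry that `where` value. The body of initTechnique continues outside the hunk.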

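--- a/lib/request/comparison.py
+++ b/lib/request/comparison.py
@@ -29,12 +29,19 @@
 from lib.core.threads import getCurrentThreadData
 
 def comparison(page, headers, code=None, getRatioValue=False, pageLength=None):
-#return _checkNegativeLogic(_comparison(page, headers, code, getRatioValue, pageLength), getRatioValue)
-return _comparison(page, headers, code, getRatioValue, pageLength)
+return _adjust(_comparison(page, headers, code, getRatioValue, pageLength), getRatioValue)
+
+def _adjust(condition, getRatioValue):
+# Negative logic approach is used in raw page comparison scheme as that what is "different" than original
+# PAYLOAD.WHERE.NEGATIVE response is considered as True; in switch based approach negative logic is not
+# applied as that is by the user considered as True is that what is returned by the comparison mechanism
+# itself
+if not any([conf.string, conf.regexp, conf.code]):
+retVal = not (condition or False) if kb.negativeLogic else condition
+else:
+retVal = condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO)
 
-def _checkNegativeLogic(condition, getRatioValue):
-condition = not (condition or False) if kb.negativeLogic else condition
-return condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO)
+return retVal
 
 def _comparison(page, headers, code, getRatioValue, pageLength):
 if page is None and pageLength is None: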
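Review bot: In the first branch of `_adjust` the `getRatioValue` argument is ignored, so when `kb.negativeLogic` is set a caller that asked for a ratio receives `not condition`, a bool, instead of the number `_comparison` presumably returns for it (its body continues outside the hunk); the removed `_checkNegativeLogic` at least mapped the negated value back to `MAX_RATIO`/`MIN_RATIO`. Something like `retVal = (not condition) if kb.negativeLogic and not getRatioValue else condition` keeps ratio callers on the unaltered ratio while still inverting the boolean verdict; whether a ratio should be inverted at all under negative logic is the author's call, but it should be decided explicitly rather than fall out of truthiness. The `or False` in `not (condition or False)` is redundant, since `not None` is already `True`, and `_adjust` would benefit from a docstring stating that it returns the comparison verdict after applying negative logic for the raw page-comparison scheme, which the four-line comment already explains.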

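--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -502,8 +502,6 @@ def queryPage(value=None, place=None, content=False, getRatioValue=False, silent
 string match check ('--string' command line parameter)
 """
 
-kb.negativeLogic = "OR NOT" in (value or "")
-
 if conf.direct:
 return direct(value, content)
 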

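--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -615,12 +615,12 @@ Formats:
 <risk>3</risk>
 <clause>1</clause>
 <where>2</where>
-<vector>OR NOT ([INFERENCE])</vector>
+<vector>OR ([INFERENCE])</vector>
 <request>
-<payload>OR NOT ([RANDNUM]=[RANDNUM])</payload>
+<payload>OR ([RANDNUM]=[RANDNUM])</payload>
 </request>
 <response>
-<comparison>OR NOT ([RANDNUM]=[RANDNUM1])</comparison>
+<comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
 </response>
 </test>
 
@@ -631,13 +631,13 @@ Formats:
 <risk>3</risk>
 <clause>1</clause>
 <where>2</where>
-<vector>OR NOT ([INFERENCE])</vector>
+<vector>OR ([INFERENCE])</vector>
 <request>
-<payload>OR NOT ([RANDNUM]=[RANDNUM])</payload>
+<payload>OR ([RANDNUM]=[RANDNUM])</payload>
 <comment>#</comment>
 </request>
 <response>
-<comparison>OR NOT ([RANDNUM]=[RANDNUM1])</comparison>
+<comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
 </response>
 <details>
 <dbms>MySQL</dbms>
@@ -651,13 +651,13 @@ Formats:
 <risk>3</risk>
 <clause>1</clause>
 <where>2</where>
-<vector>OR NOT ([INFERENCE])</vector>
+<vector>OR ([INFERENCE])</vector>
 <request>
-<payload>OR NOT ([RANDNUM]=[RANDNUM])</payload>
+<payload>OR ([RANDNUM]=[RANDNUM])</payload>
 <comment>-- </comment>
 </request>
 <response>
-<comparison>OR NOT ([RANDNUM]=[RANDNUM1])</comparison>
+<comparison>OR ([RANDNUM]=[RANDNUM1])</comparison>
 </response>
 </test>
 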