avoid false positive message when extensive heuristic check is performed following detection of boolean blind injection detection: do only heuristic DBMS fingerprint for DBMS specific tables

2025-01-23 15:54:24 +03:00 · 2015-02-20 18:36:34 +00:00 · 2015-02-20 18:36:34 +00:00 · 4f939b5719
commit 4f939b5719
parent 4bbf168b18
1 changed files with 4 additions and 1 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -650,9 +650,12 @@ def heuristicCheckDbms(injection):

    pushValue(kb.injection)
    kb.injection = injection
-    randStr1, randStr2 = randomStr(), randomStr()

    for dbms in getPublicTypeMembers(DBMS, True):
+        if not FROM_DUMMY_TABLE.get(dbms, ""):
+            continue
+
+        randStr1, randStr2 = randomStr(), randomStr()
        Backend.forceDbms(dbms)

        if checkBooleanExpression("(SELECT '%s'%s)='%s'" % (randStr1, FROM_DUMMY_TABLE.get(dbms, ""), randStr1)):