From 637a8d827397886848d092af4e178ff7edd8da1d Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 29 Mar 2012 14:33:27 +0000
Subject: [PATCH] improvement toward proper implementation of OR-based injection by usage of "negative logic" mechanism

---
 lib/controller/checks.py | 1 +
 lib/core/common.py | 1 +
 lib/request/comparison.py | 17 ++++++++++++-----
 lib/request/connect.py | 2 --
 xml/payloads.xml | 18 +++++++++---------
 5 files changed, 23 insertions(+), 16 deletions(-)

diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index d12f4313f..63064dac1 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -327,6 +327,7 @@ def checkSqlInjection(place, parameter, value):
 # Useful to set kb.matchRatio at first based on
 # the False response content
 kb.matchRatio = None
+ kb.negativeLogic = (where == PAYLOAD.WHERE.NEGATIVE)
 Request.queryPage(genCmpPayload(), place, raise404=False)

 # Perform the test's True request
diff --git a/lib/core/common.py b/lib/core/common.py
index bc6fe2a72..c7ee9bbcf 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -2386,6 +2386,7 @@ def initTechnique(technique=None):
 if data:
 kb.pageTemplate, kb.errorIsNone = getPageTemplate(data.templatePayload, kb.injection.place)
 kb.matchRatio = data.matchRatio
+ kb.negativeLogic = (technique == PAYLOAD.TECHNIQUE.BOOLEAN) and (data.where == PAYLOAD.WHERE.NEGATIVE)

 # Restoring stored conf options
 for key, value in kb.injection.conf.items():
diff --git a/lib/request/comparison.py b/lib/request/comparison.py
index 82599f0cb..925955512 100644
--- a/lib/request/comparison.py
+++ b/lib/request/comparison.py
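Review bot: The new `kb.negativeLogic` assignment in `checkSqlInjection` (the line added before `Request.queryPage(genCmpPayload(), place, raise404=False)`) is the only place in this file that writes the flag, and nothing in the commit ever clears it, so a later test in the same loop that does not pass through this line would inherit the value left by the previous boolean test; the same applies to the `initTechnique` hunk in lib/core/common.py, where the assignment sits inside `if data:` and a technique with empty `data` keeps whatever was set before. Because `_adjust()` in lib/request/comparison.py negates every raw-page comparison while the flag is true, a stale value would quietly invert unrelated comparisons. I would reset it at a known point, e.g. `kb.negativeLogic = False` at the start of each test iteration in `checkSqlInjection`, and add `else: kb.negativeLogic = False` to the `if data:` in `initTechnique`. The enclosing branch of `checkSqlInjection` and the rest of the `if data:` block lie outside the hunks, so whether some other reset already exists there cannot be confirmed from the diff.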
@@ -29,12 +29,19 @@ from lib.core.settings import UPPER_RATIO_BOUND
 from lib.core.threads import getCurrentThreadData

 def comparison(page, headers, code=None, getRatioValue=False, pageLength=None):
- #return _checkNegativeLogic(_comparison(page, headers, code, getRatioValue, pageLength), getRatioValue)
- return _comparison(page, headers, code, getRatioValue, pageLength)
+ return _adjust(_comparison(page, headers, code, getRatioValue, pageLength), getRatioValue)

-def _checkNegativeLogic(condition, getRatioValue):
- condition = not (condition or False) if kb.negativeLogic else condition
- return condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO)
+def _adjust(condition, getRatioValue):
+ # Negative logic approach is used in raw page comparison scheme as that what is "different" than original
+ # PAYLOAD.WHERE.NEGATIVE response is considered as True; in switch based approach negative logic is not
+ # applied as that is by the user considered as True is that what is returned by the comparison mechanism
+ # itself
+ if not any([conf.string, conf.regexp, conf.code]):
+ retVal = not (condition or False) if kb.negativeLogic else condition
+ else:
+ retVal = condition if not getRatioValue else (MAX_RATIO if condition else MIN_RATIO)
+
+ return retVal

 def _comparison(page, headers, code, getRatioValue, pageLength):
 if page is None and pageLength is None:
diff --git a/lib/request/connect.py b/lib/request/connect.py
index d0c21fe4f..a43501a14 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -502,8 +502,6 @@ class Connect:
 string match check ('--string' command line parameter)
 """

- kb.negativeLogic = "OR NOT" in (value or "")
-
 if conf.direct:
 return direct(value, content)

diff --git a/xml/payloads.xml b/xml/payloads.xml
index 2d33495b5..13ea53a0c 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
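Review bot: In `_adjust`'s raw-page branch (`if not any([conf.string, conf.regexp, conf.code]):`) the negation `not (condition or False)` is applied regardless of `getRatioValue`, and if — as the name suggests and the `else` branch's MAX_RATIO/MIN_RATIO mapping implies — `_comparison()` returns a ratio rather than a boolean when `getRatioValue` is true, a caller asking for the ratio under negative logic gets a bool back (`False` for any non-zero ratio) instead of a number; `_comparison`'s body is outside the hunk, so this is inferred. I would keep the float out of the boolean negation, e.g. `retVal = condition if getRatioValue else (not condition if kb.negativeLogic else condition)`, and decide explicitly what an "inverted" ratio should mean rather than letting `not` do it implicitly; the `or False` is redundant since `not None` is already `True`. The four-line comment above the branch is hard to follow and would read better as a single statement that negative logic (inverting the raw-page comparison result) is applied only when no --string/--regexp/--code switch is set, because with those switches the user's match itself defines the True response.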
@@ -615,12 +615,12 @@ Formats: 3 1 2 - OR NOT ([INFERENCE]) + OR ([INFERENCE]) - OR NOT ([RANDNUM]=[RANDNUM]) + OR ([RANDNUM]=[RANDNUM]) - OR NOT ([RANDNUM]=[RANDNUM1]) + OR ([RANDNUM]=[RANDNUM1]) @@ -631,13 +631,13 @@ Formats: 3 1 2 - OR NOT ([INFERENCE]) + OR ([INFERENCE]) - OR NOT ([RANDNUM]=[RANDNUM]) + OR ([RANDNUM]=[RANDNUM]) # - OR NOT ([RANDNUM]=[RANDNUM1]) + OR ([RANDNUM]=[RANDNUM1])
MySQL @@ -651,13 +651,13 @@ Formats: 3 1 2 - OR NOT ([INFERENCE]) + OR ([INFERENCE]) - OR NOT ([RANDNUM]=[RANDNUM]) + OR ([RANDNUM]=[RANDNUM]) -- - OR NOT ([RANDNUM]=[RANDNUM1]) + OR ([RANDNUM]=[RANDNUM1])