Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now.

Minor code refactoring too.
This commit is contained in:
Bernardo Damele 2010-11-29 17:18:38 +00:00
parent e9291932e5
commit 8b9706656e
6 changed files with 25 additions and 79 deletions

View File

@ -45,29 +45,6 @@ from lib.core.session import setTimeBased
from lib.core.target import initTargetEnv
from lib.core.target import setupTargetEnv
def __saveToSessionFile():
for inj in kb.injections:
setInjection(inj)
place = inj.place
parameter = inj.parameter
for stype, sdata in inj.data.items():
payload = sdata[0]
if stype == 1:
kb.booleanTest = payload
setBooleanBased(place, parameter, payload)
elif stype == 2:
kb.errorTest = payload
setError(place, parameter, payload)
elif stype == 4:
kb.stackedTest = payload
setStacked(place, parameter, payload)
elif stype == 5:
kb.timeTest = payload
setTimeBased(place, parameter, payload)
def __selectInjection():
"""
Selection function for injection place, parameters and type.
@ -144,6 +121,29 @@ def __showInjections():
dumper.technic(header, data)
def __saveToSessionFile():
for inj in kb.injections:
setInjection(inj)
place = inj.place
parameter = inj.parameter
for stype, sdata in inj.data.items():
payload = sdata[0]
if stype == 1:
kb.booleanTest = payload
setBooleanBased(place, parameter, payload)
elif stype == 2:
kb.errorTest = payload
setError(place, parameter, payload)
elif stype == 4:
kb.stackedTest = payload
setStacked(place, parameter, payload)
elif stype == 5:
kb.timeTest = payload
setTimeBased(place, parameter, payload)
def start():
"""
This function calls a function that performs checks on both URL

View File

@ -499,24 +499,6 @@ def __setWriteFile():
conf.wFileType = getFileType(conf.wFile)
def __setUnion():
if isinstance(conf.uTech, basestring):
debugMsg = "setting the UNION query SQL injection detection technique"
logger.debug(debugMsg)
uTechOriginal = conf.uTech
conf.uTech = conf.uTech.lower()
if conf.uTech and conf.uTech not in ( "char", "orderby" ):
infoMsg = "resetting the UNION query detection technique to "
infoMsg += "'char', '%s' is not a valid technique" % uTechOriginal
logger.info(infoMsg)
conf.uTech = "char"
else:
debugMsg = "setting UNION query detection technique to "
debugMsg += "'%s'" % uTechOriginal
logger.debug(debugMsg)
if isinstance(conf.uCols, basestring) and conf.uChar != "1-20":
debugMsg = "setting the UNION query SQL injection range of columns"
logger.debug(debugMsg)

View File

@ -77,7 +77,6 @@ optDict = {
"Techniques": {
"timeSec": "integer",
"unionTest": "boolean",
"uTech": "string",
"uCols": "integer",
"uChar": "string"
},

View File

@ -235,9 +235,6 @@ def cmdLineParser():
action="store_true", default=False,
help="Test for and use UNION query (inband) SQL injection")
techniques.add_option("--union-tech", dest="uTech", default="char",
help="Technique to test for UNION query SQL injection")
techniques.add_option("--union-cols", dest="uCols", default="1-20",
help="Range of columns to test for UNION query SQL injection")

View File

@ -117,26 +117,6 @@ def __unionTestByCharBruteforce(comment):
return validPayload
def __unionTestByOrderBy(comment):
columns = None
prevPayload = ""
for count in range(conf.uColsStart, conf.uColsStop+1):
query = agent.prefixQuery("ORDER BY %d" % count)
orderByQuery = agent.suffixQuery(query, comment)
payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
_, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
if seqMatcher >= 0.6:
columns = count
setUnion(count=count)
elif columns:
break
prevPayload = payload
return columns
def unionTest():
"""
This method tests if the target url is affected by an inband
@ -149,9 +129,7 @@ def unionTest():
if kb.unionTest is not None:
return kb.unionTest
if conf.uTech == "orderby":
technique = "ORDER BY clause bruteforcing"
elif conf.uChar == "NULL":
if conf.uChar == "NULL":
technique = "NULL bruteforcing"
else:
technique = "char (%s) bruteforcing" % conf.uChar
@ -163,10 +141,7 @@ def unionTest():
validPayload = None
comment = queries[kb.dbms].comment.query
if conf.uTech == "orderby":
validPayload = __unionTestByOrderBy(comment)
else:
validPayload = __unionTestByCharBruteforce(comment)
validPayload = __unionTestByCharBruteforce(comment)
if validPayload:
setUnion(comment=comment)

View File

@ -255,13 +255,6 @@ timeSec = 5
# Valid: True or False
unionTest = False
# Technique to test for UNION query SQL injection
# The possible techniques are by NULL bruteforcing (bf) or by ORDER BY
# clause (ob)
# Valid: char, OrderBy
# Default: char
uTech = char
# Range of columns to test for
# Valid: range of integers
# Default: 1-20