From c5de903eabf01500f14763de15494ba16d99ca9f Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Thu, 31 Mar 2011 09:35:09 +0000 Subject: [PATCH] minor improvement ("quick defense against substr fields") --- lib/core/settings.py | 3 +++ lib/techniques/inband/union/test.py | 5 +++-- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/lib/core/settings.py b/lib/core/settings.py index ca15bb561..2d8072ae7 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -66,6 +66,9 @@ CONCAT_VALUE_DELIMITER = '|' # coefficient used for a time-based query delay checking (must be >= 7) TIME_STDEV_COEFF = 10 +# minimum length of usable union injected response (quick defense against substr fields) +UNION_MIN_RESPONSE_CHARS = 10 + # coefficient used for a union-based number of columns checking (must be >= 7) UNION_STDEV_COEFF = 7 diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py index d464669d2..b8c00d4e2 100644 --- a/lib/techniques/inband/union/test.py +++ b/lib/techniques/inband/union/test.py @@ -32,6 +32,7 @@ from lib.core.data import queries from lib.core.enums import DBMS from lib.core.enums import PAYLOAD from lib.core.settings import FROM_TABLE +from lib.core.settings import UNION_MIN_RESPONSE_CHARS from lib.core.settings import UNION_STDEV_COEFF from lib.core.settings import MIN_RATIO from lib.core.settings import MAX_RATIO @@ -113,7 +114,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe # affected by an exploitable inband SQL injection vulnerability for position in positions: # Prepare expression with delimiters - randQuery = randomStr() + randQuery = randomStr(UNION_MIN_RESPONSE_CHARS) phrase = "%s%s%s".lower() % (kb.misc.start, randQuery, kb.misc.stop) randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery) randQueryUnescaped = unescaper.unescape(randQueryProcessed) @@ -134,7 +135,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe if where == PAYLOAD.WHERE.ORIGINAL: # Prepare expression with delimiters - randQuery2 = randomStr() + randQuery2 = randomStr(UNION_MIN_RESPONSE_CHARS) phrase2 = "%s%s%s".lower() % (kb.misc.start, randQuery2, kb.misc.stop) randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2) randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)