Commit Graph

179 Commits

Author SHA1 Message Date
Miroslav Stampar
d0490cc4e7 adding payloads for time-based injection on DB2 (heavy query) 2011-06-26 16:38:22 +00:00
Miroslav Stampar
0baf931669 real generic comment is "-- " not "--" (MySQL doesn't support "--") 2011-05-24 09:16:21 +00:00
Miroslav Stampar
171a4c389b added MySQL >=4.1 <=5.0 error based WHERE/HAVING payload 2011-05-23 06:24:45 +00:00
Miroslav Stampar
939e6541d0 far safer way for dealing with error-based payloads on MySQL (no timeouts with .CHARACTER_SETS on testing platforms versus when used .TABLES) 2011-05-19 23:36:51 +00:00
Miroslav Stampar
bd1b07fbc2 one more parameter replace payload for MySQL and rising level of GENERATE_SERIES for PostgreSQL 2011-05-19 06:32:23 +00:00
Miroslav Stampar
7f086916c0 decent parameter replace payload for PostgreSQL (GENERATE_SERIES) 2011-05-18 23:40:42 +00:00
Miroslav Stampar
e58d6d2e00 removing (CBRT(LN(0)) because it's nothing special compared to standard 1/0; also, removing parameter replacement with returned value 1 as it doesn't have much sense in comparison to origvalue one (which is far more stable and usable) 2011-05-18 23:20:02 +00:00
Miroslav Stampar
fe50d09cc8 added new payload for PostgreSQL (parameter replace) 2011-05-18 23:01:41 +00:00
Bernardo Damele
3a8309c4b0 Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches 2011-05-10 15:34:54 +00:00
Bernardo Damele
7df954dd9f paranoy 2011-04-21 23:41:25 +00:00
Miroslav Stampar
0764c4c752 parenthesis were missing; banning OR NOT from payloads 2011-04-21 23:32:53 +00:00
Bernardo Damele
1d61611145 leftover 2011-04-21 22:46:43 +00:00
Bernardo Damele
870f773d70 In some old versions of MySQL (perhaps others DBMS too) the NOT clause is not supported, hence we need also OR tests without NOT - tested and works like this 2011-04-21 20:36:50 +00:00
Miroslav Stampar
75f286cf6d minor update conformant to http://dev.mysql.com/doc/refman/4.1/en/comments.html 2011-04-10 23:41:00 +00:00
Miroslav Stampar
3177c6023d lol. re-revert 2011-04-10 23:30:56 +00:00
Bernardo Damele
9ea4010508 Leave it as is :) 2011-04-10 23:20:35 +00:00
Miroslav Stampar
3e680978a9 revert of that last commit (waiting for some better days) 2011-04-10 23:18:38 +00:00
Miroslav Stampar
f532478a34 update of MySQL comments 2011-04-10 23:08:18 +00:00
Bernardo Damele
af096b2c83 Leave it as is!!! 2011-04-10 21:47:23 +00:00
Bernardo Damele
02eeeccd33 Added UNION query SQL injection tests also with a random number for columns (not only NULL) 2011-04-07 13:39:36 +00:00
Miroslav Stampar
b7813f9e68 incrementing level for MySQL stacked payloads 2011-03-29 07:31:56 +00:00
Miroslav Stampar
b5c9ccb755 Oracle XML based error payload has problems with char $ as with space 2011-03-21 13:13:12 +00:00
Miroslav Stampar
eedd6a990d removing space after , for our payloads 2011-03-08 14:29:22 +00:00
Miroslav Stampar
ff9080de48 MaxDB always precalculates values for both TRUE and FALSE, hence we can't trick him to run any "faulty" command (e.g. 1/0). This payload is fairly ok because in case of FALSE --> something=NULL is always NULL 2011-02-21 20:59:34 +00:00
Miroslav Stampar
08697e60a9 added some Microsoft Access payloads 2011-02-21 20:04:50 +00:00
Miroslav Stampar
5fb11fd173 update regarding multiple DBMS payloads 2011-02-13 21:20:21 +00:00
Bernardo Damele
7dcfcca87f Tests' titles adjustments 2011-02-06 23:17:39 +00:00
Miroslav Stampar
5ecb75cc56 minor update 2011-02-06 15:14:07 +00:00
Miroslav Stampar
f754953c4f reverting this one. spotted a major bug. dbms is not properly enforced at this moment, don't know why. if it was this would be properly encoded. 2011-02-06 12:33:58 +00:00
Miroslav Stampar
97f9c9d119 bug fix (playing with wavsep i've realized that we are sending in this payload quoted 'string' (causing problems), while MD5 also accepts integer values 2011-02-06 12:24:50 +00:00
Bernardo Damele
27601babb4 Minor adjustments to levels of boundaries 2011-02-04 11:57:47 +00:00
Miroslav Stampar
76ab14f20f revert of r3203 2011-02-04 09:30:20 +00:00
Miroslav Stampar
78d696fd4f i believe that this one should be the first level 1 boundary 2011-02-03 21:27:03 +00:00
Miroslav Stampar
64f18724ad new default UNION test(s) ranges 2011-02-03 16:26:35 +00:00
Miroslav Stampar
5aa958a146 ASCII & CHR is quite common, so removing this one 2011-01-24 22:51:15 +00:00
Miroslav Stampar
a1619f84b6 changing level of last payload 2011-01-24 22:31:26 +00:00
Miroslav Stampar
8155f95b82 new payload - PostgreSQL boolean-based blind - Parameter replace (based on CHR(0) - "SQL error: ERROR: null character not permitted") 2011-01-24 22:28:54 +00:00
Miroslav Stampar
9f76468005 another premiere, yeeej. IDSes, watch yourself :) 2011-01-24 21:30:46 +00:00
Miroslav Stampar
2fb0c946d2 minor update 2011-01-24 21:21:47 +00:00
Miroslav Stampar
15645f50d4 world premiere :) 2011-01-24 21:21:11 +00:00
Bernardo Damele
b0dc6c24eb Moved 2011-01-24 17:04:49 +00:00
Miroslav Stampar
c188996627 patch for possible query optimization (avoid precalculation of 1/0) 2011-01-24 16:21:27 +00:00
Bernardo Damele
47fa600c04 Minor fix and cosmetics 2011-01-24 11:12:33 +00:00
Miroslav Stampar
7bf05bf2cb minor update 2011-01-22 00:12:03 +00:00
Miroslav Stampar
d6d8d54eda implemented Johannes Dahse / Reiners' technique 2011-01-22 00:06:27 +00:00
Miroslav Stampar
0743202879 minor update 2011-01-21 23:54:25 +00:00
Miroslav Stampar
cb0e7080c5 more appropriate name (on http://websec.wordpress.com/ they use term "conditional" for something very similar, although not stacked) 2011-01-21 23:47:45 +00:00
Miroslav Stampar
7c4c79477d world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql) 2011-01-21 18:32:10 +00:00
Bernardo Damele
7ce49bcf0d Sorted boundaries so that the ones with parenthesis are tested first - it has to be like this!
Adjusted comments accordingly to new UNION-specific tags.
2011-01-20 21:42:55 +00:00
Miroslav Stampar
a1d77737f5 minor grammar update (this should be a better form) 2011-01-20 18:35:21 +00:00
Bernardo Damele
81be23976e Confirmed HAVING payloads work as WHERE ones.
Changed <risk> value of all 'heavy query' tests to 2 as it can potentially lead to a DoS.
Proper handling of title for UNION tests when --union-char is provided.
2011-01-18 22:55:20 +00:00
Miroslav Stampar
f7d9b22510 because other major DBMSes have at least one level 1 time based payload 2011-01-18 20:32:49 +00:00
Miroslav Stampar
bdcb10cdab added MSSQL time based vector 2011-01-18 02:05:18 +00:00
Bernardo Damele
c2a358561f Proper support for --union-cols 2011-01-17 22:57:33 +00:00
Miroslav Stampar
fb166e9445 adding USER_LOCK stacked query support for ORACLE (older versions) 2011-01-16 10:31:16 +00:00
Miroslav Stampar
f31c028232 Oracle stacked vector based on DBMS_LOCK.SLEEP (https://foro.undersecurity.net/read.php?46,1436) 2011-01-16 10:07:56 +00:00
Bernardo Damele
1b3717c79c Improvement to make time-based blind to work also against login forms 2011-01-12 16:20:29 +00:00
Bernardo Damele
d7a7993e0d Minor comment fix 2011-01-12 11:57:36 +00:00
Bernardo Damele
2f5995a7eb Added generic and mysql UNION tests from 1 to 25 columns.
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00
Bernardo Damele
300128042c First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Bernardo Damele
1c86ec374e Code refactoring and cosmetics 2011-01-07 15:41:09 +00:00
Miroslav Stampar
96c3ffd3d7 changing risk level to 0 - lots of MySQL databases around have information_schema unreadable, thus disabling first AND based error payload 2010-12-27 19:02:13 +00:00
Bernardo Damele
e791f8f2b7 Minor fix 2010-12-20 10:33:24 +00:00
Miroslav Stampar
bfdc4fa000 new error vector for MS SQL (from David Guimaraes' mail) 2010-12-17 19:00:20 +00:00
Bernardo Damele
207f63cebc Prepare for UNION query tests at detection phase 2010-12-13 21:31:34 +00:00
Miroslav Stampar
acc7d6d40c fix 2010-12-11 11:03:32 +00:00
Miroslav Stampar
ac9080c07b update 2010-12-11 08:24:29 +00:00
Miroslav Stampar
7e2984b4b6 added stacked query support for Oracle 2010-12-09 15:24:48 +00:00
Bernardo Damele
4bb40c0a06 Higher the level for Oracle stacked tests just in case the SQL inj is within a PL/SQL function ('cause of no support for stacked queries by design on Oracle) 2010-12-09 15:14:18 +00:00
Miroslav Stampar
d8edc5b244 adding stacked-query vector for Firebird 2010-12-09 15:11:21 +00:00
Bernardo Damele
13b522efc2 Added error-based support for MySQL < 5.0 - closes #14 2010-12-09 15:09:03 +00:00
Miroslav Stampar
5aafd19957 added vector for SQLite's stacked query payload 2010-12-09 15:06:40 +00:00
Miroslav Stampar
71761ba9a5 another fix for another beautiful heavy query payload which took a few 100 megs and 5 mins to run 2010-12-09 10:35:18 +00:00
Miroslav Stampar
094baadc5b bug fix (in SELECT based heavy queries COUNT(*) should be used; otherwise multiple row error happens without proper delay) 2010-12-09 10:17:04 +00:00
Bernardo Damele
3b293c4ea7 Added possible stacked queries time-based blind vector for MSSQL 2010-12-08 23:55:42 +00:00
Bernardo Damele
f5ce739bdf Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet. 2010-12-08 23:52:31 +00:00
Miroslav Stampar
ad00fe13c1 another fix for MySQL time based payloads 2010-12-08 12:00:27 +00:00
Miroslav Stampar
8227e6d3cf bug fix for BENCHMARK time-based vectors 2010-12-08 11:49:55 +00:00
Bernardo Damele
8ff7c9a5a1 Works on Oracle's GROUP BY too 2010-12-07 17:17:01 +00:00
Miroslav Stampar
4f01d4c109 number crunching based time payloads are now affected by conf.timeSec 2010-12-07 13:24:18 +00:00
Miroslav Stampar
d0936bc8ed adding vectors for SQLite time-based payloads 2010-12-07 13:14:56 +00:00
Bernardo Damele
54b8cb76a1 Messed up with my last merge, all fixed now 2010-12-07 12:59:53 +00:00
Miroslav Stampar
b38a634d95 bug fix 2010-12-07 12:55:31 +00:00
Bernardo Damele
7c32db6e9d Forgot when merged with my last commit 2010-12-07 12:52:09 +00:00
Bernardo Damele
acac0d346f Minor bug fixes and adjustments 2010-12-07 12:45:45 +00:00
Miroslav Stampar
2b2b7dc3a6 added vectors for time-based Firebird payloads 2010-12-07 12:20:48 +00:00
Miroslav Stampar
36a7fca8d5 added time-based payload vector for MSSQL 2010-12-07 12:06:25 +00:00
Miroslav Stampar
485981c619 added vectors for PostgresSQL time-based payloads 2010-12-07 11:57:33 +00:00
Miroslav Stampar
f9085e01e7 added vectors for Oracle time-based payloads 2010-12-07 11:47:29 +00:00
Miroslav Stampar
3d87489de5 minor update 2010-12-07 08:05:03 +00:00
Miroslav Stampar
90b776c1a2 update 2010-12-07 00:58:54 +00:00
Miroslav Stampar
0da1ebde7d introducing PostgreSQL time based blind 2010-12-07 00:51:14 +00:00
Miroslav Stampar
1ba98dc9ec found a fix for a OR time-based MySQL payload :) 2010-12-07 00:31:46 +00:00
Miroslav Stampar
61f82fd274 introducing [DELAYED] for heavy query time based payloads when response time is non-deterministic 2010-12-07 00:27:26 +00:00
Bernardo Damele
32f1909131 Some more "advanced" boundaries 2010-12-06 23:15:41 +00:00
Miroslav Stampar
84a038d0a3 added one more subtag 2010-12-06 23:10:38 +00:00
Miroslav Stampar
1031723c89 added one more time based blind for Oracle 2010-12-06 23:05:53 +00:00
Miroslav Stampar
7697d19292 space replace is not needed in other two Oracle error based payloads; removing incorrect dbms_version for ctxsys.drithsx.sn as it also works on 10g 2010-12-06 22:52:18 +00:00
Miroslav Stampar
2735848ab6 removed ERROR_SPACE 2010-12-06 22:40:07 +00:00
Miroslav Stampar
f516c18a2a minor update 2010-12-06 21:39:57 +00:00