Bernardo Damele
c483e91445
added payloads for ORDER BY/GROUP BY time-based injections - issue #97
2012-07-17 22:52:28 +01:00
Bernardo Damele
771e7a9fc3
Initial commit for issue #97
2012-07-17 10:13:09 +01:00
Miroslav Stampar
5d35d255ba
minor refactoring
2012-06-11 22:27:33 +00:00
Miroslav Stampar
2538e2d5b4
fixing an issue with --file-read and ROW() MySQL payload (it's internal caching mechanism prevents error message if FROM part is not unique enough dumping only partial file content); minor refactoring
2012-05-22 09:33:22 +00:00
Miroslav Stampar
3a9e266d78
adding revisited wildcard LIKE payloads
2012-05-21 21:49:54 +00:00
Miroslav Stampar
602369c762
reverting last changes on boundaries
2012-05-21 09:20:46 +00:00
Miroslav Stampar
1500b3fccd
adding a new payload boundaries by smcintyre@securestate.com
2012-05-21 08:31:37 +00:00
Miroslav Stampar
37f2709197
making a generic solution for all "Generic comment"/MsAccess cases (it's the only DBMS which doesn't accept --, hence replacing generic comment with %00 for it)
2012-05-09 09:08:23 +00:00
Miroslav Stampar
1e45ee9ab6
reverting back to smaller UNION ranges as that mechanism for automatic extending was implemented few days ago
2012-04-25 20:37:39 +00:00
Bernardo Damele
eb73cab636
increased UNION test ranges
2012-04-23 11:54:52 +00:00
Miroslav Stampar
414c74b8aa
new payload
2012-04-13 08:16:33 +00:00
Bernardo Damele
1f82d29a36
switch two conditional payloads for proper detection
2012-04-04 10:11:48 +00:00
Bernardo Damele
d5b4b7996a
minor revert
2012-04-04 00:09:47 +00:00
Bernardo Damele
049c27c739
improved detection for INSERT and UPDATE statements
2012-04-03 23:29:06 +00:00
Bernardo Damele
40a7232de6
Minor fix to avoid useless tests (FROM DUAL is Oracle specific so no point using + to concatenate strings)
2012-03-30 16:27:08 +00:00
Miroslav Stampar
637a8d8273
improvement toward proper implementation of OR-based injection by usage of "negative logic" mechanism
2012-03-29 14:33:27 +00:00
Miroslav Stampar
772ead8d03
fixed support for error-based injection on MySQL 4.1 (help table a needs more than 2 items inside); also, fixed some border issues with reflective values
2012-03-29 12:44:20 +00:00
Miroslav Stampar
84479eebe9
minor fix
2012-03-15 08:55:42 +00:00
Bernardo Damele
890bf708bc
Minor fixes to make --os-* switch work again against MySQL/Windows/ASP.NET (where stacked queries are supported)
2012-03-15 00:19:57 +00:00
Miroslav Stampar
ac5a752b12
Oracle's XMLType doesn't like '#' char too
2012-03-01 11:59:37 +00:00
Miroslav Stampar
f1147035cf
minor concision/beautification update
2012-01-10 11:50:26 +00:00
Miroslav Stampar
94790bf08a
minor update (removing reference to Microsoft Access for Generic payload)
2011-12-01 13:25:27 +00:00
Miroslav Stampar
df4e3be191
using MySQL comments in explicit MySQL payloads where not comments stated in title (as we already use in MySQL UNION payloads; in lots of cases minus character is either filtered or "exploded" - seen in lots of WP vulnerabilites; also, it was a false claim by myself previously that # is no longer a valid MySQL comment syntax in never versions)
2011-11-23 22:57:02 +00:00
Miroslav Stampar
d8047c79f3
reverting back last two commits
2011-11-22 15:28:31 +00:00
Miroslav Stampar
73276c0785
even better (added long before plugins table)
2011-11-22 15:23:31 +00:00
Miroslav Stampar
ff07031170
better choice than character_sets (lesser rows in start and avoiding one rare problem - description column name based)
2011-11-22 15:20:12 +00:00
Miroslav Stampar
bbb7e1562d
adding AGAINST full-text search boundaries
2011-11-12 14:16:43 +00:00
Miroslav Stampar
2e5222bfd8
adding INSERT/UPDATE generic boundaries
2011-10-28 11:00:09 +00:00
Miroslav Stampar
382db1b67a
degrading Microsoft Access UNION tests for one level down (it really does take toooooo long to scan a site with no vulnerable parameters and normal level)
2011-08-31 20:35:57 +00:00
Miroslav Stampar
d283e3eb3c
adding support for pre-WHERE injections
2011-08-24 09:04:18 +00:00
Miroslav Stampar
13eb20cea1
minor beautification
2011-08-03 10:12:06 +00:00
Bernardo Damele
2e20eb1a88
Minor fix
2011-08-03 10:08:59 +00:00
Bernardo Damele
99a0b62d0d
Minor adjustments
2011-07-24 22:26:11 +00:00
Miroslav Stampar
ca83305b58
added MySQL updatexml error-based payload
2011-07-24 21:08:32 +00:00
Miroslav Stampar
a89140e1ce
revisit of Oracle error-based payloads (added replace for '@' as a problematic char for XMLType function)
2011-07-23 06:07:00 +00:00
Bernardo Damele
c9ba58acb6
Moved MS Access UNION query tests after generic as generic test must identify MSSQL
2011-07-11 09:47:52 +00:00
Miroslav Stampar
5d31eb5ef7
cosmetics and also tested against testing env - works perfectly
2011-07-10 09:07:07 +00:00
Miroslav Stampar
eb42cedf2a
adding extractvalue MySQL >= 5.1 error payload ( http://www.notsosecure.com/folder2/2010/06/29/mysql-exploitation-with-error-messages/ ) - untested (lack of particular ver for testing) and prone to level/risk adjustment
2011-07-10 08:54:22 +00:00
Bernardo Damele
067354b97f
Revert of last commit and proper fix to detect UNION query SQL injection against Microsoft Access
2011-07-07 13:20:40 +00:00
Bernardo Damele
ed4cfbb6d2
Minor fix
2011-06-27 08:58:59 +00:00
Miroslav Stampar
bedf16b88b
adding payloads for time-based injection on SAP MaxDB (heavy query)
2011-06-26 23:46:09 +00:00
Miroslav Stampar
d0490cc4e7
adding payloads for time-based injection on DB2 (heavy query)
2011-06-26 16:38:22 +00:00
Miroslav Stampar
0baf931669
real generic comment is "-- " not "--" (MySQL doesn't support "--")
2011-05-24 09:16:21 +00:00
Miroslav Stampar
171a4c389b
added MySQL >=4.1 <=5.0 error based WHERE/HAVING payload
2011-05-23 06:24:45 +00:00
Miroslav Stampar
939e6541d0
far safer way for dealing with error-based payloads on MySQL (no timeouts with .CHARACTER_SETS on testing platforms versus when used .TABLES)
2011-05-19 23:36:51 +00:00
Miroslav Stampar
bd1b07fbc2
one more parameter replace payload for MySQL and rising level of GENERATE_SERIES for PostgreSQL
2011-05-19 06:32:23 +00:00
Miroslav Stampar
7f086916c0
decent parameter replace payload for PostgreSQL (GENERATE_SERIES)
2011-05-18 23:40:42 +00:00
Miroslav Stampar
e58d6d2e00
removing (CBRT(LN(0)) because it's nothing special compared to standard 1/0; also, removing parameter replacement with returned value 1 as it doesn't have much sense in comparison to origvalue one (which is far more stable and usable)
2011-05-18 23:20:02 +00:00
Miroslav Stampar
fe50d09cc8
added new payload for PostgreSQL (parameter replace)
2011-05-18 23:01:41 +00:00
Bernardo Damele
3a8309c4b0
Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches
2011-05-10 15:34:54 +00:00
Bernardo Damele
7df954dd9f
paranoy
2011-04-21 23:41:25 +00:00
Miroslav Stampar
0764c4c752
parenthesis were missing; banning OR NOT from payloads
2011-04-21 23:32:53 +00:00
Bernardo Damele
1d61611145
leftover
2011-04-21 22:46:43 +00:00
Bernardo Damele
870f773d70
In some old versions of MySQL (perhaps others DBMS too) the NOT clause is not supported, hence we need also OR tests without NOT - tested and works like this
2011-04-21 20:36:50 +00:00
Miroslav Stampar
75f286cf6d
minor update conformant to http://dev.mysql.com/doc/refman/4.1/en/comments.html
2011-04-10 23:41:00 +00:00
Miroslav Stampar
3177c6023d
lol. re-revert
2011-04-10 23:30:56 +00:00
Bernardo Damele
9ea4010508
Leave it as is :)
2011-04-10 23:20:35 +00:00
Miroslav Stampar
3e680978a9
revert of that last commit (waiting for some better days)
2011-04-10 23:18:38 +00:00
Miroslav Stampar
f532478a34
update of MySQL comments
2011-04-10 23:08:18 +00:00
Bernardo Damele
af096b2c83
Leave it as is!!!
2011-04-10 21:47:23 +00:00
Bernardo Damele
02eeeccd33
Added UNION query SQL injection tests also with a random number for columns (not only NULL)
2011-04-07 13:39:36 +00:00
Miroslav Stampar
b7813f9e68
incrementing level for MySQL stacked payloads
2011-03-29 07:31:56 +00:00
Miroslav Stampar
b5c9ccb755
Oracle XML based error payload has problems with char $ as with space
2011-03-21 13:13:12 +00:00
Miroslav Stampar
eedd6a990d
removing space after , for our payloads
2011-03-08 14:29:22 +00:00
Miroslav Stampar
ff9080de48
MaxDB always precalculates values for both TRUE and FALSE, hence we can't trick him to run any "faulty" command (e.g. 1/0). This payload is fairly ok because in case of FALSE --> something=NULL is always NULL
2011-02-21 20:59:34 +00:00
Miroslav Stampar
08697e60a9
added some Microsoft Access payloads
2011-02-21 20:04:50 +00:00
Miroslav Stampar
5fb11fd173
update regarding multiple DBMS payloads
2011-02-13 21:20:21 +00:00
Bernardo Damele
7dcfcca87f
Tests' titles adjustments
2011-02-06 23:17:39 +00:00
Miroslav Stampar
5ecb75cc56
minor update
2011-02-06 15:14:07 +00:00
Miroslav Stampar
f754953c4f
reverting this one. spotted a major bug. dbms is not properly enforced at this moment, don't know why. if it was this would be properly encoded.
2011-02-06 12:33:58 +00:00
Miroslav Stampar
97f9c9d119
bug fix (playing with wavsep i've realized that we are sending in this payload quoted 'string' (causing problems), while MD5 also accepts integer values
2011-02-06 12:24:50 +00:00
Bernardo Damele
27601babb4
Minor adjustments to levels of boundaries
2011-02-04 11:57:47 +00:00
Miroslav Stampar
76ab14f20f
revert of r3203
2011-02-04 09:30:20 +00:00
Miroslav Stampar
78d696fd4f
i believe that this one should be the first level 1 boundary
2011-02-03 21:27:03 +00:00
Miroslav Stampar
64f18724ad
new default UNION test(s) ranges
2011-02-03 16:26:35 +00:00
Miroslav Stampar
5aa958a146
ASCII & CHR is quite common, so removing this one
2011-01-24 22:51:15 +00:00
Miroslav Stampar
a1619f84b6
changing level of last payload
2011-01-24 22:31:26 +00:00
Miroslav Stampar
8155f95b82
new payload - PostgreSQL boolean-based blind - Parameter replace (based on CHR(0) - "SQL error: ERROR: null character not permitted")
2011-01-24 22:28:54 +00:00
Miroslav Stampar
9f76468005
another premiere, yeeej. IDSes, watch yourself :)
2011-01-24 21:30:46 +00:00
Miroslav Stampar
2fb0c946d2
minor update
2011-01-24 21:21:47 +00:00
Miroslav Stampar
15645f50d4
world premiere :)
2011-01-24 21:21:11 +00:00
Bernardo Damele
b0dc6c24eb
Moved
2011-01-24 17:04:49 +00:00
Miroslav Stampar
c188996627
patch for possible query optimization (avoid precalculation of 1/0)
2011-01-24 16:21:27 +00:00
Bernardo Damele
47fa600c04
Minor fix and cosmetics
2011-01-24 11:12:33 +00:00
Miroslav Stampar
7bf05bf2cb
minor update
2011-01-22 00:12:03 +00:00
Miroslav Stampar
d6d8d54eda
implemented Johannes Dahse / Reiners' technique
2011-01-22 00:06:27 +00:00
Miroslav Stampar
0743202879
minor update
2011-01-21 23:54:25 +00:00
Miroslav Stampar
cb0e7080c5
more appropriate name (on http://websec.wordpress.com/ they use term "conditional" for something very similar, although not stacked)
2011-01-21 23:47:45 +00:00
Miroslav Stampar
7c4c79477d
world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql)
2011-01-21 18:32:10 +00:00
Bernardo Damele
7ce49bcf0d
Sorted boundaries so that the ones with parenthesis are tested first - it has to be like this!
...
Adjusted comments accordingly to new UNION-specific tags.
2011-01-20 21:42:55 +00:00
Miroslav Stampar
a1d77737f5
minor grammar update (this should be a better form)
2011-01-20 18:35:21 +00:00
Bernardo Damele
81be23976e
Confirmed HAVING payloads work as WHERE ones.
...
Changed <risk> value of all 'heavy query' tests to 2 as it can potentially lead to a DoS.
Proper handling of title for UNION tests when --union-char is provided.
2011-01-18 22:55:20 +00:00
Miroslav Stampar
f7d9b22510
because other major DBMSes have at least one level 1 time based payload
2011-01-18 20:32:49 +00:00
Miroslav Stampar
bdcb10cdab
added MSSQL time based vector
2011-01-18 02:05:18 +00:00
Bernardo Damele
c2a358561f
Proper support for --union-cols
2011-01-17 22:57:33 +00:00
Miroslav Stampar
fb166e9445
adding USER_LOCK stacked query support for ORACLE (older versions)
2011-01-16 10:31:16 +00:00
Miroslav Stampar
f31c028232
Oracle stacked vector based on DBMS_LOCK.SLEEP ( https://foro.undersecurity.net/read.php?46,1436 )
2011-01-16 10:07:56 +00:00
Bernardo Damele
1b3717c79c
Improvement to make time-based blind to work also against login forms
2011-01-12 16:20:29 +00:00
Bernardo Damele
d7a7993e0d
Minor comment fix
2011-01-12 11:57:36 +00:00
Bernardo Damele
2f5995a7eb
Added generic and mysql UNION tests from 1 to 25 columns.
...
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00