Miroslav Stampar
e27afef6be
minor update regarding --current-db on Oracle
2011-04-01 15:56:11 +00:00
Miroslav Stampar
60102209f6
quick fix for a bug reported by Kirill (AttributeError: 'NoneType' object has no attribute 'split')
2011-04-01 11:14:24 +00:00
Miroslav Stampar
b7813f9e68
incrementing level for MySQL stacked payloads
2011-03-29 07:31:56 +00:00
Miroslav Stampar
86f93713d3
fix for a bug reported by m4l1c3 (object of type 'NoneType' has no len()) and minor update
2011-03-29 06:25:17 +00:00
Miroslav Stampar
73e5d20ade
bulk commit for safe/unsafe identificator naming (done and tested for all 4 major DBMSes) and one bug fix for --search-column on MSSQL (inside queries)
2011-03-28 11:01:55 +00:00
Miroslav Stampar
5eb7787fc9
adding partial union cases to the live tests
2011-03-25 15:56:15 +00:00
Miroslav Stampar
670aa7f99b
update for live tests (added dumping of columns and table values)
2011-03-25 15:37:11 +00:00
Miroslav Stampar
e80c9e08d8
minor update regarding --live-test
2011-03-25 09:03:08 +00:00
Miroslav Stampar
82ab4c8dc2
minor fix (ORDER BY 1 screws things up in blind mode)
2011-03-24 14:19:32 +00:00
Miroslav Stampar
06a5c39efe
fix related to the bug reported by Alone Shell
2011-03-24 14:03:40 +00:00
Miroslav Stampar
cef2c0879d
adding live test cases for --technique=1 too
2011-03-24 12:19:40 +00:00
Miroslav Stampar
33c01726dd
adding basic live tests for MSSQL too
2011-03-24 12:01:53 +00:00
Miroslav Stampar
2b15ad57c2
basic live tests against 3 major DBMSes
2011-03-24 11:47:01 +00:00
Miroslav Stampar
b72cdfe9e6
fix for mssql regarding usage of schema names reported by jabra@spl0it.org
2011-03-23 10:40:34 +00:00
Miroslav Stampar
b5c9ccb755
Oracle XML based error payload has problems with char $ as with space
2011-03-21 13:13:12 +00:00
Miroslav Stampar
4889764114
minor update regarding last commit
2011-03-21 11:40:27 +00:00
Miroslav Stampar
5291fe35c9
proper implementation of --dbs on Oracle (we are using now schema names as a counterpart to dbs in other DBMSes)
2011-03-21 11:29:43 +00:00
Miroslav Stampar
0535225fe7
throwing out obsolete ORDER BY 1 from inband queries
2011-03-16 14:18:12 +00:00
Miroslav Stampar
eedd6a990d
removing space after , for our payloads
2011-03-08 14:29:22 +00:00
Miroslav Stampar
3dc31f6273
removing spaces after , in our queries
2011-03-08 14:07:26 +00:00
Miroslav Stampar
ff9080de48
MaxDB always precalculates values for both TRUE and FALSE, hence we can't trick him to run any "faulty" command (e.g. 1/0). This payload is fairly ok because in case of FALSE --> something=NULL is always NULL
2011-02-21 20:59:34 +00:00
Miroslav Stampar
08697e60a9
added some Microsoft Access payloads
2011-02-21 20:04:50 +00:00
Bernardo Damele
3e8c204121
Major bug fix to properly prepare UNION technique statement for --os-pwn and --is-dba
2011-02-21 16:00:56 +00:00
Miroslav Stampar
68a95fd1b1
minor update
2011-02-20 22:45:23 +00:00
Miroslav Stampar
aac817935a
further improvement of MaxDB support
2011-02-20 22:41:42 +00:00
Miroslav Stampar
a3ba8b6928
--dump now works on MaxDB too
2011-02-20 22:07:12 +00:00
Miroslav Stampar
59e666d16e
--is-dba (related) update for Sybase
2011-02-20 17:28:06 +00:00
Miroslav Stampar
67ec691eb1
more updates regarding Sybase
2011-02-20 16:28:48 +00:00
Miroslav Stampar
823e4351b5
minor change
2011-02-20 12:34:09 +00:00
Miroslav Stampar
f30dea74f3
more Sybase updates
2011-02-19 18:36:26 +00:00
Miroslav Stampar
b71bb321dd
some more Sybase updates
2011-02-19 18:04:27 +00:00
Miroslav Stampar
e0efe453ab
minor update regarding Sybase support
2011-02-19 14:07:08 +00:00
Miroslav Stampar
5f4ffc9287
update regarding Sybase dumping
2011-02-19 00:36:47 +00:00
Miroslav Stampar
5fb11fd173
update regarding multiple DBMS payloads
2011-02-13 21:20:21 +00:00
Bernardo Damele
394ccb5cc5
Added query for MSSQL/--privileges
2011-02-10 15:52:55 +00:00
Miroslav Stampar
5050a76b59
update regarding reading of table names from access system tables
2011-02-09 10:33:29 +00:00
Miroslav Stampar
1a5a66870e
problem fixed
2011-02-07 11:57:41 +00:00
Bernardo Damele
7dcfcca87f
Tests' titles adjustments
2011-02-06 23:17:39 +00:00
Miroslav Stampar
5ecb75cc56
minor update
2011-02-06 15:14:07 +00:00
Miroslav Stampar
f754953c4f
reverting this one. spotted a major bug. dbms is not properly enforced at this moment, don't know why. if it was this would be properly encoded.
2011-02-06 12:33:58 +00:00
Miroslav Stampar
97f9c9d119
bug fix (playing with wavsep i've realized that we are sending in this payload quoted 'string' (causing problems), while MD5 also accepts integer values
2011-02-06 12:24:50 +00:00
Bernardo Damele
27601babb4
Minor adjustments to levels of boundaries
2011-02-04 11:57:47 +00:00
Miroslav Stampar
76ab14f20f
revert of r3203
2011-02-04 09:30:20 +00:00
Miroslav Stampar
78d696fd4f
i believe that this one should be the first level 1 boundary
2011-02-03 21:27:03 +00:00
Miroslav Stampar
64f18724ad
new default UNION test(s) ranges
2011-02-03 16:26:35 +00:00
Miroslav Stampar
4bb7ffcb3a
minor update
2011-02-03 13:18:43 +00:00
Bernardo Damele
8397c526d8
Minor adjustment
2011-01-31 21:20:23 +00:00
Miroslav Stampar
f9eac97fe8
refactoring of MSSQL XML banner parsing
2011-01-31 11:38:00 +00:00
Miroslav Stampar
14de5809ea
update
2011-01-31 11:08:58 +00:00
Miroslav Stampar
5aa958a146
ASCII & CHR is quite common, so removing this one
2011-01-24 22:51:15 +00:00
Miroslav Stampar
a1619f84b6
changing level of last payload
2011-01-24 22:31:26 +00:00
Miroslav Stampar
8155f95b82
new payload - PostgreSQL boolean-based blind - Parameter replace (based on CHR(0) - "SQL error: ERROR: null character not permitted")
2011-01-24 22:28:54 +00:00
Miroslav Stampar
9f76468005
another premiere, yeeej. IDSes, watch yourself :)
2011-01-24 21:30:46 +00:00
Miroslav Stampar
2fb0c946d2
minor update
2011-01-24 21:21:47 +00:00
Miroslav Stampar
15645f50d4
world premiere :)
2011-01-24 21:21:11 +00:00
Miroslav Stampar
440264341c
minor update
2011-01-24 17:43:25 +00:00
Miroslav Stampar
0eea5665b2
minor update
2011-01-24 17:41:36 +00:00
Bernardo Damele
b0dc6c24eb
Moved
2011-01-24 17:04:49 +00:00
Miroslav Stampar
c188996627
patch for possible query optimization (avoid precalculation of 1/0)
2011-01-24 16:21:27 +00:00
Bernardo Damele
47fa600c04
Minor fix and cosmetics
2011-01-24 11:12:33 +00:00
Miroslav Stampar
db76bcb327
fix for cases when mixing ingres dbms with spanish word "ingresa"
2011-01-23 11:19:10 +00:00
Miroslav Stampar
7bf05bf2cb
minor update
2011-01-22 00:12:03 +00:00
Miroslav Stampar
d6d8d54eda
implemented Johannes Dahse / Reiners' technique
2011-01-22 00:06:27 +00:00
Miroslav Stampar
0743202879
minor update
2011-01-21 23:54:25 +00:00
Miroslav Stampar
cb0e7080c5
more appropriate name (on http://websec.wordpress.com/ they use term "conditional" for something very similar, although not stacked)
2011-01-21 23:47:45 +00:00
Miroslav Stampar
7c4c79477d
world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql)
2011-01-21 18:32:10 +00:00
Miroslav Stampar
79e4b1efd5
added new signature for SQLite error messages
2011-01-20 22:47:03 +00:00
Bernardo Damele
6c490bfc8f
Avoid a traceback elsewhere
2011-01-20 21:43:41 +00:00
Bernardo Damele
7ce49bcf0d
Sorted boundaries so that the ones with parenthesis are tested first - it has to be like this!
...
Adjusted comments accordingly to new UNION-specific tags.
2011-01-20 21:42:55 +00:00
Miroslav Stampar
f6d79f58bc
another fix (LIMIT is not a good idea to have in inband queries)
2011-01-20 21:13:28 +00:00
Miroslav Stampar
ff1a44c335
probably a fix for that SQLite bug reported by Ahmed Shawky
2011-01-20 20:30:18 +00:00
Miroslav Stampar
a1d77737f5
minor grammar update (this should be a better form)
2011-01-20 18:35:21 +00:00
Bernardo Damele
81be23976e
Confirmed HAVING payloads work as WHERE ones.
...
Changed <risk> value of all 'heavy query' tests to 2 as it can potentially lead to a DoS.
Proper handling of title for UNION tests when --union-char is provided.
2011-01-18 22:55:20 +00:00
Miroslav Stampar
f7d9b22510
because other major DBMSes have at least one level 1 time based payload
2011-01-18 20:32:49 +00:00
Miroslav Stampar
bdcb10cdab
added MSSQL time based vector
2011-01-18 02:05:18 +00:00
Bernardo Damele
c2a358561f
Proper support for --union-cols
2011-01-17 22:57:33 +00:00
Miroslav Stampar
fb166e9445
adding USER_LOCK stacked query support for ORACLE (older versions)
2011-01-16 10:31:16 +00:00
Miroslav Stampar
f31c028232
Oracle stacked vector based on DBMS_LOCK.SLEEP ( https://foro.undersecurity.net/read.php?46,1436 )
2011-01-16 10:07:56 +00:00
Bernardo Damele
1b3717c79c
Improvement to make time-based blind to work also against login forms
2011-01-12 16:20:29 +00:00
Bernardo Damele
d7a7993e0d
Minor comment fix
2011-01-12 11:57:36 +00:00
Bernardo Damele
2f5995a7eb
Added generic and mysql UNION tests from 1 to 25 columns.
...
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00
Bernardo Damele
300128042c
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
...
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Bernardo Damele
1c86ec374e
Code refactoring and cosmetics
2011-01-07 15:41:09 +00:00
Miroslav Stampar
2efe7928c0
more concise than previously
2011-01-02 17:06:13 +00:00
Miroslav Stampar
a56934e68b
one more MSSQL/ASPX error banner regex
2011-01-02 15:36:57 +00:00
Miroslav Stampar
e6f0c4d857
minor update
2011-01-02 15:32:35 +00:00
Miroslav Stampar
c1d0dde769
added support for .NET banners ( http://msdn.microsoft.com/en-us/library/system.data.sqlclient.aspx )
2011-01-02 14:46:31 +00:00
Miroslav Stampar
93cb75ff65
added Nginx
2011-01-02 08:50:27 +00:00
Miroslav Stampar
ded9798e3d
minor bug fix
2011-01-01 23:07:50 +00:00
Miroslav Stampar
c3065f6ecc
minor fix
2010-12-29 20:38:56 +00:00
Miroslav Stampar
96c3ffd3d7
changing risk level to 0 - lots of MySQL databases around have information_schema unreadable, thus disabling first AND based error payload
2010-12-27 19:02:13 +00:00
Miroslav Stampar
2c8115eed9
further improvement for ms access table dumping
2010-12-26 01:04:30 +00:00
Miroslav Stampar
fb099615e2
minor update
2010-12-25 11:16:35 +00:00
Miroslav Stampar
272476773f
getPageTextWordsSet on tableExists is pretty powerful stuff
2010-12-25 09:37:33 +00:00
Miroslav Stampar
706d8e0b88
development update (basic ms access dumping implemented)
2010-12-24 19:53:11 +00:00
Miroslav Stampar
edcf1a0872
few bug fixes
2010-12-24 18:40:48 +00:00
Miroslav Stampar
3043ed095a
bug fix (those two regexes where too generic making false MS ACCESS positives here and there)
2010-12-24 00:11:10 +00:00
Miroslav Stampar
5a0aef0f33
fix for a case: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [MySQL][ODBC 3.51 Driver][mysqld-5.1.31-community] - it was wrongly error message recognized as MS SQL Server
2010-12-23 09:53:13 +00:00
Miroslav Stampar
8fc60215ed
lol. this was a pesky bug. heuristic wasn't working on one mssql test site and i couldn't find why. at end the problem was that when the HTTP code was raised (like 500) no parseResponse was called.
2010-12-22 19:12:46 +00:00
Bernardo Damele
c9ab8ae60e
Bug fix to properly identify if current user is DBA (--is-dba) on MySQL
2010-12-22 14:06:01 +00:00
Bernardo Damele
e791f8f2b7
Minor fix
2010-12-20 10:33:24 +00:00
Miroslav Stampar
bfdc4fa000
new error vector for MS SQL (from David Guimaraes' mail)
2010-12-17 19:00:20 +00:00
Miroslav Stampar
3ee44584d4
i've found a way! thank you hesus! fyea (ASC(MID) was just crashing when MID returned 'empty string')
2010-12-14 12:57:59 +00:00
Bernardo Damele
207f63cebc
Prepare for UNION query tests at detection phase
2010-12-13 21:31:34 +00:00
Miroslav Stampar
33639578ee
minor update for MS Access
2010-12-12 15:25:19 +00:00
Miroslav Stampar
b1babeefe5
update regarding dumping of tables with blind on Sqlite
2010-12-11 22:00:16 +00:00
Miroslav Stampar
acc7d6d40c
fix
2010-12-11 11:03:32 +00:00
Miroslav Stampar
ac9080c07b
update
2010-12-11 08:24:29 +00:00
Miroslav Stampar
fe2039f5ba
coollyy little commits
2010-12-10 11:32:46 +00:00
Miroslav Stampar
7e2984b4b6
added stacked query support for Oracle
2010-12-09 15:24:48 +00:00
Bernardo Damele
4bb40c0a06
Higher the level for Oracle stacked tests just in case the SQL inj is within a PL/SQL function ('cause of no support for stacked queries by design on Oracle)
2010-12-09 15:14:18 +00:00
Miroslav Stampar
d8edc5b244
adding stacked-query vector for Firebird
2010-12-09 15:11:21 +00:00
Bernardo Damele
13b522efc2
Added error-based support for MySQL < 5.0 - closes #14
2010-12-09 15:09:03 +00:00
Miroslav Stampar
5aafd19957
added vector for SQLite's stacked query payload
2010-12-09 15:06:40 +00:00
Miroslav Stampar
71761ba9a5
another fix for another beautiful heavy query payload which took a few 100 megs and 5 mins to run
2010-12-09 10:35:18 +00:00
Miroslav Stampar
094baadc5b
bug fix (in SELECT based heavy queries COUNT(*) should be used; otherwise multiple row error happens without proper delay)
2010-12-09 10:17:04 +00:00
Bernardo Damele
3b293c4ea7
Added possible stacked queries time-based blind vector for MSSQL
2010-12-08 23:55:42 +00:00
Bernardo Damele
f5ce739bdf
Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet.
2010-12-08 23:52:31 +00:00
Miroslav Stampar
69c4f94980
update
2010-12-08 15:40:01 +00:00
Miroslav Stampar
ad00fe13c1
another fix for MySQL time based payloads
2010-12-08 12:00:27 +00:00
Miroslav Stampar
8227e6d3cf
bug fix for BENCHMARK time-based vectors
2010-12-08 11:49:55 +00:00
Bernardo Damele
8ff7c9a5a1
Works on Oracle's GROUP BY too
2010-12-07 17:17:01 +00:00
Miroslav Stampar
4f01d4c109
number crunching based time payloads are now affected by conf.timeSec
2010-12-07 13:24:18 +00:00
Miroslav Stampar
d0936bc8ed
adding vectors for SQLite time-based payloads
2010-12-07 13:14:56 +00:00
Bernardo Damele
54b8cb76a1
Messed up with my last merge, all fixed now
2010-12-07 12:59:53 +00:00
Miroslav Stampar
b38a634d95
bug fix
2010-12-07 12:55:31 +00:00
Bernardo Damele
7c32db6e9d
Forgot when merged with my last commit
2010-12-07 12:52:09 +00:00
Bernardo Damele
acac0d346f
Minor bug fixes and adjustments
2010-12-07 12:45:45 +00:00
Miroslav Stampar
2b2b7dc3a6
added vectors for time-based Firebird payloads
2010-12-07 12:20:48 +00:00
Miroslav Stampar
36a7fca8d5
added time-based payload vector for MSSQL
2010-12-07 12:06:25 +00:00
Miroslav Stampar
485981c619
added vectors for PostgresSQL time-based payloads
2010-12-07 11:57:33 +00:00
Miroslav Stampar
f9085e01e7
added vectors for Oracle time-based payloads
2010-12-07 11:47:29 +00:00
Miroslav Stampar
3d87489de5
minor update
2010-12-07 08:05:03 +00:00
Miroslav Stampar
90b776c1a2
update
2010-12-07 00:58:54 +00:00
Miroslav Stampar
0da1ebde7d
introducing PostgreSQL time based blind
2010-12-07 00:51:14 +00:00
Miroslav Stampar
1ba98dc9ec
found a fix for a OR time-based MySQL payload :)
2010-12-07 00:31:46 +00:00
Miroslav Stampar
61f82fd274
introducing [DELAYED] for heavy query time based payloads when response time is non-deterministic
2010-12-07 00:27:26 +00:00
Bernardo Damele
32f1909131
Some more "advanced" boundaries
2010-12-06 23:15:41 +00:00
Miroslav Stampar
84a038d0a3
added one more subtag
2010-12-06 23:10:38 +00:00
Miroslav Stampar
1031723c89
added one more time based blind for Oracle
2010-12-06 23:05:53 +00:00
Miroslav Stampar
7697d19292
space replace is not needed in other two Oracle error based payloads; removing incorrect dbms_version for ctxsys.drithsx.sn as it also works on 10g
2010-12-06 22:52:18 +00:00
Miroslav Stampar
2735848ab6
removed ERROR_SPACE
2010-12-06 22:40:07 +00:00
Miroslav Stampar
f516c18a2a
minor update
2010-12-06 21:39:57 +00:00
Miroslav Stampar
0c5c2aa807
adding one more error based payload for Oracle
2010-12-06 21:20:26 +00:00
Miroslav Stampar
956a155377
adding one more error based payload for Oracle
2010-12-06 20:43:23 +00:00
Miroslav Stampar
ff43a4a955
minor update to preserve consistency of payload naming
2010-12-06 20:28:26 +00:00
Miroslav Stampar
c0e05d6869
update
2010-12-06 19:11:05 +00:00
Miroslav Stampar
e4b51dd549
proper way of handling OR based injections (completely compatible with current AND based inference engine)
2010-12-06 17:23:21 +00:00
Bernardo Damele
a1e89d3e94
Minor tweak
2010-12-05 13:12:12 +00:00
Bernardo Damele
bf425d90bc
More tweaking
2010-12-05 12:23:18 +00:00