Miroslav Stampar
ff1a44c335
probably a fix for that SQLite bug reported by Ahmed Shawky
2011-01-20 20:30:18 +00:00
Miroslav Stampar
a1d77737f5
minor grammar update (this should be a better form)
2011-01-20 18:35:21 +00:00
Bernardo Damele
81be23976e
Confirmed HAVING payloads work as WHERE ones.
...
Changed <risk> value of all 'heavy query' tests to 2 as it can potentially lead to a DoS.
Proper handling of title for UNION tests when --union-char is provided.
2011-01-18 22:55:20 +00:00
Miroslav Stampar
f7d9b22510
because other major DBMSes have at least one level 1 time based payload
2011-01-18 20:32:49 +00:00
Miroslav Stampar
bdcb10cdab
added MSSQL time based vector
2011-01-18 02:05:18 +00:00
Bernardo Damele
c2a358561f
Proper support for --union-cols
2011-01-17 22:57:33 +00:00
Miroslav Stampar
fb166e9445
adding USER_LOCK stacked query support for ORACLE (older versions)
2011-01-16 10:31:16 +00:00
Miroslav Stampar
f31c028232
Oracle stacked vector based on DBMS_LOCK.SLEEP ( https://foro.undersecurity.net/read.php?46,1436 )
2011-01-16 10:07:56 +00:00
Bernardo Damele
1b3717c79c
Improvement to make time-based blind to work also against login forms
2011-01-12 16:20:29 +00:00
Bernardo Damele
d7a7993e0d
Minor comment fix
2011-01-12 11:57:36 +00:00
Bernardo Damele
2f5995a7eb
Added generic and mysql UNION tests from 1 to 25 columns.
...
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00
Bernardo Damele
300128042c
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
...
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Bernardo Damele
1c86ec374e
Code refactoring and cosmetics
2011-01-07 15:41:09 +00:00
Miroslav Stampar
2efe7928c0
more concise than previously
2011-01-02 17:06:13 +00:00
Miroslav Stampar
a56934e68b
one more MSSQL/ASPX error banner regex
2011-01-02 15:36:57 +00:00
Miroslav Stampar
e6f0c4d857
minor update
2011-01-02 15:32:35 +00:00
Miroslav Stampar
c1d0dde769
added support for .NET banners ( http://msdn.microsoft.com/en-us/library/system.data.sqlclient.aspx )
2011-01-02 14:46:31 +00:00
Miroslav Stampar
93cb75ff65
added Nginx
2011-01-02 08:50:27 +00:00
Miroslav Stampar
ded9798e3d
minor bug fix
2011-01-01 23:07:50 +00:00
Miroslav Stampar
c3065f6ecc
minor fix
2010-12-29 20:38:56 +00:00
Miroslav Stampar
96c3ffd3d7
changing risk level to 0 - lots of MySQL databases around have information_schema unreadable, thus disabling first AND based error payload
2010-12-27 19:02:13 +00:00
Miroslav Stampar
2c8115eed9
further improvement for ms access table dumping
2010-12-26 01:04:30 +00:00
Miroslav Stampar
fb099615e2
minor update
2010-12-25 11:16:35 +00:00
Miroslav Stampar
272476773f
getPageTextWordsSet on tableExists is pretty powerful stuff
2010-12-25 09:37:33 +00:00
Miroslav Stampar
706d8e0b88
development update (basic ms access dumping implemented)
2010-12-24 19:53:11 +00:00
Miroslav Stampar
edcf1a0872
few bug fixes
2010-12-24 18:40:48 +00:00
Miroslav Stampar
3043ed095a
bug fix (those two regexes where too generic making false MS ACCESS positives here and there)
2010-12-24 00:11:10 +00:00
Miroslav Stampar
5a0aef0f33
fix for a case: Microsoft OLE DB Provider for ODBC Drivers error '80040e14' [MySQL][ODBC 3.51 Driver][mysqld-5.1.31-community] - it was wrongly error message recognized as MS SQL Server
2010-12-23 09:53:13 +00:00
Miroslav Stampar
8fc60215ed
lol. this was a pesky bug. heuristic wasn't working on one mssql test site and i couldn't find why. at end the problem was that when the HTTP code was raised (like 500) no parseResponse was called.
2010-12-22 19:12:46 +00:00
Bernardo Damele
c9ab8ae60e
Bug fix to properly identify if current user is DBA (--is-dba) on MySQL
2010-12-22 14:06:01 +00:00
Bernardo Damele
e791f8f2b7
Minor fix
2010-12-20 10:33:24 +00:00
Miroslav Stampar
bfdc4fa000
new error vector for MS SQL (from David Guimaraes' mail)
2010-12-17 19:00:20 +00:00
Miroslav Stampar
3ee44584d4
i've found a way! thank you hesus! fyea (ASC(MID) was just crashing when MID returned 'empty string')
2010-12-14 12:57:59 +00:00
Bernardo Damele
207f63cebc
Prepare for UNION query tests at detection phase
2010-12-13 21:31:34 +00:00
Miroslav Stampar
33639578ee
minor update for MS Access
2010-12-12 15:25:19 +00:00
Miroslav Stampar
b1babeefe5
update regarding dumping of tables with blind on Sqlite
2010-12-11 22:00:16 +00:00
Miroslav Stampar
acc7d6d40c
fix
2010-12-11 11:03:32 +00:00
Miroslav Stampar
ac9080c07b
update
2010-12-11 08:24:29 +00:00
Miroslav Stampar
fe2039f5ba
coollyy little commits
2010-12-10 11:32:46 +00:00
Miroslav Stampar
7e2984b4b6
added stacked query support for Oracle
2010-12-09 15:24:48 +00:00
Bernardo Damele
4bb40c0a06
Higher the level for Oracle stacked tests just in case the SQL inj is within a PL/SQL function ('cause of no support for stacked queries by design on Oracle)
2010-12-09 15:14:18 +00:00
Miroslav Stampar
d8edc5b244
adding stacked-query vector for Firebird
2010-12-09 15:11:21 +00:00
Bernardo Damele
13b522efc2
Added error-based support for MySQL < 5.0 - closes #14
2010-12-09 15:09:03 +00:00
Miroslav Stampar
5aafd19957
added vector for SQLite's stacked query payload
2010-12-09 15:06:40 +00:00
Miroslav Stampar
71761ba9a5
another fix for another beautiful heavy query payload which took a few 100 megs and 5 mins to run
2010-12-09 10:35:18 +00:00
Miroslav Stampar
094baadc5b
bug fix (in SELECT based heavy queries COUNT(*) should be used; otherwise multiple row error happens without proper delay)
2010-12-09 10:17:04 +00:00
Bernardo Damele
3b293c4ea7
Added possible stacked queries time-based blind vector for MSSQL
2010-12-08 23:55:42 +00:00
Bernardo Damele
f5ce739bdf
Added support for time-based blind SQL injection via stacked queries too. Need to add vectors for some DBMS yet.
2010-12-08 23:52:31 +00:00
Miroslav Stampar
69c4f94980
update
2010-12-08 15:40:01 +00:00
Miroslav Stampar
ad00fe13c1
another fix for MySQL time based payloads
2010-12-08 12:00:27 +00:00
Miroslav Stampar
8227e6d3cf
bug fix for BENCHMARK time-based vectors
2010-12-08 11:49:55 +00:00
Bernardo Damele
8ff7c9a5a1
Works on Oracle's GROUP BY too
2010-12-07 17:17:01 +00:00
Miroslav Stampar
4f01d4c109
number crunching based time payloads are now affected by conf.timeSec
2010-12-07 13:24:18 +00:00
Miroslav Stampar
d0936bc8ed
adding vectors for SQLite time-based payloads
2010-12-07 13:14:56 +00:00
Bernardo Damele
54b8cb76a1
Messed up with my last merge, all fixed now
2010-12-07 12:59:53 +00:00
Miroslav Stampar
b38a634d95
bug fix
2010-12-07 12:55:31 +00:00
Bernardo Damele
7c32db6e9d
Forgot when merged with my last commit
2010-12-07 12:52:09 +00:00
Bernardo Damele
acac0d346f
Minor bug fixes and adjustments
2010-12-07 12:45:45 +00:00
Miroslav Stampar
2b2b7dc3a6
added vectors for time-based Firebird payloads
2010-12-07 12:20:48 +00:00
Miroslav Stampar
36a7fca8d5
added time-based payload vector for MSSQL
2010-12-07 12:06:25 +00:00
Miroslav Stampar
485981c619
added vectors for PostgresSQL time-based payloads
2010-12-07 11:57:33 +00:00
Miroslav Stampar
f9085e01e7
added vectors for Oracle time-based payloads
2010-12-07 11:47:29 +00:00
Miroslav Stampar
3d87489de5
minor update
2010-12-07 08:05:03 +00:00
Miroslav Stampar
90b776c1a2
update
2010-12-07 00:58:54 +00:00
Miroslav Stampar
0da1ebde7d
introducing PostgreSQL time based blind
2010-12-07 00:51:14 +00:00
Miroslav Stampar
1ba98dc9ec
found a fix for a OR time-based MySQL payload :)
2010-12-07 00:31:46 +00:00
Miroslav Stampar
61f82fd274
introducing [DELAYED] for heavy query time based payloads when response time is non-deterministic
2010-12-07 00:27:26 +00:00
Bernardo Damele
32f1909131
Some more "advanced" boundaries
2010-12-06 23:15:41 +00:00
Miroslav Stampar
84a038d0a3
added one more subtag
2010-12-06 23:10:38 +00:00
Miroslav Stampar
1031723c89
added one more time based blind for Oracle
2010-12-06 23:05:53 +00:00
Miroslav Stampar
7697d19292
space replace is not needed in other two Oracle error based payloads; removing incorrect dbms_version for ctxsys.drithsx.sn as it also works on 10g
2010-12-06 22:52:18 +00:00
Miroslav Stampar
2735848ab6
removed ERROR_SPACE
2010-12-06 22:40:07 +00:00
Miroslav Stampar
f516c18a2a
minor update
2010-12-06 21:39:57 +00:00
Miroslav Stampar
0c5c2aa807
adding one more error based payload for Oracle
2010-12-06 21:20:26 +00:00
Miroslav Stampar
956a155377
adding one more error based payload for Oracle
2010-12-06 20:43:23 +00:00
Miroslav Stampar
ff43a4a955
minor update to preserve consistency of payload naming
2010-12-06 20:28:26 +00:00
Miroslav Stampar
c0e05d6869
update
2010-12-06 19:11:05 +00:00
Miroslav Stampar
e4b51dd549
proper way of handling OR based injections (completely compatible with current AND based inference engine)
2010-12-06 17:23:21 +00:00
Bernardo Damele
a1e89d3e94
Minor tweak
2010-12-05 13:12:12 +00:00
Bernardo Damele
bf425d90bc
More tweaking
2010-12-05 12:23:18 +00:00
Bernardo Damele
41e1b95c6c
Minor code refactoring and finally make exploitation work also on OR boolean-based injections
2010-12-05 11:25:44 +00:00
Bernardo Damele
191ba3118f
Cosmetics
2010-12-05 11:08:52 +00:00
Bernardo Damele
1b17bac494
Sorted out
2010-12-05 11:06:37 +00:00
Bernardo Damele
8066610217
Minor improvements to OR based injections
2010-12-05 10:55:19 +00:00
Bernardo Damele
2612615978
Major improvements
2010-12-04 16:40:08 +00:00
Miroslav Stampar
9e5f933ace
some updates
2010-12-04 15:47:02 +00:00
Bernardo Damele
95a3f4b52f
Rudimental OR boolean-based tests for login forms
2010-12-03 22:58:35 +00:00
Bernardo Damele
9d55c4da87
Done with support for injection in ORDER BY and GROUP BY (hopefully)
2010-12-03 16:12:47 +00:00
Bernardo Damele
072835e04b
Removed for time being
2010-12-03 14:48:31 +00:00
Bernardo Damele
11058667e4
Better naming
2010-12-03 14:45:13 +00:00
Miroslav Stampar
73dfb69308
minor update for OR based time injection (Firebird)
2010-12-03 12:15:41 +00:00
Bernardo Damele
4dec049c22
Major bug fix for test on ORDER BY and GROUP BY clauses.
...
Minor bug fix to skip following tests if they do not match any of the clause previously identified (injection.clause value).
2010-12-03 12:00:03 +00:00
Miroslav Stampar
23a86ed612
minor bug fix related to Firebird time based test vectors
2010-12-03 11:05:16 +00:00
Bernardo Damele
0069a21a0d
Added also OR error-based checks, tweaked some TODOs and added some new boundaries for login forms (yet to test)
2010-12-03 10:52:24 +00:00
Miroslav Stampar
bf09b8a6d9
added Firebird error based (WHERE) attack vector
2010-12-02 15:09:21 +00:00
Bernardo Damele
df4cb1a601
On the way to get full support for injection on ORDER BY and GROUP BY clauses
2010-12-01 23:30:38 +00:00
Bernardo Damele
089c16a1b8
Added tag <epayload> to the payloads.xml's <test> tag to define which payload to use when exploiting the test type.
...
Removed some useless tests.
Moved <error> from queries.xml to payloads.xml as it makes more sense.
Beeps at sql inj found only if --beep is provided.
Minor fix in order to be able to pickle advancedDict() objects.
Minor code refactoring.
Removed useless folders.
2010-12-01 17:09:52 +00:00
Bernardo Damele
2708aad504
Unified start and stop delimiters accross errror-based (detection engine) and union query (--union-test) tests.
2010-12-01 10:31:50 +00:00
Bernardo Damele
c8f943f5e4
Now, if the back-end dbms type has been identified by the detection engine, skips the fingerprint phase.
...
Major code refactoring and commenting to detection engine.
Ask user whether or not to proceed to test remaining parameters after an injection point has been identified.
Restore beep at SQL injection find.
Avoid reuse of same variable in DBMS handler code.
Minor adjustment of payloads XML file.
2010-11-30 22:40:25 +00:00
Bernardo Damele
6525e08d6b
Minor adjustment to detect the proper parameter type based upon --prefix and --suffix values
2010-11-29 12:13:42 +00:00