Bernardo Damele
7df954dd9f
paranoy
2011-04-21 23:41:25 +00:00
Miroslav Stampar
0764c4c752
parenthesis were missing; banning OR NOT from payloads
2011-04-21 23:32:53 +00:00
Bernardo Damele
1d61611145
leftover
2011-04-21 22:46:43 +00:00
Bernardo Damele
870f773d70
In some old versions of MySQL (perhaps others DBMS too) the NOT clause is not supported, hence we need also OR tests without NOT - tested and works like this
2011-04-21 20:36:50 +00:00
Miroslav Stampar
05a0e1d3b0
fix for a bug reported by m4l1c3 (TypeError: not all arguments converted during string formatting)
2011-04-15 11:34:14 +00:00
Miroslav Stampar
136e85abf3
little refresh of PHPIDS rules for --check-payload
2011-04-11 15:37:49 +00:00
Miroslav Stampar
75f286cf6d
minor update conformant to http://dev.mysql.com/doc/refman/4.1/en/comments.html
2011-04-10 23:41:00 +00:00
Miroslav Stampar
3177c6023d
lol. re-revert
2011-04-10 23:30:56 +00:00
Bernardo Damele
9ea4010508
Leave it as is :)
2011-04-10 23:20:35 +00:00
Miroslav Stampar
3e680978a9
revert of that last commit (waiting for some better days)
2011-04-10 23:18:38 +00:00
Miroslav Stampar
f532478a34
update of MySQL comments
2011-04-10 23:08:18 +00:00
Bernardo Damele
af096b2c83
Leave it as is!!!
2011-04-10 21:47:23 +00:00
Miroslav Stampar
d0cef21d9c
fix
2011-04-10 21:19:34 +00:00
Miroslav Stampar
6fa2fd139c
implemented support for __pivotDumpTable on MSSQL as normal tables tend to not play well with normal TOP 1 ..NOT IN..ORDER BY mechanism if the argument for ORDER BY is not the unique one (returns only number of rows equal to the number of distinct values for that field)
2011-04-08 15:17:57 +00:00
Bernardo Damele
02eeeccd33
Added UNION query SQL injection tests also with a random number for columns (not only NULL)
2011-04-07 13:39:36 +00:00
Miroslav Stampar
ca009e9fe2
minor update
2011-04-07 10:43:19 +00:00
Miroslav Stampar
672abc27fd
minor adjustment of livetests for new flavor of --technique
2011-04-07 10:41:12 +00:00
Miroslav Stampar
e27afef6be
minor update regarding --current-db on Oracle
2011-04-01 15:56:11 +00:00
Miroslav Stampar
60102209f6
quick fix for a bug reported by Kirill (AttributeError: 'NoneType' object has no attribute 'split')
2011-04-01 11:14:24 +00:00
Miroslav Stampar
b7813f9e68
incrementing level for MySQL stacked payloads
2011-03-29 07:31:56 +00:00
Miroslav Stampar
86f93713d3
fix for a bug reported by m4l1c3 (object of type 'NoneType' has no len()) and minor update
2011-03-29 06:25:17 +00:00
Miroslav Stampar
73e5d20ade
bulk commit for safe/unsafe identificator naming (done and tested for all 4 major DBMSes) and one bug fix for --search-column on MSSQL (inside queries)
2011-03-28 11:01:55 +00:00
Miroslav Stampar
5eb7787fc9
adding partial union cases to the live tests
2011-03-25 15:56:15 +00:00
Miroslav Stampar
670aa7f99b
update for live tests (added dumping of columns and table values)
2011-03-25 15:37:11 +00:00
Miroslav Stampar
e80c9e08d8
minor update regarding --live-test
2011-03-25 09:03:08 +00:00
Miroslav Stampar
82ab4c8dc2
minor fix (ORDER BY 1 screws things up in blind mode)
2011-03-24 14:19:32 +00:00
Miroslav Stampar
06a5c39efe
fix related to the bug reported by Alone Shell
2011-03-24 14:03:40 +00:00
Miroslav Stampar
cef2c0879d
adding live test cases for --technique=1 too
2011-03-24 12:19:40 +00:00
Miroslav Stampar
33c01726dd
adding basic live tests for MSSQL too
2011-03-24 12:01:53 +00:00
Miroslav Stampar
2b15ad57c2
basic live tests against 3 major DBMSes
2011-03-24 11:47:01 +00:00
Miroslav Stampar
b72cdfe9e6
fix for mssql regarding usage of schema names reported by jabra@spl0it.org
2011-03-23 10:40:34 +00:00
Miroslav Stampar
b5c9ccb755
Oracle XML based error payload has problems with char $ as with space
2011-03-21 13:13:12 +00:00
Miroslav Stampar
4889764114
minor update regarding last commit
2011-03-21 11:40:27 +00:00
Miroslav Stampar
5291fe35c9
proper implementation of --dbs on Oracle (we are using now schema names as a counterpart to dbs in other DBMSes)
2011-03-21 11:29:43 +00:00
Miroslav Stampar
0535225fe7
throwing out obsolete ORDER BY 1 from inband queries
2011-03-16 14:18:12 +00:00
Miroslav Stampar
eedd6a990d
removing space after , for our payloads
2011-03-08 14:29:22 +00:00
Miroslav Stampar
3dc31f6273
removing spaces after , in our queries
2011-03-08 14:07:26 +00:00
Miroslav Stampar
ff9080de48
MaxDB always precalculates values for both TRUE and FALSE, hence we can't trick him to run any "faulty" command (e.g. 1/0). This payload is fairly ok because in case of FALSE --> something=NULL is always NULL
2011-02-21 20:59:34 +00:00
Miroslav Stampar
08697e60a9
added some Microsoft Access payloads
2011-02-21 20:04:50 +00:00
Bernardo Damele
3e8c204121
Major bug fix to properly prepare UNION technique statement for --os-pwn and --is-dba
2011-02-21 16:00:56 +00:00
Miroslav Stampar
68a95fd1b1
minor update
2011-02-20 22:45:23 +00:00
Miroslav Stampar
aac817935a
further improvement of MaxDB support
2011-02-20 22:41:42 +00:00
Miroslav Stampar
a3ba8b6928
--dump now works on MaxDB too
2011-02-20 22:07:12 +00:00
Miroslav Stampar
59e666d16e
--is-dba (related) update for Sybase
2011-02-20 17:28:06 +00:00
Miroslav Stampar
67ec691eb1
more updates regarding Sybase
2011-02-20 16:28:48 +00:00
Miroslav Stampar
823e4351b5
minor change
2011-02-20 12:34:09 +00:00
Miroslav Stampar
f30dea74f3
more Sybase updates
2011-02-19 18:36:26 +00:00
Miroslav Stampar
b71bb321dd
some more Sybase updates
2011-02-19 18:04:27 +00:00
Miroslav Stampar
e0efe453ab
minor update regarding Sybase support
2011-02-19 14:07:08 +00:00
Miroslav Stampar
5f4ffc9287
update regarding Sybase dumping
2011-02-19 00:36:47 +00:00
Miroslav Stampar
5fb11fd173
update regarding multiple DBMS payloads
2011-02-13 21:20:21 +00:00
Bernardo Damele
394ccb5cc5
Added query for MSSQL/--privileges
2011-02-10 15:52:55 +00:00
Miroslav Stampar
5050a76b59
update regarding reading of table names from access system tables
2011-02-09 10:33:29 +00:00
Miroslav Stampar
1a5a66870e
problem fixed
2011-02-07 11:57:41 +00:00
Bernardo Damele
7dcfcca87f
Tests' titles adjustments
2011-02-06 23:17:39 +00:00
Miroslav Stampar
5ecb75cc56
minor update
2011-02-06 15:14:07 +00:00
Miroslav Stampar
f754953c4f
reverting this one. spotted a major bug. dbms is not properly enforced at this moment, don't know why. if it was this would be properly encoded.
2011-02-06 12:33:58 +00:00
Miroslav Stampar
97f9c9d119
bug fix (playing with wavsep i've realized that we are sending in this payload quoted 'string' (causing problems), while MD5 also accepts integer values
2011-02-06 12:24:50 +00:00
Bernardo Damele
27601babb4
Minor adjustments to levels of boundaries
2011-02-04 11:57:47 +00:00
Miroslav Stampar
76ab14f20f
revert of r3203
2011-02-04 09:30:20 +00:00
Miroslav Stampar
78d696fd4f
i believe that this one should be the first level 1 boundary
2011-02-03 21:27:03 +00:00
Miroslav Stampar
64f18724ad
new default UNION test(s) ranges
2011-02-03 16:26:35 +00:00
Miroslav Stampar
4bb7ffcb3a
minor update
2011-02-03 13:18:43 +00:00
Bernardo Damele
8397c526d8
Minor adjustment
2011-01-31 21:20:23 +00:00
Miroslav Stampar
f9eac97fe8
refactoring of MSSQL XML banner parsing
2011-01-31 11:38:00 +00:00
Miroslav Stampar
14de5809ea
update
2011-01-31 11:08:58 +00:00
Miroslav Stampar
5aa958a146
ASCII & CHR is quite common, so removing this one
2011-01-24 22:51:15 +00:00
Miroslav Stampar
a1619f84b6
changing level of last payload
2011-01-24 22:31:26 +00:00
Miroslav Stampar
8155f95b82
new payload - PostgreSQL boolean-based blind - Parameter replace (based on CHR(0) - "SQL error: ERROR: null character not permitted")
2011-01-24 22:28:54 +00:00
Miroslav Stampar
9f76468005
another premiere, yeeej. IDSes, watch yourself :)
2011-01-24 21:30:46 +00:00
Miroslav Stampar
2fb0c946d2
minor update
2011-01-24 21:21:47 +00:00
Miroslav Stampar
15645f50d4
world premiere :)
2011-01-24 21:21:11 +00:00
Miroslav Stampar
440264341c
minor update
2011-01-24 17:43:25 +00:00
Miroslav Stampar
0eea5665b2
minor update
2011-01-24 17:41:36 +00:00
Bernardo Damele
b0dc6c24eb
Moved
2011-01-24 17:04:49 +00:00
Miroslav Stampar
c188996627
patch for possible query optimization (avoid precalculation of 1/0)
2011-01-24 16:21:27 +00:00
Bernardo Damele
47fa600c04
Minor fix and cosmetics
2011-01-24 11:12:33 +00:00
Miroslav Stampar
db76bcb327
fix for cases when mixing ingres dbms with spanish word "ingresa"
2011-01-23 11:19:10 +00:00
Miroslav Stampar
7bf05bf2cb
minor update
2011-01-22 00:12:03 +00:00
Miroslav Stampar
d6d8d54eda
implemented Johannes Dahse / Reiners' technique
2011-01-22 00:06:27 +00:00
Miroslav Stampar
0743202879
minor update
2011-01-21 23:54:25 +00:00
Miroslav Stampar
cb0e7080c5
more appropriate name (on http://websec.wordpress.com/ they use term "conditional" for something very similar, although not stacked)
2011-01-21 23:47:45 +00:00
Miroslav Stampar
7c4c79477d
world premiere of "forced-error blind stacked" payloads (spent 3 hours on pgsql)
2011-01-21 18:32:10 +00:00
Miroslav Stampar
79e4b1efd5
added new signature for SQLite error messages
2011-01-20 22:47:03 +00:00
Bernardo Damele
6c490bfc8f
Avoid a traceback elsewhere
2011-01-20 21:43:41 +00:00
Bernardo Damele
7ce49bcf0d
Sorted boundaries so that the ones with parenthesis are tested first - it has to be like this!
...
Adjusted comments accordingly to new UNION-specific tags.
2011-01-20 21:42:55 +00:00
Miroslav Stampar
f6d79f58bc
another fix (LIMIT is not a good idea to have in inband queries)
2011-01-20 21:13:28 +00:00
Miroslav Stampar
ff1a44c335
probably a fix for that SQLite bug reported by Ahmed Shawky
2011-01-20 20:30:18 +00:00
Miroslav Stampar
a1d77737f5
minor grammar update (this should be a better form)
2011-01-20 18:35:21 +00:00
Bernardo Damele
81be23976e
Confirmed HAVING payloads work as WHERE ones.
...
Changed <risk> value of all 'heavy query' tests to 2 as it can potentially lead to a DoS.
Proper handling of title for UNION tests when --union-char is provided.
2011-01-18 22:55:20 +00:00
Miroslav Stampar
f7d9b22510
because other major DBMSes have at least one level 1 time based payload
2011-01-18 20:32:49 +00:00
Miroslav Stampar
bdcb10cdab
added MSSQL time based vector
2011-01-18 02:05:18 +00:00
Bernardo Damele
c2a358561f
Proper support for --union-cols
2011-01-17 22:57:33 +00:00
Miroslav Stampar
fb166e9445
adding USER_LOCK stacked query support for ORACLE (older versions)
2011-01-16 10:31:16 +00:00
Miroslav Stampar
f31c028232
Oracle stacked vector based on DBMS_LOCK.SLEEP ( https://foro.undersecurity.net/read.php?46,1436 )
2011-01-16 10:07:56 +00:00
Bernardo Damele
1b3717c79c
Improvement to make time-based blind to work also against login forms
2011-01-12 16:20:29 +00:00
Bernardo Damele
d7a7993e0d
Minor comment fix
2011-01-12 11:57:36 +00:00
Bernardo Damele
2f5995a7eb
Added generic and mysql UNION tests from 1 to 25 columns.
...
Adapted config file and command line removing now outdated --union-test switch.
Minor bug fix.
Minor code refactoring.
Got rid of some debug messages, standardized logging of UNION tests.
2011-01-11 22:56:21 +00:00
Bernardo Damele
300128042c
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though.
...
Major refactoring to Agent.payload() method.
Minor bug fixes, some code refactoring and a lot of core adjustments here and there.
Added more checks for injection in GROUP BY and ORDER BY.
2011-01-11 22:18:47 +00:00
Bernardo Damele
1c86ec374e
Code refactoring and cosmetics
2011-01-07 15:41:09 +00:00