
Some small or/xor/having negatives

Open lifeforms opened this issue 9 years ago • 4 comments

I've done some tests with very small injections. Assuming there's a query `select * from user where foo=$foo` with an injectable parameter, and I want to retrieve all rows. Then I can send a few small payloads. (I can assume that most tables have an id column; it could also be another column.)

| Payload | Result |
|---|---|
| `1 or 1=1` | sqli with fingerprint of '1&1' |
| `1 or 2=2` | sqli with fingerprint of '1&1' |
| `1 or id=id` | not sqli |
| `1 or 0=0` | sqli with fingerprint of '1&1' |
| `1 or 0x00=0x00` | sqli with fingerprint of '1&1' |
| `1 or 0x00=0` | sqli with fingerprint of '1&1' |
| `1 or null is null` | sqli with fingerprint of '1&v' |
| `1 or not 1 is null` | sqli with fingerprint of '1&1ov' |
| `1 or 1` | not sqli |
| `1 or 2` | not sqli |
| `1 or 1*1` | sqli with fingerprint of '1&1' |
| `1 or 0+1` | sqli with fingerprint of '1&1' |
| `1 or true` | not sqli |
| `1 or 1 or 1` | sqli with fingerprint of '1&1' |
| `1 or 0x1` | not sqli |
| `1 or 0x01` | not sqli |
| `1 or (1)` | sqli with fingerprint of '1&(1)' |
| `1 or (1*1)` | sqli with fingerprint of '1&(1)' |
| `1 or (0+1)` | sqli with fingerprint of '1&(1)' |
| `1 or (true)` | sqli with fingerprint of '1&(1)' |
| `1 or (1 or 1)` | sqli with fingerprint of '1&(1&' |
| `1 or (1 or true)` | sqli with fingerprint of '1&(1&' |
| `1 or (true or 1)` | sqli with fingerprint of '1&(1&' |
| `1 or (0x1)` | sqli with fingerprint of '1&(1)' |
| `1 or (0x01)` | sqli with fingerprint of '1&(1)' |
| `1 or id=id` | not sqli |
| `id or 1` | not sqli |
| `id or 2` | not sqli |
| `id or 1*1` | sqli with fingerprint of 'n&1' |
| `id or 0+1` | sqli with fingerprint of 'n&1' |
| `id or true` | not sqli |
| `id or 1 or 1` | sqli with fingerprint of 'n&1' |
| `id or 0x1` | not sqli |
| `id or 0x01` | not sqli |
| `id or (1)` | sqli with fingerprint of 'n&(1)' |
| `id or (1*1)` | sqli with fingerprint of 'n&(1)' |
| `id or (0+1)` | sqli with fingerprint of 'n&(1)' |
| `id or (true)` | sqli with fingerprint of 'n&(1)' |
| `id or (1 or 1)` | sqli with fingerprint of 'n&(1&' |
| `id or (1 or true)` | sqli with fingerprint of 'n&(1&' |
| `id or (true or 1)` | sqli with fingerprint of 'n&(1&' |
| `id or (0x1)` | sqli with fingerprint of 'n&(1)' |
| `id or (0x01)` | sqli with fingerprint of 'n&(1)' |
| `id or id=id` | not sqli |
| `1 xor 0` | not sqli |
| `1 xor false` | not sqli |
| `1 xor 0*0` | sqli with fingerprint of '1&1' |
| `1 xor 0+0` | sqli with fingerprint of '1&1' |
| `1 xor 0 or 0` | sqli with fingerprint of '1&1' |
| `1 xor 0x0` | not sqli |
| `1 xor 0x00` | not sqli |
| `1 xor id!=id` | not sqli |
| `1 xor (0)` | sqli with fingerprint of '1&(1)' |
| `1 xor (false)` | sqli with fingerprint of '1&(1)' |
| `1 xor (0*0)` | sqli with fingerprint of '1&(1)' |
| `1 xor (0+0)` | sqli with fingerprint of '1&(1)' |
| `1 xor (0 or 0)` | sqli with fingerprint of '1&(1&' |
| `1 xor (0 or false)` | sqli with fingerprint of '1&(1&' |
| `1 xor (false or 0)` | sqli with fingerprint of '1&(1&' |
| `1 xor (0x0)` | sqli with fingerprint of '1&(1)' |
| `1 xor (0x00)` | sqli with fingerprint of '1&(1)' |
| `1 xor (id!=id)` | sqli with fingerprint of '1&(n)' |
| `id xor 0` | not sqli |
| `id xor false` | not sqli |
| `id xor 0*0` | sqli with fingerprint of 'n&1' |
| `id xor 0+0` | sqli with fingerprint of 'n&1' |
| `id xor 0 or 0` | sqli with fingerprint of 'n&1' |
| `id xor 0x0` | not sqli |
| `id xor 0x00` | not sqli |
| `id xor id!=id` | not sqli |
| `id xor (0)` | sqli with fingerprint of 'n&(1)' |
| `id xor (false)` | sqli with fingerprint of 'n&(1)' |
| `id xor (0*0)` | sqli with fingerprint of 'n&(1)' |
| `id xor (0+0)` | sqli with fingerprint of 'n&(1)' |
| `id xor (0 or 0)` | sqli with fingerprint of 'n&(1&' |
| `id xor (0 or false)` | sqli with fingerprint of 'n&(1&' |
| `id xor (false or 0)` | sqli with fingerprint of 'n&(1&' |
| `id xor (0x0)` | sqli with fingerprint of 'n&(1)' |
| `id xor (0x00)` | sqli with fingerprint of 'n&(1)' |
| `id xor (id!=id)` | sqli with fingerprint of 'n&(n)' |
| `id having 1` | sqli with fingerprint of 'nB1' |
| `id having 2` | sqli with fingerprint of 'nB1' |
| `id having true` | sqli with fingerprint of 'nB1' |
| `id having 1 or 1` | sqli with fingerprint of 'nB1&1' |
| `id having 0x1` | sqli with fingerprint of 'nB1' |
| `id having 0x01` | sqli with fingerprint of 'nB1' |
| `id having (1)` | sqli with fingerprint of 'nB(1)' |
| `id having (true)` | sqli with fingerprint of 'nB(1)' |
| `id having (1 or 1)` | not sqli |
| `id having (1 or true)` | not sqli |
| `id having (true or 1)` | not sqli |
| `id having (0x1)` | sqli with fingerprint of 'nB(1)' |
| `id having (0x01)` | sqli with fingerprint of 'nB(1)' |
| `id having id=id` | not sqli |
| `id having null is null` | sqli with fingerprint of 'nBv' |
| `id having not 0 is null` | sqli with fingerprint of 'nB1ov' |

Many of these are detected by libinjection, but some are not (yet). The syntax to create false or true values could be a lot more complex too.

In version 3 of ModSecurity CRS, we'll be using libinjection in addition to a lot of regexp rules. We have some regexp rules to catch OR/XOR/HAVING, but these rules are not popular due to false positives in common English texts. I'm currently trying to decide what to do with them...

lifeforms avatar Jul 29 '16 21:07 lifeforms
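The trade-off the post describes (keyword rules for OR/XOR/HAVING catch the small payloads but fire on ordinary English) is easy to measure. The following harness is an added example, not code from the issue or from libinjection or the CRS: it scores two hypothetical regex rules written for this example (not the CRS rules) against a subset of the payloads from the table above and against a handful of constructed benign strings, and reports true positives and false positives for each.

```python
import re

# Subset of the payloads from the issue's table: every entry is an injection
# into `select * from user where foo=$foo`, so a rule should flag all of them.
SQLI_PAYLOADS = [
    "1 or 1=1",
    "1 or id=id",
    "1 or null is null",
    "1 or 1",
    "1 or true",
    "1 or (1 or 1)",
    "id or 0x01",
    "1 xor 0",
    "1 xor (id!=id)",
    "id having 1",
    "id having (true or 1)",
    "id having not 0 is null",
]

# Constructed benign inputs (assumption: the kind of free text a web form
# receives), used to measure false positives.
BENIGN_TEXTS = [
    "Do you want tea or coffee?",
    "We are having a meeting at 1 or 2 pm",
    "Either 4 or 5 people will attend",
    "having fun at the beach",
    "The XOR operator is covered in chapter 3",
    "call me at 555-0100",
]

# Two hypothetical rules written for this example (not the CRS rules).
# RULE_KEYWORD fires on the bare boolean keyword; RULE_OPERAND additionally
# requires something SQL-operand-like right after the keyword.
RULE_KEYWORD = re.compile(r"\b(?:or|xor|having)\b", re.IGNORECASE)
RULE_OPERAND = re.compile(
    r"\b(?:or|xor|having)\s+"
    r"(?:\(|not\b|0x[0-9a-f]+\b|\d+\b|true\b|false\b|null\b"
    r"|\w+\s*(?:=|!=|\bis\b))",
    re.IGNORECASE,
)


def evaluate(rule, positives, negatives):
    """Return detection counts for `rule` over labelled samples.

    `positives` are strings that should be flagged, `negatives` strings that
    should not; the returned dict also lists the benign strings that fired.
    """
    tp = sum(1 for s in positives if rule.search(s))
    fp_hits = [s for s in negatives if rule.search(s)]
    return {
        "tp": tp,
        "fn": len(positives) - tp,
        "fp": len(fp_hits),
        "tn": len(negatives) - len(fp_hits),
        "false_positives": fp_hits,
    }


if __name__ == "__main__":
    for name, rule in (("keyword", RULE_KEYWORD), ("operand", RULE_OPERAND)):
        r = evaluate(rule, SQLI_PAYLOADS, BENIGN_TEXTS)
        print(f"{name}: tp={r['tp']} fn={r['fn']} fp={r['fp']} tn={r['tn']}")
        for s in r["false_positives"]:
            print("   FP:", repr(s))
```

Both rules flag all twelve payloads; the keyword rule also flags five of the six benign strings, and the operand rule still flags three ("or 2 pm", "or 5 people", and "XOR operator is ..."). Tightening the pattern reduces false positives but does not remove them, which is the reason the post gives for those rules being unpopular and for pairing them with a tokenizer-based detector such as libinjection.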

I'll take a look and see if I can find some quick wins here.

client9 avatar Jul 29 '16 21:07 client9

@client9 Thanks a lot. They may be silly but I'm trying to get a feel for what types of things libinjection is aimed to detect.

lifeforms avatar Jul 30 '16 14:07 lifeforms

Going to revisit this... some are definitely doable.

client9 avatar May 21 '17 18:05 client9

These 3 are now detected correctly:

- `id having (1 or 1)`
- `id having (1 or true)`
- `id having (true or 1)`

client9 avatar May 21 '17 18:05 client9