
scan problem

Open RoyaSed opened this issue 4 years ago • 4 comments

Hello, I have 2 problems with jsql:

  1. Although I entered the referer information, the scanner does not appear.

  2. Screenshot: (image not included)

  3. Out-of-band SQL injection detected by the Burp Suite tool.

  4. Does the jsql tool support out of band?

RoyaSed, Jan 29 '22 20:01

  1. Although I entered the referer information, the scanner does not appear

The http://url syntax of the referer interferes with the key:value parsing of the Header field; you may urlencode the colon in your referer:

https%3A//url


  1. Does the jsql tool support out of band?

Currently I've only manually tested OOB for Postgres and Oracle, but not MySQL. It's still a work in progress at the moment (Github card: https://github.com/ron190/jsql-injection/projects/1#card-61127218).

ron190, Jan 29 '22 22:01
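The colon problem described above, as an added example (not jsql's own code): a header spec parsed by splitting on every colon rejects `Referer:https://url`, while splitting on the first colon only and percent-decoding the value accepts both the raw and the urlencoded form. The naive parser is an assumed illustration of the failure, not jsql's implementation; the one-header-per-string format is also an assumption.

```python
from typing import Optional, Tuple
from urllib.parse import unquote


def parse_header_naive(spec: str) -> Optional[Tuple[str, str]]:
    """Assumed naive behaviour: split on every colon and expect exactly
    two parts. A URL value such as 'Referer:https://url' yields three
    parts and is rejected, which is why urlencoding the colon helps."""
    parts = spec.split(":")
    if len(parts) != 2:
        return None
    return parts[0].strip(), parts[1].strip()


def parse_header(spec: str) -> Tuple[str, str]:
    """Robust form: split on the first colon only, then percent-decode the
    value, so 'Referer:https://url' and 'Referer:https%3A//url' give the
    same header. Values with their own colons (host:port) survive too."""
    name, sep, value = spec.partition(":")
    if not sep or not name.strip():
        raise ValueError(f"malformed header spec: {spec!r}")
    return name.strip(), unquote(value.strip())


if __name__ == "__main__":
    for spec in ("Referer:https://url", "Referer:https%3A//url", "Host:example.com:8080"):
        print(f"{spec!r}: naive={parse_header_naive(spec)} robust={parse_header(spec)}")
```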

If I give you this link, would it be useful for developing OOB? How can I contact you privately? Is there Skype?

RoyaSed, Jan 30 '22 09:01

I prefer to fully validate OOB manually on local first, in order to next integrate the related tests into the CI pipeline on Docker.

Still, I haven't managed to make OOB work properly with MySQL on Docker, just Postgres and Oracle. MySQL running outside any container works fine and connects to a local DNS server, but the Docker instance does not. I don't get why; maybe image mysql:5.5.40 does not allow OOB.

I'm also searching for a way to avoid changing the preferred DNS server on my OS, which is not practical at the moment.

Only if required, DM by mail to [email protected] or by tweet to @ron190jsql.

ron190, Jan 30 '22 15:01

@ron190 Thanks for your work.

How to set the strategy at start, and stop the other tests when an injection is found? It's quite strange; the WAF kills all progress... (I have limited requests. Please help.)


    sfl was set to -1' OR 321=6 AND 00088=00088 --

    Tests performed:
    -1' OR 2+88-88-1=0+0+0+1 -- => TRUE
    -1' OR 3+88-88-1=0+0+0+1 -- => FALSE
    -1' OR 32<(0+5+88-88) -- => FALSE
    -1' OR 32>(0+5+88-88) -- => FALSE
    -1' OR 2+1-1+1=1 AND 00088=00088 -- => FALSE
    -1' OR 32=5 AND 00088=00088 -- => FALSE
    -1' OR 32=6 AND 00088=00088 -- => TRUE
    -1' OR 320=6 AND 00088=00088 -- => FALSE
    -1' OR 321=6 AND 00088=00088 -- => TRUE
    Original value: wr_subject||wr_content

I made https://www...com/?id=wr_subject||wr_content&injectMe=-1' + a new cookie manually (a cookie catcher like in Burp?). But I need to reduce requests. It's ModSecurity, a hard one... I need to check strategy BLIND (but I can't), so when I saw:

    [16:29:39,652] Found character insertion [0221011100'] using Boolean match
    [16:29:39,653] Fingerprinting database and character insertion with Order by match..
    [16:30:41,654] Vulnerable to Blind injection with OR

then the WAF... and bye bye.

Might help: a (new) option like --filter-test in sqlmap, where you write OR, AND or CHOOSE the strategy (please make a list inside, like in error, and mark one or some techniques, or filter them). Easy!

And last: please add a function to stop without losing the session, because of the WAF... until the cookie is auto-captured there will be a need to stop, change server, change cookie... jsqli: sad that a parameter is vuln; go to the base, or test more? --- Great. When the DB is got, ask: use DIOS? GREAT :) Honestly I never use DIOS and wanna try. y/n. That would be a silent assassin :)

Please, guys, make a scalpel from that cannon (for the nuke: add some more payloads and maybe a tool to identify user payloads, test and auto-make tamper, WAF detection, filtered params detection + tamper suggester). It has JS. It's quite cool; it can be more than it is now, really.

SantaLaMuerte, Jun 10 '22 15:06
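A defender-side view of the boolean probe sequence quoted in the post above, as an added example (not code from jsql or the poster): the probes share one shape, a boolean connector, a comparison between simple arithmetic terms and a trailing SQL comment, so a log scanner can flag the parameter carrying them. The access-log lines, host and timestamp are constructed for the example.

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import parse_qsl, quote, urlsplit

# Boolean-blind probe: connector, a comparison between arithmetic terms,
# then a comment that discards the remainder of the original query.
_BOOL_PROBE = re.compile(
    r"(?i)\b(?:or|and)\b\s+[\w()+\-]+\s*[=<>]\s*[\w()+\-]+.*?(?:--|#|/\*)"
)


def is_boolean_blind_probe(value: str) -> bool:
    return _BOOL_PROBE.search(value) is not None


def probes_in_request(request_line: str) -> List[Tuple[str, str]]:
    """(parameter, decoded value) pairs of a 'METHOD /path?query HTTP/x.y'
    request line whose query parameters look like boolean-blind probes."""
    _, target, _ = request_line.split(" ", 2)
    query = urlsplit(target).query
    return [(k, v) for k, v in parse_qsl(query, keep_blank_values=True)
            if is_boolean_blind_probe(v)]


def scan_access_log(lines: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line number, parameter, value) for every probe found in
    common-log-format lines, where the request line is the quoted field."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"([A-Z]+ [^"]+ HTTP/[\d.]+)"', line)
        if m:
            hits.extend((n, p, v) for p, v in probes_in_request(m.group(1)))
    return hits


def _log(params: Dict[str, str]) -> str:
    # Constructed access-log line (placeholder client and time), URL-encoded query.
    q = "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())
    return f'203.0.113.10 - - [10/Jun/2022:16:29:39 +0000] "GET /?{q} HTTP/1.1" 200 512'


SAMPLE_LOG = [
    _log({"id": "wr_subject||wr_content", "injectMe": "-1' OR 2+88-88-1=0+0+0+1 -- "}),
    _log({"id": "wr_subject||wr_content", "injectMe": "-1' OR 32<(0+5+88-88) -- "}),
    _log({"id": "wr_subject||wr_content", "injectMe": "-1' OR 321=6 AND 00088=00088 -- "}),
    _log({"id": "wr_subject||wr_content", "page": "2"}),  # benign request
    _log({"q": "dogs and cats -- not a probe"}),          # connector but no comparison
]

if __name__ == "__main__":
    for n, param, value in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: parameter {param!r} carries a boolean-blind probe: {value!r}")
```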

The problem may be caused by the Chinese language (site in Chinese):

    [17:47:57,256] Boolean false positives spotted, stopping...
    [17:47:57,257] Fetching fails: no data to parse
    [17:47:57,257] Incorrect metadata, response from site:
    [17:47:57,257] >>>}
    [17:47:57,257] Incorrect or incomplete data: java.lang.ArrayIndexOutOfBoundsException: Index 1 out of bounds for length 1
        at com.jsql.model.accessible.DataAccess.getDatabaseInfos(DataAccess.java:195) ~[jsql-injection-v0.90.jar:?]
        at com.jsql.model.InjectionModel.beginInjection(InjectionModel.java:221) ~[jsql-injection-v0.90.jar:?]
        at java.lang.Thread.run(Thread.java:1589) [?:?]

    [17:47:57,263] Processing but failure is expected
    [17:47:57,264] Извлечение баз данных
    [17:47:57,275]
    [17:47:57,258] java.lang.InterruptedException
    java.lang.InterruptedException: null
        at java.util.concurrent.CompletableFuture.reportGet(CompletableFuture.java:386) ~[?:?]
        at java.util.concurrent.CompletableFuture.get(CompletableFuture.java:2073) ~[?:?]
        at jdk.internal.net.http.HttpClientImpl.send(HttpClientImpl.java:826) ~[java.net.http:?]
        at jdk.internal.net.http.HttpClientFacade.send(HttpClientFacade.java:123) ~[java.net.http:?]
        at com.jsql.model.InjectionModel.inject(InjectionModel.java:337) [jsql-injection-v0.90.jar:?]
        at com.jsql.model.AbstractModelObservable.injectWithoutIndex(AbstractModelObservable.java:54) [jsql-injection-v0.90.jar:?]
        at com.jsql.model.injection.strategy.blind.AbstractInjectionBoolean.callUrl(AbstractInjectionBoolean.java:300) [jsql-injection-v0.90.jar:?]
        at com.jsql.model.injection.strategy.blind.CallableBlind.call(CallableBlind.java:102) [jsql-injection-v0.90.jar:?]
        at com.jsql.model.injection.strategy.blind.CallableBlind.call(CallableBlind.java:17) [jsql-injection-v0.90.jar:?]
        at java.util.concurrent.FutureTask.run(FutureTask.java:317) [?:?]
        at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:577) [?:?]
        at java.util.concurrent.FutureTask.run(FutureTask.java:317) [?:?]
        at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1144) [?:?]
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:642) [?:?]
        at java.lang.Thread.run(Thread.java:1589) [?:?]
    java.lang.NullPointerException: Cannot invoke "java.awt.Container.getParent()" because the return value of "javax.swing.JTextPane.getParent()" is null
        at com.jsql.view.swing.console.AbstractColoredConsole.append(AbstractColoredConsole.java:73) ~[jsql-injection-v0.90.jar:?]
        at com.jsql.view.swing.console.JTextPaneAppender.lambda$append$1(JTextPaneAppender.java:118) ~[jsql-injection-v0.90.jar:?]
        at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:318) ~[?:?]
        at java.awt.EventQueue.dispatchEventImpl(EventQueue.java:773) ~[?:?]
        at java.awt.EventQueue$4.run(EventQueue.java:720) ~[?:?]
        at java.awt.EventQueue$4.run(EventQueue.java:714) ~[?:?]
        at java.security.AccessController.doPrivileged(AccessController.java:399) [?:?]
        at java.security.ProtectionDomain$JavaSecurityAccessImpl.doIntersectionPrivilege(ProtectionDomain.java:86) [?:?]
        at java.awt.EventQueue.dispatchEvent(EventQueue.java:742) [?:?]
        at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:203) [?:?]
        at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:124) [?:?]
        at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:113) [?:?]
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:109) [?:?]
        at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:101) [?:?]
        at java.awt.EventDispatchThread.run(EventDispatchThread.java:90) [?:?]

refflex, Jul 30 '23 15:07

@refflex The host sends false positives and appears unreliable; you must look at the network logs to check what's wrong, and also open a new thread.

Note: jSQL is compatible with UTF-8, so non-ASCII characters should not be a problem.


ron190, Jul 30 '23 18:07

@hastalamuerte A lot to process here, thanks for the feedback... trying to answer:

  1. How to set the strategy at start?

    Might help: a (new) option like --filter-test in sqlmap, where you write OR, AND or CHOOSE the strategy (please make a list inside, like in error, and mark one or some techniques, or filter them). Easy!

For now it's not possible, and I get that reducing strategies and reducing requests is sometimes required. I'll see if I can integrate this into the UI efficiently, although it implies:

  • Syncing the Database selection with the strategy selection from the address bar, because error strategies relate to the selected database
  • Displaying a new item to choose OR, AND

  2. --- Great. When the DB is got, ask: use DIOS? GREAT :) Honestly I never use DIOS and wanna try.

I suppose DIOS should be integrated into the UI in a better way than just as a manual preference, like it is now. Maybe as a substrategy tested automatically during the process. More testing is needed to verify that.

  3. cookie catcher like in Burp

I don't know the feature; I'll see if I understand the purpose. For now I just display the cookies set by the host, as in the following:

    [00:18:12,110] Cookies set by host: [XSRF-TOKEN=73322f68-f5e1-4531-9cbb-22ac9d49f530]

  4. please add a function to stop without losing the session, because of the WAF... until the cookie is auto-captured there will be a need to stop, change server, change cookie... jsqli: sad that a parameter is vuln; go to the base, or test more?

Not sure about the process here; if you set the cookie in the header then the session is kept. Does it relate to what the cookie catcher does?

  5. add some more payloads

Sure, I strongly invite the community to share here on Github the payloads and strategies that I'm not aware of.

  6. tool to identify user payloads

Having multiple payloads for strategies like normal, blind, time looks strange, because there's a single way to implement the payload. I may be unaware of different payloads existing here, so I would need an example to check. Or do you mean adding a custom error payload to the list and running it during the process?

  7. test and auto-make tamper

I don't get how it would work, any example?

  8. WAF detection

Sure, I need to get an example and do some testing.

  9. filtered params detection + tamper suggester

I don't get how it would work, any example?

Closing the thread, as at least 3 unrelated topics were opened in the same place; please open a dedicated issue.

ron190, Jul 31 '23 23:07