
Add additional SQLi sleep tests

Open mohghezal opened this issue 1 year ago • 4 comments

add SQL time

mohghezal avatar Aug 04 '23 10:08 mohghezal

Ronin::Vulns::SQLI already does various SQL SLEEP(5) tests. Are you referring to a different technique? https://github.com/ronin-rb/ronin-vulns/blob/45deabd6eb4efad460d4a30d92931496a7e602a0/lib/ronin/vulns/sqli.rb#L350-L388

postmodern avatar Aug 04 '23 10:08 postmodern

add more

    SLEEP_TESTS = [
      "'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z --",
      "'if(now()=sysdate(),sleep(5),0) --",
      "'or(now()=sysdate()&&SLEEP(5))or'Z --",
      "'|(IF((now())LIKE(sysdate()),SLEEP(5),0))|'Z --",
      'SLEEP(5)',
      "PG_SLEEP(5)",
      "WAITFOR DELAY '0:0:5'"
    ]

mohghezal avatar Aug 04 '23 15:08 mohghezal

@mohghezal could you rewrite those without the or'Z -- suffixes, since SQLI#escape(sql) is supposed to add any termination/escaping to the given SQL? I'm not sure if the XOR/or/| at the end is required or part of the escape/termination.

postmodern avatar Aug 04 '23 23:08 postmodern

@mohghezal also how are these tests better than the existing SLEEP(5) test? Are they meant to be injected into certain SQL clauses? Will these bypass WAFs?

postmodern avatar Aug 05 '23 00:08 postmodern
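The thread above lists the time-delay primitives the proposed tests rely on (MySQL sleep(), PostgreSQL pg_sleep(), MSSQL WAITFOR DELAY, and the now()=sysdate() conditional wrapper). The following is an added example written for this page, not ronin-vulns code and not anything posted in the issue: a defender-side signature set that flags those primitives in request parameters during log review, after undoing URL-encoding and MySQL inline comments so a single-round decode or a `/**/` gap does not hide them. The log lines, parameter names and host addresses are constructed.

```ruby
require 'cgi'

# Added example, not code from ronin-vulns: signatures for the time-delay
# primitives quoted in this issue. Each regex names the family it detects.
TIME_DELAY_SIGNATURES = {
  mysql_sleep:       /\bsleep\s*\(\s*\d+\s*\)/i,
  postgres_sleep:    /\bpg_sleep\s*\(\s*\d+(?:\.\d+)?\s*\)/i,
  mssql_waitfor:     /\bwaitfor\s+delay\s+'[^']*'/i,
  conditional_delay: /now\(\)\)?\s*(?:=|like)\s*\(?sysdate\(\)/i
}.freeze

# Normalise a parameter value before matching: undo up to three rounds of
# URL-encoding (double-encoded values are common in stored logs) and replace
# MySQL inline comments with a space so "sleep/**/(5)" still reads "sleep (5)".
def normalize(value)
  decoded = value.to_s
  3.times do
    next_value = CGI.unescape(decoded)
    break if next_value == decoded
    decoded = next_value
  end
  decoded.gsub(%r{/\*.*?\*/}m, ' ')
end

# Returns the names of every signature that fires on one parameter value.
def classify_param(value)
  text = normalize(value)
  TIME_DELAY_SIGNATURES.select { |_name, re| text.match?(re) }.keys
end

# Walks Apache/nginx-style access-log lines and reports each query-string
# parameter whose value matches a time-delay signature.
def scan_log(lines)
  findings = []
  lines.each_with_index do |line, idx|
    # The quoted request field looks like "GET /path?query HTTP/1.1".
    request = line[/"(?:GET|POST)\s+(\S+)\s+HTTP/, 1] or next
    query = request.split('?', 2)[1] or next
    # CGI.parse performs one decode round; normalize handles any further ones.
    CGI.parse(query).each do |name, values|
      values.each do |v|
        hits = classify_param(v)
        findings << { line: idx + 1, param: name, hits: hits } unless hits.empty?
      end
    end
  end
  findings
end

# Constructed sample log (not real traffic). Line 2 carries the issue's
# now()=sysdate() test, line 3 the WAITFOR DELAY test, line 4 a double-encoded
# PG_SLEEP(5); line 1 is benign.
SAMPLE_LOG = [
  '10.0.0.5 - - [04/Aug/2023:10:08:00 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
  '10.0.0.9 - - [04/Aug/2023:10:08:07 +0000] "GET /item?id=42%27if(now()%3Dsysdate()%2Csleep(5)%2C0)%20-- HTTP/1.1" 200 510',
  '10.0.0.9 - - [04/Aug/2023:10:08:19 +0000] "GET /item?id=WAITFOR%20DELAY%20%270%3A0%3A5%27 HTTP/1.1" 500 81',
  '10.0.0.9 - - [04/Aug/2023:10:08:31 +0000] "GET /search?q=PG_SLEEP%25285%2529 HTTP/1.1" 200 900'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_log(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]} param=#{f[:param]} hits=#{f[:hits].join(',')}"
  end
end
```

The point of `normalize` is the one raised in the last comment: a signature that matches only the literal string `SLEEP(5)` misses the same primitive once it is percent-encoded twice or split by an inline comment, which is why the conditional wrappers are worth matching on their own (`now()=sysdate()`) rather than only on the sleep call they contain.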