PortSwigger / BChecks

BChecks collection for Burp Suite Professional and Burp Suite Enterprise Edition
https://portswigger.net/burp/documentation/scanner/bchecks
GNU Lesser General Public License v3.0

appending with multiple payload is giving error #70

Closed Pcoder7 closed 10 months ago

Pcoder7 commented 12 months ago

metadata:
    language: v1-beta
    name: "SQL Injection"
    description: "Classic SQL Injection"
    author: "Carlos Montoya"

given query insertion point then

# only run for successful base response
if {base.response.status_code} is "200" then
    send payload called weaponized:
        appending: "'", "))", "\", "\""

    # different status code for single quote - sus!
    if {weaponized.response.status_code} differs from  {base.response.status_code} then 
        send payload called benign: 
            appending:"''"
        if {benign.response.status_code} is {base.response.status_code} then 
            report issue:
                severity: high
                confidence: certain
                detail: `When adding a single quote, the status code of the response changed from {base.response.status_code} to
                          {weaponized.response.status_code}. When two quotes were injected the status of the {base.response.status_code}
                          changed to 200. This indicates that the server is passing the user-supplied input without sanitizing.`
                remediation: "Never pass user input directly to a database. Use a prepared statement when interacting with 
                            sql databases."
        end if
    end if
end if

Pcoder7 commented 11 months ago

Why has no one replied to my issue?

Hannah-PortSwigger commented 11 months ago

Hi.

Could you provide some more information on the issue that you are having please?

Is the issue that your BCheck is not passing validation, and you would like some further help in writing this BCheck?

Hannah-PortSwigger commented 11 months ago

Hi

We've looked into this in some more detail.

We'd recommend using a "run for each" rather than providing multiple comma-separated values to "append". You will also need to use backticks for some of your variable declarations in the run for each loop.

Please find an example below:

metadata:
language: v1-beta
name: "SQL Injection"
description: "Classic SQL Injection"
author: "Carlos Montoya"

run for each:
        test = "'", "))", `\\`, `"`

given query insertion point then
      if {base.response.status_code} is "200" then
            send payload called weaponized:
                appending: {test}

            if {weaponized.response.status_code} differs from  {base.response.status_code} then 
                send payload called benign: 
                    appending:"''"
                if {benign.response.status_code} is {base.response.status_code} then 
                    report issue:
                        severity: high
                        confidence: certain
                        detail: `When adding a single quote, the status code of the response changed from {base.response.status_code} to
                          {weaponized.response.status_code}. When two quotes were injected the status of the {base.response.status_code}
                          changed to 200. This indicates that the server is passing the user-supplied input without sanitizing.`
                        remediation: "Never pass user input directly to a database. Use a prepared statement when interacting with 
                            sql databases."
                end if
            end if
    end if

Pcoder7 commented 11 months ago

The BCheck template you provided is not sending each payload; it is sending one payload. I've checked my Logger history and only 3 requests are being sent. I want it to send all the payloads that are in the run for each variable.

Hannah-PortSwigger commented 11 months ago

Hi. When only three requests are being sent, has an issue been found and reported?

Once an issue has been reported, the BCheck will stop and not continue past this point. This can result in early termination of the BCheck, without it iterating through all of the "run for each" payloads.

Pcoder7 commented 11 months ago

OK, I tested it further and found that this code is behaving unexpectedly. If you look at the code, I clearly said to report only if the weaponized response status code differs from the base response status code. So if the base response status is 200, the weaponized response status code should be 500 or any status code other than 200; only then should it report SQL injection. But it still reports SQL injection even if the weaponized status code is 200, which is the same as the base response status code. I looked into it further and found that even if I provide the condition as weaponized.response.status.code, it still reports: instead of checking the status code, it checks whether response.status.code or response.body differs from the base response. I saw the SQL injection report in the Target section and it is reporting based on a difference in Content-Length, but I clearly said in the code to only report if response.status.code is different from base.response.status.code. Please look into the matter.

metadata:
language: v1-beta
name: "Sql Injection"
description: "Classic SQL Injection"
author: "Carlos Montoya"

run for each:
        test =  
           "))",
           "[",
           "]",
           "'"

given query insertion point then
      if {base.response.status_code} is "200" then
            send payload called weaponized:
                appending: {test}

            if {weaponized.response.status_code} differs from  {base.response.status_code} then 
                send payload called benign: 
                    appending:"''"
                if {benign.response.status_code} is {base.response.status_code} and {weaponized.response.status_code} differs from {base.response.status_code} then 
                    report issue:
                        severity: high
                        confidence: certain
                        detail: `When adding a single quote, the status code of the response changed from {base.response.status_code} to
                          {weaponized.response.status_code}. When two quotes were injected the status of the {base.response.status_code}
                          changed to 200. This indicates that the server is passing the user-supplied input without sanitizing.`
                        remediation: "Never pass user input directly to a database. Use a prepared statement when interacting with 
                            sql databases."
                end if
            end if
    end if
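
As an added illustration (not code from this issue, and not PortSwigger's BCheck engine), the Python model below walks the control flow the BCheck above expresses, covering both points raised in the thread: the check ends at the first `report issue`, which is why only three requests (base, weaponized, benign) appear when the first payload already triggers, and the condition as written compares status codes only, so a response that differs merely in body length does not report. The two target functions and the payload list are constructed for the example.

```python
# Added example: a model of the BCheck's control flow, not Burp's scanner.
from typing import Callable, Dict, List, Optional, Tuple

Response = Tuple[int, str]           # (status_code, body)
Target = Callable[[str], Response]   # simulates appending a string to the insertion point

# Constructed payload list, same values as the "run for each" in the thread's example.
PAYLOADS = ["'", "))", "\\", '"']

def run_check(target: Target, payloads: List[str]) -> Tuple[List[str], Optional[Dict]]:
    """Return (appended strings sent, reported issue or None), mirroring the BCheck."""
    sent: List[str] = []

    def send(appended: str) -> Response:
        sent.append(appended)
        return target(appended)

    base_status, _ = send("")        # the base request, counted as request 1 here
    if base_status != 200:           # "only run for successful base response"
        return sent, None
    for test in payloads:            # run for each: test = ...
        weaponized_status, _ = send(test)
        # Status codes only: a body or Content-Length change alone does not count.
        if weaponized_status != base_status:
            benign_status, _ = send("''")
            if benign_status == base_status:
                issue = {"payload": test, "base": base_status,
                         "weaponized": weaponized_status}
                return sent, issue   # report issue ends the check; later payloads never run
    return sent, None

# Constructed target 1: an unbalanced quote breaks the query, a doubled quote does not.
def quote_sensitive(appended: str) -> Response:
    if appended.count("'") % 2 == 1:
        return 500, "database error"
    return 200, "ok"

# Constructed target 2: input is reflected, so the body length changes on every
# payload, but the status code stays 200 throughout.
def reflecting(appended: str) -> Response:
    return 200, "you searched for: " + appended
```

With `quote_sensitive`, the run stops after three requests with an issue for the first payload; with `reflecting`, every payload is sent and nothing is reported, because only the body differs.
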
Hannah-PortSwigger commented 11 months ago

Hi.

We will be releasing a "BChecks" testing tool in the future, which should make it easier to debug issues like this. You can find this detailed in our roadmap here: https://portswigger.net/burp/pro/roadmap

Are you able to drop us an email at support@portswigger.net with some screenshots of this behavior? If you're able to, could you also share a sample site that has this behavior so that we can replicate this?

A-J-C commented 10 months ago

Closing due to lack of reply