search

arvancloud / libinjection-rs

Rust bindings for libinjection
https://crates.io/crates/libinjection
Apache License 2.0
37 stars 25 forks source link

[SECURITY] Undetectable Time-Base Injection #1

Open raminfp opened 5 years ago

raminfp commented 5 years ago

Hi,

libinection-rs unable to detect time base sql inection,

1 - Payload 1'=sleep(10)='1

let (is_sqli, fingerprint) = sqli("1'=sleep(10)='1").unwrap();
assert!(is_sqli); // false
assert_eq!("s&sos", fingerprint);

2- Payloads used to determine database version '=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1 

let (is_sqli, fingerprint) = sqli("'=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1").unwrap();
assert!(is_sqli); // false
assert_eq!("s&sos", fingerprint);

Thanks, Ramin - kernel security engineering Best regards,

yaa110 commented 5 years ago

Thank you for the report. Please note that this repository is a bindings to libinjection.