chaitin / xray

A comprehensive security assessment tool that supports scanning for common web security issues and custom PoCs | Be sure to read the documentation before use
https://docs.xray.cool

SQL delay in EvilPot #1811

Open osxtest opened 4 months ago

osxtest commented 4 months ago

Hi,

In the EvilPot system, it goes to sleep if it matches the sleep or waitfor function.

https://github.com/chaitin/xray/blob/e0e361a596566a996f0fb4558900e981f40bbf8f/tests/evilpot/evil/evil.go#L73-L95

However, the sleep action behaves the same as a real-world time-based SQL injection.

How can I modify my plugin to fix this false negative?

$ ./xray webscan --plug sqldet -u http://localhost:8887/?id=1

____  ___.________.    ____.   _____.___.
\   \/  /\_   __   \  /  _  \  \__  |   |
 \     /  |    _  _/ /  /_\  \  /   |   |
 /     \  |    |   \/    |    \ \____   |
\___/\  \ |____|   /\____|_   / / _____/
      \_/       \_/        \_/  \/

Version: 1.9.11/eb0c331d/COMMUNITY

[INFO] 2024-07-20 17:42:02 [default:entry.go:226] Loading config file from config.yaml
[!] Warning: you should use --html-output, --webhook-output or --json-output to persist your scan result

Enabled plugins: [sqldet]

[INFO] 2024-07-20 17:42:06 [default:dispatcher.go:444] processing GET http://localhost:8887/?id=1
[*] scanned: 0, pending: 1, requestSent: 13, latency: 251.25ms, failedRatio: 0.00%
[*] scanned: 0, pending: 1, requestSent: 15, latency: 728.91ms, failedRatio: 0.00%
[Vuln: sqldet]
Target           "http://localhost:8887/?id=1"
VulnType         "blind-based/default"
Payload          "(select*from(select+sleep(2)union/**/select+1)a)"
Position         "query"
ParamKey         "id"
ParamValue       "(select*from(select+sleep(2)union/**/select+1)a)"
sleep_time       "2000"
p_time           "1"
n_time           "2002"
stat             "{\"normal\":{\"samples\":[1,0,0,1,0,1],\"avg\":0.5,\"std_dev\":0.5,\"sleep_time\":2},\"sleep_0_time\":1,\"quick_check\":{\"samples\":[2002],\"sleep\":2},\"verify\":{\"samples\":[3004,3004,3004],\"sleep\":3}}"
title            "Generic MySQL time based case [number/column]"
type             "time_based"
avg_time         "0"
std_dev          "0"

[*] All pending requests have been scanned
[*] scanned: 1, pending: 0, requestSent: 15, latency: 668.17ms, failedRatio: 0.00%
[INFO] 2024-07-20 17:42:19 [controller:dispatcher.go:573] controller released, task done

Try performing a calculation in the sleep function, like sleep(1+1)?

Or try adding another request with a payload that will cause an SQL error, like ssleep(1), to see if it still sleeps?

However, EvilPot can still adapt to the above false positive check, since in time-based SQL injection, it seems like the sleep time is the only condition we can rely on.

I'm really looking forward to your reply.

Thanks

Jarcis-cy commented 4 months ago

This is the expected behavior, because when we use EvilPot, it's to confirm the strength of the POC, and to force the POC to add some features when writing the time blinds, or else it's easy to get false alarms. Because this one does mimic real behavior, it's really unavoidable for the generic DAST plugin.

osxtest commented 4 months ago

Hi @Jarcis-cy,

Since we want to "force the POC to add some features when writing the time blinds, or else it's easy to get false alarms", I suggest we simulate common behaviors of time-based SQL injection false positives. For example:

Then if the POC is still vulnerable, it should add some false positive checks.

Currently, EvilPot accurately sleeps for the exact duration specified in the payload, which is unlikely to generate false positives.

Thanks
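The consistency probes osxtest proposes (sleep(1+1) and ssleep(1)), as an added Go example that is not part of xray or EvilPot: two constructed target models, a naive honeypot that delays on any sleep(N) substring and a genuinely injectable backend that only delays on a well-formed sleep() call, are run through the probes, and only the honeypot is flagged as inconsistent. Delays are returned in milliseconds rather than actually slept, and the naive model is an assumption about how evil.go behaves, not its real code.

```go
package main

import (
	"regexp"
	"strconv"
	"strings"
)

// naiveHoneypot mimics what the issue describes (assumption: the real evil.go
// logic may differ): any payload containing sleep(N) is delayed N seconds.
var sleepArg = regexp.MustCompile(`sleep\((\d+)`)
func naiveHoneypot(payload string) int {
	if m := sleepArg.FindStringSubmatch(strings.ToLower(payload)); m != nil {
		n, _ := strconv.Atoi(m[1])
		return n * 1000 // delay in milliseconds; no model here really sleeps
	}
	return 0
}

// realBackend is a constructed model of a genuinely injectable MySQL query:
// only a well-formed sleep(<int>[+<int>]) call delays, and an unknown function
// such as ssleep() is an SQL error that returns at once.
var sleepCall = regexp.MustCompile(`(?:^|[^a-z])sleep\((\d+)(?:\+(\d+))?\)`)
func realBackend(payload string) int {
	m := sleepCall.FindStringSubmatch(strings.ToLower(payload))
	if m == nil {
		return 0
	}
	a, _ := strconv.Atoi(m[1])
	b, _ := strconv.Atoi(m[2]) // "" when there is no "+n" term, Atoi gives 0
	return (a + b) * 1000
}

// verifyTimeBased applies the consistency probes from the issue after an initial
// sleep(2) hit: sleep(1+1) must still delay 2s and the misspelled ssleep(1) must
// not delay. It returns the payloads answered inconsistently (300ms tolerance).
func verifyTimeBased(target func(string) int) []string {
	probes := []struct{ payload string; wantMs int }{
		{"(select*from(select+sleep(2)union/**/select+1)a)", 2000},
		{"(select*from(select+sleep(1+1)union/**/select+1)a)", 2000},
		{"(select*from(select+ssleep(1)union/**/select+1)a)", 0},
	}
	var failed []string
	for _, p := range probes {
		if d := target(p.payload) - p.wantMs; d > 300 || d < -300 {
			failed = append(failed, p.payload)
		}
	}
	return failed
}
```

An empty result from verifyTimeBased means every probe behaved like a real injectable backend and the finding can be reported; any returned payload is the probe whose timing did not match, which is the false positive signal the thread is asking for.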