ronin-rb / ronin-vulns

Tests URLs for Local File Inclusion (LFI), Remote File Inclusion (RFI), SQL injection (SQLi), and Cross Site Scripting (XSS), Server Side Template Injection (SSTI), and Open Redirects.
https://ronin-rb.dev
GNU Lesser General Public License v3.0

Add additional SQLi sleep tests #45

Open mohghezal opened 1 year ago

mohghezal commented 1 year ago

add sql time

postmodern commented 1 year ago

`Ronin::Vulns::SQLI` already does various SQL `SLEEP(5)` tests. Are you referring to a different technique? https://github.com/ronin-rb/ronin-vulns/blob/45deabd6eb4efad460d4a30d92931496a7e602a0/lib/ronin/vulns/sqli.rb#L350-L388

mohghezal commented 1 year ago

add more `SLEEP_TESTS`

```ruby
SLEEP_TESTS = [
  "'XOR(if(now()=sysdate(),sleep(5),0))XOR'Z --",
  "'if(now()=sysdate(),sleep(5),0) --",
  "'or(now()=sysdate()&&SLEEP(5))or'Z --",
  "'|(IF((now())LIKE(sysdate()),SLEEP(5),0))|'Z --",
  "SLEEP(5)",
  "PG_SLEEP(5)",
  "WAITFOR DELAY '0:0:5'"
]
```

postmodern commented 1 year ago

@mohghezal could you rewrite those without the `or'Z --` suffixes, since `SQLI#escape(sql)` is supposed to add any termination/escaping to the given SQL. I'm not sure if the `XOR`/`or`/`|` at the end is required or part of the escape/termination?

postmodern commented 1 year ago

@mohghezal also how are these tests better than the existing `SLEEP(5)` test? Are they meant to be injected into certain SQL clauses? Will these bypass WAFs?
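The sleep probes discussed in this thread, seen from the detection side: an added example that is not part of ronin-vulns or this issue, which URL-decodes request paths from constructed Common Log Format lines and flags the MySQL (`sleep()`), PostgreSQL (`pg_sleep()`) and MSSQL (`WAITFOR DELAY`) signatures. The log lines and signature set are constructed for this example, not taken from the project.

```ruby
require 'cgi'

# Constructed sample access-log lines (not real traffic). Three of them carry
# the time-based probes from this thread, URL-encoded as a client would send them.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /item?id=1 HTTP/1.1" 200 512
  10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=1%27XOR%28if%28now%28%29%3Dsysdate%28%29%2Csleep%285%29%2C0%29%29XOR%27Z HTTP/1.1" 200 512
  10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /item?id=1%3BSELECT%20PG_SLEEP%285%29 HTTP/1.1" 500 0
  10.0.0.9 - - [01/Jan/2024:10:00:08 +0000] "GET /item?id=1%27%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- HTTP/1.1" 200 512
  10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /search?q=sleepy%20cat HTTP/1.1" 200 1024
LOG

# Dialect-specific signatures for time-based probes. Checked in this order;
# the word boundary keeps plain "sleep" in PG_SLEEP from matching the MySQL rule.
SLEEP_SIGNATURES = {
  mysql:      /\bsleep\s*\(\s*\d+\s*\)/i,
  postgresql: /\bpg_sleep\s*\(\s*\d+/i,
  mssql:      /\bwaitfor\s+delay\s+'[\d:]+'/i
}.freeze

# Returns an Array of {ip:, path:, dialect:} hashes, one per log line whose
# decoded request URI matches a sleep signature.
def detect_sleep_probes(log)
  log.each_line.filter_map do |line|
    m = line.match(/^(\S+) .*"(?:GET|POST) (\S+) HTTP/) or next
    ip, path = m[1], m[2]
    # Decode twice so a double-encoded probe is still seen in clear.
    decoded = CGI.unescape(CGI.unescape(path))
    dialect, = SLEEP_SIGNATURES.find { |_, re| decoded.match?(re) }
    next unless dialect

    { ip: ip, path: path, dialect: dialect }
  end
end

if __FILE__ == $0
  detect_sleep_probes(SAMPLE_LOG).each do |hit|
    puts "#{hit[:ip]} #{hit[:dialect]} #{hit[:path]}"
  end
end
```

The final "sleepy cat" line is there to show the signatures require the call syntax, not just the word.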