Class: Msf::Exploit::SQLi::MySQLi::BooleanBasedBlind

Inherits:
Common
  • Object
Defined in:
lib/msf/core/exploit/sqli/mysqli/boolean_based_blind.rb

Overview

Boolean-Based Blind SQL injection support for MySQL

Constant Summary

Constants inherited from Common

Common::BIT_COUNTS, Common::ENCODERS

Instance Attribute Summary

Attributes inherited from Common

#concat_separator, #datastore, #framework, #null_replacement, #safe, #second_concat_separator, #truncation_length

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Instance Method Summary

Methods inherited from Common

#current_database, #current_user, #dump_table_fields, #enum_database_encoding, #enum_database_names, #enum_dbms_users, #enum_table_columns, #enum_table_names, #enum_view_names, #read_from_file, #version, #write_to_file

Methods inherited from Common

#raw_run_sql

Methods included from Module::UI

#init_ui

Methods included from Module::UI::Message

#print_error, #print_good, #print_prefix, #print_status, #print_warning

Methods included from Module::UI::Message::Verbose

#vprint_error, #vprint_good, #vprint_status, #vprint_warning

Methods included from Module::UI::Line

#print_line, #print_line_prefix

Methods included from Module::UI::Line::Verbose

#vprint_line

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Constructor Details

#initialize(datastore, framework, user_output, opts = {}, &query_proc) ⇒ BooleanBasedBlind

Returns a new instance of BooleanBasedBlind.


# File 'lib/msf/core/exploit/sqli/mysqli/boolean_based_blind.rb', line 5

def initialize(datastore, framework, user_output, opts = {}, &query_proc)
  super
end

Instance Method Details

#run_sql(query, output_charset: nil) ⇒ Object

Gets the output of the given SQL query, in a boolean-based blind manner.

The block given to initialize must return true if querying its parameter gave a result, false otherwise.

@param query [String] The SQL query to execute
@param output_charset [Range] The range of characters to expect in the output (optional). It can improve performance a lot, as fewer bits need to be guessed on each character. Example: ('0' .. '9') if you know the output of your query contains only numeric characters.
@return [String] The query results

# File 'lib/msf/core/exploit/sqli/mysqli/boolean_based_blind.rb', line 19

def run_sql(query, output_charset: nil)
  if output_charset.is_a?(Range) && output_charset.count > 0
    known_bits, bits_to_guess = get_bitmask(output_charset)
  else
    known_bits = 0
    bits_to_guess = 8
  end
  vprint_status "{SQLi} Executing (#{query})"
  if @hex_encode_strings
    query = hex_encode_strings(query)
    vprint_status "{SQLi} Encoded to (#{query})"
  end
  # first, get the length of the output
  output_length = blind_detect_length(query, false)
  vprint_status "{SQLi} Boolean-based injection: expecting output of length #{output_length}"
  # now, get the output, of the given length
  blind_dump_data(query, output_length, known_bits, bits_to_guess, false)
end
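
Why output_charset reduces the work, as an added example that is not Metasploit's own code: the hypothetical charset_bitmask assumes the bits that vary across the charset are the low-order ones, and recover_with_oracle replays the bit-by-bit guessing against a constructed in-memory string (no SQL, no network) to count the true/false questions asked. That count is the request volume a boolean-based blind extraction produces, which is what rate-based detection keys on.

```ruby
# Added illustration; charset_bitmask and recover_with_oracle are hypothetical
# names, not the framework's get_bitmask / blind_dump_data.

# Returns [known_bits, bits_to_guess] for a Range of single-byte characters.
# Falls back to [0, 8] (the defaults run_sql uses) when no usable Range is given.
def charset_bitmask(charset)
  return [0, 8] unless charset.is_a?(Range) && charset.count > 0

  codes = charset.map(&:ord)
  return [0, 8] if codes.any? { |c| c > 0xFF }

  first = codes.first
  # Every bit position in which at least one character differs from the first.
  varying = codes.reduce(0) { |acc, c| acc | (c ^ first) }
  bits_to_guess = varying.bit_length
  # The remaining high bits are identical for the whole charset.
  known_bits = first & (0xFF ^ ((1 << bits_to_guess) - 1))
  [known_bits, bits_to_guess]
end

# Rebuilds a constructed string one bit at a time through a yes/no oracle
# held in memory, and returns [recovered_text, questions_asked].
def recover_with_oracle(secret, charset)
  known_bits, bits_to_guess = charset_bitmask(charset)
  asked = 0
  text = secret.each_char.map do |ch|
    value = known_bits
    bits_to_guess.times do |bit|
      asked += 1
      value |= (1 << bit) if ch.ord[bit] == 1 # the oracle's true/false answer
    end
    value.chr
  end.join
  [text, asked]
end

if __FILE__ == $PROGRAM_NAME
  sample = '2024' # constructed sample value
  [nil, ('0'..'9')].each do |cs|
    text, asked = recover_with_oracle(sample, cs)
    puts "charset=#{cs.inspect} recovered=#{text} questions=#{asked}"
  end
end
```

With a digits-only charset, each character costs 4 questions instead of 8, so the same value is recovered with half the requests.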

#test_vulnerable ⇒ Object

This method checks if the target is vulnerable to boolean-based blind injection by checking that the values returned by the block for some boolean queries are correct.


# File 'lib/msf/core/exploit/sqli/mysqli/boolean_based_blind.rb', line 42

def test_vulnerable
  out_true = blind_request('1=1')
  out_false = blind_request('1=2')
  out_true && !out_false
end