Class: Msf::Exploit::SQLi::MySQLi::TimeBasedBlind

Inherits:
Common
  • Object
Defined in:
lib/msf/core/exploit/sqli/mysqli/time_based_blind.rb

Overview

Time-Based Blind SQL injection support for MySQL

Constant Summary

Constants inherited from Common

Common::BIT_COUNTS, Common::ENCODERS

Instance Attribute Summary

Attributes inherited from Common

#concat_separator, #datastore, #framework, #null_replacement, #safe, #second_concat_separator, #truncation_length

Attributes included from Rex::Ui::Subscriber::Input

#user_input

Attributes included from Rex::Ui::Subscriber::Output

#user_output

Instance Method Summary

Methods inherited from Common

#current_database, #current_user, #dump_table_fields, #enum_database_encoding, #enum_database_names, #enum_dbms_users, #enum_table_columns, #enum_table_names, #enum_view_names, #read_from_file, #version, #write_to_file

Methods inherited from Common

#raw_run_sql

Methods included from Module::UI

#init_ui

Methods included from Module::UI::Message

#print_error, #print_good, #print_prefix, #print_status, #print_warning

Methods included from Module::UI::Message::Verbose

#vprint_error, #vprint_good, #vprint_status, #vprint_warning

Methods included from Module::UI::Line

#print_line, #print_line_prefix

Methods included from Module::UI::Line::Verbose

#vprint_line

Methods included from Rex::Ui::Subscriber

#copy_ui, #init_ui, #reset_ui

Methods included from Rex::Ui::Subscriber::Input

#gets

Methods included from Rex::Ui::Subscriber::Output

#flush, #print, #print_blank_line, #print_error, #print_good, #print_line, #print_status, #print_warning

Constructor Details

#initialize(datastore, framework, user_output, opts = {}, &query_proc) ⇒ TimeBasedBlind

Returns a new instance of TimeBasedBlind.

# File 'lib/msf/core/exploit/sqli/mysqli/time_based_blind.rb', line 5

def initialize(datastore, framework, user_output, opts = {}, &query_proc)
  super
end

Instance Method Details

#run_sql(query, output_charset: nil) ⇒ String

Runs an SQL query and returns its result, recovered with the time-based blind technique

Parameters:

  • query (String)

    The SQL query to execute

  • output_charset (Range) (defaults to: nil)

    The range of characters to expect in the output, optional

Returns:

  • (String)

    The query result

# File 'lib/msf/core/exploit/sqli/mysqli/time_based_blind.rb', line 16

def run_sql(query, output_charset: nil)
  # TODO: detect latency and update sleepdelay manually?
  # If the caller knows the output charset, the bits shared by every
  # character in that range are fixed up front and only the remaining
  # bits are guessed per character; otherwise all 8 bits are guessed.
  if output_charset.is_a?(Range) && output_charset.count > 0
    known_bits, bits_to_guess = get_bitmask(output_charset)
  else
    known_bits = 0
    bits_to_guess = 8
  end
  vprint_status "{SQLi} Executing (#{query})"
  if @hex_encode_strings
    query = hex_encode_strings(query)
    vprint_status "{SQLi} Encoded to (#{query})"
  end
  # first, get the length of the output
  output_length = blind_detect_length(query, true)
  vprint_status "{SQLi} Time-based injection: expecting output of length #{output_length}"
  # now, get the output, of the given length
  blind_dump_data(query, output_length, known_bits, bits_to_guess, true)
end

#test_vulnerable ⇒ Object

This method checks whether the target is vulnerable to blind time-based injection by verifying that the target sleeps only when a given condition is true.

# File 'lib/msf/core/exploit/sqli/mysqli/time_based_blind.rb', line 40

def test_vulnerable
  # run_sql and check if output is what's expected, or just check for delays?
  # blind_request is truthy only when the injected condition delayed the
  # response by SqliDelay seconds
  out_true = blind_request("if(1=1,sleep(#{datastore['SqliDelay']}),0)")
  out_false = blind_request("if(1=2,sleep(#{datastore['SqliDelay']}),0)")
  # Vulnerable only if the always-true condition delayed and the always-false
  # one did not; a uniformly slow target fails the second check.
  out_true && !out_false
end
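As an added example (not code from Metasploit or this class), the detection side of the two methods above: a Ruby scan over MySQL general-log lines that flags the conditional-sleep queries run_sql emits and the paired 1=1 / 1=2 probe that test_vulnerable sends. The log lines, thread ids and the general_log text layout it parses are constructed assumptions.

```ruby
# Added example, not Metasploit code: flag the conditional-sleep queries that
# run_sql emits and the 1=1 / 1=2 pair that test_vulnerable sends, in MySQL
# general-log lines. The log lines below are constructed samples.
SAMPLE_LOG = <<~LOG
  2024-05-01T10:00:01.000000Z    12 Query  SELECT name FROM items WHERE id=7
  2024-05-01T10:00:02.000000Z    12 Query  SELECT name FROM items WHERE id=7 AND if(1=1,sleep(5),0)
  2024-05-01T10:00:08.000000Z    12 Query  SELECT name FROM items WHERE id=7 AND if(1=2,sleep(5),0)
  2024-05-01T10:00:09.000000Z    13 Query  SELECT sleep(0.1)
  2024-05-01T10:00:10.000000Z    12 Query  SELECT name FROM items WHERE id=7 AND if(ord(substr(version(),1,1))&128=128,sleep(5),0)
LOG

# Assumed general_log text layout: "<timestamp> <thread_id> <command> <argument>"
LOG_LINE = /\A(?<ts>\S+)\s+(?<thread>\d+)\s+(?<cmd>\w+)\s+(?<sql>.*)\z/
# A sleep() guarded by if(<condition>, ...) is the signature of a time-based oracle;
# the lazy match lets <cond> contain nested commas (e.g. substr(...,1,1)).
COND_SLEEP = /\bif\s*\((?<cond>.+?),\s*sleep\s*\((?<delay>[\d.]+)\)/i

def parse_general_log(text)
  text.each_line.filter_map do |line|
    m = LOG_LINE.match(line.strip)
    next unless m && m[:cmd] == 'Query'
    { ts: m[:ts], thread: m[:thread].to_i, sql: m[:sql] }
  end
end

# Returns one :conditional_sleep finding per matching query, plus a
# :vulnerability_probe finding when one thread issues both the 1=1 and the
# 1=2 condition with the same delay (the test_vulnerable handshake).
def detect_time_based_probes(text)
  findings = []
  per_thread = Hash.new { |h, k| h[k] = [] }
  parse_general_log(text).each do |e|
    next unless (m = COND_SLEEP.match(e[:sql]))
    cond = m[:cond].strip.downcase
    findings << { thread: e[:thread], type: :conditional_sleep, delay: m[:delay].to_f, cond: cond }
    per_thread[e[:thread]] << [cond, m[:delay].to_f]
  end
  per_thread.each do |thread, probes|
    probes.map(&:last).uniq.each do |delay|
      conds = probes.select { |_, d| d == delay }.map(&:first)
      next unless conds.include?('1=1') && conds.include?('1=2')
      findings << { thread: thread, type: :vulnerability_probe, delay: delay, cond: '1=1 / 1=2' }
    end
  end
  findings
end
```

Correlating by thread id matters because the per-character queries run_sql sends carry arbitrary conditions; only the true/false pair with an identical delay identifies the vulnerability check itself.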