[GSoC] SQLi library with support to MySQL (and MariaDB) #13596
Conversation
… into GSOC/SQLi_Engine
… into GSOC/SQLi_Engine
…s/multibyte characters
I think the wiki would be a good place to add examples of how to use this. However, I'm not sure you have permissions to add a page to the wiki. Maybe a markdown in a comment or something for the time being? Edit: oh oh oh!!! Here's what would be cool... use This would give an easy roadmap to devs on how to take the most popular sqli tool and use it in msf.
I like the idea of a usage guide with a walk-through of how an exploit might be developed. For now adding that as a markdown file in
Other ideas: I think if you include/require *sqli, it should load in advanced options like
Thanks for the thorough refactor. Still working through some test runs to validate module changes here.
The calls to `puts` & `print` are a concern. We had previously discussed that you wanted to use `print_status` and there were issues with access to `datastore['VERBOSE']`; I will test out some options and provide a suggestion on that shortly.
In the meantime please look into the code reuse ideas I have suggested in comments.
Minor adjustments.
```ruby
# @param output_charset [Range] The range of characters to expect in the output, optional
# @return [String] The query results
#
def run_sql(query, output_charset = nil)
```
Suggested change (current line, then the proposed replacement):
```ruby
def run_sql(query, output_charset = nil)
def run_sql(query, output_charset: nil)
```
Prefer named optional arguments.
Also note that `run_sql` has 2 signatures, can that be avoided?
```ruby
def run_sql(query)
```
For the different signatures, having `output_charset` in non-blind injections is useless; they are primarily there to save time and requests. Also, `run_sql` is not the method users should use to dump data from a table; `dump_table_fields` and other high-level enumeration methods are there for that. It's a lower-level method to be used when we need to run custom queries, or we only care about one thing and want to retrieve it fast (session_id for example in eyesofnetwork).
I could rename it, make it `blind_run_sql`, and make `run_sql` call it with `output_charset` being nil, if that has advantages; please let me know (for me, different signatures with optional additional options are okay).
Co-authored-by: Jeffrey Martin <jeffrey_martin@rapid7.com>
…oit-framework into GSOC/SQLi_Engine
refactor mixin as factory for SQLi classes
…ass to instantiate
…y verbose message
… to attr_accessor
Release Notes
A new SQL injection library was added to the Metasploit Framework, making it easier for module writers to exploit SQLi vulnerabilities. The library currently supports the MySQL database management system, and existing modules
Experience with sqlmap will be very helpful! (Maybe integrate it whole into the framework, hopefully in the Pro version too.) Thank you Rapid7, your products are the best!
What is it
This pull request adds an SQL injection library to the Metasploit Framework, to make it easier for module writers to exploit these vulnerabilities. It supports the MySQL database management system for now (support for others will be added).
Features
(Data is already cast to binary so that it works on other character sets, and substr returns a one-byte character; but sometimes the encoding on the web application is different, or some unprintable characters are filtered from the output, see the OpenEMR example.)
Test modules
I rewrote two Metasploit modules to use the new library; they work exactly like the originals, except for the following changes:
- `auxiliary/sqli/openemr/openemr_sqli_dump.rb`: the query result is truncated to 31 bytes and can contain non-ASCII characters; `where table_schema=database()` is added to the condition when enumerating table names (let me know if I should change that); the `lang_definitions` table is added to `skiptables`, as it is a large (>4 MB) table containing the strings in different languages; the `base64` encoder is now used (see (1) for the reason). For testing, you can use this docker-compose.yml
- `exploits/linux/http/eyesofnetwork_autodiscovery_rce.rb`: time-based SQL injection. Tested on Eyesofnetwork 5.1
(1): Results can also include a comma, so using base64 (or otherwise dealing with these issues) is necessary to get correct results.
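To make the two OpenEMR quirks and footnote (1) concrete, here is an added Ruby example (written for this page, not code from the pull request or the Metasploit library). `LeakyApp` is a hypothetical stand-in for a web application with a non-blind injection point that drops non-printable bytes and echoes at most 31 bytes of the result; its tiny `concat`/`concat_b64`/`substr` expression language and the `ROW` data are constructed for the example. It shows why joining fields with a bare comma fails silently when a value contains a comma or an unprintable byte, and how base64-encoding each field before concatenation fixes both problems while keeping the 31-byte chunked read reliable.

```ruby
require 'base64'

# Constructed stand-in for a non-blind (UNION/error-based) injection point in a
# web application that echoes at most 31 bytes of the query result and drops
# non-printable bytes first. The "database" is one in-memory row and the query
# language is a tiny subset of MySQL expressions. Hypothetical names throughout;
# none of this is the Metasploit library's own code.
class LeakyApp
  MAX_OUT = 31

  # row: Hash of column name => binary string
  def initialize(row)
    @row = row
  end

  # Evaluate one expression against the row, then apply the application's
  # output mangling. Supported forms:
  #   concat(c1,c2,...)      -> fields joined with ','
  #   concat_b64(c1,c2,...)  -> TO_BASE64(field) joined with ','
  #   substr(expr,start,len) -> 1-based byte slice, like MySQL SUBSTR
  def run(expr)
    render(evaluate(expr))
  end

  private

  def evaluate(expr)
    case expr
    when /\Asubstr\((.+),(\d+),(\d+)\)\z/
      inner = Regexp.last_match(1)
      start = Regexp.last_match(2).to_i
      len = Regexp.last_match(3).to_i
      evaluate(inner).byteslice(start - 1, len) || ''.b
    when /\Aconcat_b64\((.+)\)\z/
      Regexp.last_match(1).split(',').map { |c| Base64.strict_encode64(@row.fetch(c)) }.join(',').b
    when /\Aconcat\((.+)\)\z/
      Regexp.last_match(1).split(',').map { |c| @row.fetch(c) }.join(',').b
    else
      raise ArgumentError, "unsupported expression: #{expr}"
    end
  end

  # Keep only printable ASCII, then cut to the 31-byte window.
  def render(bytes)
    bytes.b.bytes.select { |b| b.between?(0x20, 0x7e) }.pack('C*').byteslice(0, MAX_OUT)
  end
end

# Read an arbitrarily long expression through the 31-byte window by walking
# SUBSTR offsets until a short (or empty) chunk comes back.
def fetch_chunked(app, expr, window = LeakyApp::MAX_OUT)
  out = ''.b
  pos = 1
  loop do
    chunk = app.run("substr(#{expr},#{pos},#{window})")
    out << chunk
    break if chunk.bytesize < window
    pos += window
  end
  out
end

# Naive dump: fields joined with a bare comma. A comma inside a value splits
# the field, and a dropped non-printable byte shortens a chunk so the walk
# stops early. Both failures are silent.
def dump_naive(app)
  fetch_chunked(app, 'concat(username,password,email)').split(',')
end

# Base64 per field: the separator can never appear inside a value, every output
# byte is printable so chunk lengths are trustworthy, and decoding restores the
# original bytes, non-printables included.
def dump_base64(app)
  fetch_chunked(app, 'concat_b64(username,password,email)').split(',').map { |f| Base64.strict_decode64(f) }
end

# Constructed row: the password holds a comma and a 0x01 byte on purpose.
ROW = {
  'username' => 'admin'.b,
  'password' => "p4ss,w0rd\x01!".b,
  'email' => 'admin@example.test'.b
}.freeze

if $PROGRAM_NAME == __FILE__
  app = LeakyApp.new(ROW)
  p dump_naive(app)   # four "fields", truncated, 0x01 lost
  p dump_base64(app)  # the three original values, byte for byte
end
```

With the constructed row, the naive dump comes back as four fields and stops after the first window because the stripped 0x01 byte makes a full 31-byte chunk look short; the base64 dump round-trips all three values exactly. The cost is roughly a third more bytes on the wire per field, which is why the PR description treats base64 as the correctness fix for non-blind output rather than an optimisation.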
Feedback
Any feedback is much appreciated. I am working on implementing a similar interface for `sqlite`, but if there is a feature request, or something should be changed, I'll be more than happy to make changes that can make the library better / more useful for module writers.
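The review thread above discusses `run_sql` taking an `output_charset` only for blind injections, "to save time and requests". The following added Ruby example (written for this page; it is not the library's code, and `BlindOracle`, `blind_extract`, `HEX_CHARSET` and the other names are hypothetical) shows what that saving is: a boolean-blind extraction does a binary search per byte, so narrowing the candidate set from 256 bytes to the 16 hex digits halves the requests for a hash column. The oracle object stands in for the HTTP round trip and evaluates the predicate the injected SQL would compute; a time-based injection would use the same search with a `SLEEP`-style predicate judged by response time, which is not modelled here. The secret is the MD5 of the empty string, used as a stand-in for a password hash.

```ruby
# Constructed stand-in for a boolean-blind injection point. A real module would
# send one HTTP request per predicate; here the "server" evaluates the predicate
# the injected SQL would compute against a secret it holds, and counts the
# round trips. BlindOracle and the helpers below are hypothetical names, not the
# Metasploit library's API.
class BlindOracle
  attr_reader :requests

  def initialize(secret)
    @secret = secret.b # compared byte by byte, like CAST(... AS BINARY)
    @requests = 0
  end

  # Predicate: LENGTH(secret) >= n
  def length_at_least?(n)
    @requests += 1
    @secret.bytesize >= n
  end

  # Predicate: ORD(SUBSTR(secret, pos, 1)) >= byte   (pos is 1-based, as in MySQL)
  def byte_at_least?(pos, byte)
    @requests += 1
    pos <= @secret.bytesize && @secret.getbyte(pos - 1) >= byte
  end
end

# Largest n with LENGTH >= n, by binary search over 0..max_len.
def blind_length(oracle, max_len = 1024)
  lo = 0
  hi = max_len
  while lo < hi
    mid = (lo + hi + 1) / 2
    if oracle.length_at_least?(mid)
      lo = mid
    else
      hi = mid - 1
    end
  end
  lo
end

# One byte at position pos, by binary search over the sorted candidate byte
# values in charset: 8 requests for the full 0..255 range, 4 for 16 hex digits.
def blind_byte(oracle, pos, charset)
  lo = 0
  hi = charset.size - 1
  while lo < hi
    mid = (lo + hi + 1) / 2
    if oracle.byte_at_least?(pos, charset[mid])
      lo = mid
    else
      hi = mid - 1
    end
  end
  charset[lo]
end

# Whole value. Every byte of the real value must be in charset; a byte outside
# it is silently replaced by the largest candidate below it, so only narrow the
# charset when the column's format is known (hex hash, numeric id, base64).
def blind_extract(oracle, charset = (0..255).to_a)
  len = blind_length(oracle)
  (1..len).map { |pos| blind_byte(oracle, pos, charset) }.pack('C*')
end

HEX_CHARSET = (('0'..'9').to_a + ('a'..'f').to_a).map(&:ord).freeze

# MD5 of the empty string, standing in for a password hash column.
SECRET_HASH = 'd41d8cd98f00b204e9800998ecf8427e'.freeze

# Same value pulled twice: once over the whole byte range, once with the hex
# charset hint. Returns [value, request count] for each.
def compare_request_counts
  full = BlindOracle.new(SECRET_HASH)
  hex = BlindOracle.new(SECRET_HASH)
  {
    full_range: [blind_extract(full), full.requests],
    hex_only: [blind_extract(hex, HEX_CHARSET), hex.requests]
  }
end

if $PROGRAM_NAME == __FILE__
  compare_request_counts.each { |mode, (value, n)| puts "#{mode}: #{value} in #{n} requests" }
end
```

Both runs recover the hash; the hex-only run needs exactly 128 fewer requests (32 bytes times 4 saved comparisons each), on top of the shared length search. The caveat is the one the charset hint implies: extracting a value that contains bytes outside the charset returns a wrong answer with no error, so a module should only pass `output_charset` for columns whose format it knows.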