Blind SQLi Differential Checks False Negatives
I noticed that the sql_injection_differential check sends the following payloads that replace parameter values:
-1 or 1=1
-1' or 1='2
-1' or 1='1
-1" or 1="1
-1' or 1='2
-1 or 1=1
-1' or 1='1
-1" or 1="1
-1" or 1="2
-1" or 1="2
-1 or 1=2
-1 or 1=2
These seem to be missing several blind SQL Injection vulns on an
app I'm testing and from manually testing it appears there may be a
few issues with the above generated payloads that could cause them
to miss vulnerable inputs:
- Is it possible to both append and replace parameter values? I could see cases where both approaches would be beneficial to improve coverage.
- Would leading the payloads with -1 also generate errors before the boolean gets tested in some cases?
- For quoted payloads like -1' or 1='1, should the 1 after the or be quoted as well, like this: -1' or '1'='1?
Support Staff 1 Posted by Tasos Laskos on 07 Dec, 2015 05:23 PM
Btw, I've identified a bug in the differential analysis technique that caused some issues and I'll merge the fix soon; changing -1 to a larger random negative integer solved it. I'll let you know once the nightlies are up.
Support Staff 2 Posted by Tasos Laskos on 07 Dec, 2015 05:51 PM
One thing I forgot to mention is that for cases where there are several variants for each issue (sql_injection, sql_injection_timing, sql_injection_differential) you shouldn't expect adequate coverage unless you're using all of the available checks. And the differential analysis one isn't the most reliable.
Of course, this doesn't mean that improvements aren't welcomed.
3 Posted by wspires on 07 Dec, 2015 06:03 PM
That's cool. Thanks. I'll check it again in the nightlies once it's posted.
I agree and intend to use the other variants, however in cases where a target's DB is mysql, I'm not going to be able to use the mysql timing checks to detect blind SQLi due to the previous issue I logged where the payloads are causing resource exhaustion. In cases like that, I would need to fallback to differential analysis to detect a blind SQLi against a mysql target.
Support Staff 4 Posted by Tasos Laskos on 07 Dec, 2015 06:12 PM
Yeah I figured that was the case, pushing nightlies now, it'll take a couple of hours until they're up so I'll let you know.
And I didn't run the full test suite because that takes even longer but preliminary tests pass and I don't think my changes broke anything.
If the situation isn't improved I'd like to check out those test cases (hackazon still?) myself and see if I can increase the differential analysis coverage.
With that technique the situation gets tricky when there are multiple inputs without default values so those cases are usually skipped.
And there's also a threshold of change, Arachni does noise reduction on the responses to make page comparisons reliable without using Levenshtein distance, but in this case a diff ratio is also used.
So, there are a few things that can be tweaked.
5 Posted by wspires on 07 Dec, 2015 06:33 PM
Yeah. It's Hackazon that I'm currently seeing this on. I'm running it locally, but you can grab a VM with it loaded from here. Although you can reconfigure where the vuln inputs are located with Hackazon, with that image you can find a vuln test case here:
/category/view?id=[input]
It should return all rows for the true condition and a friendly 404 for the false condition.
Thanks again!
Support Staff 6 Posted by Tasos Laskos on 07 Dec, 2015 06:57 PM
Ah, that probably explains it, that check will bail out on anything other than a status 200.
I guess I can allow a 404 for these types of cases.
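The comparison logic Tasos sketches in the two posts above (noise reduction on the responses, a diff-ratio threshold, skipping inputs that are too dynamic to compare, and admitting a friendly 404 for the false branch instead of bailing on anything but 200) written out in Ruby. This is an added example, not Arachni's own code: the Response struct, the two thresholds, the noise patterns and the sample pages modelled on the /category/view?id= case are all constructed assumptions.

```ruby
# Added example (not Arachni's code): a minimal differential-analysis oracle
# of the kind the sql_injection_differential check relies on. Response is a
# constructed stand-in for an HTTP response.
Response = Struct.new(:code, :body)

# Statuses the comparison is willing to reason about. The thread notes the
# check originally bailed on anything but 200 and that the fix admits 404,
# which a "friendly 404" false branch needs. Anything else (500, 302, ...)
# is an error or redirect, not evidence of a boolean difference.
ACCEPTED_STATUSES = [200, 404].freeze

# Assumed thresholds (not Arachni's real values): two pages from the same
# payload must agree at least STABILITY_MIN to count as stable, and the true
# and false branches must agree less than CHANGE_MAX to count as a change.
STABILITY_MIN = 0.9
CHANGE_MAX    = 0.5

# Noise reduction: replace values that legitimately vary between otherwise
# identical pages (timestamps, anti-CSRF tokens) so they cannot masquerade
# as a behavioural change. Patterns are illustrative assumptions.
def reduce_noise(body)
  body.gsub(/\d{4}-\d{2}-\d{2}[ T]\d{2}:\d{2}:\d{2}/, 'TIME')
      .gsub(/name="_token" value="[^"]*"/, 'name="_token" value="TOKEN"')
end

# Token-multiset Dice coefficient in [0, 1]: a cheap diff ratio that stands
# in for a full Levenshtein distance on large pages.
def similarity(a, b)
  ta = a.scan(/\w+/)
  tb = b.scan(/\w+/)
  return 1.0 if ta.empty? && tb.empty?
  counts = tb.each_with_object(Hash.new(0)) { |t, h| h[t] += 1 }
  common = 0
  ta.each do |t|
    next unless counts[t] > 0
    counts[t] -= 1
    common += 1
  end
  2.0 * common / (ta.size + tb.size)
end

# Judge one true-condition payload (sent twice, to measure stability) against
# one false-condition payload. Returns :inconclusive, :clean or :differential.
def differential_verdict(true_a, true_b, false_r)
  responses = [true_a, true_b, false_r]
  return :inconclusive unless responses.all? { |r| ACCEPTED_STATUSES.include?(r.code) }

  ta, tb, f = responses.map { |r| reduce_noise(r.body) }
  # The same payload twice must yield the same page; otherwise the input is
  # too dynamic and any difference measured below would just be noise.
  return :inconclusive if similarity(ta, tb) < STABILITY_MIN

  similarity(ta, f) < CHANGE_MAX ? :differential : :clean
end

# Constructed sample pages modelled on the /category/view?id= case above: the
# true condition lists every row, the false condition is a friendly 404.
TRUE_PAGE_A = Response.new(200,
  '<ul class="items"><li>Item 1</li><li>Item 2</li><li>Item 3</li><li>Item 4</li></ul>' \
  '<p>Generated 2015-12-07 18:03:12</p>')
TRUE_PAGE_B = Response.new(200,
  '<ul class="items"><li>Item 1</li><li>Item 2</li><li>Item 3</li><li>Item 4</li></ul>' \
  '<p>Generated 2015-12-07 18:03:13</p>')
NOT_FOUND   = Response.new(404,
  '<h1>Sorry, we could not find that page.</h1><p>Generated 2015-12-07 18:03:14</p>')
SERVER_ERR  = Response.new(500, '<h1>Internal Server Error</h1>')

if __FILE__ == $PROGRAM_NAME
  puts differential_verdict(TRUE_PAGE_A, TRUE_PAGE_B, NOT_FOUND)  # boolean difference found
  puts differential_verdict(NOT_FOUND, NOT_FOUND, NOT_FOUND)      # both branches 404: clean
  puts differential_verdict(TRUE_PAGE_A, TRUE_PAGE_B, SERVER_ERR) # error status: inconclusive
end
```

With only 200 in ACCEPTED_STATUSES the first call would return :inconclusive, which is exactly the false negative described for Hackazon: the true branch is a normal 200 page and the false branch is a 404, so the status filter threw the case away before the diff ratio was ever consulted.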
7 Posted by wspires on 07 Dec, 2015 08:28 PM
I pulled down the changes from the experimental branch and ran another scan with those. That seems to fix the issue:
Thanks for the quick turnaround!
Support Staff 8 Posted by Tasos Laskos on 07 Dec, 2015 08:30 PM
Sounds great, thanks for the feedback. :)
Tasos Laskos closed this discussion on 07 Dec, 2015 08:30 PM.