
appending with multiple payloads is giving error #70

Closed
Pcoder7 opened this issue Jul 26, 2023 · 8 comments

Comments

@Pcoder7

Pcoder7 commented Jul 26, 2023

metadata:
    language: v1-beta
    name: "SQL Injection"
    description: "Classic SQL Injection"
    author: "Carlos Montoya"

given query insertion point then

    # only run for successful base response
    if {base.response.status_code} is "200" then
        send payload called weaponized:
            appending: "'", "))", "\", "\""

        # different status code for single quote - sus!
        if {weaponized.response.status_code} differs from {base.response.status_code} then
            send payload called benign:
                appending: "''"
            if {benign.response.status_code} is {base.response.status_code} then
                report issue:
                    severity: high
                    confidence: certain
                    detail: `When adding a single quote, the status code of the response changed from {base.response.status_code} to
                             {weaponized.response.status_code}. When two quote were injected the status of the {base.response.status_code}
                             changed to 200. this indicates that the server is passing the user-supplied input without sanitizing.`
                    remediation: "Never pass user input directly to a database. Use a prepared statement when interacting with
                                  sql databases."
            end if
        end if
    end if
@Pcoder7
Author

Pcoder7 commented Jul 31, 2023

Why has no one replied to my issue?

@Hannah-PortSwigger
Contributor

Hi.

Could you provide some more information on the issue that you are having please?

Is the issue that your BCheck is not passing validation, and you would like some further help in writing this BCheck?

@Hannah-PortSwigger
Contributor

Hannah-PortSwigger commented Jul 31, 2023

Hi

We've looked into this in some more detail.

We'd recommend using a "run for each" rather than providing multiple comma-separated values to "append". You will also need to use backticks for some of your variable declarations in the run for each loop.

Please find an example below:

metadata:
    language: v1-beta
    name: "SQL Injection"
    description: "Classic SQL Injection"
    author: "Carlos Montoya"

run for each:
    test = "'", "))", `\\`, `"`

given query insertion point then
    if {base.response.status_code} is "200" then
        send payload called weaponized:
            appending: {test}

        if {weaponized.response.status_code} differs from {base.response.status_code} then
            send payload called benign:
                appending: "''"
            if {benign.response.status_code} is {base.response.status_code} then
                report issue:
                    severity: high
                    confidence: certain
                    detail: `When adding a single quote, the status code of the response changed from {base.response.status_code} to
                             {weaponized.response.status_code}. When two quote were injected the status of the {base.response.status_code}
                             changed to 200. this indicates that the server is passing the user-supplied input without sanitizing.`
                    remediation: "Never pass user input directly to a database. Use a prepared statement when interacting with
                                  sql databases."
            end if
        end if
    end if

@Pcoder7
Author

Pcoder7 commented Aug 7, 2023

The BCheck template you provided is not sending each payload; it is sending one payload. I've checked my logger history and only 3 requests are being sent. I want it to send all the payloads that are in the run for each variable.

@Hannah-PortSwigger
Contributor

Hi. When only three requests are being sent, has an issue been found and reported?

Once an issue has been reported, the BCheck will stop and not continue past this point. This can result in early termination of the BCheck, without it iterating through all of the "run for each" payloads.
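The stop-at-first-report behaviour described in the reply above (and the "three requests" count in the report that prompted it) can be modelled outside Burp. The Python script below is an added example, not code from this thread or from the BChecks project: it replays the decision logic of the BCheck posted earlier, with the same append values, against an in-memory SQLite backend, once with the concatenated query the check's remediation text warns about and once with the prepared statement it recommends. The products table, the two handler functions, the request counter and the assumption that the base request counts as one sent request are all constructed for this illustration.

```python
import sqlite3

# Append values taken from the BCheck posted in this thread.
PAYLOADS = ["'", "))", "\\", '"']
BENIGN = "''"


def make_db():
    """In-memory SQLite table standing in for the target's backend (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?)", [("apple",), ("pear",)])
    return conn


def vulnerable_handler(conn, value):
    """Builds the query by string concatenation: an unbalanced quote breaks the
    SQL, the driver raises, and the (hypothetical) endpoint answers 500."""
    try:
        conn.execute(f"SELECT name FROM products WHERE name = '{value}'").fetchall()
        return 200
    except sqlite3.Error:
        return 500


def safe_handler(conn, value):
    """Prepared statement: the value is bound, never parsed as SQL, so every input
    gets the same 200 and the status-code heuristic has nothing to latch on to."""
    conn.execute("SELECT name FROM products WHERE name = ?", (value,)).fetchall()
    return 200


def run_check(handler, base_value="apple"):
    """Model of the BCheck control flow (an assumption about how Burp sequences it,
    not the scanner's own code). Returns (requests sent, payload that triggered the
    report, or None). Like the real check, it stops at the first reported issue."""
    conn = make_db()
    sent = 0

    def send(value):
        nonlocal sent
        sent += 1
        return handler(conn, value)

    base = send(base_value)          # the base request is counted as one request
    if base != 200:                  # "only run for successful base response"
        return sent, None

    for test in PAYLOADS:            # "run for each: test = ..."
        weaponized = send(base_value + test)
        if weaponized != base:       # status code differs from base
            benign = send(base_value + BENIGN)
            if benign == base:       # two quotes restore the base status
                return sent, test    # report issue -> the BCheck stops here
    return sent, None


if __name__ == "__main__":
    # Concatenated query: base + weaponized("'") + benign = 3 requests, then a report.
    print(run_check(vulnerable_handler))   # (3, "'")
    # Prepared statement: base + one weaponized request per payload, no benign, no report.
    print(run_check(safe_handler))         # (5, None)
```

Against the concatenating handler the very first payload (`'`) changes the status to 500 and the two-quote follow-up brings it back to 200, so the check reports after exactly three requests and never reaches `))`, `\` or `"`. Against the parameterised handler every payload returns the base status, so all four are tried and nothing is reported.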

@Pcoder7
Author

Pcoder7 commented Aug 7, 2023

Ok, I tested it further and found that this code is behaving unexpectedly. If you look at the code, I clearly said to report only if the weaponized response status code differs from the base response status code. So if the base response status is 200, the weaponized response status code should be 500 or any status code other than 200, and only then should it report SQL injection. But it still reports SQL injection even if the weaponized status code is 200, which is the same as the base response status code. I looked into it further and found that even if I provide the condition as weaponized.response.status.code, it still reports to me: instead of checking the status code, it is checking whether response.status.code or response.body differs from the base response. I saw the SQL injection report in the Target section and it is reporting based on a difference in Content-Length, but I clearly said in the code to only report if response.status.code is different from base.response.status.code.
Please look into the matter.

metadata:
    language: v1-beta
    name: "Sql Injection"
    description: "Classic SQL Injection"
    author: "Carlos Montoya"

run for each:
    test =
        "))",
        "[",
        "]",
        "'"

given query insertion point then
    if {base.response.status_code} is "200" then
        send payload called weaponized:
            appending: {test}

        if {weaponized.response.status_code} differs from {base.response.status_code} then
            send payload called benign:
                appending: "''"
            if {benign.response.status_code} is {base.response.status_code} and {weaponized.response.status_code} differs from {base.response.status_code} then
                report issue:
                    severity: high
                    confidence: certain
                    detail: `When adding a single quote, the status code of the response changed from {base.response.status_code} to
                             {weaponized.response.status_code}. When two quote were injected the status of the {base.response.status_code}
                             changed to 200. this indicates that the server is passing the user-supplied input without sanitizing.`
                    remediation: "Never pass user input directly to a database. Use a prepared statement when interacting with
                                  sql databases."
            end if
        end if
    end if

@Hannah-PortSwigger
Contributor

Hi.

We will be releasing a "BChecks" testing tool in the future, which should make it easier to debug issues like this. You can find this detailed in our roadmap here: https://portswigger.net/burp/pro/roadmap

Are you able to drop us an email at [email protected] with some screenshots of this behavior? If you're able to, could you also share a sample site that has this behavior so that we can replicate this?

@A-J-C
Collaborator

A-J-C commented Aug 29, 2023

Closing due to lack of reply

@A-J-C A-J-C closed this as completed Aug 29, 2023