Land #16651, [SQLi library] Ensure the encoder is always used in the #test_vulnerable methods

gwillcox-r7 · gwillcox-r7 · commit 63822f6e376f · 2022-06-08T17:15:22.000-05:00
diff --git a/lib/msf/core/exploit/sqli/mssqli/common.rb b/lib/msf/core/exploit/sqli/mssqli/common.rb
@@ -182,7 +182,11 @@ def dump_table_fields(table, columns, condition = '', num_limit = 0)
     def test_vulnerable
       random_string_len = @truncation_length ? [rand(2..10), @truncation_length].min : rand(2..10)
       random_string = Rex::Text.rand_text_alphanumeric(random_string_len)
-      run_sql("select '#{random_string}'") == random_string
+      query_string = "'#{random_string}'"
+      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
+      output = run_sql("select #{query_string}")
+      return false if output.nil?
+      (@encoder ? @encoder[:decode].call(output) : output) == random_string
     end
 
     #
diff --git a/lib/msf/core/exploit/sqli/mysqli/common.rb b/lib/msf/core/exploit/sqli/mysqli/common.rb
@@ -197,7 +197,11 @@ def dump_table_fields(table, columns, condition = '', num_limit = 0)
     def test_vulnerable
       random_string_len = @truncation_length ? [rand(2..10), @truncation_length].min : rand(2..10)
       random_string = Rex::Text.rand_text_alphanumeric(random_string_len)
-      run_sql("select '#{random_string}'") == random_string
+      query_string = "'#{random_string}'"
+      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
+      output = run_sql("select #{query_string}")
+      return false if output.nil?
+      (@encoder ? @encoder[:decode].call(output) : output) == random_string
     end
 
     #
diff --git a/lib/msf/core/exploit/sqli/postgresqli/common.rb b/lib/msf/core/exploit/sqli/postgresqli/common.rb
@@ -189,7 +189,11 @@ def dump_table_fields(table, columns, condition = '', num_limit = 0)
     def test_vulnerable
       random_string_len = @truncation_length ? [rand(2..10), @truncation_length].min : rand(2..10)
       random_string = Rex::Text.rand_text_alphanumeric(random_string_len)
-      run_sql("select '#{random_string}'") == random_string
+      query_string = "'#{random_string}'"
+      query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
+      output = run_sql("select #{query_string}")
+      return false if output.nil?
+      (@encoder ? @encoder[:decode].call(output) : output) == random_string
     end
 
     #
diff --git a/lib/msf/core/exploit/sqli/sqlitei/common.rb b/lib/msf/core/exploit/sqli/sqlitei/common.rb
@@ -146,6 +146,7 @@ def test_vulnerable
       query_string = "'#{random_string}'"
       query_string = @encoder[:encode].sub(/\^DATA\^/, query_string) if @encoder
       output = run_sql("select #{query_string}")
+      return false if output.nil?
       (@encoder ? @encoder[:decode].call(output) : output) == random_string
     end
 
