String resBodyANDErr = null;
String resBodyOR = null;
long defaultTimeUsed = 0;
HttpMessage msg = getNewMsg();
// always try normal query first
sendAndReceive(msg);
defaultTimeUsed = msg.getTimeElapsedMillis();
if (msg.getResponseHeader().getStatusCode() != HttpStatusCode.OK) {
return;
}
mResBodyNormal = msg.getResponseBody().toString();
// 2nd, try an always-erroring SQL query
newQuery = setParameter(msg, param, value + SQL_CHECK_ERR);
sendAndReceive(msg);
if (checkANDResult(msg, newQuery)) {
return;
}
// blind sql injections
for (int i = 0; i < SQL_AND.length; i++) {
bingoQuery = setParameter(msg, param, value + SQL_AND[i]);
sendAndReceive(msg);
displayURI = msg.getRequestHeader().getURI().toString();
if (checkANDResult(msg, bingoQuery)) {
return;
}
if (msg.getResponseHeader().getStatusCode() == HttpStatusCode.OK) {
resBodyAND = stripOff(msg.getResponseBody().toString(), SQL_AND[i]);
if (resBodyAND.compareTo(mResBodyNormal) == 0) {
newQuery = setParameter(msg, param, value + SQL_AND_ERR[i]);
sendAndReceive(msg);
resBodyANDErr = stripOff(msg.getResponseBody().toString(), SQL_AND_ERR[i]);
// build an always-false AND query. The result should be
// different from the normal response to prove the SQL is evaluated.
if (resBodyANDErr.compareTo(mResBodyNormal) != 0) {
getKb().add(msg.getRequestHeader().getURI(), "sql/and", new Boolean(true));
bingo(Alert.RISK_HIGH, Alert.WARNING, displayURI, bingoQuery, "", msg);
return;
} else {
// The OR check is used to figure out whether there is any
// difference when an AND query returns nothing
newQuery = setParameter(msg, param, value + SQL_OR[i]);
sendAndReceive(msg);
resBodyOR = stripOff(msg.getResponseBody().toString(), SQL_OR[i]);
if (resBodyOR.compareTo(mResBodyNormal) != 0) {
getKb().add(msg.getRequestHeader().getURI(), "sql/or", new Boolean(true));
bingo(Alert.RISK_HIGH, Alert.WARNING, displayURI, newQuery, "", msg);
return;
}
}
}
}
}
if (getKb().getBoolean(msg.getRequestHeader().getURI(), "sql/mssql")) {
return;
}
// try BLIND SQL SELECT using timing
newQuery = setParameter(msg, param, value + SQL_DELAY_1);
sendAndReceive(msg);
if (checkTimeResult(msg, newQuery, defaultTimeUsed, msg.getTimeElapsedMillis())) {
return;
}
newQuery = setParameter(msg, param, value + SQL_DELAY_2);
sendAndReceive(msg);
if (checkTimeResult(msg, newQuery, defaultTimeUsed, msg.getTimeElapsedMillis())) {
return;
}
// try BLIND MSSQL INSERT using timing