SQL delay in EvilPot #1811
Comments
This is the expected behavior. When we use EvilPot, it is to confirm the strength of the POC and to force the POC to add some features when writing time-based blinds; otherwise it is easy to get false alarms.
Hi @Jarcis-cy, since we want to "force the POC to add some features when writing the time blinds, or else it's easy to false alarms", I suggest we simulate common behaviors of time-based SQL injection false positives. For example:

Then, if the POC still reports it as vulnerable, it should add some false-positive checks. Currently, EvilPot accurately sleeps for the exact duration specified in the payload, which is unlikely to generate false positives. Thanks
Hi,

In the EvilPot system, it goes to sleep if it matches the `sleep` or `waitfor` function (xray/tests/evilpot/evil/evil.go, lines 73 to 95 in e0e361a).

However, the sleep action behaves the same as a real-world time-based SQL injection. How can I modify my plugin to fix this false negative?

Try to perform a calculation in the sleep function, like `sleep(1+1)`? Or try to add another request with a payload that will cause a SQL error, like `ssleep(1)`, to see if it still sleeps? However, EvilPot can still adapt to the above false-positive checks, since in time-based SQL injection it seems like the sleep time is the only condition we can rely on.

I'm really looking forward to your reply.

Thanks
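The two false-positive checks discussed in this thread (a computed delay such as `sleep(1+1)`, and a control request with a broken function name such as `ssleep(1)` that a real database rejects with a syntax error) can be combined into one verifier. The block below is an added example written for this page; it is not xray's or EvilPot's code. It goes slightly beyond the thread by sending a second computed delay and checking that the observed delay tracks the arithmetic. Both targets are constructed stand-ins: `keyword_honeypot` models the keyword-match behaviour the issue describes (sleep whenever `sleep(` plus an integer appears), and `vulnerable_target` models a MySQL query that really evaluates the injected `sleep(expr)`; timings are simulated rather than slept, and only the MySQL `sleep()` form is modelled, not SQL Server `waitfor delay`.

```python
import random
import re
import statistics
from typing import Callable, Optional

# Constructed example (not xray/EvilPot code). A target takes the injected SQL
# fragment and returns the server-side delay in seconds it would add; raising
# ValueError models a SQL error, which comes back quickly with no delay.
Target = Callable[[str], float]

MIN_FRACTION = 0.6   # observed delay must be at least this fraction of the requested one
MAX_SLACK = 1.0      # ...and at most requested + this many seconds
NOISE_CEILING = 0.5  # a control request must not exceed the baseline by more than this


def _safe_arith(expr: str) -> int:
    """Evaluate a tiny integer expression made only of digits, '+' and '*'."""
    if not re.fullmatch(r"[0-9+*]+", expr):
        raise ValueError("unsupported expression")
    total = 0
    for term in expr.split("+"):
        product = 1
        for factor in term.split("*"):
            product *= int(factor)
        total += product
    return total


def vulnerable_target(injection: str) -> float:
    """Constructed stand-in for a truly injectable query, e.g. MySQL
    'SELECT ... WHERE id=1<injection>': sleep(expr) is evaluated, any other
    fragment that is not valid SQL raises (error page, no delay)."""
    m = re.fullmatch(r"\s*AND\s+sleep\(([0-9+*]+)\)\s*", injection, re.IGNORECASE)
    if m:
        return float(_safe_arith(m.group(1)))
    if re.fullmatch(r"\s*AND\s+1=1\s*", injection, re.IGNORECASE):
        return 0.0
    raise ValueError("You have an error in your SQL syntax")


def keyword_honeypot(injection: str) -> float:
    """Constructed stand-in for a honeypot that sleeps whenever 'sleep(' is
    followed by an integer, whether or not the SQL is valid (models the
    keyword-match behaviour described in the issue, not EvilPot's real code)."""
    m = re.search(r"sleep\((\d+)", injection, re.IGNORECASE)
    return float(m.group(1)) if m else 0.0


def measure(target: Target, injection: str, rng: random.Random,
            base_latency: float = 0.25) -> float:
    """Simulated round-trip time: base network latency plus jitter plus the
    target's own delay. Nothing really sleeps, so the example runs instantly."""
    try:
        delay = target(injection)
    except ValueError:
        delay = 0.0
    return base_latency + rng.uniform(0.0, 0.1) + delay


def confirm_time_based(target: Target, rng: Optional[random.Random] = None) -> bool:
    """Return True only if the delay is consistent with real SQL evaluation:
    it must follow arithmetic inside sleep(), and a syntactically broken
    function name must NOT delay."""
    rng = rng or random.Random(1)
    baseline = statistics.median(measure(target, " AND 1=1", rng) for _ in range(3))
    a, b = rng.randint(2, 4), rng.randint(2, 3)
    checks = [
        (f" AND sleep({a}*{b})", float(a * b)),   # computed delay: a keyword matcher reads only 'a'
        (f" AND ssleep({a * b})", 0.0),            # unknown function: a real DB errors out, no delay
        (f" AND sleep({a}+{b})", float(a + b)),    # second value: delay must track the arithmetic
    ]
    for injection, expected in checks:
        extra = measure(target, injection, rng) - baseline
        if expected == 0.0:
            if extra > NOISE_CEILING:
                return False
        elif not (expected * MIN_FRACTION <= extra <= expected + MAX_SLACK):
            return False
    return True


if __name__ == "__main__":
    print("real target     :", confirm_time_based(vulnerable_target))
    print("keyword honeypot:", confirm_time_based(keyword_honeypot))
```

The honeypot fails the very first check: for `sleep(3*2)` it sleeps 3 seconds where a real evaluation would sleep 6, and the `ssleep(6)` control then makes it sleep when a real database would return an error immediately. A honeypot that wanted to defeat this would have to parse and evaluate the injected SQL, which is exactly the kind of feature the maintainer's comment says EvilPot exists to force into the POC.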