arvancloud / libinjection-rs

Rust bindings for libinjection

Home Page: https://crates.io/crates/libinjection

[SECURITY] Undetectable Time-Based Injection

raminfp opened this issue · comments

Hi,

libinjection-rs is unable to detect time-based SQL injection:

1 - Payload: 1'=sleep(10)='1

use libinjection::sqli;

// libinjection::sqli returns Option<(bool, String)>: the verdict and the fingerprint
let (is_sqli, fingerprint) = sqli("1'=sleep(10)='1").unwrap();
assert!(is_sqli); // is_sqli comes back false, so this assertion fails
assert_eq!("s&sos", fingerprint);

2 - Payload used to determine the database version: '=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1

let (is_sqli, fingerprint) = sqli("'=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1").unwrap();
assert!(is_sqli); // is_sqli comes back false here as well, so this assertion fails
assert_eq!("s&sos", fingerprint);

Thanks,
Ramin - kernel security engineering
Best regards,
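
The report above is about payloads whose only "injection" marker is a call to a time-delay primitive. As an added example that is not part of libinjection-rs (or of libinjection itself), the following dependency-free Rust shows the kind of complementary check a WAF can run alongside libinjection's verdict: it normalises the input (lower-case, inline /* */ comments stripped, whitespace collapsed) and then looks for known delay functions followed by an opening parenthesis, plus MSSQL's keyword-only WAITFOR form. The function list, the normalisation rules and the sample inputs are assumptions chosen for this illustration; the two payloads from the report are included among the constructed test inputs. This is a heuristic layer, not a replacement for a tokenizer-based detector.

```rust
// Added example, not code from libinjection-rs: a dialect-aware check for
// time-delay primitives that a fingerprint-based detector can miss.

/// Time-delay primitives by dialect. More specific names come first so that
/// `dbms_lock.sleep(...)` is reported as Oracle rather than as a bare `sleep`.
/// (Assumed list for this example; extend for your own backends.)
const DELAY_FUNCTIONS: &[(&str, &str)] = &[
    ("dbms_lock.sleep", "Oracle DBMS_LOCK.SLEEP()"),
    ("dbms_pipe.receive_message", "Oracle DBMS_PIPE.RECEIVE_MESSAGE()"),
    ("pg_sleep_for", "PostgreSQL pg_sleep_for()"),
    ("pg_sleep", "PostgreSQL pg_sleep()"),
    ("benchmark", "MySQL BENCHMARK()"),
    ("sleep", "MySQL/MariaDB SLEEP()"),
];

fn is_ident(b: u8) -> bool {
    b.is_ascii_alphanumeric() || b == b'_'
}

/// Lower-case the input, drop /* ... */ comments (commonly used to split
/// tokens, e.g. `sleep/**/(5)`), and collapse whitespace runs to one space.
pub fn normalize(input: &str) -> String {
    let lower = input.to_ascii_lowercase();
    let mut out = String::with_capacity(lower.len());
    let mut chars = lower.chars().peekable();
    let mut last_space = false;
    while let Some(c) = chars.next() {
        if c == '/' && chars.peek() == Some(&'*') {
            chars.next();
            // Skip to the closing */; an unterminated comment eats the rest.
            let mut prev = '\0';
            while let Some(d) = chars.next() {
                if prev == '*' && d == '/' {
                    break;
                }
                prev = d;
            }
            continue;
        }
        if c.is_whitespace() {
            if !last_space {
                out.push(' ');
                last_space = true;
            }
        } else {
            out.push(c);
            last_space = false;
        }
    }
    out
}

/// Returns a description of the matched delay primitive, or None.
pub fn detect_time_based(input: &str) -> Option<&'static str> {
    let norm = normalize(input);
    let bytes = norm.as_bytes();
    for &(name, desc) in DELAY_FUNCTIONS {
        let mut start = 0;
        while let Some(pos) = norm[start..].find(name) {
            let idx = start + pos;
            let end = idx + name.len();
            // Whole identifier only: `asleep(` must not match `sleep(`.
            let prev_ok = idx == 0 || !is_ident(bytes[idx - 1]);
            // Allow whitespace (left over after comment removal) before '('.
            let mut j = end;
            while j < bytes.len() && bytes[j] == b' ' {
                j += 1;
            }
            if prev_ok && j < bytes.len() && bytes[j] == b'(' {
                return Some(desc);
            }
            start = end;
        }
    }
    // MSSQL has no function-call form: WAITFOR DELAY '0:0:10' / WAITFOR TIME.
    if norm.contains("waitfor delay") || norm.contains("waitfor time") {
        return Some("MSSQL WAITFOR DELAY/TIME");
    }
    None
}

fn main() {
    // Constructed inputs: the two payloads from the report, two evasions, two benign strings.
    let samples = [
        "1'=sleep(10)='1",
        "'=IF(MID(VERSION(),1,1)=1,SLEEP(10),0)='1",
        "1' AND sleep/**/(5)-- -",
        "'; WAITFOR DELAY '0:0:10'--",
        "O'Brien fell asleep at 10",
        "select * from benchmarks",
    ];
    for s in samples {
        println!("{:<45} -> {:?}", s, detect_time_based(s));
    }
}
```

Run it with `rustc` or `cargo run`; the two reported payloads and both evasions are flagged, while the benign strings containing `asleep` and `benchmarks` are not, because the check requires a whole identifier followed by `(`.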

commented

Thank you for the report. Please note that this repository is a set of bindings to libinjection.