fixed issue with JSON body when content-type header is not properly s…

…et, fixed retry mechanism as it goes into an infinite loop on error, fixed r0oth3x49#104, bumped version 1.2.6
oliver9090 · Oct 17, 2023 · dad5607 · dad5607
1 parent d13ed67
commit dad5607
Show file tree

Hide file tree

Showing 7 changed files with 68 additions and 44 deletions.
diff --git a/README.md b/README.md
@@ -1,4 +1,4 @@
-[![GitHub release](https://img.shields.io/badge/release-v1.2.5-brightgreen?style=flat-square)](https://github.com/r0oth3x49/ghauri/releases/tag/1.2.5)
+[![GitHub release](https://img.shields.io/badge/release-v1.2.6-brightgreen?style=flat-square)](https://github.com/r0oth3x49/ghauri/releases/tag/1.2.6)
 [![GitHub stars](https://img.shields.io/github/stars/r0oth3x49/ghauri?style=flat-square)](https://github.com/r0oth3x49/ghauri/stargazers)
 [![GitHub forks](https://img.shields.io/github/forks/r0oth3x49/ghauri?style=flat-square)](https://github.com/r0oth3x49/ghauri/network)
 [![GitHub issues](https://img.shields.io/github/issues/r0oth3x49/ghauri?style=flat-square)](https://github.com/r0oth3x49/ghauri/issues)

diff --git a/ghauri/__init__.py b/ghauri/__init__.py
@@ -24,7 +24,7 @@
 
 """
 
-__version__ = "1.2.5"
+__version__ = "1.2.6"
 __author__ = "Nasir Khan (r0ot h3x49)"
 __license__ = "MIT"
 __copyright__ = "Copyright (c) 2016-2025 Nasir Khan (r0ot h3x49)"

diff --git a/ghauri/common/config.py b/ghauri/common/config.py
@@ -107,6 +107,7 @@ def __init__(
  self._bool_ctf = None
  self._match_ratio_check = False
  self.fresh_queries = False
+ self.retry_counter = 0
 
  @property
  def session_filepath(self):

diff --git a/ghauri/common/payloads.py b/ghauri/common/payloads.py
@@ -468,7 +468,7 @@
  "dbms": "MySQL",
  },
  {
- "payload": "IF(now()=sysdate(),SLEEP([SLEEPTIME]),0)",
+ "payload": "if(now()=sysdate(),SLEEP([SLEEPTIME]),0)",
  "comments": [
  {"pref": "'XOR(", "suf": ")XOR'Z"},
  {"pref": '"XOR(', "suf": ')XOR"Z'},
@@ -488,7 +488,7 @@
  # {"pref": '") OR ', "suf": 'OR("1"="1-- wXyW'},
  ],
  "title": "MySQL >= 5.0.12 time-based blind (IF - comment)",
- "vector": "IF([INFERENCE],SLEEP([SLEEPTIME]),0)",
+ "vector": "if([INFERENCE],SLEEP([SLEEPTIME]),0)",
  "dbms": "MySQL",
  },
  {

diff --git a/ghauri/common/utils.py b/ghauri/common/utils.py
@@ -121,6 +121,19 @@ def __body(self):
  "application/json;charset=UTF-8",
  ]:
  return body
+ if (
+ body
+ and content_type
+ and content_type
+ not in [
+ "application/x-www-form-urlencoded",
+ "application/x-www-form-urlencoded; charset=UTF-8",
+ "application/json",
+ "application/json; charset=UTF-8",
+ "application/json;charset=UTF-8",
+ ]
+ ):
+ return body
 
  @property
  def type(self):
@@ -1422,7 +1435,7 @@ def fetch_payloads_by_suffix_prefix(
  payloads, prefix=None, suffix=None, is_parameter_replace=False
 ):
  _temp = []
- # logger.debug(f"prefix=({prefix}), suffix=({suffix})")
+ logger.debug(f"prefix=('{prefix}'), suffix=('{suffix}')")
  if is_parameter_replace:
  # in case of payload type is parameter replace then we don't need prefix and suffix in that case
  # we will use the default payload base prefixes and suffixes if any from Ghauri
@@ -1441,39 +1454,39 @@ def fetch_payloads_by_suffix_prefix(
  ]
  if prefix == None and suffix == None:
  _temp = payloads
- if prefix and suffix == None:
+ if (prefix or prefix == "") and suffix == None:
+ prefix = urldecode(prefix)
+ payload = payloads[-1].raw
+ suf_seen = set()
  for entry in payloads:
- prefix = urldecode(prefix)
- _pref = entry.prefix
- if prefix.startswith(" "):
- prefix = " "
- if _pref and prefix and _pref[0] != prefix[0]:
- pass
- # logger.debug(f"skipping payload '{entry.raw}'")
- if _pref and prefix and _pref[0] == prefix[0]:
- _temp.append(entry)
- # we should try all the prefix for now
- if suffix and prefix == None:
+ if entry.suffix not in suf_seen:
+ suf_seen.add(entry.suffix)
+ _payload = Payload(
+ prefix=prefix,
+ suffix=entry.suffix,
+ string=f"{prefix}{payload}{entry.suffix}",
+ raw=payload,
+ )
+ _temp.append(_payload)
+ if (suffix or suffix == "" or isinstance(suffix, list)) and prefix == None:
+ if isinstance(suffix, list):
+ suffix = "--"
+ payload = payloads[-1].raw
+ suffix = urldecode(suffix)
+ pref_seen = set()
  for entry in payloads:
- suffix = urldecode(suffix)
- _suff = entry.suffix
- # if suffix not in _suff:
- # logger.debug(f"skipping payload '{entry.raw}'")
- if suffix in _suff:
- _temp.append(entry)
+ if entry.prefix not in pref_seen:
+ pref_seen.add(entry.prefix)
+ _payload = Payload(
+ prefix=entry.prefix,
+ suffix=suffix,
+ string=f"{entry.prefix}{payload}{suffix}",
+ raw=payload,
+ )
+ _temp.append(_payload)
  if prefix is not None and suffix is not None:
  if isinstance(suffix, list):
  suffix = "--"
- # logger.debug(
- # f" both prefix and suffix are found for injection.. '{prefix}', '{suffix}'"
- # )
- # logger.debug("checking payloads for provided prefix and suffix..")
- # for entry in payloads:
- # _pref = entry.prefix
- # prefix = urldecode(prefix)
- # if _pref and prefix and prefix[0] == _pref[0]:
- # _temp.append(entry)
- # if not _temp:
  payload = payloads[-1].raw
  if prefix and prefix[-1] in [")", "'", '"']:
  if not prefix.endswith(" "):

diff --git a/ghauri/core/inject.py b/ghauri/core/inject.py
@@ -100,10 +100,17 @@ def inject_expression(
  logger.end("ending")
  exit(0)
  except URLError as e:
- tried = 1
- logger.critical(f"{e.reason}. Ghauri is going to retry..")
  response_ok = False
- while tried <= conf.retry:
+ conf.retry_counter += 1
+ if conf.retry_counter == conf.retry:
+ logger.critical("target URL is not responding..")
+ logger.debug(f"Reason: URLError: {e.reason}")
+ logger.debug(
+ "Ghauri was not able to establish connection to the target URL due to internet connectivity issue.."
+ )
+ logger.end("ending")
+ exit(0)
+ if conf.retry_counter <= conf.retry:
  attack = inject_expression(
  url,
  data,
@@ -117,10 +124,8 @@ def inject_expression(
  is_multipart=is_multipart,
  injection_type=injection_type,
  )
- tried += 1
  if attack.ok:
  response_ok = True
- break
  if response_ok:
  return attack
  else:
@@ -137,10 +142,17 @@ def inject_expression(
  except TimeoutError as e:
  raise e
  except Exception as e:
- tried = 1
- logger.critical(f"{e.reason}. Ghauri is going to retry..")
+ # logger.critical(f"{e.reason}. Ghauri is going to retry..")
  response_ok = False
- while tried <= conf.retry:
+ conf.retry_counter += 1
+ if conf.retry_counter == conf.retry:
+ logger.critical(
+ "target URL is not responding, Please check the target menually.."
+ )
+ logger.debug(f"Reason: URLError: {e.reason}")
+ logger.end("ending")
+ exit(0)
+ if conf.retry_counter <= conf.retry:
  attack = inject_expression(
  url,
  data,
@@ -154,10 +166,8 @@ def inject_expression(
  is_multipart=is_multipart,
  injection_type=injection_type,
  )
- tried += 1
  if attack.ok:
  response_ok = True
- break
  if response_ok:
  return attack
  raise e

diff --git a/setup.py b/setup.py
@@ -5,7 +5,7 @@
 
 setup(
  name="ghauri",
- version="1.2.5",
+ version="1.2.6",
  description="An advanced SQL injection detection & exploitation tool.",
  classifiers=["Programming Language :: Python3"],
  author="Nasir Khan",