CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/msf/core/exploit/sqli.rb
Views: 11784
1
module Msf
2
#
3
# This mixin provides helpers to perform SQL injection
4
# - provides a level of abstraction for common queries, for example, querying the table names
5
# - implements blind and time-based SQL injection in a reusable manner
6
# - Highly extendable (user can run any code to perform the requests, encode payloads and parse results)
7
#
8
module Exploit::SQLi
9
def initialize(info = {})
10
super
11
register_advanced_options(
12
[
13
OptFloat.new('SqliDelay', [ false, 'The delay to sleep on time-based blind SQL injections', 1.0 ])
14
]
15
)
16
end
17
18
#
19
# Creates an SQL injection object, this is the method module writers should use
20
# @param dbms [Class] The SQL injection class you intend to use
21
# @param opts [Hash] The options to use with this SQL injection
22
# @param query_proc [Proc] The proc that takes an SQL payload as a parameter, and queries the server
23
# @return [Object] an instance of dbms
24
#
25
def create_sqli(dbms:, opts: {}, &query_proc)
26
raise ArgumentError, 'Invalid dbms class' unless dbms.is_a?(Class) && dbms.ancestors.include?(Msf::Exploit::SQLi::Common)
27
28
dbms.new(datastore, framework, user_output, opts, &query_proc)
29
end
30
end
31
end
32
33