You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
verdict= ["no value could be read back through the injection (tried a random arithmetic product and the DBMS banner)"]
362
366
ifsuspectWaf:
363
367
verdict.append("the TRUE/FALSE difference is only an HTTP %s (blocked) response - characteristic of a WAF/IPS, not a database answer"%signal.get("trueCode"))
364
-
ifwafInterfering:
368
+
ifnotcanReadBack:
369
+
# e.g. stacked-query-only: no confirmed technique returns data inline, so a value cannot be read
370
+
# back here - that is expected by design and is NOT evidence of a false positive
371
+
verdict.append("this injection point exposes no data-returning channel (e.g. stacked queries), so a value cannot be read back inline - expected here, not a false positive")
372
+
verdict.append("=> confirm exploitation through a side effect instead (e.g. '--os-shell', or '--sql-query' run with '--technique=S')")
373
+
elifwafInterfering:
365
374
# behind a WAF, an unconfirmed read-back is ambiguous: a genuine injection whose data-retrieval
366
375
# payloads are being blocked looks the same as a pure WAF artifact - so don't assert "false
367
376
# positive", point the user at the way to disambiguate instead
0 commit comments