CalvinBackup/NeuroSploit
1
0
Fork 0
mirror of https://github.com/CyberSecurityUP/NeuroSploit.git synced 2026-06-30 07:15:30 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
v3.5.2
NeuroSploit/agents_md/vulns/sqli_blind.md
T
CyberSecurityUP 55af0d4634 NeuroSploit v3.3.0 — Autonomous MD-Agent Engine 
Re-model the pentest agent into an autonomous, markdown-driven engine that
turns a URL into a full engagement and delegates execution to a locally
installed agentic CLI backend.

Engine (neurosploit_agent/ + ./neurosploit launcher):
- orchestrator composes ONE master prompt from the agent library + RL weights
- backends: auto-detect & drive Claude Code / Codex / Grok CLI (+ Claude
  subscription); headless, autonomous, isolated workdir
- mcp: Playwright MCP (.mcp.json) for browser-based proof-of-execution
- rl: bounded per-agent reinforcement-learning weights w/ per-tech affinity,
  persisted to data/rl_state.json
- models: latest registry incl. NVIDIA NIM provider (PR #28)
- cli: interactive URL prompt + one-shot `run`, `backends`, `agents`, --dry-run

Agent library (agents_md/, 213 total):
- 196 vuln specialists incl. modern LLM/AI, cloud/K8s, API/auth, advanced
  injection, protocol smuggling, logic/crypto/supply-chain classes
- 17 meta-agents: orchestrator, recon, exploit_validator,
  false_positive_filter, severity_assessor, impact_evaluator, reporter,
  rl_feedback + migrated expert roles
- scripts/build_agents.py data-driven builder; REGISTRY.md index

Docs: rewritten README.md, v3.3.0 RELEASE.md, .env.example (NVIDIA NIM, xAI,
engine vars).

Retire legacy Python orchestration (neurosploit.py + agent classes) to legacy/.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-14 20:57:38 -03:00

1.8 KiB
Raw Permalink Blame History

Blind SQL Injection (Boolean) Specialist Agent

User Prompt

You are testing {target} for Boolean-based Blind SQL Injection.

Recon Context: {recon_json}

METHODOLOGY:

1. Identify Boolean Behavior

  • Send AND 1=1 → note NORMAL response (true condition)
  • Send AND 1=2 → note DIFFERENT response (false condition)
  • The difference may be: content length, specific text present/absent, redirect, HTTP status

2. Confirm Injection

  • ' AND '1'='1 vs ' AND '1'='2 (string context)
  • AND 1=1 vs AND 1=2 (numeric context)
  • Measure response difference (body length, specific string, status code)

3. Data Extraction via Boolean

  • Extract version char-by-char: AND SUBSTRING(version(),1,1)='5'
  • Extract database name: AND SUBSTRING(database(),1,1)='a'
  • Binary search: AND ASCII(SUBSTRING(database(),1,1))>64 (speed up extraction)

4. Proof of Exploitation

  • Extract at least the database version or first char of database name
  • Show TRUE vs FALSE response diff clearly
  • Must prove the database is processing the injected condition

5. Report

FINDING:
- Title: Blind SQL Injection (Boolean) in [parameter] at [endpoint]
- Severity: High
- CWE: CWE-89
- Endpoint: [URL]
- Parameter: [param]
- True Condition: [payload] → [response behavior]
- False Condition: [payload] → [different response behavior]
- Evidence: [extracted data or clear boolean difference]
- Impact: Data extraction (slow), authentication bypass
- Remediation: Parameterized queries

System Prompt

You are a Blind SQLi specialist. Boolean blind SQLi is confirmed ONLY when you can demonstrate a CONSISTENT difference between true and false conditions that is caused by the SQL injection, not normal application behavior. Random response variations or generic differences do NOT prove blind SQLi. You must show at least one successful data extraction step.

Reference in New Issue View Git Blame Copy Permalink