The Chronicle re.capture() function only returns the first match in the text, and it supports only 0 or 1 capture group. If the regex contains 0 capture groups, Chronicle returns the first full substring that matches the expression. If the regex contains 1 capture group, it returns only the first captured value from that match. Chronicle never scans beyond the first match and cannot return multiple matches, such as extracting every regex match from the statement. If the regex contains two or more capture groups, Chronicle throws a compilation error.
Used Regex: (?:%3A%3A|::)?[?&][^=]+=([A-Za-z0-9+/]{8,}(?:={0,2})|[0-9]{1,3}(?:\.[0-9]{1,3}){3})
Error: compilation error compiling query: generating predicates: regex passed to capture() must have 0 or 1 capture groups, but got: 4 capture groups line: 7 column: 59-127 : invalid argument
Because Chronicle stops at the first match, SQL statements containing multiple comparisons—such as 0=1 followed later by 1=1—will only match the earliest = expression in the string, preventing Chronicle from detecting the later valid tautology even if it exists.
I attached some examples also for your reference.
1.
Statement: select * from t where 0=1 where 1=1;
Used Regex: ([0-9]+)\s*=
Chronicle returns: "0" because 0= is the first match.
2.
Statement: select * from t where 0=1 where 0=1 where 1=1;
Used Regex: [0-9]+\s*=\s*[0-9]+
Chronicle returns: "0=1" because it only returns the first matching substring and cannot reach the later 1=1, which is the real Blind SQLi indicator. This limitation makes it impossible to detect Blind SQL Injection using multi-match logic, because the first comparison may not be harmful (0=1) and the harmful one may come later, so is there any way to resolve this issue?
@cmmartin_google @jstoner
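To make the limitation concrete, here is an added Python example (not Chronicle code and not from the original post) that emulates the first-match-only re.capture() behaviour described above and contrasts it with a scan over every numeric comparison in the statement; the chronicle_capture and find_tautologies helper names are this example's own, and the two statements are the ones from the post.

```python
import re

# Sample statements taken from the two examples in the post (constructed input).
STATEMENTS = [
    "select * from t where 0=1 where 1=1;",
    "select * from t where 0=1 where 0=1 where 1=1;",
]

# Two groups so both sides of the comparison can be compared.
TAUTOLOGY_RE = re.compile(r"([0-9]+)\s*=\s*([0-9]+)")


def is_accepted_by_capture(pattern: str) -> bool:
    """Hypothetical stand-in for the compile-time rule in the post:
    capture() accepts a regex only if it has 0 or 1 capture groups."""
    return re.compile(pattern).groups <= 1


def chronicle_capture(pattern: str, text: str) -> str:
    """Emulate re.capture() as described in the post (not Chronicle's own code):
    only the first match counts; 0 groups -> whole match, 1 group -> that group."""
    if not is_accepted_by_capture(pattern):
        raise ValueError("regex passed to capture() must have 0 or 1 capture groups")
    compiled = re.compile(pattern)
    m = compiled.search(text)
    if m is None:
        return ""
    return m.group(1) if compiled.groups == 1 else m.group(0)


def find_tautologies(text: str) -> list[str]:
    """Multi-match logic: scan every numeric comparison and keep the ones that
    are always true (e.g. 1=1), wherever they sit in the statement."""
    hits = []
    for m in TAUTOLOGY_RE.finditer(text):
        left, right = m.group(1), m.group(2)
        if int(left) == int(right):
            hits.append(f"{left}={right}")  # normalised, whitespace dropped
    return hits


def compare(text: str) -> dict:
    """First-match capture result next to what a full scan of the text finds."""
    return {
        "first_match": chronicle_capture(r"[0-9]+\s*=\s*[0-9]+", text),
        "all_tautologies": find_tautologies(text),
    }


if __name__ == "__main__":
    for stmt in STATEMENTS:
        print(stmt, "->", compare(stmt))
```

Running it shows first_match stuck on 0=1 for both statements while the full scan reports the later 1=1, which is exactly the gap a single-match capture leaves.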