Fix: Address PR review feedback

Module changes (cgranleese-r7):
- Remove VERBOSE from DefaultOptions
- Make COUNT required with default 0
- Simplify COUNT usage since it's now always present

Specs (bwatters-r7):
- Expand mysqli_common_spec.rb with tests for version, current_database,
  current_user, enum_database_names, enum_table_names, enum_table_columns,
  sleep_call, hex_encode_strings, hex/base64 encoders, time_blind_payload,
  and blind_detect_length binary search
- Expand mysqli_time_based_spec.rb with tests for IF/sleep payload
  generation, SqliDelay usage, test_vulnerable, and Common inheritance
- Add mysqli_benchmark_based_blind_spec.rb with tests for BENCHMARK
  multiplication payload, calibrated iterations, SHA1 seed randomization,
  test_vulnerable, and calibrate

Author: Chocapikk

modules/auxiliary/gather/avideo_catname_sqli.rb

@@ -42,7 +42,7 @@ def initialize(info = {})
           ['GHSA', 'pv87-r9qf-x56p', 'WWBN/AVideo']
         ],
         'DisclosureDate' => '2026-03-05',
-        'DefaultOptions' => { 'SqliDelay' => 1, 'VERBOSE' => true },
+        'DefaultOptions' => { 'SqliDelay' => 1 },
         'Notes' => {
           'Stability' => [CRASH_SAFE],
           'SideEffects' => [IOC_IN_LOGS],
@@ -53,7 +53,7 @@ def initialize(info = {})
 
     register_options([
       OptString.new('TARGETURI', [true, 'The base path to AVideo', '/']),
-      OptInt.new('COUNT', [false, 'Number of users to dump (default: all)', 0])
+      OptInt.new('COUNT', [true, 'Number of users to dump (default: all)', 0])
     ])
   end
 
@@ -80,7 +80,7 @@ def run
     setup_sqli
 
     columns = %w[user password]
-    count = datastore['COUNT'] > 0 ? datastore['COUNT'] : 0
+    count = datastore['COUNT']
     print_status('Dumping user credentials from the users table...')
     print_warning('Time-based blind extraction is slow (~4s per character). Be patient.')
     data = @setup_sqli.dump_table_fields('users', columns, '', count)

spec/lib/msf/core/exploit/sqli/mysqli/mysqli_benchmark_based_blind_spec.rb

@@ -0,0 +1,67 @@
+RSpec.describe Msf::Exploit::SQLi::MySQLi::BenchmarkBasedBlind do
+  let(:datastore) { { 'SqliDelay' => 1.0 } }
+
+  let(:query_proc) do
+    proc do |payload|
+      if (match = payload.match(/BENCHMARK\(\d+\*\((.+?)\),SHA1/))
+        condition = match[1]
+        # True conditions (>0) cause delay, false conditions (<0) don't
+        Timecop.travel(Time.now + 1.5) if condition.include?('>0')
+      end
+    end
+  end
+
+  let(:sqli_obj) do
+    obj = described_class.new(datastore, {}, {}, &query_proc)
+    obj.instance_variable_set(:@benchmark_iterations, 1_000_000)
+    allow(obj).to receive(:vprint_status)
+    obj
+  end
+
+  describe '#time_blind_payload' do
+    it 'generates BENCHMARK(N*(condition), SHA1(hex)) format' do
+      payload = sqli_obj.time_blind_payload('(SELECT 1)=1')
+      expect(payload).to match(/^BENCHMARK\(\d+\*\(\(SELECT 1\)=1\),SHA1\(0x[a-f0-9]+\)\)$/)
+    end
+
+    it 'uses calibrated iteration count' do
+      sqli_obj.instance_variable_set(:@benchmark_iterations, 5_000_000)
+      expect(sqli_obj.time_blind_payload('1=1')).to start_with('BENCHMARK(5000000*(1=1)')
+    end
+
+    it 'randomizes SHA1 seed per call' do
+      seed1 = sqli_obj.time_blind_payload('1=1')[/SHA1\(0x([a-f0-9]+)\)/, 1]
+      seed2 = sqli_obj.time_blind_payload('1=1')[/SHA1\(0x([a-f0-9]+)\)/, 1]
+      expect(seed1).not_to eq(seed2)
+    end
+  end
+
+  describe '#test_vulnerable' do
+    it 'confirms injection when true delays and false does not' do
+      expect(sqli_obj.test_vulnerable).to be true
+    end
+  end
+
+  describe '#calibrate' do
+    let(:uncalibrated_obj) do
+      obj = described_class.new(datastore, {}, {}, &query_proc)
+      allow(obj).to receive(:vprint_status)
+      obj
+    end
+
+    it 'sets positive iteration count from probe timing' do
+      uncalibrated_obj.send(:calibrate)
+      iterations = uncalibrated_obj.instance_variable_get(:@benchmark_iterations)
+      expect(iterations).to be_a(Integer)
+      expect(iterations).to be_positive
+    end
+  end
+
+  describe 'Common inheritance' do
+    %i[version current_database current_user enum_table_names dump_table_fields].each do |method|
+      it "responds to ##{method}" do
+        expect(sqli_obj).to respond_to(method)
+      end
+    end
+  end
+end

spec/lib/msf/core/exploit/sqli/mysqli/mysqli_common_spec.rb

@@ -1,3 +1,127 @@
 RSpec.describe Msf::Exploit::SQLi::MySQLi::Common do
   it_should_behave_like 'Msf::Exploit::SQLi::Common', described_class
+
+  let(:datastore) { { 'SqliDelay' => 1 } }
+
+  let(:query_proc) do
+    proc { |payload| payload[/'(.+?)'/, 1] || '' }
+  end
+
+  let(:sqli_obj) do
+    obj = described_class.new(datastore, {}, {}, &query_proc)
+    allow(obj).to receive(:vprint_status)
+    obj
+  end
+
+  describe 'function helpers' do
+    it '#version queries version()' do
+      allow(sqli_obj).to receive(:run_sql).with(/version\(\)/).and_return('8.0.32')
+      expect(sqli_obj.version).to eq('8.0.32')
+    end
+
+    it '#current_database queries database()' do
+      allow(sqli_obj).to receive(:run_sql).with(/database\(\)/).and_return('avideo')
+      expect(sqli_obj.current_database).to eq('avideo')
+    end
+
+    it '#current_user queries user()' do
+      allow(sqli_obj).to receive(:run_sql).with(/user\(\)/).and_return('root@localhost')
+      expect(sqli_obj.current_user).to eq('root@localhost')
+    end
+  end
+
+  describe 'enumeration' do
+    it '#enum_database_names queries information_schema.schemata' do
+      allow(sqli_obj).to receive(:run_sql).and_return('information_schema,avideo,mysql')
+      expect(sqli_obj.enum_database_names).to be_an(Array)
+    end
+
+    it '#enum_table_names queries information_schema.tables' do
+      allow(sqli_obj).to receive(:run_sql).with(/information_schema\.tables/).and_return('users,videos')
+      expect(sqli_obj.enum_table_names).to be_an(Array)
+    end
+
+    context '#enum_table_columns' do
+      it 'queries with table name' do
+        allow(sqli_obj).to receive(:run_sql).with(/table_name='users'/).and_return('id,username,password')
+        expect(sqli_obj.enum_table_columns('users')).to be_an(Array)
+      end
+
+      it 'splits database.table format' do
+        allow(sqli_obj).to receive(:run_sql).with(/table_name='users'.*table_schema/).and_return('id,username')
+        expect(sqli_obj.enum_table_columns('avideo.users')).to be_an(Array)
+      end
+    end
+  end
+
+  describe '#sleep_call' do
+    it 'returns sleep with SqliDelay value' do
+      expect(sqli_obj.sleep_call).to eq('sleep(1)')
+    end
+  end
+
+  describe '#time_blind_payload' do
+    it 'wraps condition in IF(condition, sleep, 0)' do
+      expect(sqli_obj.send(:time_blind_payload, '1=1')).to eq('if(1=1,sleep(1),0)')
+    end
+  end
+
+  describe '#hex_encode_strings' do
+    it 'converts quoted strings to hex' do
+      result = sqli_obj.send(:hex_encode_strings, "select 'admin'")
+      expect(result).to match(/0x/)
+      expect(result).not_to include("'admin'")
+    end
+
+    it 'replaces empty strings with repeat()' do
+      expect(sqli_obj.send(:hex_encode_strings, "select ''")).to match(/repeat\(0x/)
+    end
+  end
+
+  describe 'encoders' do
+    context 'hex' do
+      let(:sqli_obj) do
+        obj = described_class.new(datastore, {}, {}, { encoder: :hex }, &query_proc)
+        allow(obj).to receive(:vprint_status)
+        obj
+      end
+
+      it 'sets up hex encode/decode' do
+        encoder = sqli_obj.instance_variable_get(:@encoder)
+        expect(encoder[:encode]).to include('hex(')
+        expect(encoder[:decode]).to be_a(Proc)
+      end
+    end
+
+    context 'base64' do
+      let(:sqli_obj) do
+        obj = described_class.new(datastore, {}, {}, { encoder: :base64 }, &query_proc)
+        allow(obj).to receive(:vprint_status)
+        obj
+      end
+
+      it 'sets up base64 encode/decode' do
+        encoder = sqli_obj.instance_variable_get(:@encoder)
+        expect(encoder[:encode]).to include('to_base64(')
+        expect(encoder[:decode]).to be_a(Proc)
+      end
+    end
+  end
+
+  describe '#blind_detect_length' do
+    let(:simulated_length) { 5 }
+
+    let(:query_proc) do
+      proc do |payload|
+        if (match = payload.match(/length.*>(\d+)/)) && match[1].to_i < simulated_length
+          Timecop.travel(Time.now + 1.5)
+        end
+      end
+    end
+
+    it 'finds the correct length via binary search' do
+      length = sqli_obj.send(:blind_detect_length, 'select password from users limit 0,1', true)
+      expect(length).to eq(simulated_length)
+    end
+  end
 end

spec/lib/msf/core/exploit/sqli/mysqli/mysqli_time_based_spec.rb

@@ -1,3 +1,45 @@
 RSpec.describe Msf::Exploit::SQLi::MySQLi::TimeBasedBlind do
   it_should_behave_like 'TimeBasedBlind', described_class
+
+  let(:datastore) { { 'SqliDelay' => 1.0 } }
+
+  let(:query_proc) do
+    proc do |payload|
+      if (match = payload.match(/sleep\((\d+\.?\d*)\)/))
+        Timecop.travel(Time.now + match[1].to_f)
+      end
+    end
+  end
+
+  let(:sqli_obj) do
+    obj = described_class.new(datastore, {}, {}, &query_proc)
+    allow(obj).to receive(:vprint_status)
+    obj
+  end
+
+  describe '#time_blind_payload' do
+    it 'wraps condition in IF(condition, sleep, 0)' do
+      expect(sqli_obj.send(:time_blind_payload, '1=1')).to eq('if(1=1,sleep(1.0),0)')
+    end
+
+    it 'respects custom SqliDelay' do
+      obj = described_class.new({ 'SqliDelay' => 3.0 }, {}, {}, &query_proc)
+      allow(obj).to receive(:vprint_status)
+      expect(obj.send(:time_blind_payload, '1=1')).to eq('if(1=1,sleep(3.0),0)')
+    end
+  end
+
+  describe '#test_vulnerable' do
+    it 'confirms injection when true delays and false does not' do
+      expect(sqli_obj.test_vulnerable).to be true
+    end
+  end
+
+  describe 'Common inheritance' do
+    %i[version current_database current_user enum_table_names dump_table_fields].each do |method|
+      it "responds to ##{method}" do
+        expect(sqli_obj).to respond_to(method)
+      end
+    end
+  end
 end