few just in case fixes (unarrayizeValue in dumpTable entries) and and some refactoring (unique is now not done for every union case but only if detected that there are duplicates in union test)

2025-12-27 09:59:07 +00:00 · 2012-06-15 20:41:53 +00:00
parent 76c873a222
commit 06be7bbb18
10 changed files with 19 additions and 20 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1189,7 +1189,7 @@ def getLimitRange(count, dump=False, plusOne=False):

    return retVal

-def parseUnionPage(page, unique=True):
+def parseUnionPage(page):
    """
    Returns resulting items from inband query inside provided page content
    """
@@ -1211,7 +1211,7 @@ def parseUnionPage(page, unique=True):
            if kb.chars.start in entry:
                entry = entry.split(kb.chars.start)[-1]

-            if unique:
+            if kb.unionDuplicates:
                key = entry.lower()
                if key not in _:
                    _.append(key)
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1512,6 +1512,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
    kb.threadException = False
    kb.timeValidCharsRun = 0
    kb.uChar = NULL
+    kb.unionDuplicates = False
    kb.xpCmdshellAvailable = False

    kb.chars = AttribDict()
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -456,7 +456,7 @@ DEFAULT_COOKIE_DELIMITER = ';'
 HASHDB_FLUSH_THRESHOLD = 32

 # Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
-HASHDB_MILESTONE_VALUE = "EfjamfhMVw"  # r4856
+HASHDB_MILESTONE_VALUE = "ZTuyinSUvN"  # r5125 "".join(random.sample(string.letters, 10))

 # Warn user of possible delay due to large page dump in full UNION query injections
 LARGE_OUTPUT_THRESHOLD = 1024**2
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -356,7 +356,7 @@ def __goError(expression, expected=None, dump=False):

    return output

-def __goInband(expression, expected=None, unique=True, unpack=True, dump=False):
+def __goInband(expression, expected=None, unpack=True, dump=False):
    """
    Retrieve the output of a SQL query taking advantage of an inband SQL
    injection vulnerability on the affected parameter.
@@ -364,11 +364,11 @@ def __goInband(expression, expected=None, unique=True, unpack=True, dump=False):

    output = unionUse(expression, unpack=unpack, dump=dump)
    if isinstance(output, basestring):
-        output = parseUnionPage(output, unique)
+        output = parseUnionPage(output)

    return output

-def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, unique=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
+def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
    """
    Called each time sqlmap inject a SQL query on the SQL injection
    affected parameter. It can call a function to retrieve the output
@@ -413,9 +413,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                kb.technique = PAYLOAD.TECHNIQUE.UNION

                if expected == EXPECTED.BOOL:
-                    value = __goInband(forgeCaseExpression, expected, unique, unpack, dump)
+                    value = __goInband(forgeCaseExpression, expected, unpack, dump)
                else:
-                    value = __goInband(query, expected, unique, unpack, dump)
+                    value = __goInband(query, expected, unpack, dump)

                count += 1
                found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
@@ -188,7 +188,7 @@ class xp_cmdshell:

            self.delRemoteFile(tmpFile)

-            output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, unique=False, firstChar=first, lastChar=last, safeCharEncode=False)
+            output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last, safeCharEncode=False)
            inject.goStacked("DELETE FROM %s" % self.cmdTblName)

            if output and isinstance(output, (list, tuple)):
--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@@ -186,7 +186,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL

        if content and phrase in content:
            validPayload = payload
-            vector = (position, count, comment, prefix, suffix, kb.uChar, where)
+            vector = (position, count, comment, prefix, suffix, kb.uChar, where, content.count(phrase) > 1)

            if where == PAYLOAD.WHERE.ORIGINAL:
                # Prepare expression with delimiters
--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@@ -66,6 +66,7 @@ def __oneShotUnionUse(expression, unpack=True, limited=False):

        # Forge the inband SQL injection request
        vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
+        kb.unionDuplicates = vector[7]
        query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
        payload = agent.payload(newValue=query, where=where)