Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!

2025-12-09 06:01:29 +00:00 · 2010-11-17 22:00:09 +00:00
parent ca5125bbe0
commit 17486e472a
20 changed files with 77 additions and 78 deletions
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -442,7 +442,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                    # One-shot query containing equals commonValue
                    testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
                    query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
-                    query = agent.postfixQuery(query)
+                    query = agent.suffixQuery(query)
                    queriesCount[0] += 1
                    result = Request.queryPage(agent.payload(newValue=query))

@@ -466,7 +466,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                    subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
                    testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
                    query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
-                    query = agent.postfixQuery(query)
+                    query = agent.suffixQuery(query)
                    queriesCount[0] += 1
                    result = Request.queryPage(agent.payload(newValue=query))

--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@@ -28,7 +28,7 @@ def timeTest():

    timeQuery = getDelayQuery(andCond=True)
    query     = agent.prefixQuery("AND %s" % timeQuery)
-    query     = agent.postfixQuery(query)
+    query     = agent.suffixQuery(query)
    payload   = agent.payload(newValue=query)
    start     = time.time()
    _         = Request.queryPage(payload)
--- a/lib/techniques/brute/use.py
+++ b/lib/techniques/brute/use.py
@@ -38,7 +38,7 @@ def tableExists(tableFile):
        if conf.db and '(*)' not in conf.db:
            table = "%s.%s" % (conf.db, table)
        query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %d FROM %s)", (randomInt(1), table)))
-        query = agent.postfixQuery(query)
+        query = agent.suffixQuery(query)
        result = Request.queryPage(agent.payload(newValue=query))

        if result:
@@ -89,7 +89,7 @@ def columnExists(columnFile):

    for column in columns:
        query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s)", (column, table)))
-        query = agent.postfixQuery(query)
+        query = agent.suffixQuery(query)
        result = Request.queryPage(agent.payload(newValue=query))

        if result:
@@ -114,7 +114,7 @@ def columnExists(columnFile):

        for column in retVal:
            query = agent.prefixQuery("%s" % safeStringFormat("AND EXISTS(SELECT %s FROM %s WHERE %s>0)", (column, table, column)))
-            query = agent.postfixQuery(query)
+            query = agent.suffixQuery(query)
            result = Request.queryPage(agent.payload(newValue=query))

            if result:
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -40,7 +40,7 @@ def errorUse(expression, returnPayload=False):
    logic          = conf.logic
    randInt        = randomInt(1)
    query          = agent.prefixQuery(queries[kb.misc.testedDbms].error.query)
-    query          = agent.postfixQuery(query)
+    query          = agent.suffixQuery(query)
    startLimiter   = ""
    endLimiter     = ""

--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -128,7 +128,7 @@ def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):
        if kb.dbms == DBMS.ORACLE:
            query += " FROM DUAL"

-        commentedQuery = agent.postfixQuery(query, comment)
+        commentedQuery = agent.suffixQuery(query, comment)
        payload = agent.payload(newValue=commentedQuery, negative=negative, falseCond=falseCond)
        test, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)

@@ -145,7 +145,7 @@ def __unionTestByOrderBy(comment, negative=False, falseCond=False):

    for count in range(1, conf.uCols+2):
        query = agent.prefixQuery("ORDER BY %d" % count)
-        orderByQuery = agent.postfixQuery(query, comment)
+        orderByQuery = agent.suffixQuery(query, comment)
        payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
        _, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)