Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!

2025-12-07 05:01:30 +00:00 · 2010-11-17 22:00:09 +00:00
parent ca5125bbe0
commit 17486e472a
20 changed files with 77 additions and 78 deletions
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -128,7 +128,7 @@ def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):
        if kb.dbms == DBMS.ORACLE:
            query += " FROM DUAL"

-        commentedQuery = agent.postfixQuery(query, comment)
+        commentedQuery = agent.suffixQuery(query, comment)
        payload = agent.payload(newValue=commentedQuery, negative=negative, falseCond=falseCond)
        test, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)

@@ -145,7 +145,7 @@ def __unionTestByOrderBy(comment, negative=False, falseCond=False):

    for count in range(1, conf.uCols+2):
        query = agent.prefixQuery("ORDER BY %d" % count)
-        orderByQuery = agent.postfixQuery(query, comment)
+        orderByQuery = agent.suffixQuery(query, comment)
        payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
        _, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)