From 3464a70ac2407b20c0cced436aa6940003ce468a Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Wed, 16 Jan 2013 01:53:33 +0000
Subject: [PATCH] bug fix: without this generic concatenation of strings in concatQuery(), detection of UNION query SQLi only (--technique U) when the page did not disclose any DBMS error message and it was not MySQL (for which there are UNION SQLi specific payloads) was not detected
---
 lib/core/agent.py | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index d7cf5c18a..45ec83a77 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -588,7 +588,23 @@ class Agent(object):
 concatenatedQuery = "'%s'&%s&'%s'" % (kb.chars.start, concatenatedQuery, kb.chars.stop)
 else:
- concatenatedQuery = query
+ warnMsg = "applying generic concatenation with double pipes ('||')"
+ singleTimeWarnMessage(warnMsg)
+
+ if fieldsExists:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
+ concatenatedQuery += "||'%s'" % kb.chars.stop
+ elif fieldsSelectCase:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||(SELECT " % kb.chars.start, 1)
+ concatenatedQuery += ")||'%s'" % kb.chars.stop
+ elif fieldsSelectFrom:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
+ concatenatedQuery = concatenatedQuery.replace(" FROM ", "||'%s' FROM " % kb.chars.stop, 1)
+ elif fieldsSelect:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
+ concatenatedQuery += "||'%s'" % kb.chars.stop
+ elif fieldsNoSelect:
+ concatenatedQuery = "'%s'||%s||'%s'" % (kb.chars.start, concatenatedQuery, kb.chars.stop)
 return concatenatedQuery
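Review bot: The new generic branch has no terminal `else`, so when none of fieldsExists, fieldsSelectCase, fieldsSelectFrom, fieldsSelect or fieldsNoSelect holds, concatenatedQuery is returned without the kb.chars.start/kb.chars.stop markers and the caller gets no signal that the wrapping was skipped, whereas the removed `concatenatedQuery = query` at least made the fallback explicit. Whether concatenatedQuery is always bound before this chain cannot be confirmed here, since concatQuery starts outside the hunk. A closing `else:` with `singleTimeWarnMessage("generic concatenation: query shape not recognized, markers not applied")` would keep that case visible in the log. The `replace("SELECT ", ..., 1)` and `replace(" FROM ", ..., 1)` calls are also case-sensitive and rewrite only the first occurrence, so a lower-case `select` or a query whose first `SELECT `/` FROM ` belongs to a subselect is rewritten at the wrong position; presumably the flags from getFields() guarantee the leading keyword, which is worth stating in a comment above the chain.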