using UNION SELECT for where=..NEGATIVE

2025-12-28 02:19:05 +00:00 · 2012-02-22 09:41:58 +00:00
parent c9d570c83b
commit 386e98a0e3
4 changed files with 7 additions and 7 deletions
--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@@ -107,7 +107,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
    pages = {}

    for count in xrange(lowerCount, upperCount+1):
-        query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar)
+        query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
        payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
        page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
        if not isNullValue(kb.uChar):
@@ -181,7 +181,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
        randQueryUnescaped = unescaper.unescape(randQueryProcessed)

        # Forge the inband SQL injection request
-        query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar)
+        query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where)
        payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)

        # Perform the request
@@ -202,7 +202,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
                randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)

                # Confirm that it is a full inband SQL injection
-                query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, multipleUnions=randQueryUnescaped2)
+                query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2)
                payload = agent.payload(place=place, parameter=parameter, newValue=query, where=PAYLOAD.WHERE.NEGATIVE)

                # Perform the request
--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@@ -61,7 +61,7 @@ def __oneShotUnionUse(expression, unpack=True, limited=False):

        # Forge the inband SQL injection request
        vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
-        query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], None, limited)
+        query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
        payload = agent.payload(newValue=query, where=where)

        # Perform the request