Major bug fix to detect UNION query technique and various improvements to parsing and using of --union-char and --union-cols switches

2025-12-09 22:21:30 +00:00 · 2011-05-10 15:34:54 +00:00
parent 707edc7b1a
commit 3a8309c4b0
5 changed files with 301 additions and 49 deletions
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -61,7 +61,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
    min_, max_ = MAX_RATIO, MIN_RATIO

    for count in range(lowerCount, upperCount+1):
-        query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, conf.uChar)
+        query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar)
        payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
        page, _ = Request.queryPage(payload, place=place, content=True, raise404=False)
        ratio = comparison(page, True) or MIN_RATIO
@@ -122,7 +122,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
        randQueryUnescaped = unescaper.unescape(randQueryProcessed)

        # Forge the inband SQL injection request
-        query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)
+        query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar)
        payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)

        # Perform the request
@@ -141,7 +141,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe

        if content and phrase in content:
            validPayload = payload
-            vector = (position, count, comment, prefix, suffix, conf.uChar, where)
+            vector = (position, count, comment, prefix, suffix, kb.uChar, where)

            if where == PAYLOAD.WHERE.ORIGINAL:
                # Prepare expression with delimiters
@@ -151,7 +151,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
                randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)

                # Confirm that it is a full inband SQL injection
-                query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
+                query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, multipleUnions=randQueryUnescaped2)
                payload = agent.payload(place=place, parameter=parameter, newValue=query, where=PAYLOAD.WHERE.NEGATIVE)

                # Perform the request
@@ -159,7 +159,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
                content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "")

                if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):
-                    vector = (position, count, comment, prefix, suffix, conf.uChar, PAYLOAD.WHERE.NEGATIVE)
+                    vector = (position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE)

            if not unionErrorCase:
                break
@@ -190,7 +190,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix

    validPayload = None
    vector = None
-    query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)
+    query = agent.prefixQuery("UNION ALL SELECT %s" % kb.uChar)
    total = conf.uColsStop+1 - conf.uColsStart

    count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix)
@@ -200,7 +200,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
            query = query[:-len(FROM_TABLE[Backend.getIdentifiedDbms()])]

        if count:
-            query += ", %s" % conf.uChar
+            query += ", %s" % kb.uChar

        if Backend.getIdentifiedDbms() in FROM_TABLE:
            query += FROM_TABLE[Backend.getIdentifiedDbms()]
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -88,13 +88,18 @@ def __oneShotUnionUse(expression, unpack=True):

 def configUnion(char=None, columns=None):
    def __configUnionChar(char):
-        if isinstance(char, basestring):
-            if any([char.isdigit(), char == "NULL", char == "[RANDNUM]"]):
-                conf.uChar = char
-            else:
-                conf.uChar = "'%s'" % char.strip("'")
+        if not isinstance(char, basestring):
+            return
+
+        kb.uChar = char
+
+        if conf.uChar is not None:
+            kb.uChar = char.replace("[CHAR]", conf.uChar if conf.uChar.isdigit() else "'%s'" % conf.uChar.strip("'"))

    def __configUnionCols(columns):
+        if not isinstance(columns, basestring):
+            return
+
        columns = columns.replace(" ", "")
        colsStart, colsStop = columns.split("-")

@@ -109,15 +114,8 @@ def configUnion(char=None, columns=None):
            errMsg += "higher number of columns"
            raise sqlmapSyntaxException, errMsg

-    if isinstance(conf.uChar, basestring):
-        __configUnionChar(conf.uChar)
-    elif isinstance(char, basestring):
-        __configUnionChar(char)
-
-    if isinstance(conf.uCols, basestring):
-        __configUnionCols(conf.uCols)
-    elif isinstance(columns, basestring):
-        __configUnionCols(columns)
+    __configUnionChar(char)
+    __configUnionCols(conf.uCols or columns)

 def unionUse(expression, unpack=True, dump=False):
    """