Patching silent per-thread issue with technique switching (fixes #3784)

Miroslav Stampar
2019-07-01 10:43:05 +02:00
parent 32e09c8dfb
commit 3abd3e1a8d
9 changed files with 74 additions and 53 deletions


@@ -12,6 +12,7 @@ from lib.core.common import Backend
from lib.core.common import extractRegexResult
from lib.core.common import filterNone
from lib.core.common import getSQLSnippet
from lib.core.common import getTechnique
from lib.core.common import isDBMSVersionAtLeast
from lib.core.common import isNumber
from lib.core.common import isTechniqueAvailable
@@ -89,8 +90,8 @@ class Agent(object):
if kb.forceWhere:
where = kb.forceWhere
elif where is None and isTechniqueAvailable(kb.technique):
where = kb.injection.data[kb.technique].where
elif where is None and isTechniqueAvailable(getTechnique()):
where = kb.injection.data[getTechnique()].where
if kb.injection.place is not None:
place = kb.injection.place
@@ -234,8 +235,8 @@ class Agent(object):
expression = unescaper.escape(expression)
query = None
if where is None and kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where
if where is None and getTechnique() is not None and getTechnique() in kb.injection.data:
where = kb.injection.data[getTechnique()].where
# If we are replacing (<where>) the parameter original value with
# our payload do not prepend with the prefix
@@ -244,7 +245,7 @@ class Agent(object):
# If the technique is stacked queries (<stype>) do not put a space
# after the prefix or it is in GROUP BY / ORDER BY (<clause>)
elif kb.technique == PAYLOAD.TECHNIQUE.STACKED:
elif getTechnique() == PAYLOAD.TECHNIQUE.STACKED:
query = kb.injection.prefix
elif kb.injection.clause == [2, 3] or kb.injection.clause == [2] or kb.injection.clause == [3]:
query = kb.injection.prefix
@@ -282,9 +283,9 @@ class Agent(object):
# Take default values if None
suffix = kb.injection.suffix if kb.injection and suffix is None else suffix
if kb.technique and kb.technique in kb.injection.data:
where = kb.injection.data[kb.technique].where if where is None else where
comment = kb.injection.data[kb.technique].comment if comment is None else comment
if getTechnique() is not None and getTechnique() in kb.injection.data:
where = kb.injection.data[getTechnique()].where if where is None else where
comment = kb.injection.data[getTechnique()].comment if comment is None else comment
if Backend.getIdentifiedDbms() == DBMS.ACCESS and any((comment or "").startswith(_) for _ in ("--", "[GENERIC_SQL_COMMENT]")):
comment = queries[DBMS.ACCESS].comment.query
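Review bot: `getTechnique()` is called three times in the last hunk (twice in the guard `if getTechnique() is not None and getTechnique() in kb.injection.data:` and again in each `kb.injection.data[getTechnique()]` lookup), and the `@@ -234` and `isTechniqueAvailable` hunks repeat the same pattern; binding it once per branch, `technique = getTechnique()` followed by `if technique is not None and technique in kb.injection.data:` and `kb.injection.data[technique]`, gives each branch a single resolved value and makes the per-thread intent of the fix readable at the call site. The helper's body is not in this diff, so whether the repeated calls are a cheap thread-local read or something heavier cannot be confirmed here. The old guards tested `kb.technique` for truthiness while the new ones test `is not None`, which is only equivalent if the helper never returns a falsy non-None value; plausible for technique identifiers, but worth confirming against its implementation. The enclosing `Agent` methods start and end outside these hunks.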