Finally a proper union query SQL injection test engine for --union-test. It does much more requests, but for god sake now it works well!

lib/core/agent.py

@@ -425,7 +425,7 @@ class Agent:
 
         return concatenatedQuery
 
-    def forgeInbandQuery(self, query, exprPosition=None, nullChar="NULL"):
+    def forgeInbandQuery(self, query, exprPosition=None, nullChar="NULL", count=None, comment=None):
         """
         Take in input an query (pseudo query) string and return its
         processed UNION ALL SELECT query.
@@ -456,6 +456,12 @@ class Agent:
         @rtype: C{str}
         """
 
+        if count is None:
+            count = kb.unionCount
+
+        if comment is None:
+            comment = kb.unionComment
+
         inbandQuery = self.prefixQuery("UNION ALL SELECT ")
 
         if query.startswith("TOP"):
@@ -475,7 +481,7 @@ class Agent:
         if kb.dbms == DBMS.ORACLE and inbandQuery.endswith(" FROM DUAL"):
             inbandQuery = inbandQuery[:-len(" FROM DUAL")]
 
-        for element in range(kb.unionCount):
+        for element in range(count):
             if element > 0:
                 inbandQuery += ", "
 
@@ -499,7 +505,7 @@ class Agent:
         if intoRegExp:
             inbandQuery += intoRegExp
 
-        inbandQuery = self.suffixQuery(inbandQuery, kb.unionComment)
+        inbandQuery = self.suffixQuery(inbandQuery, comment)
 
         return inbandQuery
 

lib/core/session.py

@@ -219,26 +219,32 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
     @type position: C{str}
     """
 
-    if comment and count:
+    if comment:
         condition = (
                       not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
-                      ( not kb.resumedQueries[conf.url].has_key("Union comment") 
-                      or not kb.resumedQueries[conf.url].has_key("Union count")
-                      ) )
+                      not kb.resumedQueries[conf.url].has_key("Union comment") )
                     )
 
         if condition:
             dataToSessionFile("[%s][%s][%s][Union comment][%s]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace]), safeFormatString(comment)))
-            dataToSessionFile("[%s][%s][%s][Union count][%s]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace]), count))
 
         kb.unionComment = comment
+
+    if count:
+        condition = (
+                      not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+                      not kb.resumedQueries[conf.url].has_key("Union count") )
+                    )
+
+        if condition:
+            dataToSessionFile("[%s][%s][%s][Union count][%d]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace]), count))
+
         kb.unionCount = count
 
     if position is not None:
         condition = (
                       not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
-                      ( not kb.resumedQueries[conf.url].has_key("Union position")
-                      ) )
+                      not kb.resumedQueries[conf.url].has_key("Union position") )
                     )
 
         if condition:
@@ -485,15 +491,13 @@ def resumeConfKb(expression, url, value):
     elif expression == "Union negative" and url == conf.url:
         kb.unionNegative = True if value[:-1] == "Yes" else False
 
-        logMsg  = "resuming union negative "
-        logMsg += "%s from session file" % kb.unionPosition
+        logMsg = "resuming union negative from session file"
         logger.info(logMsg)
 
     elif expression == "Union false condition" and url == conf.url:
         kb.unionFalseCond = True if value[:-1] == "Yes" else False
 
-        logMsg  = "resuming union false condition "
-        logMsg += "%s from session file" % kb.unionPosition
+        logMsg = "resuming union false condition from session file"
         logger.info(logMsg)
 
     elif expression == "Union payload" and url == conf.url: