Update for an Issue #278

This commit is contained in:
Miroslav Stampar
2012-12-05 10:45:17 +01:00
parent 949fcb77cf
commit 775e0df04b
17 changed files with 46 additions and 43 deletions


@@ -138,7 +138,7 @@ def __formatInjection(inj):
title = title.replace("columns", "column")
elif comment:
vector = "%s%s" % (vector, comment)
data += " Type: %s\n" % (PAYLOAD.SQLINJECTION[stype] if "inline" not in title else "inline query")
data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
data += " Title: %s\n" % title
data += " Payload: %s\n" % agent.adjustLateValues(sdata.payload)
data += " Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
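Review bot: The new `Type:` line picks its label by testing whether the human-readable title contains "inline", so the output now depends on title wording rather than on the technique itself; a future title that mentions "inline" for a different payload would be mislabelled. This commit also adds `PAYLOAD.TECHNIQUE.QUERY = 6` with `SQLINJECTION[6] = "inline query"`, so the label would be more robust keyed on the technique number where `stype` is determined, e.g. `label = PAYLOAD.SQLINJECTION[PAYLOAD.TECHNIQUE.QUERY if "inline" in title else stype]` with the string lookup kept in one place. Failing that, a comment on the line is needed, along the lines of `# inline-query payloads apparently carry the error-based stype; the title is the only marker` — that reading is inferred from the getValue hunk in this commit and should be confirmed. `__formatInjection` starts and ends outside the hunk.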


@@ -21,7 +21,7 @@ _defaults = {
"level": 1,
"risk": 1,
"dumpFormat": "CSV",
"tech": "BEUST",
"tech": "BEUSTQ",
"torType": "HTTP"
}
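Review bot: The default technique string gains the new `Q` letter, but the code that parses and validates the `--technique` letters is not in this diff, and it must accept `Q` too or the default itself would be rejected; worth confirming it is updated in one of the other changed files. A short comment beside the entry, `"tech": "BEUSTQ",  # boolean, error, union, stacked, time, inline query`, would keep the letter list self-describing for the next addition.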


@@ -177,7 +177,8 @@ class PAYLOAD:
2: "error-based",
3: "UNION query",
4: "stacked queries",
5: "AND/OR time-based blind"
5: "AND/OR time-based blind",
6: "inline query"
}
PARAMETER = {
@@ -219,6 +220,7 @@ class PAYLOAD:
UNION = 3
STACKED = 4
TIME = 5
QUERY = 6
class WHERE:
ORIGINAL = 1
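Review bot: `QUERY = 6` is added without a comment, and the name reads ambiguously next to `UNION`, whose `SQLINJECTION` label is also "UNION query"; nothing at the definition site ties the constant to `SQLINJECTION[6] = "inline query"`. A one-line comment, `QUERY = 6  # inline query, label in PAYLOAD.SQLINJECTION[6]`, would make the pairing explicit. From the getValue and errorUse hunks in this commit it looks like the inline technique is retrieved through the error-based code path; if that is the design, it is worth stating here as well, since this is where readers look up the technique numbers.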


@@ -105,7 +105,7 @@ def runThreads(numThreads, threadFunction, cleanupFunction=None, forwardExceptio
kb.threadContinue = True
kb.threadException = False
if threadChoice and numThreads == 1 and any(map(lambda x: x in kb.injection.data, [PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.UNION])):
if threadChoice and numThreads == 1 and any(map(lambda _: _ in kb.injection.data, (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY, PAYLOAD.TECHNIQUE.UNION))):
while True:
message = "please enter number of threads? [Enter for %d (current)] " % numThreads
choice = readInput(message, default=str(numThreads))
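Review bot: The rewritten condition names the lambda parameter `_`, which conventionally marks a value that is not used, while here it is the value being tested; it also keeps `any(map(lambda ...))` where the other hunks in this commit (getValue, xp_cmdshell) use a generator expression for the same check. `if threadChoice and numThreads == 1 and any(technique in kb.injection.data for technique in (PAYLOAD.TECHNIQUE.BOOLEAN, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY, PAYLOAD.TECHNIQUE.UNION)):` is equivalent and reads consistently with the rest of the change. `runThreads` starts and ends outside the hunk.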


@@ -407,14 +407,14 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
count += 1
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
if error and isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) and not found:
kb.technique = PAYLOAD.TECHNIQUE.ERROR
if error and any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) and not found:
kb.technique = PAYLOAD.TECHNIQUE.ERROR if isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) else PAYLOAD.TECHNIQUE.QUERY
value = errorUse(forgeCaseExpression if expected == EXPECTED.BOOL else query, dump)
count += 1
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
if found and conf.dnsName:
_ = "".join(filter(None, (key if isTechniqueAvailable(value) else None for key, value in {"E":PAYLOAD.TECHNIQUE.ERROR, "U":PAYLOAD.TECHNIQUE.UNION}.items())))
_ = "".join(filter(None, (key if isTechniqueAvailable(value) else None for key, value in {"E":PAYLOAD.TECHNIQUE.ERROR, "Q":PAYLOAD.TECHNIQUE.QUERY, "U":PAYLOAD.TECHNIQUE.UNION}.items())))
warnMsg = "option '--dns-domain' will be ignored "
warnMsg += "as faster techniques are usable "
warnMsg += "(%s) " % _
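Review bot: The `--dns-domain` warning builds its letter list by iterating a dict literal, `{"E": ..., "Q": ..., "U": ...}.items()`, whose iteration order is not guaranteed on the Python 2 line this codebase targets, so the "(EQU)" text can come out in a different order from run to run; a tuple of pairs fixes it: `_ = "".join(key for key, value in (("E", PAYLOAD.TECHNIQUE.ERROR), ("Q", PAYLOAD.TECHNIQUE.QUERY), ("U", PAYLOAD.TECHNIQUE.UNION)) if isTechniqueAvailable(value))`. Separately, the inline-query branch is gated by the existing `error` parameter, so a caller passing `error=False` to skip error-based retrieval now also loses inline query with no way to choose; if that is intended, the parameter's docstring (outside the hunk) should say so. Note also that `kb.technique` is set here and read back inside errorUse, so the two hunks are order-dependent. `getValue` starts and ends outside the hunk.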


@@ -209,7 +209,7 @@ class xp_cmdshell:
query = "SELECT %s FROM %s" % (self.tblField, self.cmdTblName)
if conf.direct or any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR)):
if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
output = inject.getValue(query, resumeValue=False, blind=False, time=False)
else:
output = []
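Review bot: Moving `conf.direct` behind the `any(...)` drops the short-circuit, so in direct mode the three `isTechniqueAvailable` calls now run before the flag is consulted. If `isTechniqueAvailable` is safe to call without an injection record this is only wasted work; otherwise keep the cheap flag first: `if conf.direct or any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)):`. The enclosing method starts and ends outside the hunk.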


@@ -83,7 +83,7 @@ def __oneShotErrorUse(expression, field=None):
nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, chunk_length)
# Forge the error-based SQL injection request
vector = kb.injection.data[PAYLOAD.TECHNIQUE.ERROR].vector
vector = kb.injection.data[kb.technique].vector
query = agent.prefixQuery(vector)
query = agent.suffixQuery(query)
injExpression = expression.replace(field, nulledCastedField, 1) if field else expression
@@ -94,7 +94,7 @@ def __oneShotErrorUse(expression, field=None):
# Perform the request
page, headers = Request.queryPage(payload, content=True)
incrementCounter(PAYLOAD.TECHNIQUE.ERROR)
incrementCounter(kb.technique)
# Parse the returned page to get the exact error-based
# SQL injection output
@@ -227,7 +227,7 @@ def errorUse(expression, dump=False):
SQL injection vulnerability on the affected parameter.
"""
initTechnique(PAYLOAD.TECHNIQUE.ERROR)
initTechnique(kb.technique)
abortedFlag = False
count = None
@@ -416,7 +416,7 @@ def errorUse(expression, dump=False):
duration = calculateDeltaSeconds(start)
if not kb.bruteMode:
debugMsg = "performed %d queries in %d seconds" % (kb.counters[PAYLOAD.TECHNIQUE.ERROR], duration)
debugMsg = "performed %d queries in %d seconds" % (kb.counters[kb.technique], duration)
logger.debug(debugMsg)
return outputs
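Review bot: `errorUse` and `__oneShotErrorUse` now read the technique from `kb.technique` instead of the fixed ERROR constant, so they silently depend on the caller having set `kb.technique` to ERROR or QUERY first (getValue does, in this commit); a call made while `kb.technique` still holds another technique would index `kb.injection.data` with the wrong key and forge a vector from the wrong payload, and the same global is used for the counter and the timing message in the later hunks. Either pass the technique explicitly — `def errorUse(expression, dump=False, technique=None)` with `technique = technique if technique is not None else kb.technique` threaded through to `__oneShotErrorUse` — or reject any other value of `kb.technique` at the top of `errorUse` before `initTechnique` runs. The docstring that ends just above the `initTechnique(kb.technique)` line should state this precondition, e.g. "Expects kb.technique to be PAYLOAD.TECHNIQUE.ERROR or PAYLOAD.TECHNIQUE.QUERY; the caller selects which." Both function bodies extend beyond the hunks shown.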