One more step to fully working UNION exploitation after merge into detection phase

2026-01-22 14:19:03 +00:00 · 2011-01-12 01:13:32 +00:00
parent b5c6f7556f
commit 8a67aea754
9 changed files with 38 additions and 85 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -473,7 +473,7 @@ class Agent:

        return concatenatedQuery

-    def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None, prefix=None, suffix=None, multipleUnions=None):
+    def forgeInbandQuery(self, query, exprPosition=None, count=None, comment=None, prefix=None, suffix=None, multipleUnions=None):
        """
        Take in input an query (pseudo query) string and return its
        processed UNION ALL SELECT query.
@@ -504,15 +504,6 @@ class Agent:
        @rtype: C{str}
        """

-        if nullChar is None:
-            nullChar = conf.uChar
-
-        if count is None:
-            count = kb.unionCount
-
-        if comment is None:
-            comment = kb.unionComment
-
        if query.startswith("SELECT "):
            query        = query[len("SELECT "):]

@@ -523,9 +514,6 @@ class Agent:
            query        = query[len("TOP %s " % topNum):]
            inbandQuery += "TOP %s " % topNum

-        if not isinstance(exprPosition, int):
-            exprPosition = kb.unionPosition
-
        intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)

        if intoRegExp:
@@ -546,7 +534,7 @@ class Agent:
                else:
                    inbandQuery += query
            else:
-                inbandQuery += nullChar
+                inbandQuery += conf.uChar

        if " FROM " in query and not query.startswith("SELECT ") and "(CASE WHEN (" not in query:
            conditionIndex = query.index(" FROM ")
@@ -569,7 +557,7 @@ class Agent:
                if element == exprPosition:
                    inbandQuery += multipleUnions
                else:
-                    inbandQuery += nullChar
+                    inbandQuery += conf.uChar

            if kb.dbms == DBMS.ORACLE:
                inbandQuery += " FROM DUAL"
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1109,9 +1109,6 @@ def __setKnowledgeBaseAttributes(flushAll=True):

    kb.data            = advancedDict()

-    # Old style injection flag
-    kb.unionTest       = None
-
    # Basic back-end DBMS fingerprint
    kb.dbms            = None
    kb.dbmsDetected    = False
@@ -1167,9 +1164,6 @@ def __setKnowledgeBaseAttributes(flushAll=True):
    kb.threadContinue  = True
    kb.threadException = False
    kb.threadData      = {}
-    kb.unionComment    = ""
-    kb.unionCount      = None
-    kb.unionPosition   = None
    kb.unionNegative   = False

    if flushAll:
--- a/lib/core/session.py
+++ b/lib/core/session.py
@@ -191,27 +191,7 @@ def setOs():
    if condition:
        dataToSessionFile("[%s][%s][%s][OS][%s]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place]), safeFormatString(kb.os)))

-def setUnion(comment=None, count=None, position=None, negative=False, char=None, payload=None):
-    """
-    @param comment: union comment to save in session file
-    @type comment: C{str}
-
-    @param count: union count to save in session file
-    @type count: C{str}
-
-    @param position: union position to save in session file
-    @type position: C{str}
-    """
-
-    if comment:
-        kb.unionComment = comment
-
-    if count:
-        kb.unionCount = count
-
-    if position is not None:
-        kb.unionPosition = position
-
+def setUnion(negative=False):
    if negative:
        kb.unionNegative = True

--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -30,9 +30,6 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
    validPayload = None
    unionVector = None

-    if count is None:
-        count = kb.unionCount
-
    # For each column of the table (# of NULL) perform a request using
    # the UNION ALL SELECT statement to test it the target url is
    # affected by an exploitable inband SQL injection vulnerability
@@ -50,9 +47,8 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
        resultPage, _ = Request.queryPage(payload, place=place, content=True)

        if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage:
-            setUnion(position=exprPosition)
            validPayload = payload
-            unionVector = agent.forgeInbandQuery("[QUERY]", exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix)
+            unionVector = (exprPosition, count, comment, prefix, suffix)

            if where == 1:
                # Prepare expression with delimiters
@@ -80,21 +76,20 @@ def __unionConfirm(comment, place, parameter, value, prefix, suffix, dbms, count

    # Confirm the inband SQL injection and get the exact column
    # position which can be used to extract data
-    if not isinstance(kb.unionPosition, int):
-        validPayload, unionVector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count)
+    validPayload, unionVector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count)

-        # Assure that the above function found the exploitable full inband
-        # SQL injection position
-        if not isinstance(kb.unionPosition, int):
-            validPayload, unionVector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count, where=2)
+    # Assure that the above function found the exploitable full inband
+    # SQL injection position
+    if not validPayload:
+        validPayload, unionVector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count, where=2)

-            # Assure that the above function found the exploitable partial
-            # (single entry) inband SQL injection position with negative
-            # parameter validPayload
-            if not isinstance(kb.unionPosition, int):
-                return None, None
-            else:
-                setUnion(negative=True)
+        # Assure that the above function found the exploitable partial
+        # (single entry) inband SQL injection position with negative
+        # parameter validPayload
+        if not validPayload:
+            return None, None
+        else:
+            setUnion(negative=True)

    return validPayload, unionVector

@@ -126,7 +121,6 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
        validPayload, unionVector = __unionConfirm(comment, place, parameter, value, prefix, suffix, dbms, count)

        if validPayload:
-            setUnion(count=count)
            break

    clearConsoleLine(True)
@@ -148,8 +142,5 @@ def unionTest(comment, place, parameter, value, prefix, suffix, dbms):

    if validPayload:
        validPayload = agent.removePayloadDelimiters(validPayload, False)
-        setUnion(char=conf.uChar)
-        setUnion(comment=comment)
-        setUnion(payload=validPayload)

    return validPayload, unionVector
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -51,9 +51,6 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
    if resetCounter:
        reqCount = 0

-    if not kb.unionCount:
-        return
-
    # Prepare expression with delimiters
    if unescape:
        expression = agent.concatQuery(expression, unpack)
@@ -211,8 +208,8 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh

    else:
        # Forge the inband SQL injection request
-        query = unescaper.unescape(expression)
-        query = agent.cleanupPayload(kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector, query=query)
+        vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
+        query = agent.forgeInbandQuery(expression, exprPosition=vector[0], count=vector[1], comment=vector[2], prefix=vector[3], suffix=vector[4])
        payload = agent.payload(newValue=query)

        # Perform the request