One more step to fully working UNION exploitation after merge into detection phase

2025-12-28 10:29:04 +00:00 · 2011-01-12 01:13:32 +00:00
parent b5c6f7556f
commit 8a67aea754
9 changed files with 38 additions and 85 deletions
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -30,9 +30,6 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
    validPayload = None
    unionVector = None

-    if count is None:
-        count = kb.unionCount
-
    # For each column of the table (# of NULL) perform a request using
    # the UNION ALL SELECT statement to test it the target url is
    # affected by an exploitable inband SQL injection vulnerability
@@ -50,9 +47,8 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
        resultPage, _ = Request.queryPage(payload, place=place, content=True)

        if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage:
-            setUnion(position=exprPosition)
            validPayload = payload
-            unionVector = agent.forgeInbandQuery("[QUERY]", exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix)
+            unionVector = (exprPosition, count, comment, prefix, suffix)

            if where == 1:
                # Prepare expression with delimiters
@@ -80,21 +76,20 @@ def __unionConfirm(comment, place, parameter, value, prefix, suffix, dbms, count

    # Confirm the inband SQL injection and get the exact column
    # position which can be used to extract data
-    if not isinstance(kb.unionPosition, int):
-        validPayload, unionVector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count)
+    validPayload, unionVector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count)

-        # Assure that the above function found the exploitable full inband
-        # SQL injection position
-        if not isinstance(kb.unionPosition, int):
-            validPayload, unionVector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count, where=2)
+    # Assure that the above function found the exploitable full inband
+    # SQL injection position
+    if not validPayload:
+        validPayload, unionVector = __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, count, where=2)

-            # Assure that the above function found the exploitable partial
-            # (single entry) inband SQL injection position with negative
-            # parameter validPayload
-            if not isinstance(kb.unionPosition, int):
-                return None, None
-            else:
-                setUnion(negative=True)
+        # Assure that the above function found the exploitable partial
+        # (single entry) inband SQL injection position with negative
+        # parameter validPayload
+        if not validPayload:
+            return None, None
+        else:
+            setUnion(negative=True)

    return validPayload, unionVector

@@ -126,7 +121,6 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
        validPayload, unionVector = __unionConfirm(comment, place, parameter, value, prefix, suffix, dbms, count)

        if validPayload:
-            setUnion(count=count)
            break

    clearConsoleLine(True)
@@ -148,8 +142,5 @@ def unionTest(comment, place, parameter, value, prefix, suffix, dbms):

    if validPayload:
        validPayload = agent.removePayloadDelimiters(validPayload, False)
-        setUnion(char=conf.uChar)
-        setUnion(comment=comment)
-        setUnion(payload=validPayload)

    return validPayload, unionVector
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -51,9 +51,6 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
    if resetCounter:
        reqCount = 0

-    if not kb.unionCount:
-        return
-
    # Prepare expression with delimiters
    if unescape:
        expression = agent.concatQuery(expression, unpack)
@@ -211,8 +208,8 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh

    else:
        # Forge the inband SQL injection request
-        query = unescaper.unescape(expression)
-        query = agent.cleanupPayload(kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector, query=query)
+        vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
+        query = agent.forgeInbandQuery(expression, exprPosition=vector[0], count=vector[1], comment=vector[2], prefix=vector[3], suffix=vector[4])
        payload = agent.payload(newValue=query)

        # Perform the request