One more step to fully working UNION exploitation after merge into detection phase

plugins/dbms/mssqlserver/enumeration.py

@@ -11,6 +11,7 @@ from lib.core.agent import agent
 from lib.core.common import arrayizeValue
 from lib.core.common import getRange
 from lib.core.common import isNumPosStrValue
+from lib.core.common import isTechniqueAvailable
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -52,7 +53,7 @@ class Enumeration(GenericEnumeration):
             else:
                 dbs = [conf.db]
 
-        if kb.unionPosition is not None or conf.direct:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
             for db in dbs:
                 if conf.excludeSysDbs and db in self.excludeDbsList:
                     infoMsg = "skipping system database '%s'" % db
@@ -142,7 +143,7 @@ class Enumeration(GenericEnumeration):
 
                     continue
 
-                if kb.unionPosition is not None or conf.direct:
+                if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
                     query = rootQuery.inband.query % db
                     query += tblQuery
                     values = inject.getValue(query, blind=False, error=False)
@@ -227,7 +228,7 @@ class Enumeration(GenericEnumeration):
 
                     continue
 
-                if kb.unionPosition is not None or conf.direct:
+                if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
                     query = rootQuery.inband.query % (db, db, db, db, db)
                     query += " AND %s" % colQuery.replace("[DB]", db)
                     values = inject.getValue(query, blind=False, error=False)

plugins/dbms/mssqlserver/filesystem.py

@@ -13,6 +13,7 @@ import os
 
 from lib.core.common import getRange
 from lib.core.common import isNumPosStrValue
+from lib.core.common import isTechniqueAvailable
 from lib.core.common import posixToNtSlashes
 from lib.core.common import randomStr
 from lib.core.data import conf
@@ -91,7 +92,7 @@ class Filesystem(GenericFilesystem):
         binToHexQuery = binToHexQuery.replace("    ", "").replace("\n", " ")
         inject.goStacked(binToHexQuery)
 
-        if kb.unionPosition is not None:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
             result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False, error=False)
 
         if not result:

plugins/dbms/oracle/enumeration.py

@@ -10,6 +10,7 @@ See the file 'doc/COPYING' for copying permission
 from lib.core.agent import agent
 from lib.core.common import getRange
 from lib.core.common import isNumPosStrValue
+from lib.core.common import isTechniqueAvailable
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -39,7 +40,7 @@ class Enumeration(GenericEnumeration):
         # Set containing the list of DBMS administrators
         areAdmins = set()
 
-        if kb.unionPosition is not None or conf.direct:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
             if query2:
                 query     = rootQuery.inband.query2
                 condition = rootQuery.inband.condition2
@@ -199,7 +200,7 @@ class Enumeration(GenericEnumeration):
             colQuery = colQuery % column
 
             for db in dbs.keys():
-                if kb.unionPosition is not None or conf.direct:
+                if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
                     query = rootQuery.inband.query
                     query += colQuery
                     values = inject.getValue(query, blind=False, error=False)

plugins/generic/enumeration.py

@@ -151,7 +151,7 @@ class Enumeration:
         condition  = ( kb.dbms == DBMS.MSSQL and kb.dbmsVersion[0] in ( "2005", "2008" ) )
         condition |= ( kb.dbms == DBMS.MYSQL and not kb.data.has_information_schema )
 
-        if kb.unionPosition is not None or conf.direct:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
             if condition:
                 query = rootQuery.inband.query2
             else:
@@ -210,7 +210,7 @@ class Enumeration:
 
         logger.info(infoMsg)
 
-        if kb.unionPosition is not None or conf.direct:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
             if kb.dbms == DBMS.MSSQL and kb.dbmsVersion[0] in ( "2005", "2008" ):
                 query = rootQuery.inband.query2
             else:
@@ -431,7 +431,7 @@ class Enumeration:
                          "E": "EXECUTE"
                      }
 
-        if kb.unionPosition is not None or conf.direct:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
             if kb.dbms == DBMS.MYSQL and not kb.data.has_information_schema:
                 query     = rootQuery.inband.query2
                 condition = rootQuery.inband.condition2
@@ -677,7 +677,7 @@ class Enumeration:
 
         rootQuery = queries[kb.dbms].dbs
 
-        if kb.unionPosition is not None or conf.direct:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
             if kb.dbms == DBMS.MYSQL and not kb.data.has_information_schema:
                 query = rootQuery.inband.query2
             else:
@@ -784,7 +784,7 @@ class Enumeration:
             else:
                 dbs = kb.data.cachedDbs
 
-        if kb.unionPosition is not None or conf.direct:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
             query = rootQuery.inband.query
             condition = rootQuery.inband.condition if 'condition' in rootQuery.inband else None
 
@@ -977,7 +977,7 @@ class Enumeration:
         infoMsg += "on database '%s'" % conf.db
         logger.info(infoMsg)
 
-        if kb.unionPosition is not None or conf.direct:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
             if kb.dbms in ( DBMS.MYSQL, DBMS.PGSQL ):
                 query = rootQuery.inband.query % (conf.tbl, conf.db)
                 query += condQuery
@@ -1174,7 +1174,7 @@ class Enumeration:
 
         entriesCount = 0
 
-        if kb.unionPosition is not None or conf.direct:
+        if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
             if kb.dbms == DBMS.ORACLE:
                 query = rootQuery.inband.query % (colString, conf.tbl.upper())
             elif kb.dbms == DBMS.SQLITE:
@@ -1516,7 +1516,7 @@ class Enumeration:
             dbQuery = "%s%s" % (dbCond, dbCondParam)
             dbQuery = dbQuery % db
 
-            if kb.unionPosition is not None or conf.direct:
+            if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
                 if kb.dbms == DBMS.MYSQL and not kb.data.has_information_schema:
                     query = rootQuery.inband.query2
                 else:
@@ -1624,7 +1624,7 @@ class Enumeration:
             tblQuery = "%s%s" % (tblCond, tblCondParam)
             tblQuery = tblQuery % tbl
 
-            if kb.unionPosition is not None or conf.direct:
+            if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
                 query = rootQuery.inband.query
                 query += tblQuery
                 query += exclDbsQuery
@@ -1774,7 +1774,7 @@ class Enumeration:
             colQuery = "%s%s" % (colCond, colCondParam)
             colQuery = colQuery % column
 
-            if kb.unionPosition is not None or conf.direct:
+            if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
                 query = rootQuery.inband.query
                 query += colQuery
                 query += exclDbsQuery