One more step to fully working UNION exploitation after merge into detection phase

This commit is contained in:
Bernardo Damele
2011-01-12 01:13:32 +00:00
parent b5c6f7556f
commit 8a67aea754
9 changed files with 38 additions and 85 deletions


@@ -11,6 +11,7 @@ from lib.core.agent import agent
from lib.core.common import arrayizeValue
from lib.core.common import getRange
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
@@ -52,7 +53,7 @@ class Enumeration(GenericEnumeration):
else:
dbs = [conf.db]
if kb.unionPosition is not None or conf.direct:
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
for db in dbs:
if conf.excludeSysDbs and db in self.excludeDbsList:
infoMsg = "skipping system database '%s'" % db
@@ -142,7 +143,7 @@ class Enumeration(GenericEnumeration):
continue
if kb.unionPosition is not None or conf.direct:
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
query = rootQuery.inband.query % db
query += tblQuery
values = inject.getValue(query, blind=False, error=False)
@@ -227,7 +228,7 @@ class Enumeration(GenericEnumeration):
continue
if kb.unionPosition is not None or conf.direct:
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
query = rootQuery.inband.query % (db, db, db, db, db)
query += " AND %s" % colQuery.replace("[DB]", db)
values = inject.getValue(query, blind=False, error=False)
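Review bot: The new condition `if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:` depends on the `PAYLOAD` name, but the import hunk at the top of this file adds only `from lib.core.common import isTechniqueAvailable`; whether `PAYLOAD` is already imported in this module cannot be seen from the hunks, and if it is not, the three rewritten branches fail with a NameError the first time they are reached rather than at import time. Please confirm the module has the `PAYLOAD` import (presumably from the enums module) or add it alongside the new `isTechniqueAvailable` import. The same pattern appears in the filesystem module and the second enumeration module below, whose import hunks likewise add only `isTechniqueAvailable`. All three rewritten conditions are inside methods whose bodies continue outside the hunks.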


@@ -13,6 +13,7 @@ import os
from lib.core.common import getRange
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.common import posixToNtSlashes
from lib.core.common import randomStr
from lib.core.data import conf
@@ -91,7 +92,7 @@ class Filesystem(GenericFilesystem):
binToHexQuery = binToHexQuery.replace(" ", "").replace("\n", " ")
inject.goStacked(binToHexQuery)
if kb.unionPosition is not None:
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False, error=False)
if not result:


@@ -10,6 +10,7 @@ See the file 'doc/COPYING' for copying permission
from lib.core.agent import agent
from lib.core.common import getRange
from lib.core.common import isNumPosStrValue
from lib.core.common import isTechniqueAvailable
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
@@ -39,7 +40,7 @@ class Enumeration(GenericEnumeration):
# Set containing the list of DBMS administrators
areAdmins = set()
if kb.unionPosition is not None or conf.direct:
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
if query2:
query = rootQuery.inband.query2
condition = rootQuery.inband.condition2
@@ -199,7 +200,7 @@ class Enumeration(GenericEnumeration):
colQuery = colQuery % column
for db in dbs.keys():
if kb.unionPosition is not None or conf.direct:
if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:
query = rootQuery.inband.query
query += colQuery
values = inject.getValue(query, blind=False, error=False)
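Review bot: The rewritten check `if isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct:` sits directly inside `for db in dbs.keys():` yet does not depend on `db`, so the technique lookup is repeated once per database although its result cannot change within the loop. Binding it once before the loop, `inband = isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION) or conf.direct`, and testing `if inband:` in the body makes the per-database branch read as the data-dependent part only; the first hunk in this file, which is not inside a loop, can stay as written. The enclosing method starts and ends outside the hunk, so the else branch the check pairs with is not visible here.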