Ahead with UNION exploitation after UNION test moved to detection phase - a lot to do yet.

2025-12-24 08:29:07 +00:00 · 2011-01-12 00:47:39 +00:00
parent 873951ab92
commit 8bdb7ec58c
6 changed files with 16 additions and 65 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -108,7 +108,6 @@ class Agent:
                retValue = paramString.replace("%s=%s" % (parameter, origValue),
                                               "%s=%s" % (parameter, self.addPayloadDelimiters(newValue)))

-#        print "retValue:", retValue
        return retValue

    def fullPayload(self, query):
@@ -180,7 +179,7 @@ class Agent:

        return string.rstrip()

-    def cleanupPayload(self, payload, origvalue=None, unionVector=None):
+    def cleanupPayload(self, payload, origvalue=None, unionVector=None, query=None):
        if payload is None:
            return

@@ -199,6 +198,9 @@ class Agent:
        payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
        payload = payload.replace("[UNION]", str(unionVector))

+        if query is not None:
+            payload = payload.replace("[QUERY]", query.lstrip())
+
        if origvalue is not None:
            payload = payload.replace("[ORIGVALUE]", origvalue)

@@ -220,11 +222,10 @@ class Agent:
                inferenceQuery = queries[kb.misc.testedDbms].inference.query
                payload = payload.replace("[INFERENCE]", inferenceQuery)

-            # NOTE: Leave this commented for the time being
-            #else:
-            #    errMsg = "invalid usage of inference payload without "
-            #    errMsg += "knowledge of underlying DBMS"
-            #    raise sqlmapNoneDataException, errMsg
+            else:
+                errMsg = "invalid usage of inference payload without "
+                errMsg += "knowledge of underlying DBMS"
+                raise sqlmapNoneDataException, errMsg

        return payload

--- a/lib/core/session.py
+++ b/lib/core/session.py
@@ -215,9 +215,6 @@ def setUnion(comment=None, count=None, position=None, negative=False, char=None,
    if negative:
        kb.unionNegative = True

-    if payload:
-        kb.unionTest = payload
-
 def setRemoteTempPath():
    condition = (
                  not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@@ -390,46 +387,6 @@ def resumeConfKb(expression, url, value):

        kb.brute.columns.append((db, table, colName, colType))

-    elif expression == "Union comment" and url == conf.url:
-        kb.unionComment = unSafeFormatString(value[:-1])
-
-        logMsg = "resuming union comment "
-        logMsg += "'%s' from session file" % kb.unionComment
-        logger.info(logMsg)
-
-    elif expression == "Union count" and url == conf.url:
-        kb.unionCount = int(value[:-1])
-
-        logMsg = "resuming union count "
-        logMsg += "%s from session file" % kb.unionCount
-        logger.info(logMsg)
-
-    elif expression == "Union position" and url == conf.url:
-        kb.unionPosition = int(value[:-1])
-
-        logMsg = "resuming union position "
-        logMsg += "%s from session file" % kb.unionPosition
-        logger.info(logMsg)
-
-    elif expression == "Union negative" and url == conf.url:
-        kb.unionNegative = True if value[:-1] == "Yes" else False
-
-        logMsg = "resuming union negative from session file"
-        logger.info(logMsg)
-
-    elif expression == "Union char" and url == conf.url:
-        conf.uChar = value[:-1]
-
-        logMsg = "resuming union char %s from session file" % conf.uChar
-        logger.info(logMsg)
-
-    elif expression == "Union payload" and url == conf.url:
-        kb.unionTest = value[:-1]
-
-        logMsg = "resuming union payload "
-        logMsg += "%s from session file" % kb.unionTest
-        logger.info(logMsg)
-
    elif expression == "Remote temp path" and url == conf.url:
        conf.tmpPath = unSafeFormatString(value[:-1])