Properly deal with partial (single entry) UNION injections.

Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase.
2025-12-06 20:51:31 +00:00 · 2011-01-12 12:01:32 +00:00
parent d7a7993e0d
commit af9725214a
6 changed files with 25 additions and 34 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -378,8 +378,12 @@ def checkSqlInjection(place, parameter, value):

                        # In case of UNION query SQL injection
                        elif method == PAYLOAD.METHOD.UNION:
+                            # Test for UNION injection and set the sample
+                            # payload as well as the vector.
+                            # NOTE: vector is set to a tuple with 6 elements,
+                            # used afterwards by Agent.forgeInbandQuery()
+                            # method to forge the UNION query payload
                            configUnion(test.request.char, test.request.columns)
-
                            dbmsToUnescape = dbms if dbms is not None else injection.dbms
                            reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix, dbmsToUnescape)

@@ -389,6 +393,10 @@ def checkSqlInjection(place, parameter, value):

                                injectable = True

+                                # Overwrite 'where' because it can differ
+                                # in unionTest()'s vector (1 or 2)
+                                where = vector[5]
+
                    # If the injection test was successful feed the injection
                    # object with the test's details
                    if injectable is True: