Properly deal with partial (single entry) UNION injections.

Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase.
2025-12-09 06:01:29 +00:00 · 2011-01-12 12:01:32 +00:00
parent d7a7993e0d
commit af9725214a
6 changed files with 25 additions and 34 deletions
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -56,7 +56,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
        expression = agent.concatQuery(expression, unpack)
        expression = unescaper.unescape(expression)

-    if kb.unionNegative and not direct:
+    if kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == 2 and not direct:
        _, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)

        # We have to check if the SQL query might return multiple entries
@@ -194,6 +194,8 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
                                    status = '%d/%d entries (%d%s)' % (count, length, round(100.0*count/length), '%')
                                    dataToStdout("\r[%s] [INFO] retrieved: %s" % (time.strftime("%X"), status), True)

+                        dataToStdout("\n")
+
                    except KeyboardInterrupt:
                        print
                        warnMsg = "Ctrl+C detected in dumping phase"