diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index f477cfd78..f9dd0bfd4 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -395,7 +395,7 @@ def checkSqlInjection(place, parameter, value):
 
 # Overwrite 'where' because it can differ
 # in unionTest()'s vector (1 or 2)
- where = vector[5]
+ where = vector[6]
 
 # If the injection test was successful feed the injection
 # object with the test's details
diff --git a/lib/core/agent.py b/lib/core/agent.py
index f836e7b45..1e568c1e1 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -478,7 +478,7 @@ class Agent:
 
 return concatenatedQuery
 
- def forgeInbandQuery(self, query, exprPosition=None, count=None, comment=None, prefix=None, suffix=None, multipleUnions=None):
+ def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None):
 """
 Take in input an query (pseudo query) string and return its
 processed UNION ALL SELECT query.
@@ -501,9 +501,9 @@ class Agent:
 forged within an UNION ALL SELECT statement
 @type query: C{str}
 
- @param exprPosition: it is the NULL position where it is possible
+ @param position: it is the NULL position where it is possible
 to inject the query
- @type exprPosition: C{int}
+ @type position: C{int}
 
 @return: UNION ALL SELECT query string forged
 @rtype: C{str}
@@ -532,14 +532,14 @@ class Agent:
 if element > 0:
 inbandQuery += ", "
 
- if element == exprPosition:
+ if element == position:
 if " FROM " in query and not query.startswith("SELECT ") and "(CASE WHEN (" not in query:
 conditionIndex = query.index(" FROM ")
 inbandQuery += query[:conditionIndex]
 else:
 inbandQuery += query
 else:
- inbandQuery += conf.uChar
+ inbandQuery += char
 
 if " FROM " in query and not query.startswith("SELECT ") and "(CASE WHEN (" not in query:
 conditionIndex = query.index(" FROM ")
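Review bot: `where = vector[6]` hard-codes the position of the `where` field in the union vector, and this index appears to have gone stale precisely because `conf.uChar` was inserted at index 5 in the tuple built by test.py (hunks @@ -47 and @@ -56) and consumed by index in use.py (@@ -211). A bare integer index into a tuple assembled in another module is a latent repeat of the same bug: if the layout shifts again, nothing fails loudly and `where` silently takes the wrong value. Consider assembling the vector as a `collections.namedtuple('UnionVector', 'position count comment prefix suffix char where')` in test.py and reading `vector.where` here and `vector.char` in use.py, so a layout change surfaces as an AttributeError instead of a wrong payload; a namedtuple is still a tuple, so existing index-based readers keep working during the transition. The enclosing `checkSqlInjection` body extends beyond the hunk on both sides.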
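Review bot: The new `forgeInbandQuery` signature turns `position`, `count`, `comment`, `prefix`, `suffix` and `char` into required positional parameters, so any caller not updated in this diff that still passes `exprPosition=` as a keyword, or omits one of the former `None` defaults, now fails with a TypeError at call time. The three call sites visible in this diff are updated, but I cannot see the rest of the tree from here. If unknown callers are a concern, `char=None` with `if char is None: char = conf.uChar` at the top of the body would keep the old call shape working while still letting the union test pass the value it stored in the vector. The method body continues past the hunk.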
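Review bot: The docstring hunk at @@ -501 renames `exprPosition` to `position` but adds no entry for the new `char` parameter, so the one parameter this commit introduces is the one left undocumented (`count`, `comment`, `prefix` and `suffix` were already missing, which is pre-existing). From the @@ -532 and @@ -559 hunks, `char` is what is appended for every `element` other than `position`, so add after `@type position: C{int}` the lines `@param char: value placed in each column of the UNION ALL SELECT other than position` and `@type char: C{str}`, matching the epydoc style used in the rest of the docstring. The docstring continues outside the hunk in both directions.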
@@ -559,10 +559,10 @@ class Agent:
 if element > 0:
 inbandQuery += ", "
 
- if element == exprPosition:
+ if element == position:
 inbandQuery += multipleUnions
 else:
- inbandQuery += conf.uChar
+ inbandQuery += char
 
 if kb.dbms == DBMS.ORACLE:
 inbandQuery += " FROM DUAL"
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
index bec353ea1..16fc06fe9 100644
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -32,14 +32,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
 # For each column of the table (# of NULL) perform a request using
 # the UNION ALL SELECT statement to test it the target url is
 # affected by an exploitable inband SQL injection vulnerability
- for exprPosition in range(0, count):
+ for position in range(0, count):
 # Prepare expression with delimiters
 randQuery = randomStr()
 randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
 randQueryUnescaped = unescaper.unescape(randQueryProcessed, dbms=dbms)
 
 # Forge the inband SQL injection request
- query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix)
+ query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)
 payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
 
 # Perform the request
@@ -47,7 +47,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
 
 if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage:
 validPayload = payload
- vector = (exprPosition, count, comment, prefix, suffix, where)
+ vector = (position, count, comment, prefix, suffix, conf.uChar, where)
 
 if where == 1:
 # Prepare expression with delimiters
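Review bot: The updated call `agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)` in the @@ -32 hunk passes seven arguments positionally where the old call named `count=`, `comment=`, `prefix=` and `suffix=`; a swapped pair such as `prefix`/`suffix` would be accepted silently and only show up as a malformed query, which is the same class of ordering error the `vector[5]`→`vector[6]` fix in checks.py is cleaning up. The new signature still accepts keywords, so `query = agent.forgeInbandQuery(randQueryUnescaped, position, count=count, comment=comment, prefix=prefix, suffix=suffix, char=conf.uChar)` keeps the call self-describing at no cost; the same applies to the second call in the @@ -56 hunk and to the `vector[0]…vector[5]` call in use.py. `__unionPosition` starts and ends outside this hunk.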
@@ -56,14 +56,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
 randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2, dbms=dbms)
 
 # Confirm that it is a full inband SQL injection
- query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix, multipleUnions=randQueryUnescaped2)
+ query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
 payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2)
 
 # Perform the request
 resultPage, _ = Request.queryPage(payload, place=place, content=True)
 
 if resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):
- vector = (exprPosition, count, comment, prefix, suffix, 2)
+ vector = (position, count, comment, prefix, suffix, conf.uChar, 2)
 
 break
 
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index f1862b6f9..3702b287e 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -211,7 +211,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
 else:
 # Forge the inband SQL injection request
 vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
- query = agent.forgeInbandQuery(expression, exprPosition=vector[0], count=vector[1], comment=vector[2], prefix=vector[3], suffix=vector[4])
+ query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5])
 payload = agent.payload(newValue=query)
 
 # Perform the request