More bug fixes to properly distinguish between full inband and single-entry inband sql injections

2025-12-08 21:51:29 +00:00 · 2010-12-22 15:47:52 +00:00
parent b3da473840
commit c1f2534e9a
2 changed files with 35 additions and 1 deletions
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -8,6 +8,8 @@ See the file 'doc/COPYING' for copying permission
 """

 from lib.core.agent import agent
+from lib.core.common import getUnicode
+from lib.core.common import parseUnionPage
 from lib.core.common import randomStr
 from lib.core.data import conf
 from lib.core.data import kb
@@ -46,6 +48,22 @@ def __unionPosition(negative=False, count=None, comment=None):
            setUnion(position=exprPosition)
            validPayload = payload

+            if not negative:
+                # Prepare expression with delimiters
+                randQuery2 = randomStr()
+                randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
+                randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
+
+                # Confirm that it is a full inband SQL injection
+                query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, multipleUnions=randQueryUnescaped2)
+                payload = agent.payload(newValue=query, negative=negative)
+
+                # Perform the request
+                resultPage, _ = Request.queryPage(payload, content=True)
+
+                if resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):
+                    setUnion(negative=True)
+
            break

    return validPayload