fixes #181 - proper save/resume information about single entry UNION SQL injection

lib/core/agent.py

@@ -55,11 +55,11 @@ class Agent:
         retValue   = ""
         newValue   = urlencode(newValue)
 
-        if negative or conf.paramNegative:
+        if negative or kb.unionNegative:
             negValue = "-"
-        elif falseCond or conf.paramFalseCond:
+        elif falseCond or kb.unionFalseCond:
             randInt = randomInt()
-            falseValue = " AND %d=%d" % (randInt, randInt + 1)
+            falseValue = urlencode(" AND %d=%d" % (randInt, randInt + 1))
 
         # After identifing the injectable parameter
         if kb.injPlace == "User-Agent":

lib/core/option.py

@@ -872,8 +872,6 @@ def __setConfAttributes():
     conf.outputPath      = None
     conf.paramDict       = {}
     conf.parameters      = {}
-    conf.paramFalseCond  = False
-    conf.paramNegative   = False
     conf.path            = None
     conf.port            = None
     conf.progressWidth   = 54
@@ -932,6 +930,9 @@ def __setKnowledgeBaseAttributes():
     kb.unionComment   = ""
     kb.unionCount     = None
     kb.unionPosition  = None
+    kb.unionNegative  = False
+    kb.unionFalseCond = False
+
 
 def __saveCmdline():
     """

lib/core/session.py

@@ -199,7 +199,7 @@ def setStacked():
     if condition:
         dataToSessionFile("[%s][%s][%s][Stacked queries][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], kb.stackedTest))
 
-def setUnion(comment=None, count=None, position=None):
+def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False):
     """
     @param comment: union comment to save in session file
     @type comment: C{str}
@@ -226,7 +226,7 @@ def setUnion(comment=None, count=None, position=None):
         kb.unionComment = comment
         kb.unionCount = count
 
-    elif position:
+    if position:
         condition = (
                       not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
                       ( not kb.resumedQueries[conf.url].has_key("Union position")
@@ -238,6 +238,30 @@ def setUnion(comment=None, count=None, position=None):
 
         kb.unionPosition = position
 
+    if negative:
+        condition = (
+                      not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+                      ( not kb.resumedQueries[conf.url].has_key("Union negative")
+                      ) )
+                    )
+
+        if condition:
+            dataToSessionFile("[%s][%s][%s][Union negative][Yes]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace]))
+
+        kb.unionNegative = True
+
+    if falseCond:
+        condition = (
+                      not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+                      ( not kb.resumedQueries[conf.url].has_key("Union false condition")
+                      ) )
+                    )
+
+        if condition:
+            dataToSessionFile("[%s][%s][%s][Union false condition][Yes]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace]))
+
+        kb.unionFalseCond = True
+
 def setRemoteTempPath():
     condition = (
                   not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@@ -430,6 +454,20 @@ def resumeConfKb(expression, url, value):
         logMsg += "%s from session file" % kb.unionPosition
         logger.info(logMsg)
 
+    elif expression == "Union negative" and url == conf.url:
+        kb.unionNegative = True if value[:-1] == "Yes" else False
+
+        logMsg  = "resuming union negative "
+        logMsg += "%s from session file" % kb.unionPosition
+        logger.info(logMsg)
+
+    elif expression == "Union false condition" and url == conf.url:
+        kb.unionFalseCond = True if value[:-1] == "Yes" else False
+
+        logMsg  = "resuming union false condition "
+        logMsg += "%s from session file" % kb.unionPosition
+        logger.info(logMsg)
+
     elif expression == "Remote temp path" and url == conf.url:
         conf.tmpPath = value[:-1]