Major bug fix to --union-test

lib/controller/action.py

@@ -64,7 +64,7 @@ def action():
     if conf.timeTest:
         conf.dumper.technic("time based blind sql injection payload", timeTest())
 
-    if conf.unionTest and not kb.unionPosition:
+    if conf.unionTest and kb.unionPosition is None:
         conf.dumper.technic("valid union", unionTest())
 
     # Enumeration options

lib/core/agent.py

@@ -453,7 +453,7 @@ class Agent:
             query        = query[len("TOP %s " % topNum):]
             inbandQuery += "TOP %s " % topNum
 
-        if not exprPosition:
+        if not isinstance(exprPosition, int):
             exprPosition = kb.unionPosition
 
         intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)

lib/core/session.py

@@ -232,7 +232,7 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
         kb.unionComment = comment
         kb.unionCount = count
 
-    if position:
+    if position is not None:
         condition = (
                       not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
                       ( not kb.resumedQueries[conf.url].has_key("Union position")

lib/request/inject.py

@@ -358,10 +358,10 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
             if not value:
                 warnMsg  = "for some reason(s) it was not possible to retrieve "
                 warnMsg += "the query output through error SQL injection "
-                warnMsg += "technique, sqlmap is going %s" % ("inband" if inband and kb.unionPosition else "blind")
+                warnMsg += "technique, sqlmap is going %s" % ("inband" if inband and kb.unionPosition is not None else "blind")
                 logger.warn(warnMsg)
 
-        if inband and kb.unionPosition and not value:
+        if inband and kb.unionPosition is not None and not value:
             value = __goInband(expression, expected, sort, resumeValue, unpack, dump)
 
             if not value:

lib/techniques/inband/union/test.py

@@ -108,23 +108,23 @@ def __unionConfirm():
         # Assure that the above function found the exploitable full inband
         # SQL injection position
         if not isinstance(kb.unionPosition, int):
-            value = __unionPosition(falseCond=True)
+            value = __unionPosition(negative=True)
 
             # Assure that the above function found the exploitable partial
-            # (single entry) inband SQL injection position by appending
-            # a false condition after the parameter value
+            # (single entry) inband SQL injection position with negative
+            # parameter value
             if not isinstance(kb.unionPosition, int):
-                value = __unionPosition(negative=True)
+                value = __unionPosition(falseCond=True)
 
                 # Assure that the above function found the exploitable partial
-                # (single entry) inband SQL injection position with negative
-                # parameter value
+                # (single entry) inband SQL injection position by appending
+                # a false condition after the parameter value
                 if not isinstance(kb.unionPosition, int):
                     return
                 else:
-                    setUnion(negative=True)
+                    setUnion(falseCond=True)
             else:
-                setUnion(falseCond=True)
+                setUnion(negative=True)
 
     return value