From 17449754febd5e45172ffdc59af37f22fba25cfb Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sun, 5 Dec 2010 16:16:15 +0000
Subject: [PATCH] Got rid of UNION false cond
---
 lib/core/agent.py | 5 +----
 lib/core/option.py | 1 -
 lib/core/session.py | 20 +-------------------
 lib/request/inject.py | 9 +++------
 lib/techniques/inband/union/test.py | 16 ++--------------
 lib/techniques/inband/union/use.py | 2 +-
 plugins/dbms/mysql/filesystem.py | 5 -----
 7 files changed, 8 insertions(+), 50 deletions(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index a177d5fcb..61ba770e0 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -49,7 +49,7 @@ class Agent:
         return query
 
-    def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False, falseCond=False):
+    def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False):
         """
         This method replaces the affected parameter with the
         SQL injection statement to request
@@ -64,9 +64,6 @@ class Agent:
 
         if negative or kb.unionNegative:
             negValue = "-"
-        elif falseCond or kb.unionFalseCond:
-            randInt = randomInt()
-            falseValue = " AND %d=%d" % (randInt, randInt + 1)
 
         # After identifing the injectable parameter
         if kb.injection.place == PLACE.UA and kb.injection.parameter:
diff --git a/lib/core/option.py b/lib/core/option.py
index 7a8b38e59..656cbdded 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1182,7 +1182,6 @@ def __setKnowledgeBaseAttributes():
     kb.unionCount = None
     kb.unionPosition = None
     kb.unionNegative = False
-    kb.unionFalseCond = False
     kb.userAgents = None
     kb.valueStack = []
     kb.redirectSetCookie = None
diff --git a/lib/core/session.py b/lib/core/session.py
index 11338d549..c30c84872 100644
--- a/lib/core/session.py
+++ b/lib/core/session.py
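Review bot: The docstring of `payload` still says nothing about the `negative` keyword that survives this signature change, even though the second hunk of this file shows that it, or `kb.unionNegative`, is what switches on the minus-sign prefix. A line such as `@param negative: prefix the original parameter value with a minus sign (also implied by kb.unionNegative)` in the method's docstring would keep the remaining flag documented. The body of `payload` continues past both hunks, so if `falseValue` is still initialised and interpolated further down the method, that assignment is now dead and should be removed in the same commit.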
@@ -203,7 +203,7 @@ def setTimeBased(place, parameter, payload):
     if condition:
         dataToSessionFile("[%s][%s][%s][Time-based blind injection][%s]\n" % (conf.url, place, safeFormatString(conf.parameters[place]), payload))
 
-def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False, char=None, payload=None):
+def setUnion(comment=None, count=None, position=None, negative=False, char=None, payload=None):
     """
     @param comment: union comment to save in session file
     @type comment: C{str}
@@ -260,18 +260,6 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
         kb.unionNegative = True
 
-    if falseCond:
-        condition = (
-                      not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
-                      ( not kb.resumedQueries[conf.url].has_key("Union false condition")
-                      ) )
-                    )
-
-        if condition:
-            dataToSessionFile("[%s][%s][%s][Union false condition][Yes]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place])))
-
-        kb.unionFalseCond = True
-
     if char:
         condition = (
                       not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@@ -475,12 +463,6 @@ def resumeConfKb(expression, url, value):
         logMsg = "resuming union negative from session file"
         logger.info(logMsg)
 
-    elif expression == "Union false condition" and url == conf.url:
-        kb.unionFalseCond = True if value[:-1] == "Yes" else False
-
-        logMsg = "resuming union false condition from session file"
-        logger.info(logMsg)
-
     elif expression == "Union char" and url == conf.url:
         conf.uChar = value[:-1]
 
diff --git a/lib/request/inject.py b/lib/request/inject.py
index e87c1e092..ae61702da 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
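Review bot: The epydoc block of `setUnion` is cut off after `@type comment: C{str}` in this hunk; if it still carries `@param falseCond` / `@type falseCond` entries lower down, they now describe a parameter the function no longer accepts and should be dropped together with the parameter. The same applies to any epydoc mention of the `Union false condition` session entry, whose writer is removed in the second hunk of this file. The body of `setUnion` lies outside the first hunk, so this cannot be confirmed from the diff.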
@@ -392,10 +392,8 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
                 warnMsg += "technique, sqlmap is going blind"
                 logger.warn(warnMsg)
 
-        oldParamFalseCond = kb.unionFalseCond
-        oldParamNegative = kb.unionNegative
-        kb.unionFalseCond = False
-        kb.unionNegative = False
+        oldParamNegative = kb.unionNegative
+        kb.unionNegative = False
 
         if error and kb.errorTest and not value:
             kb.technique = 2
@@ -411,8 +409,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
             kb.technique = 1
             value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
 
-        kb.unionFalseCond = oldParamFalseCond
-        kb.unionNegative = oldParamNegative
+        kb.unionNegative = oldParamNegative
 
         if value and isinstance(value, basestring):
             value = value.strip()
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
index 5d50802d1..7ecbc480b 100644
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -19,7 +19,7 @@ from lib.core.unescaper import unescaper
 from lib.parse.html import htmlParser
 from lib.request.connect import Connect as Request
 
-def __unionPosition(negative=False, falseCond=False, count=None, comment=None):
+def __unionPosition(negative=False, count=None, comment=None):
     validPayload = None
 
     if count is None:
@@ -36,7 +36,7 @@ def __unionPosition(negative=False, falseCond=False, count=None, comment=None):
         # Forge the inband SQL injection request
         query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment)
 
-        payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond)
+        payload = agent.payload(newValue=query, negative=negative)
 
         # Perform the request
         resultPage, _ = Request.queryPage(payload, content=True)
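Review bot: The restore `kb.unionNegative = oldParamNegative` in the second hunk of this file only runs if the error-based and blind fallbacks between the two hunks return normally; an exception raised in `__goInferenceProxy` or the error-based path leaves the flag cleared for the rest of the run. Since the commit rewrites exactly these save/restore lines, it is the moment to make the restore unconditional: keep `oldParamNegative = kb.unionNegative` and `kb.unionNegative = False`, open a `try:` around the fallback block, and move the restore into `finally: kb.unionNegative = oldParamNegative`. `getValue` begins and ends outside both hunks, so the fallback code in between is not visible here and the exact extent of the `try` body has to be checked in the file.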
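Review bot: `__unionPosition` has no docstring, and dropping a parameter from the middle of its signature is the natural moment to add one: a short block under the `def` naming what `negative`, `count` and `comment` control and under which condition `validPayload` is returned as something other than `None` would do. Because `count` and `comment` each shift one position to the left, a caller that passed them positionally would now bind them to the wrong names without any error; the callers visible in this diff use keywords, but not every caller is shown. Only `validPayload = None` and the `count is None` guard of the function are visible in the hunk.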
@@ -72,18 +72,6 @@ def __unionConfirm(count=None, comment=None):
         # (single entry) inband SQL injection position with negative
         # parameter validPayload
         if not isinstance(kb.unionPosition, int):
-            # NOTE: disable false condition for the time being, in the
-            # end it produces the same as prepending the original
-            # parameter value with a minus (negative)
-            #validPayload = __unionPosition(falseCond=True, count=count, comment=comment)
-            #
-            # Assure that the above function found the exploitable partial
-            # (single entry) inband SQL injection position by appending
-            # a false condition after the parameter validPayload
-            #if not isinstance(kb.unionPosition, int):
-            #    return None
-            #else:
-            #    setUnion(falseCond=True)
             return None
         else:
             setUnion(negative=True)
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index dbf722a14..f61a3139c 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -57,7 +57,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
         expression = agent.concatQuery(expression, unpack)
         expression = unescaper.unescape(expression)
 
-    if ( kb.unionNegative or kb.unionFalseCond ) and not direct:
+    if kb.unionNegative and not direct:
         _, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)
 
         # We have to check if the SQL query might return multiple entries
diff --git a/plugins/dbms/mysql/filesystem.py b/plugins/dbms/mysql/filesystem.py
index 842c90dbb..99bd5382c 100644
--- a/plugins/dbms/mysql/filesystem.py
+++ b/plugins/dbms/mysql/filesystem.py
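Review bot: With `kb.unionFalseCond` no longer initialised in `__setKnowledgeBaseAttributes` (option.py hunk), any reader the commit did not reach will either fail on attribute lookup or quietly evaluate falsy, depending on how `kb` treats unknown names; this condition and the MySQL filesystem plugin are the last readers the diff touches, so a repository-wide search for `unionFalseCond` and `falseCond` before merging would confirm nothing was left behind. The simplified condition itself, `if kb.unionNegative and not direct:`, is the correct reduction of the old expression. `unionUse` continues beyond this hunk.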
@@ -88,17 +88,12 @@ class Filesystem(GenericFilesystem):
 
         unionTest()
 
-        oldParamFalseCond = kb.unionFalseCond
-        kb.unionFalseCond = True
-
         debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
         logger.debug(debugMsg)
 
         sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
         unionUse(sqlQuery, direct=True, unescape=False, nullChar="''")
 
-        kb.unionFalseCond = oldParamFalseCond
-
         if confirm:
             self.askCheckWrittenFile(wFile, dFile, fileType)