Got rid of UNION false cond

This commit is contained in:
Bernardo Damele 2010-12-05 16:16:15 +00:00
parent a1e89d3e94
commit 17449754fe
7 changed files with 8 additions and 50 deletions

View File

@ -49,7 +49,7 @@ class Agent:
return query
def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False, falseCond=False):
def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False):
"""
This method replaces the affected parameter with the SQL
injection statement to request
@ -64,9 +64,6 @@ class Agent:
if negative or kb.unionNegative:
negValue = "-"
elif falseCond or kb.unionFalseCond:
randInt = randomInt()
falseValue = " AND %d=%d" % (randInt, randInt + 1)
# After identifing the injectable parameter
if kb.injection.place == PLACE.UA and kb.injection.parameter:

View File

@ -1182,7 +1182,6 @@ def __setKnowledgeBaseAttributes():
kb.unionCount = None
kb.unionPosition = None
kb.unionNegative = False
kb.unionFalseCond = False
kb.userAgents = None
kb.valueStack = []
kb.redirectSetCookie = None

View File

@ -203,7 +203,7 @@ def setTimeBased(place, parameter, payload):
if condition:
dataToSessionFile("[%s][%s][%s][Time-based blind injection][%s]\n" % (conf.url, place, safeFormatString(conf.parameters[place]), payload))
def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False, char=None, payload=None):
def setUnion(comment=None, count=None, position=None, negative=False, char=None, payload=None):
"""
@param comment: union comment to save in session file
@type comment: C{str}
@ -260,18 +260,6 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
kb.unionNegative = True
if falseCond:
condition = (
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
( not kb.resumedQueries[conf.url].has_key("Union false condition")
) )
)
if condition:
dataToSessionFile("[%s][%s][%s][Union false condition][Yes]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place])))
kb.unionFalseCond = True
if char:
condition = (
not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@ -475,12 +463,6 @@ def resumeConfKb(expression, url, value):
logMsg = "resuming union negative from session file"
logger.info(logMsg)
elif expression == "Union false condition" and url == conf.url:
kb.unionFalseCond = True if value[:-1] == "Yes" else False
logMsg = "resuming union false condition from session file"
logger.info(logMsg)
elif expression == "Union char" and url == conf.url:
conf.uChar = value[:-1]

View File

@ -392,9 +392,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
warnMsg += "technique, sqlmap is going blind"
logger.warn(warnMsg)
oldParamFalseCond = kb.unionFalseCond
oldParamNegative = kb.unionNegative
kb.unionFalseCond = False
kb.unionNegative = False
if error and kb.errorTest and not value:
@ -411,7 +409,6 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
kb.technique = 1
value = __goInferenceProxy(expression, fromUser, expected, batch, resumeValue, unpack, charsetType, firstChar, lastChar)
kb.unionFalseCond = oldParamFalseCond
kb.unionNegative = oldParamNegative
if value and isinstance(value, basestring):

View File

@ -19,7 +19,7 @@ from lib.core.unescaper import unescaper
from lib.parse.html import htmlParser
from lib.request.connect import Connect as Request
def __unionPosition(negative=False, falseCond=False, count=None, comment=None):
def __unionPosition(negative=False, count=None, comment=None):
validPayload = None
if count is None:
@ -36,7 +36,7 @@ def __unionPosition(negative=False, falseCond=False, count=None, comment=None):
# Forge the inband SQL injection request
query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment)
payload = agent.payload(newValue=query, negative=negative, falseCond=falseCond)
payload = agent.payload(newValue=query, negative=negative)
# Perform the request
resultPage, _ = Request.queryPage(payload, content=True)
@ -72,18 +72,6 @@ def __unionConfirm(count=None, comment=None):
# (single entry) inband SQL injection position with negative
# parameter validPayload
if not isinstance(kb.unionPosition, int):
# NOTE: disable false condition for the time being, in the
# end it produces the same as prepending the original
# parameter value with a minus (negative)
#validPayload = __unionPosition(falseCond=True, count=count, comment=comment)
#
# Assure that the above function found the exploitable partial
# (single entry) inband SQL injection position by appending
# a false condition after the parameter validPayload
#if not isinstance(kb.unionPosition, int):
# return None
#else:
# setUnion(falseCond=True)
return None
else:
setUnion(negative=True)

View File

@ -57,7 +57,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
expression = agent.concatQuery(expression, unpack)
expression = unescaper.unescape(expression)
if ( kb.unionNegative or kb.unionFalseCond ) and not direct:
if kb.unionNegative and not direct:
_, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)
# We have to check if the SQL query might return multiple entries

View File

@ -88,17 +88,12 @@ class Filesystem(GenericFilesystem):
unionTest()
oldParamFalseCond = kb.unionFalseCond
kb.unionFalseCond = True
debugMsg = "exporting the %s file content to file '%s'" % (fileType, dFile)
logger.debug(debugMsg)
sqlQuery = "%s INTO DUMPFILE '%s'" % (fcEncodedStr, dFile)
unionUse(sqlQuery, direct=True, unescape=False, nullChar="''")
kb.unionFalseCond = oldParamFalseCond
if confirm:
self.askCheckWrittenFile(wFile, dFile, fileType)