bug fix: without this generic concatenation of strings in concatQuery(), detection of UNION query SQLi only (--technique U) when the page did not disclose any DBMS error message and it was not MySQL (for which there are UNION SQLi specific payloads) was not detected

2025-01-24 08:14:24 +03:00 · 2013-01-16 01:53:33 +00:00 · 2013-01-16 01:53:33 +00:00 · 3464a70ac2
commit 3464a70ac2
parent 542f6de72e
1 changed files with 17 additions and 1 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -588,7 +588,23 @@ class Agent(object):
                concatenatedQuery = "'%s'&%s&'%s'" % (kb.chars.start, concatenatedQuery, kb.chars.stop)

        else:
-            concatenatedQuery = query
+            warnMsg = "applying generic concatenation with double pipes ('||')"
+            singleTimeWarnMessage(warnMsg)
+
+            if fieldsExists:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
+                concatenatedQuery += "||'%s'" % kb.chars.stop
+            elif fieldsSelectCase:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||(SELECT " % kb.chars.start, 1)
+                concatenatedQuery += ")||'%s'" % kb.chars.stop
+            elif fieldsSelectFrom:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
+                concatenatedQuery = concatenatedQuery.replace(" FROM ", "||'%s' FROM " % kb.chars.stop, 1)
+            elif fieldsSelect:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
+                concatenatedQuery += "||'%s'" % kb.chars.stop
+            elif fieldsNoSelect:
+                concatenatedQuery = "'%s'||%s||'%s'" % (kb.chars.start, concatenatedQuery, kb.chars.stop)

        return concatenatedQuery