From 3532d2393345fb36d0121a042a6736d0285d9163 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 23 Apr 2012 13:41:36 +0000
Subject: [PATCH] automatically extending ranges for UNION tests in case where at least one other injection technique is usable (boundaries has been established)
---
 lib/controller/checks.py | 15 +++++++++++++++
 lib/techniques/union/test.py | 2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 98300e010..958c9e694 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -34,6 +34,7 @@ from lib.core.common import randomInt
 from lib.core.common import randomStr
 from lib.core.common import readInput
 from lib.core.common import showStaticWords
+from lib.core.common import singleTimeLogMessage
 from lib.core.common import singleTimeWarnMessage
 from lib.core.common import wasLastRequestDBMSError
 from lib.core.common import wasLastRequestHTTPError
@@ -108,6 +109,20 @@ def checkSqlInjection(place, parameter, value):
 logger.debug(debugMsg)
 continue
+ match = re.search(r"(\d+)-(\d+)", test.request.columns)
+ if injection.data and match:
+ lower, upper = int(match.group(1)), int(match.group(2))
+ for _ in (lower, upper):
+ if _ > 1:
+ infoMsg = "automatically extending ranges "
+ infoMsg += "for further UNION query injection technique tests as "
+ infoMsg += "there is at least one other injection technique found"
+ singleTimeLogMessage(infoMsg)
+ test.request.columns = re.sub(r"\b%d\b" % _, str(2 * _), test.request.columns)
+ title = re.sub(r"\b%d\b" % _, str(2 * _), title)
+ test.title = re.sub(r"\b%d\b" % _, str(2 * _), test.title)
+
 # Skip test if the user's wants to test only for a specific
 # technique
 if conf.tech and isinstance(conf.tech, list) and stype not in conf.tech:
diff --git a/lib/techniques/union/test.py b/lib/techniques/union/test.py
index 4812fa3ab..817c38164 100644
--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
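Review bot: In the second hunk of lib/controller/checks.py (`@@ -108,6 +109,20 @@`), the loop over `(lower, upper)` rewrites the strings one bound at a time, so the upper-bound `re.sub` runs on text the lower-bound pass already changed: for a constructed range `5-10` the first pass yields `10-10` and the second turns both numbers into `20`, giving `20-20`. Doubling the lower bound also leaves holes if the configured ranges are contiguous (constructed example: `1-10` and `11-20` become `1-20` and `22-40`, so a 21-column query is never tried). Deriving both replacements from the original match and applying them in one pass avoids both problems, e.g. `new = {str(lower): str(2 * lower - 1), str(upper): str(2 * upper)}` and then `re.sub(r"\b(\d+)\b", lambda m: new.get(m.group(1), m.group(1)), ...)` for each of the three strings. The assignments to `test.request.columns` and `test.title` also modify the test object itself; if the same objects are reused for the next parameter (not visible in this hunk), the range would be doubled again on every call. The body of checkSqlInjection starts and ends outside the hunk.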
@@ -59,7 +59,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
 infoMsg += "This should reduce the time needed "
 infoMsg += "to find the right number "
 infoMsg += "of query columns. Automatically extending the "
- infoMsg += "range for UNION query injection technique"
+ infoMsg += "range for current UNION query injection technique test"
 singleTimeLogMessage(infoMsg)
 lowCols, highCols = 1, ORDER_BY_STEP