From 386e98a0e3759320628212ad88d7889786e74213 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Wed, 22 Feb 2012 09:41:58 +0000 Subject: [PATCH] using UNION SELECT for where=..NEGATIVE --- lib/controller/controller.py | 2 +- lib/core/agent.py | 4 ++-- lib/techniques/union/test.py | 6 +++--- lib/techniques/union/use.py | 2 +- 4 files changed, 7 insertions(+), 7 deletions(-) diff --git a/lib/controller/controller.py b/lib/controller/controller.py index 56b359022..a68d0de14 100644 --- a/lib/controller/controller.py +++ b/lib/controller/controller.py @@ -132,7 +132,7 @@ def __formatInjection(inj): if stype == PAYLOAD.TECHNIQUE.UNION: count = re.sub(r"\(.+\)", "", sdata.payload).count(",") + 1 title = re.sub(r"\d+ to \d+", str(count), title) - vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5]) + vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6]) if count == 1: title = title.replace("columns", "column") data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype] diff --git a/lib/core/agent.py b/lib/core/agent.py index eb1f1b1e5..9f65a925b 100644 --- a/lib/core/agent.py +++ b/lib/core/agent.py @@ -528,7 +528,7 @@ class Agent: return concatenatedQuery - def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None, limited=False): + def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False): """ Take in input an query (pseudo query) string and return its processed UNION ALL SELECT query. 
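Review bot: The new `vector[6]` in the `forgeInbandQuery` call assumes every stored UNION vector now carries seven elements, and nothing in the hunk checks that. If `kb.injection.data[...].vector` can still come from a session saved before this change (I cannot confirm that from the hunk), the lookup raises IndexError while formatting the injection report instead of degrading gracefully. A minimal guard is `where = vector[6] if len(vector) > 6 else None` before the call, passing `where` in place of `vector[6]`; the bare indices 0–6 would also read better as named constants. `__formatInjection` starts outside the hunk.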
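Review bot: The docstring under the new signature still says the function returns a `UNION ALL SELECT` query and does not mention the added `where` parameter, although `where` (together with `multipleUnions`) now selects a `UNION SELECT` prefix instead. I would reword the first docstring line to `Take in input a query (pseudo query) string and return its processed UNION ALL SELECT query (UNION SELECT when where is PAYLOAD.WHERE.NEGATIVE or multipleUnions is set).` and add a line documenting `where` as one of the PAYLOAD.WHERE values. Note that `where` is inserted positionally before `multipleUnions` with no default, so a caller outside this patch that still passes `multipleUnions` or `limited` positionally silently binds it to `where` rather than failing; a `where=None` default plus an explicit check against the PAYLOAD.WHERE values would make that misuse visible. The function body continues past the hunk.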
@@ -562,7 +562,7 @@ class Agent: if query.startswith("SELECT "): query = query[len("SELECT "):] - inbandQuery = self.prefixQuery("UNION ALL SELECT ", prefix=prefix) + inbandQuery = self.prefixQuery("UNION ALL SELECT " if not (where == PAYLOAD.WHERE.NEGATIVE or multipleUnions) else "UNION SELECT ", prefix=prefix) if limited: inbandQuery += ",".join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count)) diff --git a/lib/techniques/union/test.py b/lib/techniques/union/test.py index 132747b68..eee0dbfbc 100644 --- a/lib/techniques/union/test.py +++ b/lib/techniques/union/test.py @@ -107,7 +107,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where pages = {} for count in xrange(lowerCount, upperCount+1): - query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar) + query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar, where) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) page, headers = Request.queryPage(payload, place=place, content=True, raise404=False) if not isNullValue(kb.uChar): @@ -181,7 +181,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL randQueryUnescaped = unescaper.unescape(randQueryProcessed) # Forge the inband SQL injection request - query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar) + query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) # Perform the request 
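Review bot: Switching the prefix to `UNION SELECT` changes result semantics, not just syntax: without `ALL` the DBMS applies DISTINCT across the union, so identical rows produced by the injected query are collapsed into one and the target does the extra sort/dedup work. For the negative-`where` dump path in `use.py` that means duplicate rows in a dumped table could be silently lost unless the injected expression already makes every row unique, which I cannot verify from this hunk; a comment such as `# NOTE: UNION without ALL deduplicates rows; relied upon only when the original query returns no rows -- confirm injected rows cannot collide` would record the assumption. The condition also reads more naturally without the double negative: `inbandQuery = self.prefixQuery("UNION SELECT " if where == PAYLOAD.WHERE.NEGATIVE or multipleUnions else "UNION ALL SELECT ", prefix=prefix)`. `forgeInbandQuery` starts and ends outside this hunk.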
@@ -202,7 +202,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2) # Confirm that it is a full inband SQL injection - query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, multipleUnions=randQueryUnescaped2) + query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=PAYLOAD.WHERE.NEGATIVE) # Perform the request diff --git a/lib/techniques/union/use.py b/lib/techniques/union/use.py index ab3917285..dcd7142c8 100644 --- a/lib/techniques/union/use.py +++ b/lib/techniques/union/use.py @@ -61,7 +61,7 @@ def __oneShotUnionUse(expression, unpack=True, limited=False): # Forge the inband SQL injection request vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector - query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], None, limited) + query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited) payload = agent.payload(newValue=query, where=where) # Perform the request
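Review bot: The confirmation request forges the query with the caller's `where` but then places it with `where=PAYLOAD.WHERE.NEGATIVE` on the next line, so the two halves of the same request can disagree about the injection context. It works only because `multipleUnions=randQueryUnescaped2` independently forces the `UNION SELECT` prefix, which makes the `where` argument dead code here. Passing the same value to both, `query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE, multipleUnions=randQueryUnescaped2)`, keeps the intent explicit if the prefix rule ever changes. `__unionPosition` starts and ends outside the hunk.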
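Review bot: The query is forged with `vector[6]`, the `where` recorded in the stored UNION vector, while the next line sends it with the local `where` defined above this hunk, so the prefix choice and the request placement may be driven by two different values. If the local `where` can differ from `vector[6]` (for instance a caller forcing original-value placement after detection ran in negative mode — I cannot tell from the hunk), a `UNION SELECT` prefix intended for a no-row original query would be sent in a request that still returns the original rows. Either pass one value to both calls, `query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], where, None, limited)`, or check `where == vector[6]` with a comment explaining why they are expected to agree. `__oneShotUnionUse` starts outside the hunk.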