From 45ec8c169a9b7a4b83ed51ae99788175a80d01c7 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Mon, 8 Nov 2010 16:46:25 +0000
Subject: [PATCH] Consistency between --*-test switches/output

---
 lib/core/option.py | 1 +
 lib/request/inject.py | 25 +++++++++++++++++++++----
 lib/techniques/blind/timebased.py | 7 +++++--
 lib/techniques/error/test.py | 8 +++-----
 lib/techniques/error/use.py | 1 +
 lib/techniques/inband/union/test.py | 8 +++++---
 lib/techniques/outband/stacked.py | 3 ++-
 7 files changed, 38 insertions(+), 15 deletions(-)

diff --git a/lib/core/option.py b/lib/core/option.py
index a1961e573..bbf3aa2b3 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1112,6 +1112,7 @@ def __setKnowledgeBaseAttributes():
 kb.unionPosition = None
 kb.unionNegative = False
 kb.unionFalseCond = False
+ kb.unionTest = None
 kb.userAgents = None
 kb.valueStack = []

diff --git a/lib/request/inject.py b/lib/request/inject.py
index 256135bb5..08b26c3ac 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -353,7 +353,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
 expression = expression.replace("DISTINCT ", "")

 if error and conf.errorTest:
- value = errorUse(expression)
+ value = goError(expression)

 if not value:
 warnMsg = "for some reason(s) it was not possible to retrieve "
@@ -408,7 +408,12 @@ def goStacked(expression, silent=False):
 return payload, page

 def goError(expression, suppressOutput=False, returnPayload=False):
- #expression = cleanQuery(expression)
+ """
+ Retrieve the output of a SQL query taking advantage of an error-based
+ SQL injection vulnerability on the affected parameter.
+ """
+
+ result = None

 if suppressOutput:
 pushValue(conf.verbose)
@@ -417,9 +422,21 @@ def goError(expression, suppressOutput=False, returnPayload=False):
 if conf.direct:
 return direct(expression), None

- result, payload = errorUse(expression, returnPayload)
+ condition = (
+ kb.resumedQueries and conf.url in kb.resumedQueries.keys()
+ and expression in kb.resumedQueries[conf.url].keys()
+ )
+
+ if condition:
+ result = resume(expression, None)
+
+ if not result:
+ result = errorUse(expression, returnPayload)
+
+ if not returnPayload:
+ dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, result))

 if suppressOutput:
 conf.verbose = popValue()

- return result, payload
+ return result
diff --git a/lib/techniques/blind/timebased.py b/lib/techniques/blind/timebased.py
index 8135658ff..ab44a8cc0 100644
--- a/lib/techniques/blind/timebased.py
+++ b/lib/techniques/blind/timebased.py
@@ -19,6 +19,9 @@ from lib.request import inject
 from lib.request.connect import Connect as Request

 def timeTest():
+ if kb.timeTest is not None:
+ return kb.timeTest
+
 infoMsg = "testing time-based blind sql injection on parameter "
 infoMsg += "'%s' with %s condition syntax" % (kb.injParameter, conf.logic)
 logger.info(infoMsg)
@@ -37,7 +40,7 @@ def timeTest():
 infoMsg += "'%s'" % kb.injParameter
 logger.info(infoMsg)

- kb.timeTest = payload
+ kb.timeTest = agent.removePayloadDelimiters(payload, False)
 else:
 warnMsg = "the target url is not affected by a time-based blind "
 warnMsg += "sql injection with AND condition syntax on parameter "
@@ -59,7 +62,7 @@ def timeTest():
 infoMsg += "'%s'" % kb.injParameter
 logger.info(infoMsg)

- kb.timeTest = payload
+ kb.timeTest = agent.removePayloadDelimiters(payload, False)
 else:
 warnMsg = "the target url is not affected by a time-based blind "
 warnMsg += "sql injection with stacked queries syntax on parameter "
diff --git a/lib/techniques/error/test.py b/lib/techniques/error/test.py
index 6fa1f5bbe..337a33eb2 100644
--- a/lib/techniques/error/test.py
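Review bot: goError now ends with `return result`, but the unchanged `if conf.direct: return direct(expression), None` branch above it still returns a 2-tuple, and `result = errorUse(expression, returnPayload)` hands back whatever errorUse yields — the removed `result, payload = errorUse(expression, returnPayload)` line indicates a pair when returnPayload is set — while the resumed path yields a bare value, so callers can receive three different shapes depending on conf.direct, returnPayload and the session cache. The shape should be fixed per returnPayload regardless of which path produced the value (e.g. `return direct(expression)` in the direct branch if no caller consumes the None, and `result, payload` unpacked only when returnPayload is true). Separately, `dataToSessionFile(...)` runs even when errorUse returned None, so the session line records the literal text "None" as the retrieved value; unless dataToSessionFile or resume filters that, a later run could resume it as real data, so guard it with `if result and not returnPayload:`.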
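Review bot: The new `kb.timeTest = agent.removePayloadDelimiters(payload, False)` depends on `agent` being in scope in timebased.py, yet this commit adds `from lib.core.agent import agent` to error/test.py and stacked.py only; if timebased.py does not already import it above line 19 the success branch raises NameError at the first positive result, so that should be confirmed before merge. The early return `if kb.timeTest is not None: return kb.timeTest` also only short-circuits a positive result: if the else branches leave kb.timeTest at None, every later timeTest() call re-sends the delay probes, and against a time-based target each repeat costs the configured sleep in wall-clock time. Caching the negative outcome too (e.g. `kb.timeTest = False` in the else branches, which still satisfies the `is not None` guard and stays falsy for callers) would avoid that. timeTest's body continues outside the hunk.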
+++ b/lib/techniques/error/test.py
@@ -9,6 +9,7 @@ See the file 'doc/COPYING' for copying permission

 import time

+from lib.core.agent import agent
 from lib.core.common import getUnicode
 from lib.core.common import randomInt
 from lib.core.data import conf
@@ -38,7 +39,7 @@ def errorTest():
 infoMsg += "injection on parameter '%s'" % kb.injParameter
 logger.info(infoMsg)

- kb.errorTest = True
+ kb.errorTest = agent.removePayloadDelimiters(usedPayload, False)
 else:
 warnMsg = "the target url is not affected by an error-based sql "
 warnMsg += "injection on parameter '%s'" % kb.injParameter
@@ -48,7 +49,4 @@ def errorTest():

 setError()

- if kb.errorTest:
- return usedPayload
- else:
- return False
+ return kb.errorTest
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index e2a396ab3..fb6049ea2 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -73,6 +73,7 @@ def errorUse(expression, returnPayload=False):
 if match:
 output = match.group('result')
+ if output:
 output = output.replace(ERROR_SPACE, " ").replace(ERROR_EMPTY_CHAR, "")
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
index 4d19bb647..63255ded1 100644
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -174,8 +174,8 @@ def unionTest():
 if conf.direct:
 return

- if kb.unionCount is not None and kb.unionPosition is not None:
- return
+ if kb.unionTest is not None:
+ return kb.unionTest

 if conf.uTech == "orderby":
 technique = "ORDER BY clause bruteforcing"
@@ -209,5 +209,7 @@ def unionTest():

 if validPayload is None:
 validPayload = ""
+ elif isinstance(validPayload, basestring):
+ kb.unionTest = agent.removePayloadDelimiters(validPayload, False)

- return validPayload
+ return kb.unionTest
diff --git a/lib/techniques/outband/stacked.py b/lib/techniques/outband/stacked.py
index 20f493e24..2e79931eb 100644
--- a/lib/techniques/outband/stacked.py
+++ b/lib/techniques/outband/stacked.py
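Review bot: `return kb.errorTest` changes the failure-path return value from the explicit `False` the removed lines produced to whatever the else branch assigns to kb.errorTest (outside this hunk), and after the previous hunk's `kb.errorTest = agent.removePayloadDelimiters(usedPayload, False)` the attribute is a payload string rather than the boolean True it used to hold; any caller comparing with `== False` or `is True` instead of by truthiness should be checked, and the attribute's new meaning deserves a one-line comment where kb.errorTest is initialised. Given the commit's consistency goal, errorTest should also get the `if kb.errorTest is not None: return kb.errorTest` guard that this commit adds to timeTest and unionTest, unless one already exists above line 38, otherwise each call repeats the error-based probe against the target. errorTest starts outside the hunk.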
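Review bot: On a negative result the new code still assigns `validPayload = ""` but never stores it, so `return kb.unionTest` now yields None where the removed `return validPayload` yielded "", and the new `if kb.unionTest is not None` guard never fires for that outcome, meaning every later unionTest() call repeats the whole ORDER BY / UNION bruteforce against the target. Storing the negative result instead, `kb.unionTest = ""` in place of `validPayload = ""`, restores the old return value and lets the guard cover both outcomes (an empty string stays falsy for callers but passes the `is not None` check). A validPayload that is neither None nor a basestring also falls through with kb.unionTest unset; if that shape can occur it should be handled explicitly rather than silently returning None. The body of unionTest between the two hunks is outside view.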
@@ -9,6 +9,7 @@ See the file 'doc/COPYING' for copying permission

 import time

+from lib.core.agent import agent
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import getDelayQuery
 from lib.core.data import conf
@@ -38,7 +39,7 @@ def stackedTest():
 infoMsg += "sql injection on parameter '%s'" % kb.injParameter
 logger.info(infoMsg)

- kb.stackedTest = payload
+ kb.stackedTest = agent.removePayloadDelimiters(payload, False)
 else:
 warnMsg = "the target url is not affected by a stacked queries "
 warnMsg += "sql injection on parameter '%s'" % kb.injParameter
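Review bot: stackedTest gets the payload normalisation in `kb.stackedTest = agent.removePayloadDelimiters(payload, False)` but, unlike timeTest and unionTest in this same commit, no `if kb.stackedTest is not None: return kb.stackedTest` guard at the top of the function; unless one already exists above line 38, each call re-runs the probe. The imports in the first hunk (time, calculateDeltaSeconds, getDelayQuery) indicate this is a delay-based probe, so every repeated call costs the configured sleep against the target and inflates the request count. Adding the same two-line guard here would make the four --*-test paths behave alike, which is what the commit title promises. stackedTest's body continues outside the hunk.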