Got rid of unreliable 'ORDER BY' technique to detect UNION query SQL injection, consequently switch --union-tech has gone now.

Minor code refactoring too.

lib/controller/controller.py

@@ -45,29 +45,6 @@ from lib.core.session import setTimeBased
 from lib.core.target import initTargetEnv
 from lib.core.target import setupTargetEnv
 
-def __saveToSessionFile():
-    for inj in kb.injections:
-        setInjection(inj)
-
-        place = inj.place
-        parameter = inj.parameter
-
-        for stype, sdata in inj.data.items():
-            payload = sdata[0]
-
-            if stype == 1:
-                kb.booleanTest = payload
-                setBooleanBased(place, parameter, payload)
-            elif stype == 2:
-                kb.errorTest = payload
-                setError(place, parameter, payload)
-            elif stype == 4:
-                kb.stackedTest = payload
-                setStacked(place, parameter, payload)
-            elif stype == 5:
-                kb.timeTest = payload
-                setTimeBased(place, parameter, payload)
-
 def __selectInjection():
     """
     Selection function for injection place, parameters and type.
@@ -144,6 +121,29 @@ def __showInjections():
 
     dumper.technic(header, data)
 
+def __saveToSessionFile():
+    for inj in kb.injections:
+        setInjection(inj)
+
+        place = inj.place
+        parameter = inj.parameter
+
+        for stype, sdata in inj.data.items():
+            payload = sdata[0]
+
+            if stype == 1:
+                kb.booleanTest = payload
+                setBooleanBased(place, parameter, payload)
+            elif stype == 2:
+                kb.errorTest = payload
+                setError(place, parameter, payload)
+            elif stype == 4:
+                kb.stackedTest = payload
+                setStacked(place, parameter, payload)
+            elif stype == 5:
+                kb.timeTest = payload
+                setTimeBased(place, parameter, payload)
+
 def start():
     """
     This function calls a function that performs checks on both URL

lib/core/option.py

@@ -499,24 +499,6 @@ def __setWriteFile():
     conf.wFileType = getFileType(conf.wFile)
 
 def __setUnion():
-    if isinstance(conf.uTech, basestring):
-        debugMsg = "setting the UNION query SQL injection detection technique"
-        logger.debug(debugMsg)
-
-        uTechOriginal = conf.uTech
-        conf.uTech = conf.uTech.lower()
-
-        if conf.uTech and conf.uTech not in ( "char", "orderby" ):
-            infoMsg  = "resetting the UNION query detection technique to "
-            infoMsg += "'char', '%s' is not a valid technique" % uTechOriginal
-            logger.info(infoMsg)
-
-            conf.uTech = "char"
-        else:
-            debugMsg  = "setting UNION query detection technique to "
-            debugMsg += "'%s'" % uTechOriginal
-            logger.debug(debugMsg)
-
     if isinstance(conf.uCols, basestring) and conf.uChar != "1-20":
         debugMsg = "setting the UNION query SQL injection range of columns"
         logger.debug(debugMsg)

lib/core/optiondict.py

@@ -77,7 +77,6 @@ optDict = {
             "Techniques":    {
                                "timeSec":           "integer",
                                "unionTest":         "boolean",
-                               "uTech":             "string",
                                "uCols":             "integer",
                                "uChar":             "string"
                              },

lib/parse/cmdline.py

@@ -235,9 +235,6 @@ def cmdLineParser():
                               action="store_true", default=False,
                               help="Test for and use UNION query (inband) SQL injection")
 
-        techniques.add_option("--union-tech", dest="uTech", default="char",
-                              help="Technique to test for UNION query SQL injection")
-
         techniques.add_option("--union-cols", dest="uCols", default="1-20",
                               help="Range of columns to test for UNION query SQL injection")
 

lib/techniques/inband/union/test.py

@@ -117,26 +117,6 @@ def __unionTestByCharBruteforce(comment):
 
     return validPayload
 
-def __unionTestByOrderBy(comment):
-    columns = None
-    prevPayload = ""
-
-    for count in range(conf.uColsStart, conf.uColsStop+1):
-        query = agent.prefixQuery("ORDER BY %d" % count)
-        orderByQuery = agent.suffixQuery(query, comment)
-        payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
-        _, seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
-
-        if seqMatcher >= 0.6:
-            columns = count
-            setUnion(count=count)
-        elif columns:
-            break
-
-        prevPayload = payload
-
-    return columns
-
 def unionTest():
     """
     This method tests if the target url is affected by an inband
@@ -149,9 +129,7 @@ def unionTest():
     if kb.unionTest is not None:
         return kb.unionTest
 
-    if conf.uTech == "orderby":
+    if conf.uChar == "NULL":
-        technique = "ORDER BY clause bruteforcing"
-    elif conf.uChar == "NULL":
         technique = "NULL bruteforcing"
     else:
         technique = "char (%s) bruteforcing" % conf.uChar
@@ -163,10 +141,7 @@ def unionTest():
     validPayload = None
     comment = queries[kb.dbms].comment.query
 
-    if conf.uTech == "orderby":
+    validPayload = __unionTestByCharBruteforce(comment)
-        validPayload = __unionTestByOrderBy(comment)
-    else:
-        validPayload = __unionTestByCharBruteforce(comment)
 
     if validPayload:
         setUnion(comment=comment)

sqlmap.conf

@@ -255,13 +255,6 @@ timeSec = 5
 # Valid: True or False
 unionTest = False
 
-# Technique to test for UNION query SQL injection
-# The possible techniques are by NULL bruteforcing (bf) or by ORDER BY
-# clause (ob)
-# Valid: char, OrderBy
-# Default: char
-uTech = char
-
 # Range of columns to test for
 # Valid: range of integers
 # Default: 1-20