Ahead with UNION exploitation after UNION test moved to detection phase - a lot to do yet.

lib/controller/checks.py

@@ -280,6 +280,7 @@ def checkSqlInjection(place, parameter, value):
                 # For each test's <where>
                 for where in test.where:
                     templatePayload = None
+                    vector = None
 
                     # Threat the parameter original value according to the
                     # test's <where> tag
@@ -380,7 +381,7 @@ def checkSqlInjection(place, parameter, value):
                             configUnion(test.request.char, test.request.columns)
 
                             dbmsToUnescape = dbms if dbms is not None else injection.dbms
-                            reqPayload, unionVector = unionTest(comment, place, parameter, value, prefix, suffix, dbmsToUnescape)
+                            reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix, dbmsToUnescape)
 
                             if isinstance(reqPayload, basestring):
                                 infoMsg = "%s parameter '%s' is '%s' injectable" % (place, parameter, title)
@@ -405,17 +406,15 @@ def checkSqlInjection(place, parameter, value):
                             injection.suffix = suffix
                             injection.clause = clause
 
-                        if "vector" in test and test.vector is not None:
+                        if vector is None and "vector" in test and test.vector is not None:
                             vector = "%s%s" % (test.vector, comment)
-                        else:
-                            vector = None
 
                         # Feed with test details every time a test is successful
                         injection.data[stype] = advancedDict()
                         injection.data[stype].title = title
                         injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload, False)
                         injection.data[stype].where = where
-                        injection.data[stype].vector = agent.cleanupPayload(vector, unionVector=unionVector)
+                        injection.data[stype].vector = vector
                         injection.data[stype].comment = comment
                         injection.data[stype].matchRatio = kb.matchRatio
                         injection.data[stype].templatePayload = templatePayload

lib/core/agent.py

@@ -108,7 +108,6 @@ class Agent:
                 retValue = paramString.replace("%s=%s" % (parameter, origValue),
                                                "%s=%s" % (parameter, self.addPayloadDelimiters(newValue)))
 
-#        print "retValue:", retValue
         return retValue
 
     def fullPayload(self, query):
@@ -180,7 +179,7 @@ class Agent:
 
         return string.rstrip()
 
-    def cleanupPayload(self, payload, origvalue=None, unionVector=None):
+    def cleanupPayload(self, payload, origvalue=None, unionVector=None, query=None):
         if payload is None:
             return
 
@@ -199,6 +198,9 @@ class Agent:
         payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
         payload = payload.replace("[UNION]", str(unionVector))
 
+        if query is not None:
+            payload = payload.replace("[QUERY]", query.lstrip())
+
         if origvalue is not None:
             payload = payload.replace("[ORIGVALUE]", origvalue)
 
@@ -220,11 +222,10 @@ class Agent:
                 inferenceQuery = queries[kb.misc.testedDbms].inference.query
                 payload = payload.replace("[INFERENCE]", inferenceQuery)
 
-            # NOTE: Leave this commented for the time being
-            #else:
-            #    errMsg = "invalid usage of inference payload without "
-            #    errMsg += "knowledge of underlying DBMS"
-            #    raise sqlmapNoneDataException, errMsg
+            else:
+                errMsg = "invalid usage of inference payload without "
+                errMsg += "knowledge of underlying DBMS"
+                raise sqlmapNoneDataException, errMsg
 
         return payload
 

lib/core/session.py

@@ -215,9 +215,6 @@ def setUnion(comment=None, count=None, position=None, negative=False, char=None,
     if negative:
         kb.unionNegative = True
 
-    if payload:
-        kb.unionTest = payload
-
 def setRemoteTempPath():
     condition = (
                   not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@@ -390,46 +387,6 @@ def resumeConfKb(expression, url, value):
 
         kb.brute.columns.append((db, table, colName, colType))
 
-    elif expression == "Union comment" and url == conf.url:
-        kb.unionComment = unSafeFormatString(value[:-1])
-
-        logMsg = "resuming union comment "
-        logMsg += "'%s' from session file" % kb.unionComment
-        logger.info(logMsg)
-
-    elif expression == "Union count" and url == conf.url:
-        kb.unionCount = int(value[:-1])
-
-        logMsg = "resuming union count "
-        logMsg += "%s from session file" % kb.unionCount
-        logger.info(logMsg)
-
-    elif expression == "Union position" and url == conf.url:
-        kb.unionPosition = int(value[:-1])
-
-        logMsg = "resuming union position "
-        logMsg += "%s from session file" % kb.unionPosition
-        logger.info(logMsg)
-
-    elif expression == "Union negative" and url == conf.url:
-        kb.unionNegative = True if value[:-1] == "Yes" else False
-
-        logMsg = "resuming union negative from session file"
-        logger.info(logMsg)
-
-    elif expression == "Union char" and url == conf.url:
-        conf.uChar = value[:-1]
-
-        logMsg = "resuming union char %s from session file" % conf.uChar
-        logger.info(logMsg)
-
-    elif expression == "Union payload" and url == conf.url:
-        kb.unionTest = value[:-1]
-
-        logMsg = "resuming union payload "
-        logMsg += "%s from session file" % kb.unionTest
-        logger.info(logMsg)
-
     elif expression == "Remote temp path" and url == conf.url:
         conf.tmpPath = unSafeFormatString(value[:-1])
 

lib/techniques/inband/union/test.py

@@ -52,7 +52,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
         if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage:
             setUnion(position=exprPosition)
             validPayload = payload
-            unionVector = agent.forgeInbandQuery("[PAYLOAD]", exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix)
+            unionVector = agent.forgeInbandQuery("[QUERY]", exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix)
 
             if where == 1:
                 # Prepare expression with delimiters

lib/techniques/inband/union/use.py

@@ -211,12 +211,10 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
 
     else:
         # Forge the inband SQL injection request
-        query = agent.forgeInbandQuery(expression, nullChar=nullChar)
+        query = unescaper.unescape(expression)
+        query = agent.cleanupPayload(kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector, query=query)
         payload = agent.payload(newValue=query)
 
-        debugMsg = "query: %s" % query
-        logger.debug(debugMsg)
-
         # Perform the request
         resultPage, _ = Request.queryPage(payload, content=True)
         reqCount += 1

plugins/generic/enumeration.py

@@ -52,7 +52,6 @@ from lib.request import inject
 from lib.request.connect import Connect as Request
 from lib.techniques.brute.use import columnExists
 from lib.techniques.brute.use import tableExists
-from lib.techniques.inband.union.test import unionTest
 from lib.utils.hash import attackDumpedTable
 from lib.utils.hash import attackCachedUsersPasswords
 
@@ -87,9 +86,6 @@ class Enumeration:
             infoMsg = "fetching banner"
             logger.info(infoMsg)
 
-            if conf.unionTest:
-                conf.dumper.technic("inband injection payload", unionTest())
-
             query = queries[kb.dbms].banner.query
             kb.data.banner = inject.getValue(query)
             bannerParser(kb.data.banner)