Important bug fix.

Minor code restyling.
Bernardo Damele 2011-01-13 09:41:55 +00:00
parent 1b3717c79c
commit be6e2d6a31
4 changed files with 14 additions and 14 deletions


@ -395,7 +395,7 @@ def checkSqlInjection(place, parameter, value):
# Overwrite 'where' because it can differ
# in unionTest()'s vector (1 or 2)
where = vector[5]
where = vector[6]
# If the injection test was successful feed the injection
# object with the test's details
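Review bot: `where = vector[6]` is the second time this index has had to move with the union vector's layout, and nothing in checkSqlInjection says what the six preceding slots are. A one-line comment on the assignment would stop the next drift: `# union vector layout: (position, count, comment, prefix, suffix, uChar, where)`, mirroring the tuple built in __unionPosition in this same commit. The layout is inferred from the sibling hunks rather than from this file; checkSqlInjection itself starts and ends outside the hunk.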


@ -478,7 +478,7 @@ class Agent:
return concatenatedQuery
def forgeInbandQuery(self, query, exprPosition=None, count=None, comment=None, prefix=None, suffix=None, multipleUnions=None):
def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None):
"""
Take in input an query (pseudo query) string and return its
processed UNION ALL SELECT query.
@ -501,9 +501,9 @@ class Agent:
forged within an UNION ALL SELECT statement
@type query: C{str}
@param exprPosition: it is the NULL position where it is possible
@param position: it is the NULL position where it is possible
to inject the query
@type exprPosition: C{int}
@type position: C{int}
@return: UNION ALL SELECT query string forged
@rtype: C{str}
@ -532,14 +532,14 @@ class Agent:
if element > 0:
inbandQuery += ", "
if element == exprPosition:
if element == position:
if " FROM " in query and not query.startswith("SELECT ") and "(CASE WHEN (" not in query:
conditionIndex = query.index(" FROM ")
inbandQuery += query[:conditionIndex]
else:
inbandQuery += query
else:
inbandQuery += conf.uChar
inbandQuery += char
if " FROM " in query and not query.startswith("SELECT ") and "(CASE WHEN (" not in query:
conditionIndex = query.index(" FROM ")
@ -559,10 +559,10 @@ class Agent:
if element > 0:
inbandQuery += ", "
if element == exprPosition:
if element == position:
inbandQuery += multipleUnions
else:
inbandQuery += conf.uChar
inbandQuery += char
if kb.dbms == DBMS.ORACLE:
inbandQuery += " FROM DUAL"
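Review bot: The new `char` parameter in forgeInbandQuery's signature is not documented in the epydoc block, which in the visible lines only renames `exprPosition` to `position`. From the two uses at `inbandQuery += char` it is the filler written into every column other than `position`, so add `@param char: filler placed in each column of the UNION ALL SELECT that does not carry the query (the callers pass conf.uChar)` and `@type char: C{str}` next to the `position` entry. Note also that `position`, `count`, `comment`, `prefix`, `suffix` and `char` went from keyword arguments with defaults to required positionals, so any caller not updated in this commit that still passes `exprPosition=` will fail with a TypeError; the three call sites visible here are updated, others cannot be checked from this page.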


@ -32,14 +32,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
# For each column of the table (# of NULL) perform a request using
# the UNION ALL SELECT statement to test it the target url is
# affected by an exploitable inband SQL injection vulnerability
for exprPosition in range(0, count):
for position in range(0, count):
# Prepare expression with delimiters
randQuery = randomStr()
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
randQueryUnescaped = unescaper.unescape(randQueryProcessed, dbms=dbms)
# Forge the inband SQL injection request
query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix)
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
# Perform the request
@ -47,7 +47,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
if resultPage and randQuery in resultPage and " UNION ALL SELECT " not in resultPage:
validPayload = payload
vector = (exprPosition, count, comment, prefix, suffix, where)
vector = (position, count, comment, prefix, suffix, conf.uChar, where)
if where == 1:
# Prepare expression with delimiters
@ -56,14 +56,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, dbms, coun
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2, dbms=dbms)
# Confirm that it is a full inband SQL injection
query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, prefix=prefix, suffix=suffix, multipleUnions=randQueryUnescaped2)
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, conf.uChar, multipleUnions=randQueryUnescaped2)
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=2)
# Perform the request
resultPage, _ = Request.queryPage(payload, place=place, content=True)
if resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):
vector = (exprPosition, count, comment, prefix, suffix, 2)
vector = (position, count, comment, prefix, suffix, conf.uChar, 2)
break
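Review bot: The two calls to forgeInbandQuery now pass count, comment, prefix, suffix and conf.uChar positionally where the previous code named them; since comment, prefix and suffix are all strings, a later reorder of the parameter list would misbind silently instead of raising. Keeping the keywords on the call, `agent.forgeInbandQuery(randQueryUnescaped, position, count=count, comment=comment, prefix=prefix, suffix=suffix, char=conf.uChar)`, costs nothing and keeps the call self-describing. The same applies to the confirmation call that adds `multipleUnions=randQueryUnescaped2`.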


@ -211,7 +211,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
else:
# Forge the inband SQL injection request
vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
query = agent.forgeInbandQuery(expression, exprPosition=vector[0], count=vector[1], comment=vector[2], prefix=vector[3], suffix=vector[4])
query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5])
payload = agent.payload(newValue=query)
# Perform the request
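Review bot: The call in this hunk indexes the union vector by bare position, `vector[0]` through `vector[5]`, so a reader has to know the tuple layout built in __unionPosition to check that `vector[5]` is the filler character and not `where`. Unpacking first reads as documentation and fails loudly if the layout changes again: `position, count, comment, prefix, suffix, char, where = vector` followed by `query = agent.forgeInbandQuery(expression, position, count, comment, prefix, suffix, char)`. The seven-slot layout is taken from the sibling hunk in this commit; unionUse starts and ends outside the hunk.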