From df5dc101117f2acb0babcc5ab1f40facfea93847 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sat, 13 Nov 2010 22:47:37 +0000
Subject: [PATCH] Major enhancement to --union-test check
---
 lib/techniques/inband/union/test.py | 43 ++++++++++++++++++++---------
 1 file changed, 30 insertions(+), 13 deletions(-)
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
index 63255ded1..3ab4fe6ab 100644
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -83,13 +83,13 @@ def __unionPosition(negative=False, falseCond=False):
 return validPayload
-def __unionConfirm():
+def __unionConfirm(negative=False, falseCond=False):
 validPayload = None
 # Confirm the inband SQL injection and get the exact column
- # position
+ # position which can be used to extract data
 if not isinstance(kb.unionPosition, int):
- validPayload = __unionPosition()
+ validPayload = __unionPosition(negative=negative, falseCond=falseCond)
 # Assure that the above function found the exploitable full inband
 # SQL injection position
@@ -114,7 +114,7 @@ def __unionConfirm():
 return validPayload
-def __unionTestByNULLBruteforce(comment):
+def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):
 """
 This method tests if the target url is affected by an inband
 SQL injection vulnerability. The test is done up to 50 columns
@@ -135,7 +135,7 @@ def __unionTestByNULLBruteforce(comment):
 query += " FROM DUAL"
 commentedQuery = agent.postfixQuery(query, comment)
- payload = agent.payload(newValue=commentedQuery)
+ payload = agent.payload(newValue=commentedQuery, negative=negative, falseCond=falseCond)
 seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
 if seqMatcher >= 0.6:
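Review bot: The `negative` and `falseCond` parameters added to `__unionConfirm` and `__unionTestByNULLBruteforce` are undocumented: `__unionConfirm` has no docstring at all, and the docstring of `__unionTestByNULLBruteforce`, which continues past its hunk, still describes only the column brute-force. From the hunks alone the two flags are only forwarded, to `__unionPosition()` and to `agent.payload()`, so a one-line addition in each such as `negative/falseCond: passed through unchanged to agent.payload() (resp. __unionPosition())` would keep callers from guessing; the same applies to `__unionTestByOrderBy` in the following hunk. Both function bodies extend beyond their hunks.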
@@ -145,14 +145,14 @@ def __unionTestByNULLBruteforce(comment):
 return columns
-def __unionTestByOrderBy(comment):
+def __unionTestByOrderBy(comment, negative=False, falseCond=False):
 columns = None
 prevPayload = ""
 for count in range(1, 51):
 query = agent.prefixQuery("ORDER BY %d" % count)
 orderByQuery = agent.postfixQuery(query, comment)
- payload = agent.payload(newValue=orderByQuery)
+ payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
 seqMatcher = Request.queryPage(payload, getSeqMatcher=True)
 if seqMatcher >= 0.6:
@@ -165,6 +165,16 @@ def __unionTestByOrderBy(comment):
 return columns
+def __unionTestAll(comment="", negative=False, falseCond=False):
+ columns = None
+
+ if conf.uTech == "orderby":
+ columns = __unionTestByOrderBy(comment, negative=negative, falseCond=falseCond)
+ else:
+ columns = __unionTestByNULLBruteforce(comment, negative=negative, falseCond=falseCond)
+
+ return columns
+
 def unionTest():
 """
 This method tests if the target url is affected by an inband
@@ -188,20 +198,27 @@ def unionTest():
 validPayload = None
 columns = None
+ negative = False
+ falseCond = False
 for comment in (queries[kb.dbms].comment.query, ""):
- if conf.uTech == "orderby":
- columns = __unionTestByOrderBy(comment)
- else:
- columns = __unionTestByNULLBruteforce(comment)
+ columns = __unionTestAll(comment)
+
+ if not columns:
+ negative = True
+ columns = __unionTestAll(comment, negative=negative)
+
+ if not columns:
+ falseCond = True
+ columns = __unionTestAll(comment, falseCond=falseCond)
 if columns:
- setUnion(comment=comment, count=columns)
+ setUnion(comment=comment, count=columns, negative=negative, falseCond=falseCond)
 break
 if kb.unionCount:
- validPayload = __unionConfirm()
+ validPayload = __unionConfirm(negative=negative, falseCond=falseCond)
 else:
 warnMsg = "the target url is not affected by an "
 warnMsg += "inband sql injection vulnerability"
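Review bot: `__unionTestAll` is introduced without a docstring, while the two helpers it wraps and `unionTest` below each carry one; a short one stating that it dispatches on `conf.uTech` to `__unionTestByOrderBy` or `__unionTestByNULLBruteforce`, forwarding `comment`, `negative` and `falseCond`, and returns whatever that helper returns would suffice. The `columns = None` pre-assignment is dead, since both branches assign `columns`; returning straight from each branch, `return __unionTestByOrderBy(comment, negative=negative, falseCond=falseCond)` and `return __unionTestByNULLBruteforce(comment, negative=negative, falseCond=falseCond)`, reads cleaner. The `comment=""` default also differs from the wrapped helpers, which take `comment` as a required positional, and no call site in this diff relies on it.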
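Review bot: In `unionTest` the flags recorded for a successful attempt can disagree with the payload that actually matched: after the second attempt fails, `negative` stays True while the third call is `__unionTestAll(comment, falseCond=falseCond)`, i.e. with `negative` at its False default, yet `setUnion(...)` and `__unionConfirm(...)` then receive `negative=True, falseCond=True`, a combination that was never tested. The two flags are also never reset between the two `comment` values of the loop, so a plain-payload hit on the second comment still reports the True values left over from the first. Moving `negative = False` and `falseCond = False` to the top of the `for comment` body and adding `negative = False` before `falseCond = True` keeps the recorded flags equal to the ones the matching call used. `unionTest` begins outside this hunk.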