From e3a3ae11cc159285074ac6a9bc0a9603e3f0b64a Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Mon, 31 Jan 2011 21:13:29 +0000
Subject: [PATCH] Proper return from error-based technique enumeration

---
 lib/techniques/error/use.py | 17 ++++++++++++-----
 lib/techniques/inband/union/use.py | 2 +-
 plugins/generic/enumeration.py | 6 ------
 3 files changed, 13 insertions(+), 12 deletions(-)

diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index 02ee45a32..51b15893d 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -97,7 +97,9 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N
             logger.warn(warnMsg)
 
         output = __oneShotErrorUse(expressionReplaced, field)
-        logger.info("retrieved: %s" % output)
+
+        if output is not None:
+            logger.info("retrieved: %s" % output)
 
         if isinstance(num, int):
             expression = origExpr
@@ -145,7 +147,7 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
     # entry per time
     # NOTE: I assume that only queries that get data from a table can
     # return multiple entries
-    if " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) and "EXISTS(" not in expression.upper():
+    if " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) and "EXISTS(" not in expression.upper() and "(CASE" not in expression.upper():
         limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
         topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)
 
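Review bot: The new `"(CASE" not in expression.upper()` clause turns this one `if` into a line that calls `expression.upper()` four times and `Backend.getIdentifiedDbms()` three times; hoisting them into locals just above it, `upperExpr = expression.upper()` and `dbms = Backend.getIdentifiedDbms()`, would make the multi-row heuristic readable and stop recomputing the same values. The test is also a plain substring match, so an expression spelled `( CASE` or `CASE(` would presumably not be excluded; if the queries built elsewhere in the project always use the `(CASE` form that is fine, but a comment saying so next to the condition would record the assumption. The enclosing `errorUse` continues outside this hunk.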
@@ -258,6 +260,9 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
         try:
             for num in xrange(startLimit, stopLimit):
                 output = __errorFields(expression, expressionFields, expressionFieldsList, expected, num, resumeValue)
+                if output and isinstance(output, list) and len(output) == 1:
+                    output = output[0]
+
                 outputs.append(output)
 
         except KeyboardInterrupt:
@@ -270,8 +275,10 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
         debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)
         logger.debug(debugMsg)
 
-        return outputs
-    else:
-        return __errorFields(expression, expressionFields, expressionFieldsList)
+    if not outputs:
+        outputs = __errorFields(expression, expressionFields, expressionFieldsList)
+
+    if outputs and isinstance(outputs, list) and len(outputs) == 1:
+        outputs = outputs[0]
 
     return outputs
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index 060c40a13..371057bb3 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -254,7 +254,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, unpack
         reqCount += 1
 
         if kb.misc.start not in content or kb.misc.stop not in content:
-            return
+            return None
 
         # Parse the returned page to get the exact inband
         # sql injection output
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index 5790a5b17..5ff2e10c5 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -267,9 +267,6 @@ class Enumeration:
             if parsedUser:
                 user = parsedUser.groups()[0]
 
-            if isinstance(user, list):
-                user = user[0]
-
             if not user or user in retrievedUsers:
                 continue
 
@@ -539,9 +536,6 @@ class Enumeration:
             if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
                 unescapedUser = unescaper.unescape(user, quote=False)
 
-            if isinstance(user, list):
-                user = user[0]
-
             if not user or user in retrievedUsers:
                 continue
 
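Review bot: `if output and isinstance(output, list) and len(output) == 1:` carries a redundant truthiness test, because `len(output) == 1` already rules out an empty list, so `if isinstance(output, list) and len(output) == 1:` expresses the same check. The same unwrap is repeated at function level in the next hunk (`-270,8 +275,10`); a small private helper such as `def __unwrapSingle(value)` used in both places would keep them from drifting apart. After this change the elements appended to `outputs` are a mix of scalars (single-column rows) and lists (multi-column rows), which callers must now be prepared for; a one-line comment on the unwrap, `# single-column rows are flattened to their value; multi-column rows stay lists`, would make that visible. `errorUse` starts before this hunk.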
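Review bot: `if not outputs:` now sits at function level, so the single-shot `__errorFields` fallback also fires when the LIMIT-ed loop above ran but collected nothing, or was presumably cut short before its first entry, whereas the removed `else:` only ran it when the multi-row condition was false. If that extra query is intended, a comment such as `# nothing collected by the LIMIT-ed loop: retry once as a single-shot query` should record it; otherwise restoring the `else:` keeps the previous behaviour. Combined with the unwrap below it, `errorUse` can now return a list of rows, a single row, a scalar, or whatever `__errorFields` yields when nothing is retrieved, and the function has no docstring stating that contract; a short docstring listing those return shapes would save callers (the `Enumeration` hunks in this same commit) from re-adding `isinstance` checks. The function starts outside this hunk.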
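Review bot: Dropping the `isinstance(user, list)` unwrap here, and in the second `Enumeration` hunk at `-539,9 +536,6`, relies on every technique delivering a scalar by the time `user` reaches `if not user or user in retrievedUsers:`; the error-based path gains that guarantee in this commit, but the only change to lib/techniques/inband/union/use.py in this patch is `return` to `return None`, so whether `unionUse` also flattens one-element rows cannot be seen here. If it does not, a one-element list would make `user in retrievedUsers` silently false and pass a list into the string handling that follows. A comment at the top of the loop, `# user is expected to be a scalar here: the technique layer flattens single-column rows`, would pin the assumption for the next reader. Both enclosing methods start outside their hunks.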