Proper return from error-based technique enumeration

2024-11-22 17:46:37 +03:00 · 2011-01-31 21:13:29 +00:00 · 2011-01-31 21:13:29 +00:00 · e3a3ae11cc
commit e3a3ae11cc
parent fa58a9c86b
3 changed files with 13 additions and 12 deletions
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@ -97,7 +97,9 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N
                logger.warn(warnMsg)

            output = __oneShotErrorUse(expressionReplaced, field)
-            logger.info("retrieved: %s" % output)
+
+            if output is not None:
+                logger.info("retrieved: %s" % output)

        if isinstance(num, int):
            expression = origExpr
@ -145,7 +147,7 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
    # entry per time
    # NOTE: I assume that only queries that get data from a table can
    # return multiple entries
-    if " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) and "EXISTS(" not in expression.upper():
+    if " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() not in FROM_TABLE) or (Backend.getIdentifiedDbms() in FROM_TABLE and not expression.upper().endswith(FROM_TABLE[Backend.getIdentifiedDbms()]))) and "EXISTS(" not in expression.upper() and "(CASE" not in expression.upper():
        limitRegExp = re.search(queries[Backend.getIdentifiedDbms()].limitregexp.query, expression, re.I)
        topLimit = re.search("TOP\s+([\d]+)\s+", expression, re.I)

@ -258,6 +260,9 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
                try:
                    for num in xrange(startLimit, stopLimit):
                        output = __errorFields(expression, expressionFields, expressionFieldsList, expected, num, resumeValue)
+                        if output and isinstance(output, list) and len(output) == 1:
+                            output = output[0]
+
                        outputs.append(output)

                except KeyboardInterrupt:
@ -270,8 +275,10 @@ def errorUse(expression, expected=None, resumeValue=True, dump=False):
                debugMsg = "performed %d queries in %d seconds" % (reqCount, duration)
                logger.debug(debugMsg)

-                return outputs
-    else:
-        return __errorFields(expression, expressionFields, expressionFieldsList)
+    if not outputs:
+        outputs = __errorFields(expression, expressionFields, expressionFieldsList)
+
+    if outputs and isinstance(outputs, list) and len(outputs) == 1:
+        outputs = outputs[0]

    return outputs
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@ -254,7 +254,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, unpack
        reqCount += 1

        if kb.misc.start not in content or kb.misc.stop not in content:
-            return
+            return None

        # Parse the returned page to get the exact inband
        # sql injection output
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -267,9 +267,6 @@ class Enumeration:
                    if parsedUser:
                        user = parsedUser.groups()[0]

-                if isinstance(user, list):
-                    user = user[0]
-
                if not user or user in retrievedUsers:
                    continue

@ -539,9 +536,6 @@ class Enumeration:
                if Backend.getIdentifiedDbms() == DBMS.MYSQL and kb.data.has_information_schema:
                    unescapedUser = unescaper.unescape(user, quote=False)

-                if isinstance(user, list):
-                    user = user[0]
-
                if not user or user in retrievedUsers:
                    continue