cleanup for issue #68

2024-11-25 11:03:47 +03:00 · 2012-07-12 15:38:43 +01:00 · 2012-07-12 15:38:43 +01:00 · ea9c66108e
commit ea9c66108e
parent 569c9214bf
2 changed files with 16 additions and 38 deletions
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@ -94,7 +94,7 @@ def __goInference(payload, expression, charsetType=None, firstChar=None, lastCha

    return value

-def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
+def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, num=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
    outputs = []
    origExpr = None

@ -122,7 +122,7 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl

    return outputs

-def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
+def __goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
    """
    Retrieve the output of a SQL query characted by character taking
    advantage of an blind SQL injection vulnerability on the affected
@ -304,7 +304,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, u

                try:
                    for num in xrange(startLimit, stopLimit):
-                        output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
+                        output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, num=num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
                        outputs.append(output)

                except KeyboardInterrupt:
@ -317,7 +317,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, u
    elif Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().startswith("SELECT ") and " FROM " not in expression.upper():
        expression += FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]

-    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
+    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)

    return ", ".join(output for output in outputs) if not isNoneValue(outputs) else None

@ -345,23 +345,14 @@ def __goBooleanProxy(expression):

    return output

-def __goError(expression, expected=None, dump=False):
-    """
-    Retrieve the output of a SQL query taking advantage of an error-based
-    SQL injection vulnerability on the affected parameter.
-    """
-
-    output = errorUse(expression, expected, dump)
-
-    return output
-
-def __goInband(expression, expected=None, unpack=True, dump=False):
+def __goInband(expression, unpack=True, dump=False):
    """
    Retrieve the output of a SQL query taking advantage of an inband SQL
    injection vulnerability on the affected parameter.
    """

    output = unionUse(expression, unpack=unpack, dump=dump)
+
    if isinstance(output, basestring):
        output = parseUnionPage(output)

@ -392,41 +383,27 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                forgeCaseExpression = agent.forgeCaseStatement(expression)

        if conf.direct:
-            if expected == EXPECTED.BOOL:
-                value = direct(forgeCaseExpression)
-            else:
-                value = direct(expression)
+            value = direct(forgeCaseExpression if expected == EXPECTED.BOOL else expression)

        elif any(map(isTechniqueAvailable, getPublicTypeMembers(PAYLOAD.TECHNIQUE, onlyValues=True))):
            query = cleanQuery(expression)
            query = expandAsteriskForColumns(query)
            value = None
            found = False
+            count = 0

            if query and not 'COUNT(*)' in query:
                query = query.replace("DISTINCT ", "")

-            count = 0
-
            if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
                kb.technique = PAYLOAD.TECHNIQUE.UNION
-
-                if expected == EXPECTED.BOOL:
-                    value = __goInband(forgeCaseExpression, expected, unpack, dump)
-                else:
-                    value = __goInband(query, expected, unpack, dump)
-
+                value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
                count += 1
                found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE

            if error and isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) and not found:
                kb.technique = PAYLOAD.TECHNIQUE.ERROR
-
-                if expected == EXPECTED.BOOL:
-                    value = __goError(forgeCaseExpression, expected, dump)
-                else:
-                    value = __goError(query, expected, dump)
-
+                value = errorUse(forgeCaseExpression if expected == EXPECTED.BOOL else query, dump)
                count += 1
                found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE

@ -436,7 +413,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                if expected == EXPECTED.BOOL:
                    value = __goBooleanProxy(booleanExpression)
                else:
-                    value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
+                    value = __goInferenceProxy(query, fromUser, batch, unpack, charsetType, firstChar, lastChar, dump)

                count += 1
                found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
@ -450,7 +427,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                if expected == EXPECTED.BOOL:
                    value = __goBooleanProxy(booleanExpression)
                else:
-                    value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
+                    value = __goInferenceProxy(query, fromUser, batch, unpack, charsetType, firstChar, lastChar, dump)

            if value and isinstance(value, basestring):
                value = value.strip()
@ -461,6 +438,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse

    finally:
        kb.resumeValues = True
+
        if suppressOutput is not None:
            getCurrentThreadData().disableStdOut = popValue()

--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@ -153,7 +153,7 @@ def __oneShotErrorUse(expression, field=None):

    return safecharencode(retVal) if kb.safeCharEncode else retVal

-def __errorFields(expression, expressionFields, expressionFieldsList, expected=None, num=None, emptyFields=None):
+def __errorFields(expression, expressionFields, expressionFieldsList, num=None, emptyFields=None):
    outputs = []
    origExpr = None

@ -217,7 +217,7 @@ def __formatPartialContent(value):
            value = safecharencode(value)
    return value

-def errorUse(expression, expected=None, dump=False):
+def errorUse(expression, dump=False):
    """
    Retrieve the output of a SQL query taking advantage of the error-based
    SQL injection vulnerability on the affected parameter.
@ -380,7 +380,7 @@ def errorUse(expression, expected=None, dump=False):
                            except StopIteration:
                                break

-                        output = __errorFields(expression, expressionFields, expressionFieldsList, expected, num, emptyFields)
+                        output = __errorFields(expression, expressionFields, expressionFieldsList, num, emptyFields)

                        if not kb.threadContinue:
                            break