cleanup for issue #68

lib/request/inject.py

@@ -94,7 +94,7 @@ def __goInference(payload, expression, charsetType=None, firstChar=None, lastCha
 
     return value
 
-def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected=None, num=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
+def __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, num=None, charsetType=None, firstChar=None, lastChar=None, dump=False):
     outputs = []
     origExpr = None
 
@@ -122,7 +122,7 @@ def __goInferenceFields(expression, expressionFields, expressionFieldsList, payl
 
     return outputs
 
-def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
+def __goInferenceProxy(expression, fromUser=False, batch=False, unpack=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
     """
     Retrieve the output of a SQL query characted by character taking
     advantage of an blind SQL injection vulnerability on the affected
@@ -304,7 +304,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, u
 
                 try:
                     for num in xrange(startLimit, stopLimit):
-                        output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
+                        output = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, num=num, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
                         outputs.append(output)
 
                 except KeyboardInterrupt:
@@ -317,7 +317,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, u
     elif Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE and expression.upper().startswith("SELECT ") and " FROM " not in expression.upper():
         expression += FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]
 
-    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, expected, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
+    outputs = __goInferenceFields(expression, expressionFields, expressionFieldsList, payload, charsetType=charsetType, firstChar=firstChar, lastChar=lastChar, dump=dump)
 
     return ", ".join(output for output in outputs) if not isNoneValue(outputs) else None
 
@@ -345,23 +345,14 @@ def __goBooleanProxy(expression):
 
     return output
 
-def __goError(expression, expected=None, dump=False):
+def __goInband(expression, unpack=True, dump=False):
-    """
-    Retrieve the output of a SQL query taking advantage of an error-based
-    SQL injection vulnerability on the affected parameter.
-    """
-
-    output = errorUse(expression, expected, dump)
-
-    return output
-
-def __goInband(expression, expected=None, unpack=True, dump=False):
     """
     Retrieve the output of a SQL query taking advantage of an inband SQL
     injection vulnerability on the affected parameter.
     """
 
     output = unionUse(expression, unpack=unpack, dump=dump)
+
     if isinstance(output, basestring):
         output = parseUnionPage(output)
 
@@ -392,41 +383,27 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                 forgeCaseExpression = agent.forgeCaseStatement(expression)
 
         if conf.direct:
-            if expected == EXPECTED.BOOL:
+            value = direct(forgeCaseExpression if expected == EXPECTED.BOOL else expression)
-                value = direct(forgeCaseExpression)
-            else:
-                value = direct(expression)
 
         elif any(map(isTechniqueAvailable, getPublicTypeMembers(PAYLOAD.TECHNIQUE, onlyValues=True))):
             query = cleanQuery(expression)
             query = expandAsteriskForColumns(query)
             value = None
             found = False
+            count = 0
 
             if query and not 'COUNT(*)' in query:
                 query = query.replace("DISTINCT ", "")
 
-            count = 0
-
             if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
                 kb.technique = PAYLOAD.TECHNIQUE.UNION
-
+                value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
-                if expected == EXPECTED.BOOL:
-                    value = __goInband(forgeCaseExpression, expected, unpack, dump)
-                else:
-                    value = __goInband(query, expected, unpack, dump)
-
                 count += 1
                 found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
 
             if error and isTechniqueAvailable(PAYLOAD.TECHNIQUE.ERROR) and not found:
                 kb.technique = PAYLOAD.TECHNIQUE.ERROR
-
+                value = errorUse(forgeCaseExpression if expected == EXPECTED.BOOL else query, dump)
-                if expected == EXPECTED.BOOL:
-                    value = __goError(forgeCaseExpression, expected, dump)
-                else:
-                    value = __goError(query, expected, dump)
-
                 count += 1
                 found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
 
@@ -436,7 +413,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                 if expected == EXPECTED.BOOL:
                     value = __goBooleanProxy(booleanExpression)
                 else:
-                    value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
+                    value = __goInferenceProxy(query, fromUser, batch, unpack, charsetType, firstChar, lastChar, dump)
 
                 count += 1
                 found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
@@ -450,7 +427,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                 if expected == EXPECTED.BOOL:
                     value = __goBooleanProxy(booleanExpression)
                 else:
-                    value = __goInferenceProxy(query, fromUser, expected, batch, unpack, charsetType, firstChar, lastChar, dump)
+                    value = __goInferenceProxy(query, fromUser, batch, unpack, charsetType, firstChar, lastChar, dump)
 
             if value and isinstance(value, basestring):
                 value = value.strip()
@@ -461,6 +438,7 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
 
     finally:
         kb.resumeValues = True
+
         if suppressOutput is not None:
             getCurrentThreadData().disableStdOut = popValue()
 

lib/techniques/error/use.py

@@ -153,7 +153,7 @@ def __oneShotErrorUse(expression, field=None):
 
     return safecharencode(retVal) if kb.safeCharEncode else retVal
 
-def __errorFields(expression, expressionFields, expressionFieldsList, expected=None, num=None, emptyFields=None):
+def __errorFields(expression, expressionFields, expressionFieldsList, num=None, emptyFields=None):
     outputs = []
     origExpr = None
 
@@ -217,7 +217,7 @@ def __formatPartialContent(value):
             value = safecharencode(value)
     return value
 
-def errorUse(expression, expected=None, dump=False):
+def errorUse(expression, dump=False):
     """
     Retrieve the output of a SQL query taking advantage of the error-based
     SQL injection vulnerability on the affected parameter.
@@ -380,7 +380,7 @@ def errorUse(expression, expected=None, dump=False):
                             except StopIteration:
                                 break
 
-                        output = __errorFields(expression, expressionFields, expressionFieldsList, expected, num, emptyFields)
+                        output = __errorFields(expression, expressionFields, expressionFieldsList, num, emptyFields)
 
                         if not kb.threadContinue:
                             break