Added a precaution when, in some rare circumstances, fingerprinted DBMS differ during detection phase.

Adapted UNION tests' titles when --union-char is provided. Lots of comment adjustments. Code cleanup
2025-03-27 05:14:18 +03:00 · 2011-01-18 23:03:50 +00:00 · 2011-01-18 23:03:50 +00:00 · eda0b41859
commit eda0b41859
parent cffa17f5a6
1 changed files with 65 additions and 32 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -100,14 +100,19 @@ def checkSqlInjection(place, parameter, value):
            stype = test.stype
            clause = test.clause

-            if stype == 3 and test.request.columns == "[COLSTART]-[COLSTOP]":
+            if stype == 3:
+                configUnion(test.request.char)
+
+                if test.request.columns == "[COLSTART]-[COLSTOP]":
                    if conf.uCols is None:
                        continue
                    else:
-                    configUnion()
                        title = title.replace("[COLSTART]", str(conf.uColsStart))
                        title = title.replace("[COLSTOP]", str(conf.uColsStop))

+                if "[CHAR]" in title:
+                    title = title.replace("[CHAR]", conf.uChar)
+
            # Skip test if the user's wants to test only for a specific
            # technique
            if conf.technique and isinstance(conf.technique, int) and stype != conf.technique:
@ -136,7 +141,8 @@ def checkSqlInjection(place, parameter, value):
                continue

            # Skip DBMS-specific test if it does not match either the
-            # previously identified or the user's provided DBMS
+            # previously identified or the user's provided DBMS (either
+            # from program switch or from parsed error message(s))
            if "details" in test and "dbms" in test.details:
                dbms = test.details.dbms
            else:
@ -387,10 +393,12 @@ def checkSqlInjection(place, parameter, value):
                            # used afterwards by Agent.forgeInbandQuery()
                            # method to forge the UNION query payload

-                            # Set fingerprinted DBMS according to the
-                            # current test settings for proper unescaping
+                            # Force back-end DBMS according to the current
+                            # test value for proper payload unescaping
                            kb.misc.forcedDbms = dbms

+                            # Skip test if the user provided custom column
+                            # range and this is not a custom UNION test
                            if conf.uCols is not None and test.request.columns != "[COLSTART]-[COLSTOP]":
                                debugMsg = "skipping test '%s' because custom " % title
                                debugMsg += "UNION columns range was provided"
@ -405,6 +413,7 @@ def checkSqlInjection(place, parameter, value):
                                warnMsg += "back-end DBMS"
                                logger.warn(warnMsg)

+                            # Test for UNION query SQL injection
                            reqPayload, vector = unionTest(comment, place, parameter, value, prefix, suffix)

                            if isinstance(reqPayload, basestring):
@ -417,6 +426,7 @@ def checkSqlInjection(place, parameter, value):
                                # by unionTest() directly
                                where = vector[6]

+                            # Reset back-end DBMS value
                            kb.misc.forcedDbms = None

                    # If the injection test was successful feed the injection
@ -454,15 +464,38 @@ def checkSqlInjection(place, parameter, value):
                        injection.conf.regexp = conf.regexp

                        if hasattr(test, "details"):
-                            for detailKey, detailValue in test.details.items():
-                                if detailKey == "dbms" and injection.dbms is None:
-                                    injection.dbms = detailValue
-                                    kb.dbms = aliasToDbmsEnum(detailValue)
-                                elif detailKey == "dbms_version" and injection.dbms_version is None:
-                                    injection.dbms_version = detailValue
-                                    kb.dbmsVersion = [ detailValue ]
-                                elif detailKey == "os" and injection.os is None:
-                                    injection.os = detailValue
+                            for dKey, dValue in test.details.items():
+                                # Little precaution, in theory this condition
+                                # should always be false
+                                if dKey == "dbms" and injection.dbms is not None and dValue != injection.dbms:
+                                    msg = "previous test(s) identified that the "
+                                    msg += "back-end DBMS possibly is %s. " % injection.dbms
+                                    msg += "However the last successful test "
+                                    msg += "fingerprinted %s. " % dValue
+                                    msg += "Please, specify which DBMS is "
+                                    msg += "correct [%s (default)/%s] " % (injection.dbms, dValue)
+
+                                    while True:
+                                        inp = readInput(msg, default=injection.dbms)
+
+                                        if inp == injection.dbms:
+                                            break
+                                        elif inp == dValue:
+                                            kb.dbms = aliasToDbmsEnum(inp)
+                                            injection.dbms = aliasToDbmsEnum(inp)
+                                            injection.dbms_version = None
+                                            break
+                                        else:
+                                            warnMsg = "invalid value"
+                                            logger.warn(warnMsg)
+                                elif dKey == "dbms" and injection.dbms is None:
+                                    kb.dbms = aliasToDbmsEnum(dValue)
+                                    injection.dbms = aliasToDbmsEnum(dValue)
+                                elif dKey == "dbms_version" and injection.dbms_version is None:
+                                    kb.dbmsVersion = [ dValue ]
+                                    injection.dbms_version = dValue
+                                elif dKey == "os" and injection.os is None:
+                                    injection.os = dValue

                        if conf.beep or conf.realTest:
                            beep()