From f5904d0bc07150510c2dd094063443ffa4c94b9a Mon Sep 17 00:00:00 2001 From: Bernardo Damele Date: Mon, 25 Oct 2010 23:39:55 +0000 Subject: [PATCH] Major bug fix to --union-test --- lib/controller/action.py | 2 +- lib/core/agent.py | 2 +- lib/core/session.py | 2 +- lib/request/inject.py | 4 ++-- lib/techniques/inband/union/test.py | 16 ++++++++-------- plugins/dbms/mssqlserver/enumeration.py | 6 +++--- plugins/dbms/mssqlserver/filesystem.py | 2 +- plugins/dbms/oracle/enumeration.py | 4 ++-- plugins/generic/enumeration.py | 20 ++++++++++---------- 9 files changed, 29 insertions(+), 29 deletions(-) diff --git a/lib/controller/action.py b/lib/controller/action.py index 0d0eec076..530a481cd 100644 --- a/lib/controller/action.py +++ b/lib/controller/action.py @@ -64,7 +64,7 @@ def action(): if conf.timeTest: conf.dumper.technic("time based blind sql injection payload", timeTest()) - if conf.unionTest and not kb.unionPosition: + if conf.unionTest and kb.unionPosition is None: conf.dumper.technic("valid union", unionTest()) # Enumeration options diff --git a/lib/core/agent.py b/lib/core/agent.py index 095e79d0e..b70700aa2 100644 --- a/lib/core/agent.py +++ b/lib/core/agent.py @@ -453,7 +453,7 @@ class Agent: query = query[len("TOP %s " % topNum):] inbandQuery += "TOP %s " % topNum - if not exprPosition: + if not isinstance(exprPosition, int): exprPosition = kb.unionPosition intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I) diff --git a/lib/core/session.py b/lib/core/session.py index 8cb2c955a..62a3f4ad7 100644 --- a/lib/core/session.py +++ b/lib/core/session.py @@ -232,7 +232,7 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond= kb.unionComment = comment kb.unionCount = count - if position: + if position is not None: condition = ( not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and ( not kb.resumedQueries[conf.url].has_key("Union position") 
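Review bot: The changed line `if conf.unionTest and kb.unionPosition is None:` is correct but the reason for it is invisible to the next reader: a position of 0 (payload landing in the first UNION column) is falsy, so the old `not kb.unionPosition` presumably treated an already-found first-column position as "not found" and re-ran the union test. A one-line comment above it would pin that down, e.g. `# 0 is a valid (first-column) position, so compare against None, not truthiness`. This is the first of roughly twenty sites in the commit that switch to the None test, so this is the natural place to state the convention once. action() continues outside the hunk.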
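Review bot: `if not isinstance(exprPosition, int):` uses a different predicate from the rest of this commit, which answers the same "is a position known" question with `is None` / `is not None` (action.py, session.py, inject.py and all plugin hunks); only agent.py and union/test.py test `isinstance(..., int)`. The two predicates disagree for any non-int, non-None value — a Python 2 `long`, or a position string read back from a session file — so the file-level "union available" decision and this per-query fallback to `kb.unionPosition` can go different ways; I cannot see exprPosition's default or how the position is restored on resume, so this is a consistency concern rather than an observed failure. Pick one predicate for the whole code base, and if the int check has to stay here, add a comment saying what non-int value it is guarding against. The enclosing method starts and ends outside the hunk.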
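Review bot: `if position is not None:` now lets position 0 reach the `condition = (...)` block on the following lines, but the other half of that contract is not visible here: whatever is later read back from the "Union position" session entry must come back as an int, not text, because `__unionConfirm` in this same commit tests `isinstance(kb.unionPosition, int)` while every other site tests `is not None`. If the resume path hands back a string, the `is not None` sites will treat the position as usable while the union test re-runs; worth confirming the resume code converts with `int(...)` or noting in a comment here that it does. setUnion continues past the end of the hunk.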
diff --git a/lib/request/inject.py b/lib/request/inject.py index 63384c431..40470decb 100644 --- a/lib/request/inject.py +++ b/lib/request/inject.py @@ -358,10 +358,10 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex if not value: warnMsg = "for some reason(s) it was not possible to retrieve " warnMsg += "the query output through error SQL injection " - warnMsg += "technique, sqlmap is going %s" % ("inband" if inband and kb.unionPosition else "blind") + warnMsg += "technique, sqlmap is going %s" % ("inband" if inband and kb.unionPosition is not None else "blind") logger.warn(warnMsg) - if inband and kb.unionPosition and not value: + if inband and kb.unionPosition is not None and not value: value = __goInband(expression, expected, sort, resumeValue, unpack, dump) if not value: diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py index 3620e9ce6..89d287143 100644 --- a/lib/techniques/inband/union/test.py +++ b/lib/techniques/inband/union/test.py 
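Review bot: The predicate `inband and kb.unionPosition is not None` is now spelled out twice within three lines — once to choose the word in the warning and once in the `if` that actually takes the inband route — so the message and the behaviour can silently drift the next time either is edited. Compute it once above the warning, `useInband = inband and kb.unionPosition is not None`, then write `"inband" if useInband else "blind"` in the message and `if useInband and not value:` for the branch. getValue begins and ends outside the hunk.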
@@ -108,23 +108,23 @@ def __unionConfirm(): # Assure that the above function found the exploitable full inband # SQL injection position if not isinstance(kb.unionPosition, int): - value = __unionPosition(falseCond=True) + value = __unionPosition(negative=True) # Assure that the above function found the exploitable partial - # (single entry) inband SQL injection position by appending - # a false condition after the parameter value + # (single entry) inband SQL injection position with negative + # parameter value if not isinstance(kb.unionPosition, int): - value = __unionPosition(negative=True) + value = __unionPosition(falseCond=True) # Assure that the above function found the exploitable partial - # (single entry) inband SQL injection position with negative - # parameter value + # (single entry) inband SQL injection position by appending + # a false condition after the parameter value if not isinstance(kb.unionPosition, int): return else: - setUnion(negative=True) + setUnion(falseCond=True) else: - setUnion(falseCond=True) + setUnion(negative=True) return value diff --git a/plugins/dbms/mssqlserver/enumeration.py b/plugins/dbms/mssqlserver/enumeration.py index 368dd7090..3d0feb48b 100644 --- a/plugins/dbms/mssqlserver/enumeration.py +++ b/plugins/dbms/mssqlserver/enumeration.py @@ -48,7 +48,7 @@ class Enumeration(GenericEnumeration): else: dbs = [conf.db] - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: for db in dbs: if conf.excludeSysDbs and db in self.excludeDbsList: infoMsg = "skipping system database '%s'" % db @@ -138,7 +138,7 @@ class Enumeration(GenericEnumeration): continue - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: query = rootQuery["inband"]["query"] % db query += tblQuery values = inject.getValue(query, blind=False, error=False) 
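Review bot: The three-deep `if not isinstance(kb.unionPosition, int):` pyramid this hunk reorders applies the same test after each fallback, with the matching `setUnion(...)` keyword duplicated in the two `else:` arms; swapping `negative` and `falseCond` had to be done consistently in four places plus two comment blocks, which is exactly how this kind of code drifts. Iterating over the two keyword sets makes the preference order a one-line data change and keeps each `__unionPosition` call paired with its `setUnion`. The bare `return` on the all-failed path (None rather than `value`) is preserved below. `__unionConfirm` starts before the hunk.
```python
    # … unchanged: earlier part of __unionConfirm …
    # Try a negative parameter value first, then an appended false
    # condition; stop at the first variant that yields an integer
    # position and record which one worked
    for kwargs in ({"negative": True}, {"falseCond": True}):
        if isinstance(kb.unionPosition, int):
            break

        value = __unionPosition(**kwargs)

        if isinstance(kb.unionPosition, int):
            setUnion(**kwargs)
            break

    if not isinstance(kb.unionPosition, int):
        return

    return value
```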
@@ -223,7 +223,7 @@ class Enumeration(GenericEnumeration): continue - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: query = rootQuery["inband"]["query"] % (db, db, db, db, db) query += " AND %s" % colQuery.replace("[DB]", db) values = inject.getValue(query, blind=False, error=False) diff --git a/plugins/dbms/mssqlserver/filesystem.py b/plugins/dbms/mssqlserver/filesystem.py index 272feedb2..fb46cf6e1 100644 --- a/plugins/dbms/mssqlserver/filesystem.py +++ b/plugins/dbms/mssqlserver/filesystem.py @@ -92,7 +92,7 @@ class Filesystem(GenericFilesystem): binToHexQuery = urlencode(binToHexQuery, convall=True) inject.goStacked(binToHexQuery) - if kb.unionPosition: + if kb.unionPosition is not None: result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False, error=False) if not result: diff --git a/plugins/dbms/oracle/enumeration.py b/plugins/dbms/oracle/enumeration.py index ff502b688..bf398d079 100644 --- a/plugins/dbms/oracle/enumeration.py +++ b/plugins/dbms/oracle/enumeration.py @@ -36,7 +36,7 @@ class Enumeration(GenericEnumeration): # Set containing the list of DBMS administrators areAdmins = set() - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: if query2: query = rootQuery.inband.query2 condition = rootQuery.inband.condition2 @@ -196,7 +196,7 @@ class Enumeration(GenericEnumeration): colQuery = colQuery % column for db in dbs.keys(): - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: query = rootQuery.inband.query query += colQuery values = inject.getValue(query, blind=False, error=False) diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py index 07d311c9a..6381215cc 100644 --- a/plugins/generic/enumeration.py +++ b/plugins/generic/enumeration.py 
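Review bot: In the mssqlserver/filesystem.py hunk, `result` is only assigned inside `if kb.unionPosition is not None:`, yet the very next context line reads `if not result:`; unless `result` is initialised earlier in the method (not visible in this hunk), that line raises NameError whenever no union position is known — precisely the stacked-query-only case this code path is meant to fall back to. If it is not already set, add `result = None` immediately before the `if`, or move the fallback into an `else:` so the name is never read unassigned. The enclosing method starts and ends outside the hunk.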
@@ -135,7 +135,7 @@ class Enumeration: condition = ( kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ) ) condition |= ( kb.dbms == "MySQL" and not kb.data.has_information_schema ) - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: if condition: query = rootQuery.inband.query2 else: @@ -194,7 +194,7 @@ class Enumeration: logger.info(infoMsg) - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ): query = rootQuery.inband.query2 else: @@ -393,7 +393,7 @@ class Enumeration: "E": "EXECUTE" } - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: if kb.dbms == "MySQL" and not kb.data.has_information_schema: query = rootQuery.inband.query2 condition = rootQuery.inband.condition2 @@ -639,7 +639,7 @@ class Enumeration: rootQuery = queries[kb.dbms].dbs - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: if kb.dbms == "MySQL" and not kb.data.has_information_schema: query = rootQuery.inband.query2 else: @@ -708,7 +708,7 @@ class Enumeration: rootQuery = queries[kb.dbms].tables - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: query = rootQuery.inband.query condition = rootQuery.inband.condition @@ -906,7 +906,7 @@ class Enumeration: infoMsg += "on database '%s'" % conf.db logger.info(infoMsg) - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: if kb.dbms in ( "MySQL", "PostgreSQL" ): query = rootQuery.inband.query % (conf.tbl, conf.db) query += condQuery @@ -1085,7 +1085,7 @@ class Enumeration: entriesCount = 0 - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: if kb.dbms == "Oracle": query = rootQuery.inband.query % (colString, conf.tbl.upper()) elif kb.dbms == "SQLite": 
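Review bot: `kb.unionPosition is not None or conf.direct` is written out verbatim in each of the seven hunks of this file and again in the mssqlserver and oracle plugin hunks, so the next change to the "can we go inband" rule has to be replayed at every copy, as this commit itself just had to do. A one-line helper in lib/core, e.g. `def isInbandAvailable(): return kb.unionPosition is not None or conf.direct`, called from each site would make the rule a single point of change and give the "0 is a valid position" subtlety one place for its explanatory comment. The Enumeration methods touched here all start and end outside their hunks.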
@@ -1343,7 +1343,7 @@ class Enumeration: dbQuery = "%s%s" % (dbCond, dbCondParam) dbQuery = dbQuery % db - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: if kb.dbms == "MySQL" and not kb.data.has_information_schema: query = rootQuery.inband.query2 else: @@ -1431,7 +1431,7 @@ class Enumeration: tblQuery = "%s%s" % (tblCond, tblCondParam) tblQuery = tblQuery % tbl - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: query = rootQuery.inband.query query += tblQuery query += exclDbsQuery @@ -1552,7 +1552,7 @@ class Enumeration: colQuery = "%s%s" % (colCond, colCondParam) colQuery = colQuery % column - if kb.unionPosition or conf.direct: + if kb.unionPosition is not None or conf.direct: query = rootQuery.inband.query query += colQuery query += exclDbsQuery