Major bug fix to --union-test

2025-10-31 07:57:47 +03:00 · 2010-10-25 23:39:55 +00:00 · 2010-10-25 23:39:55 +00:00 · f5904d0bc0
commit f5904d0bc0
parent 7effd0c301
9 changed files with 29 additions and 29 deletions
--- a/lib/controller/action.py
+++ b/lib/controller/action.py
@ -64,7 +64,7 @@ def action():
    if conf.timeTest:
        conf.dumper.technic("time based blind sql injection payload", timeTest())
-    if conf.unionTest and not kb.unionPosition:
+    if conf.unionTest and kb.unionPosition is None:
        conf.dumper.technic("valid union", unionTest())
    # Enumeration options
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -453,7 +453,7 @@ class Agent:
            query        = query[len("TOP %s " % topNum):]
            inbandQuery += "TOP %s " % topNum
-        if not exprPosition:
+        if not isinstance(exprPosition, int):
            exprPosition = kb.unionPosition
        intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)
--- a/lib/core/session.py
+++ b/lib/core/session.py
@ -232,7 +232,7 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
        kb.unionComment = comment
        kb.unionCount = count
-    if position:
+    if position is not None:
        condition = (
                      not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
                      ( not kb.resumedQueries[conf.url].has_key("Union position")
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@ -358,10 +358,10 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
            if not value:
                warnMsg  = "for some reason(s) it was not possible to retrieve "
                warnMsg += "the query output through error SQL injection "
-                warnMsg += "technique, sqlmap is going %s" % ("inband" if inband and kb.unionPosition else "blind")
+                warnMsg += "technique, sqlmap is going %s" % ("inband" if inband and kb.unionPosition is not None else "blind")
                logger.warn(warnMsg)
-        if inband and kb.unionPosition and not value:
+        if inband and kb.unionPosition is not None and not value:
            value = __goInband(expression, expected, sort, resumeValue, unpack, dump)
            if not value:
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@ -108,23 +108,23 @@ def __unionConfirm():
        # Assure that the above function found the exploitable full inband
        # SQL injection position
        if not isinstance(kb.unionPosition, int):
-            value = __unionPosition(falseCond=True)
+            value = __unionPosition(negative=True)
            # Assure that the above function found the exploitable partial
-            # (single entry) inband SQL injection position by appending
+            # (single entry) inband SQL injection position with negative
-            # a false condition after the parameter value
+            # parameter value
            if not isinstance(kb.unionPosition, int):
-                value = __unionPosition(negative=True)
+                value = __unionPosition(falseCond=True)
                # Assure that the above function found the exploitable partial
-                # (single entry) inband SQL injection position with negative
+                # (single entry) inband SQL injection position by appending
-                # parameter value
+                # a false condition after the parameter value
                if not isinstance(kb.unionPosition, int):
                    return
                else:
-                    setUnion(negative=True)
+                    setUnion(falseCond=True)
            else:
-                setUnion(falseCond=True)
+                setUnion(negative=True)
    return value
--- a/plugins/dbms/mssqlserver/enumeration.py
+++ b/plugins/dbms/mssqlserver/enumeration.py
@ -48,7 +48,7 @@ class Enumeration(GenericEnumeration):
            else:
                dbs = [conf.db]
-        if kb.unionPosition or conf.direct:
+        if kb.unionPosition is not None or conf.direct:
            for db in dbs:
                if conf.excludeSysDbs and db in self.excludeDbsList:
                    infoMsg = "skipping system database '%s'" % db
@ -138,7 +138,7 @@ class Enumeration(GenericEnumeration):
                    continue
-                if kb.unionPosition or conf.direct:
+                if kb.unionPosition is not None or conf.direct:
                    query = rootQuery["inband"]["query"] % db
                    query += tblQuery
                    values = inject.getValue(query, blind=False, error=False)
@ -223,7 +223,7 @@ class Enumeration(GenericEnumeration):
                    continue
-                if kb.unionPosition or conf.direct:
+                if kb.unionPosition is not None or conf.direct:
                    query = rootQuery["inband"]["query"] % (db, db, db, db, db)
                    query += " AND %s" % colQuery.replace("[DB]", db)
                    values = inject.getValue(query, blind=False, error=False)
--- a/plugins/dbms/mssqlserver/filesystem.py
+++ b/plugins/dbms/mssqlserver/filesystem.py
@ -92,7 +92,7 @@ class Filesystem(GenericFilesystem):
        binToHexQuery = urlencode(binToHexQuery, convall=True)
        inject.goStacked(binToHexQuery)
-        if kb.unionPosition:
+        if kb.unionPosition is not None:
            result = inject.getValue("SELECT %s FROM %s ORDER BY id ASC" % (self.tblField, hexTbl), sort=False, resumeValue=False, blind=False, error=False)
        if not result:
--- a/plugins/dbms/oracle/enumeration.py
+++ b/plugins/dbms/oracle/enumeration.py
@ -36,7 +36,7 @@ class Enumeration(GenericEnumeration):
        # Set containing the list of DBMS administrators
        areAdmins = set()
-        if kb.unionPosition or conf.direct:
+        if kb.unionPosition is not None or conf.direct:
            if query2:
                query     = rootQuery.inband.query2
                condition = rootQuery.inband.condition2
@ -196,7 +196,7 @@ class Enumeration(GenericEnumeration):
            colQuery = colQuery % column
            for db in dbs.keys():
-                if kb.unionPosition or conf.direct:
+                if kb.unionPosition is not None or conf.direct:
                    query = rootQuery.inband.query
                    query += colQuery
                    values = inject.getValue(query, blind=False, error=False)
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -135,7 +135,7 @@ class Enumeration:
        condition  = ( kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ) )
        condition |= ( kb.dbms == "MySQL" and not kb.data.has_information_schema )
-        if kb.unionPosition or conf.direct:
+        if kb.unionPosition is not None or conf.direct:
            if condition:
                query = rootQuery.inband.query2
            else:
@ -194,7 +194,7 @@ class Enumeration:
        logger.info(infoMsg)
-        if kb.unionPosition or conf.direct:
+        if kb.unionPosition is not None or conf.direct:
            if kb.dbms == "Microsoft SQL Server" and kb.dbmsVersion[0] in ( "2005", "2008" ):
                query = rootQuery.inband.query2
            else:
@ -393,7 +393,7 @@ class Enumeration:
                         "E": "EXECUTE"
                     }
-        if kb.unionPosition or conf.direct:
+        if kb.unionPosition is not None or conf.direct:
            if kb.dbms == "MySQL" and not kb.data.has_information_schema:
                query     = rootQuery.inband.query2
                condition = rootQuery.inband.condition2
@ -639,7 +639,7 @@ class Enumeration:
        rootQuery = queries[kb.dbms].dbs
-        if kb.unionPosition or conf.direct:
+        if kb.unionPosition is not None or conf.direct:
            if kb.dbms == "MySQL" and not kb.data.has_information_schema:
                query = rootQuery.inband.query2
            else:
@ -708,7 +708,7 @@ class Enumeration:
        rootQuery = queries[kb.dbms].tables
-        if kb.unionPosition or conf.direct:
+        if kb.unionPosition is not None or conf.direct:
            query = rootQuery.inband.query
            condition = rootQuery.inband.condition
@ -906,7 +906,7 @@ class Enumeration:
        infoMsg += "on database '%s'" % conf.db
        logger.info(infoMsg)
-        if kb.unionPosition or conf.direct:
+        if kb.unionPosition is not None or conf.direct:
            if kb.dbms in ( "MySQL", "PostgreSQL" ):
                query = rootQuery.inband.query % (conf.tbl, conf.db)
                query += condQuery
@ -1085,7 +1085,7 @@ class Enumeration:
        entriesCount = 0
-        if kb.unionPosition or conf.direct:
+        if kb.unionPosition is not None or conf.direct:
            if kb.dbms == "Oracle":
                query = rootQuery.inband.query % (colString, conf.tbl.upper())
            elif kb.dbms == "SQLite":
@ -1343,7 +1343,7 @@ class Enumeration:
            dbQuery = "%s%s" % (dbCond, dbCondParam)
            dbQuery = dbQuery % db
-            if kb.unionPosition or conf.direct:
+            if kb.unionPosition is not None or conf.direct:
                if kb.dbms == "MySQL" and not kb.data.has_information_schema:
                    query = rootQuery.inband.query2
                else:
@ -1431,7 +1431,7 @@ class Enumeration:
            tblQuery = "%s%s" % (tblCond, tblCondParam)
            tblQuery = tblQuery % tbl
-            if kb.unionPosition or conf.direct:
+            if kb.unionPosition is not None or conf.direct:
                query = rootQuery.inband.query
                query += tblQuery
                query += exclDbsQuery
@ -1552,7 +1552,7 @@ class Enumeration:
            colQuery = "%s%s" % (colCond, colCondParam)
            colQuery = colQuery % column
-            if kb.unionPosition or conf.direct:
+            if kb.unionPosition is not None or conf.direct:
                query = rootQuery.inband.query
                query += colQuery
                query += exclDbsQuery