

Commit 067354b

committed
Revert of last commit and proper fix to detect UNION query SQL injection against Microsoft Access
1 parent c6a0b84 commit 067354b

4 files changed

Lines changed: 417 additions & 3 deletions


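--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -500,6 +500,22 @@ def concatQuery(self, query, unpack=True):
             elif fieldsNoSelect:
                 concatenatedQuery = "'%s'+%s+'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
 
+        elif Backend.isDbms(DBMS.ACCESS):
+            if fieldsExists:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
+                concatenatedQuery += "&'%s'" % kb.misc.stop
+            elif fieldsSelectCase:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&(SELECT " % kb.misc.start, 1)
+                concatenatedQuery += ")&'%s'" % kb.misc.stop
+            elif fieldsSelectFrom:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
+                concatenatedQuery = concatenatedQuery.replace(" FROM ", "&'%s' FROM " % kb.misc.stop, 1)
+            elif fieldsSelect:
+                concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'&" % kb.misc.start, 1)
+                concatenatedQuery += "&'%s'" % kb.misc.stop
+            elif fieldsNoSelect:
+                concatenatedQuery = "'%s'&%s&'%s'" % (kb.misc.start, concatenatedQuery, kb.misc.stop)
+
         else:
             concatenatedQuery = query
 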
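Review bot: The new `DBMS.ACCESS` branch carries no comment explaining why it differs from the branch above it only in the concatenation operator; a one-liner on the `elif Backend.isDbms(DBMS.ACCESS):` line such as `# Access (Jet SQL) concatenates strings with '&' rather than '+' or '||'` would save the next reader a comparison. The `fieldsExists` and `fieldsSelect` arms have byte-identical bodies; if `fieldsExists` does not need to take precedence over `fieldsSelectCase`/`fieldsSelectFrom` (the arm order suggests it might, so confirm before changing), they could be folded into one `elif fieldsExists or fieldsSelect:` arm. Each arm also relies on `str.replace("SELECT ", ..., 1)` matching an upper-case keyword, which mirrors the existing branches but is worth noting since a lower-case `select` would leave the query untouched. concatQuery begins and ends outside this hunk.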
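--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -183,7 +183,7 @@
 
 FROM_TABLE = {
     DBMS.ORACLE: " FROM DUAL",
-    DBMS.ACCESS: " FROM MSysAccessObjects%00",
+    DBMS.ACCESS: " FROM MSysAccessObjects",
     DBMS.FIREBIRD: " FROM RDB$DATABASE",
     DBMS.MAXDB: " FROM VERSIONS",
     DBMS.DB2: " FROM SYSIBM.SYSDUMMY1"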
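--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@@ -121,6 +121,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
     for position in positions:
         # Prepare expression with delimiters
         randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
+        phrase = "%s%s%s".lower() % (kb.misc.start, randQuery, kb.misc.stop)
         randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
         randQueryUnescaped = unescaper.unescape(randQueryProcessed)
 
@@ -134,13 +135,14 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
                 removeReflectiveValues(listToStrValue(headers.headers if headers else None), \
                 payload, True) or "")
 
-        if content and randQuery in content:
+        if content and phrase in content:
             validPayload = payload
             vector = (position, count, comment, prefix, suffix, kb.uChar, where)
 
         if where == PAYLOAD.WHERE.ORIGINAL:
             # Prepare expression with delimiters
             randQuery2 = randomStr(UNION_MIN_RESPONSE_CHARS)
+            phrase2 = "%s%s%s".lower() % (kb.misc.start, randQuery2, kb.misc.stop)
             randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
             randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
 
@@ -152,7 +154,7 @@ def __unionPosition(comment, place, parameter, value, prefix, suffix, count, whe
             page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
             content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "")
 
-            if content and ((randQuery in content and randQuery2 not in content) or (randQuery not in content and randQuery2 in content)):
+            if content and ((randQuery in content and phrase2 not in content) or (randQuery not in content and phrase2 in content)):
                 vector = (position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE)
 
         unionErrorCase = kb.errorIsNone and wasLastRequestDBMSError()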
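Review bot: The third hunk's new condition is asymmetric: it swaps `randQuery2` for the delimited `phrase2` but keeps the bare `randQuery` on the other side, so the first half of the check is still satisfied by a reflected random string with no delimiters, which is exactly what the `phrase` change in the second hunk was meant to rule out; it should read `if content and ((phrase in content and phrase2 not in content) or (phrase not in content and phrase2 in content)):`. Separately, in the two added `phrase` lines `.lower()` is applied to the literal template `"%s%s%s"` before the `%` substitution, so it never lowercases the delimiters or the random string; the same idiom is already used for `content` on the context line, so the comparison is consistently case-sensitive today, but if case-insensitive matching is intended both sides need the form `("%s%s%s" % (...)).lower()`. A short comment on the new lines, `# delimited marker expected in the response`, would also make clear why `phrase` is searched for rather than `randQuery`. __unionPosition begins and ends outside these hunks.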