Consistency between --*-test switches/output

bdamele · bdamele · commit 45ec8c169a9b · 2010-11-08T16:46:25.000Z
diff --git a/lib/core/option.py b/lib/core/option.py
@@ -1112,6 +1112,7 @@ def __setKnowledgeBaseAttributes():
     kb.unionPosition   = None
     kb.unionNegative   = False
     kb.unionFalseCond  = False
+    kb.unionTest       = None
     kb.userAgents      = None
     kb.valueStack      = []
 
diff --git a/lib/request/inject.py b/lib/request/inject.py
@@ -353,7 +353,7 @@ def getValue(expression, blind=True, inband=True, error=True, fromUser=False, ex
         expression = expression.replace("DISTINCT ", "")
 
         if error and conf.errorTest:
-            value = errorUse(expression)
+            value = goError(expression)
 
             if not value:
                 warnMsg  = "for some reason(s) it was not possible to retrieve "
@@ -408,7 +408,12 @@ def goStacked(expression, silent=False):
     return payload, page
 
 def goError(expression, suppressOutput=False, returnPayload=False):
-    #expression = cleanQuery(expression)
+    """
+    Retrieve the output of a SQL query taking advantage of an error-based
+    SQL injection vulnerability on the affected parameter.
+    """
+
+    result = None
 
     if suppressOutput:
         pushValue(conf.verbose)
@@ -417,9 +422,21 @@ def goError(expression, suppressOutput=False, returnPayload=False):
     if conf.direct:
         return direct(expression), None
 
-    result, payload = errorUse(expression, returnPayload)
+    condition = (
+                  kb.resumedQueries and conf.url in kb.resumedQueries.keys()
+                  and expression in kb.resumedQueries[conf.url].keys()
+                )
+
+    if condition:
+        result = resume(expression, None)
+
+    if not result:
+        result = errorUse(expression, returnPayload)
+
+        if not returnPayload:
+            dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, result))
 
     if suppressOutput:
         conf.verbose = popValue()
 
-    return result, payload
+    return result
diff --git a/lib/techniques/blind/timebased.py b/lib/techniques/blind/timebased.py
@@ -19,6 +19,9 @@
 from lib.request.connect import Connect as Request
 
 def timeTest():
+    if kb.timeTest is not None:
+        return kb.timeTest
+
     infoMsg  = "testing time-based blind sql injection on parameter "
     infoMsg += "'%s' with %s condition syntax" % (kb.injParameter, conf.logic)
     logger.info(infoMsg)
@@ -37,7 +40,7 @@ def timeTest():
         infoMsg += "'%s'" % kb.injParameter
         logger.info(infoMsg)
 
-        kb.timeTest = payload
+        kb.timeTest = agent.removePayloadDelimiters(payload, False)
     else:
         warnMsg  = "the target url is not affected by a time-based blind "
         warnMsg += "sql injection with AND condition syntax on parameter "
@@ -59,7 +62,7 @@ def timeTest():
             infoMsg += "'%s'" % kb.injParameter
             logger.info(infoMsg)
 
-            kb.timeTest = payload
+            kb.timeTest = agent.removePayloadDelimiters(payload, False)
         else:
             warnMsg  = "the target url is not affected by a time-based blind "
             warnMsg += "sql injection with stacked queries syntax on parameter "
diff --git a/lib/techniques/error/test.py b/lib/techniques/error/test.py
@@ -9,6 +9,7 @@
 
 import time
 
+from lib.core.agent import agent
 from lib.core.common import getUnicode
 from lib.core.common import randomInt
 from lib.core.data import conf
@@ -38,7 +39,7 @@ def errorTest():
         infoMsg += "injection on parameter '%s'" % kb.injParameter
         logger.info(infoMsg)
 
-        kb.errorTest = True
+        kb.errorTest = agent.removePayloadDelimiters(usedPayload, False)
     else:
         warnMsg  = "the target url is not affected by an error-based sql "
         warnMsg += "injection on parameter '%s'" % kb.injParameter
@@ -48,7 +49,4 @@ def errorTest():
 
     setError()
 
-    if kb.errorTest:
-        return usedPayload
-    else:
-        return False
+    return kb.errorTest
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
@@ -73,6 +73,7 @@ def errorUse(expression, returnPayload=False):
 
     if match:
         output = match.group('result')
+
         if output:
             output = output.replace(ERROR_SPACE, " ").replace(ERROR_EMPTY_CHAR, "")
 
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
@@ -174,8 +174,8 @@ def unionTest():
     if conf.direct:
         return
 
-    if kb.unionCount is not None and kb.unionPosition is not None:
-        return
+    if kb.unionTest is not None:
+        return kb.unionTest
 
     if conf.uTech == "orderby":
         technique = "ORDER BY clause bruteforcing"
@@ -209,5 +209,7 @@ def unionTest():
 
     if validPayload is None:
         validPayload = ""
+    elif isinstance(validPayload, basestring):
+        kb.unionTest = agent.removePayloadDelimiters(validPayload, False)
 
-    return validPayload
+    return kb.unionTest
diff --git a/lib/techniques/outband/stacked.py b/lib/techniques/outband/stacked.py
@@ -9,6 +9,7 @@
 
 import time
 
+from lib.core.agent import agent
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import getDelayQuery
 from lib.core.data import conf
@@ -38,7 +39,7 @@ def stackedTest():
         infoMsg += "sql injection on parameter '%s'" % kb.injParameter
         logger.info(infoMsg)
 
-        kb.stackedTest = payload
+        kb.stackedTest = agent.removePayloadDelimiters(payload, False)
     else:
         warnMsg  = "the target url is not affected by a stacked queries "
         warnMsg += "sql injection on parameter '%s'" % kb.injParameter
