

Commit 8d07272

committed
Added --union-cols switch to specify the max number of columns to test for UNION query sql injection.
It now also stores/resumes the exact UNION payload in the session file.
1 parent df5dc10 commit 8d07272

6 files changed

Lines changed: 36 additions & 10 deletions


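--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -78,7 +78,8 @@
 "timeTest": "boolean",
 "timeSec": "integer",
 "unionTest": "boolean",
-"uTech": "string"
+"uTech": "string",
+"uCols": "integer"
 },
 
 "Fingerprint": {
@@ -115,7 +116,7 @@
 
 "Brute": {
 "commonTables": "boolean",
-"commonColumns": "boolean",
+"commonColumns": "boolean"
 },
 
 "User-defined function": {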

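--- a/lib/core/session.py
+++ b/lib/core/session.py
@@ -207,7 +207,7 @@ def setError():
 if condition:
 dataToSessionFile("[%s][%s][%s][Error based injection][Yes]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace])))
 
-def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False):
+def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False, payload=None):
 """
 @param comment: union comment to save in session file
 @type comment: C{str}
@@ -270,6 +270,18 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
 
 kb.unionFalseCond = True
 
+if payload:
+condition = (
+not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+( not kb.resumedQueries[conf.url].has_key("Union payload")
+) )
+)
+
+if condition:
+dataToSessionFile("[%s][%s][%s][Union payload][%s]\n" % (conf.url, kb.injPlace, safeFormatString(conf.parameters[kb.injPlace]), payload))
+
+kb.unionTest = payload
+
 def setRemoteTempPath():
 condition = (
 not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@@ -483,6 +495,13 @@ def resumeConfKb(expression, url, value):
 logMsg += "%s from session file" % kb.unionPosition
 logger.info(logMsg)
 
+elif expression == "Union payload" and url == conf.url:
+kb.unionTest = value[:-1]
+
+logMsg = "resuming union payload "
+logMsg += "%s from session file" % kb.unionTest
+logger.info(logMsg)
+
 elif expression == "Remote temp path" and url == conf.url:
 conf.tmpPath = unSafeFormatString(value[:-1])
 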
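--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -243,6 +243,9 @@ def cmdLineParser():
 techniques.add_option("--union-tech", dest="uTech",
 help="Technique to test for UNION query SQL injection")
 
+techniques.add_option("--union-cols", dest="uCols", type="int", default=50,
+help="Maximum number of columns to test for")
+
 # Fingerprint options
 fingerprint = OptionGroup(parser, "Fingerprint")
 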
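--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@@ -124,7 +124,7 @@ def __unionTestByNULLBruteforce(comment, negative=False, falseCond=False):
 columns = None
 query = agent.prefixQuery("UNION ALL SELECT NULL")
 
-for count in range(0, 50):
+for count in range(0, conf.uCols+1):
 if kb.dbms == DBMS.ORACLE and query.endswith(" FROM DUAL"):
 query = query[:-len(" FROM DUAL")]
 
@@ -149,7 +149,7 @@ def __unionTestByOrderBy(comment, negative=False, falseCond=False):
 columns = None
 prevPayload = ""
 
-for count in range(1, 51):
+for count in range(1, conf.uCols+2):
 query = agent.prefixQuery("ORDER BY %d" % count)
 orderByQuery = agent.postfixQuery(query, comment)
 payload = agent.payload(newValue=orderByQuery, negative=negative, falseCond=falseCond)
@@ -224,9 +224,7 @@ def unionTest():
 warnMsg += "inband sql injection vulnerability"
 logger.warn(warnMsg)
 
-if validPayload is None:
-validPayload = ""
-elif isinstance(validPayload, basestring):
-kb.unionTest = agent.removePayloadDelimiters(validPayload, False)
+validPayload = agent.removePayloadDelimiters(validPayload, False)
+setUnion(payload=validPayload)
 
 return kb.unionTest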
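--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -46,7 +46,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
 if resetCounter:
 reqCount = 0
 
-if not kb.unionCount:
+if not kb.unionTest:
 unionTest()
 
 if not kb.unionCount: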

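--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -262,6 +262,11 @@ unionTest = False
 # Default: NULL
 uTech = NULL
 
+# Maximum number of columns to test for
+# Valid: integer
+# Default: 50
+uCols = 50
+
 
 [Fingerprint]
 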