Commit 90d9900

Minor bug fix to consider --start and --stop also in partial UNION query SQL injection
1 parent 4d46f99 commit 90d9900

3 files changed

Lines changed: 21 additions & 23 deletions


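--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -314,7 +314,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
 
 return returnValue
 
-def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True):
+def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True, dump=False):
 """
 Retrieve the output of a SQL query taking advantage of an inband SQL
 injection vulnerability on the affected parameter.
@@ -336,14 +336,14 @@ def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=Tr
 partial = True
 
 if not output:
-output = unionUse(expression, resetCounter=True, unpack=unpack)
+output = unionUse(expression, resetCounter=True, unpack=unpack, dump=dump)
 
 if output:
 data = parseUnionPage(output, expression, partial, condition, sort)
 
 return data
 
-def getValue(expression, blind=True, inband=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None):
+def getValue(expression, blind=True, inband=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False):
 """
 Called each time sqlmap inject a SQL query on the SQL injection
 affected parameter. It can call a function to retrieve the output
@@ -361,7 +361,7 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None,
 expression = expression.replace("DISTINCT ", "")
 
 if inband and kb.unionPosition:
-value = __goInband(expression, expected, sort, resumeValue, unpack)
+value = __goInband(expression, expected, sort, resumeValue, unpack, dump)
 
 if not value:
 warnMsg = "for some reasons it was not possible to retrieve "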
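Review bot: The new `dump` parameter added to `__goInband` and `getValue` is not described in either docstring, so a reader cannot tell what it changes; the `getValue` docstring should gain a line such as `dump: when True, the partial UNION path (unionUse) honours conf.limitStart/conf.limitStop`. The flag is also forwarded positionally in `value = __goInband(expression, expected, sort, resumeValue, unpack, dump)`, which silently misroutes if a parameter is ever inserted before it; `dump=dump` would pin it by name. Both function bodies continue outside these hunks, and as far as the hunks show `dump` only reaches the inband branch, so its effect on the blind path (if any) is not visible here.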

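--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -39,7 +39,7 @@
 
 reqCount = 0
 
-def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullChar="NULL", unpack=True):
+def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullChar="NULL", unpack=True, dump=False):
 """
 This function tests for an inband SQL injection on the target
 url then call its subsidiary function to effectively perform an
@@ -73,13 +73,6 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
 if ( kb.unionNegative or kb.unionFalseCond ) and not direct:
 _, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)
 
-if len(expressionFieldsList) > 1:
-infoMsg = "the SQL query provided has more than a field. "
-infoMsg += "sqlmap will now unpack it into distinct queries "
-infoMsg += "to be able to retrieve the output even if we "
-infoMsg += "are in front of a partial inband sql injection"
-logger.info(infoMsg)
-
 # We have to check if the SQL query might return multiple entries
 # and in such case forge the SQL limiting the query output one
 # entry per time
@@ -130,6 +123,11 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
 
 elif kb.dbms == "Microsoft SQL Server":
 stopLimit += startLimit
+elif dump:
+if conf.limitStart:
+startLimit = conf.limitStart
+if conf.limitStop:
+stopLimit = conf.limitStop
 
 if not stopLimit or stopLimit <= 1:
 if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
@@ -194,10 +192,14 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
 field = None
 
 limitedExpr = agent.limitQuery(num, expression, field)
-output = unionUse(limitedExpr, direct=True, unescape=False)
+output = resume(limitedExpr, None)
+
+if not output:
+output = unionUse(limitedExpr, direct=True, unescape=False)
 
 if output:
 value += output
+parseUnionPage(output, limitedExpr)
 
 return value
 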
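Review bot: The new `elif dump:` branch is a sibling of `elif kb.dbms == "Microsoft SQL Server": stopLimit += startLimit`, so whenever that branch (or an earlier one in the same chain, which lies outside the hunk) matches, the `--start`/`--stop` values are never consulted even though the commit message says they should now be considered; if they are meant to apply to every backend, assign `startLimit`/`stopLimit` from `conf.limitStart`/`conf.limitStop` before the backend-specific adjustment instead of as a competing branch. The `if conf.limitStart:` truthiness test also treats an explicit `--start 0` the same as an unset option, which may be intended but deserves a comment. In the last hunk, `parseUnionPage(output, limitedExpr)` discards its return value and runs even when `output` came from `resume(limitedExpr, None)`; a one-line comment saying it is called for its side effect (and whether re-parsing an already resumed value is harmless) would help the next reader. `unionUse` begins in the first hunk but its body continues past the last one.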

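--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -1331,7 +1331,7 @@ def dumpTable(self):
 query = rootQuery["inband"]["query"] % (colString, conf.tbl)
 else:
 query = rootQuery["inband"]["query"] % (colString, conf.db, conf.tbl)
-entries = inject.getValue(query, blind=False)
+entries = inject.getValue(query, blind=False, dump=True)
 
 if entries:
 if isinstance(entries, str):
@@ -1432,19 +1432,15 @@ def dumpTable(self):
 else:
 length = lengths[column]
 
-kb.data.dumpedTable[column] = {
-"length": length,
-"values": columnEntries,
-}
+kb.data.dumpedTable[column] = { "length": length,
+"values": columnEntries }
 
 entriesCount = len(columnEntries)
 
 if kb.data.dumpedTable:
-kb.data.dumpedTable["__infos__"] = {
-"count": entriesCount,
-"table": conf.tbl,
-"db": conf.db
-}
+kb.data.dumpedTable["__infos__"] = { "count": entriesCount,
+"table": conf.tbl,
+"db": conf.db }
 else:
 warnMsg = "unable to retrieve the entries of "
 if conf.col: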
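Review bot: The re-wrapped dict literals in the second hunk (`kb.data.dumpedTable[column] = { "length": length,` and the `__infos__` assignment) put spaces inside the braces, drop the trailing comma and rely on hanging alignment, which PEP 8 discourages and which will reflow again on the next edit; the original one-key-per-line form with a trailing comma was the conventional layout and the change carries no functional benefit. The only behavioural change in this file is `dump=True` in the `inject.getValue` call; a short comment there, e.g. `# dump=True lets the partial UNION path apply --start/--stop`, would explain why this call differs from the other getValue calls in the module. Both hunks are inside dumpTable, whose body starts and ends outside them.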
