Implementation for an Issue #423

stamparm · stamparm · commit ad039c335dbe · 2013-03-21T11:28:44.000+01:00
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -647,7 +647,10 @@ def forgeUnionQuery(self, query, position, count, comment, prefix, suffix, char,
         @rtype: C{str}
         """
 
-        fromTable = fromTable or FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), "")
+        if conf.uFrom:
+            fromTable = " FROM %s" % conf.uFrom
+        else:
+            fromTable = fromTable or FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), "")
 
         if query.startswith("SELECT "):
             query = query[len("SELECT "):]
diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
@@ -88,6 +88,7 @@
                                "timeSec":           "integer",
                                "uCols":             "string",
                                "uChar":             "string",
+                               "uFrom":             "string",
                                "dnsName":           "string",
                                "secondOrder":       "string",
                              },
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -287,6 +287,9 @@ def cmdLineParser():
         techniques.add_option("--union-char", dest="uChar",
                               help="Character to use for bruteforcing number of columns")
 
+        techniques.add_option("--union-from", dest="uFrom",
+                              help="Table to use in FROM part of UNION query SQL injection")
+
         techniques.add_option("--dns-domain", dest="dnsName",
                               help="Domain name used for DNS exfiltration attack")
 
diff --git a/sqlmap.conf b/sqlmap.conf
@@ -303,6 +303,11 @@ uCols =
 # Example: NULL
 uChar = 
 
+# Table to use in FROM part of UNION query SQL injection
+# Valid: string
+# Example: INFORMATION_SCHEMA.COLLATIONS
+uFrom = 
+
 # Domain name used for DNS exfiltration attack
 # Valid: string
 dnsName =
