Store and resume also UNION char to session file (--union-char)

bdamele · bdamele · commit c00ea7f5e529 · 2010-12-01T10:59:58.000Z
diff --git a/lib/core/session.py b/lib/core/session.py
@@ -215,7 +215,7 @@ def setTimeBased(place, parameter, payload):
     if condition:
         dataToSessionFile("[%s][%s][%s][Time-based blind injection][%s]\n" % (conf.url, place, safeFormatString(conf.parameters[place]), payload))
 
-def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False, payload=None):
+def setUnion(comment=None, count=None, position=None, negative=False, falseCond=False, char=None, payload=None):
     """
     @param comment: union comment to save in session file
     @type comment: C{str}
@@ -284,6 +284,16 @@ def setUnion(comment=None, count=None, position=None, negative=False, falseCond=
 
         kb.unionFalseCond = True
 
+    if char:
+        condition = (
+                      not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
+                      ( not kb.resumedQueries[conf.url].has_key("Union char")
+                      ) )
+                    )
+
+        if condition:
+            dataToSessionFile("[%s][%s][%s][Union char][%s]\n" % (conf.url, kb.injection.place, safeFormatString(conf.parameters[kb.injection.place]), char))
+
     if payload:
         condition = (
                       not kb.resumedQueries or ( kb.resumedQueries.has_key(conf.url) and
@@ -568,6 +578,12 @@ def resumeConfKb(expression, url, value):
         logMsg = "resuming union false condition from session file"
         logger.info(logMsg)
 
+    elif expression == "Union char" and url == conf.url:
+        conf.uChar = value[:-1]
+
+        logMsg = "resuming union char %s from session file" % conf.uChar
+        logger.info(logMsg)
+
     elif expression == "Union payload" and url == conf.url:
         kb.unionTest = value[:-1]
 
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
@@ -138,26 +138,24 @@ def unionTest():
     infoMsg += "'%s' with %s technique" % (kb.injection.parameter, technique)
     logger.info(infoMsg)
 
-    validPayload = None
     comment = queries[kb.dbms].comment.query
-
     validPayload = __unionTestByCharBruteforce(comment)
 
     if validPayload:
+        validPayload = agent.removePayloadDelimiters(validPayload, False)
+        setUnion(char=conf.uChar)
         setUnion(comment=comment)
+        setUnion(payload=validPayload)
 
-    if isinstance(kb.unionPosition, int):
-        infoMsg  = "the target url is affected by an exploitable "
+    if kb.unionTest is not None:
+        infoMsg = "the target url is affected by an exploitable "
         infoMsg += "inband sql injection vulnerability "
         infoMsg += "on parameter '%s' with %d columns" % (kb.injection.parameter, kb.unionCount)
         logger.info(infoMsg)
     else:
-        infoMsg  = "the target url is not affected by an exploitable "
+        infoMsg = "the target url is not affected by an exploitable "
         infoMsg += "inband sql injection vulnerability "
         infoMsg += "on parameter '%s'" % kb.injection.parameter
         logger.info(infoMsg)
 
-    validPayload = agent.removePayloadDelimiters(validPayload, False)
-    setUnion(payload=validPayload)
-
     return kb.unionTest
