Thanks to visit codestin.com
Credit goes to github.com

Skip to content

Commit c1b8226

Browse files
stamparmstamparm
committed
Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)
1 parent a435ba6 commit c1b8226

16 files changed

Lines changed: 92 additions & 94 deletions

File tree

lib/controller/checks.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -436,7 +436,7 @@ def genCmpPayload():
436436
# Test for UNION injection and set the sample
437437
# payload as well as the vector.
438438
# NOTE: vector is set to a tuple with 6 elements,
439-
# used afterwards by Agent.forgeInbandQuery()
439+
# used afterwards by Agent.forgeUnionQuery()
440440
# method to forge the UNION query payload
441441

442442
configUnion(test.request.char, test.request.columns)

lib/controller/controller.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -133,7 +133,7 @@ def __formatInjection(inj):
133133
if stype == PAYLOAD.TECHNIQUE.UNION:
134134
count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1
135135
title = re.sub(r"\d+ to \d+", str(count), title)
136-
vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
136+
vector = agent.forgeUnionQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
137137
if count == 1:
138138
title = title.replace("columns", "column")
139139
elif comment:

lib/core/agent.py

Lines changed: 24 additions & 24 deletions
Original file line numberDiff line numberDiff line change
@@ -561,7 +561,7 @@ def concatQuery(self, query, unpack=True):
561561

562562
return concatenatedQuery
563563

564-
def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
564+
def forgeUnionQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
565565
"""
566566
Take in input an query (pseudo query) string and return its
567567
processed UNION ALL SELECT query.
@@ -602,72 +602,72 @@ def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char
602602
if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ):
603603
limitOriginal = "%s " % (queries[Backend.getIdentifiedDbms()].limit.query % (0, 1))
604604

605-
inbandQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix)
605+
unionQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix)
606606

607607
if limited:
608-
inbandQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count))
609-
inbandQuery += fromTable
610-
inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
608+
unionQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count))
609+
unionQuery += fromTable
610+
unionQuery = self.suffixQuery(unionQuery, comment, suffix)
611611

612-
return inbandQuery
612+
return unionQuery
613613

614614
topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I)
615615
if topNumRegex:
616616
topNum = topNumRegex.group(1)
617617
query = query[len("TOP %s " % topNum):]
618-
inbandQuery += "TOP %s " % topNum
618+
unionQuery += "TOP %s " % topNum
619619

620620
intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)
621621

622622
if intoRegExp:
623623
intoRegExp = intoRegExp.group(1)
624624
query = query[:query.index(intoRegExp)]
625625

626-
if fromTable and inbandQuery.endswith(fromTable):
627-
inbandQuery = inbandQuery[:-len(fromTable)]
626+
if fromTable and unionQuery.endswith(fromTable):
627+
unionQuery = unionQuery[:-len(fromTable)]
628628

629629
for element in xrange(0, count):
630630
if element > 0:
631-
inbandQuery += ','
631+
unionQuery += ','
632632

633633
if element == position:
634634
if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "):
635635
conditionIndex = query.index(" FROM ")
636-
inbandQuery += query[:conditionIndex]
636+
unionQuery += query[:conditionIndex]
637637
else:
638-
inbandQuery += query
638+
unionQuery += query
639639
else:
640-
inbandQuery += char
640+
unionQuery += char
641641

642642
if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "):
643643
conditionIndex = query.index(" FROM ")
644-
inbandQuery += query[conditionIndex:]
644+
unionQuery += query[conditionIndex:]
645645

646646
if fromTable:
647-
if " FROM " not in inbandQuery or "(CASE " in inbandQuery or "(IIF" in inbandQuery:
648-
inbandQuery += fromTable
647+
if " FROM " not in unionQuery or "(CASE " in unionQuery or "(IIF" in unionQuery:
648+
unionQuery += fromTable
649649

650650
if intoRegExp:
651-
inbandQuery += intoRegExp
651+
unionQuery += intoRegExp
652652

653653
if multipleUnions:
654-
inbandQuery += " UNION ALL SELECT "
654+
unionQuery += " UNION ALL SELECT "
655655

656656
for element in xrange(count):
657657
if element > 0:
658-
inbandQuery += ','
658+
unionQuery += ','
659659

660660
if element == position:
661-
inbandQuery += multipleUnions
661+
unionQuery += multipleUnions
662662
else:
663-
inbandQuery += char
663+
unionQuery += char
664664

665665
if fromTable:
666-
inbandQuery += fromTable
666+
unionQuery += fromTable
667667

668-
inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
668+
unionQuery = self.suffixQuery(unionQuery, comment, suffix)
669669

670-
return inbandQuery
670+
return unionQuery
671671

672672
def limitQuery(self, num, query, field=None, uniqueField=None):
673673
"""

lib/core/common.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1150,7 +1150,7 @@ def getLimitRange(count, dump=False, plusOne=False):
11501150

11511151
def parseUnionPage(page):
11521152
"""
1153-
Returns resulting items from inband query inside provided page content
1153+
Returns resulting items from union query inside provided page content
11541154
"""
11551155

11561156
if page is None:

lib/core/settings.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -435,7 +435,7 @@
435435
# Alphabet used for prefix and suffix strings of name resolution requests in DNS technique (excluding hexadecimal chars for not mixing with inner content)
436436
DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.letters)
437437

438-
# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION/inband injections)
438+
# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections)
439439
MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024
440440

441441
# Maximum response total page size (trimmed if larger)

lib/request/inject.py

Lines changed: 6 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -347,9 +347,9 @@ def __goBooleanProxy(expression):
347347

348348
return output
349349

350-
def __goInband(expression, unpack=True, dump=False):
350+
def __goUnion(expression, unpack=True, dump=False):
351351
"""
352-
Retrieve the output of a SQL query taking advantage of an inband SQL
352+
Retrieve the output of a SQL query taking advantage of an union SQL
353353
injection vulnerability on the affected parameter.
354354
"""
355355

@@ -360,12 +360,10 @@ def __goInband(expression, unpack=True, dump=False):
360360

361361
return output
362362

363-
def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
363+
def getValue(expression, blind=True, union=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
364364
"""
365365
Called each time sqlmap inject a SQL query on the SQL injection
366-
affected parameter. It can call a function to retrieve the output
367-
through inband SQL injection (if selected) and/or blind SQL injection
368-
(if selected).
366+
affected parameter.
369367
"""
370368

371369
kb.safeCharEncode = safeCharEncode
@@ -400,9 +398,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
400398
query = query.replace("DISTINCT ", "")
401399

402400
if not conf.forceDns:
403-
if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
401+
if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
404402
kb.technique = PAYLOAD.TECHNIQUE.UNION
405-
value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
403+
value = __goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
406404
count += 1
407405
found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
408406

lib/takeover/xp_cmdshell.py

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -213,12 +213,12 @@ def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
213213
output = inject.getValue(query, resumeValue=False, blind=False, time=False)
214214
else:
215215
output = []
216-
count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
216+
count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
217217

218218
if isNumPosStrValue(count):
219219
for index in getLimitRange(count):
220220
query = agent.limitQuery(index, query, self.tblField)
221-
output.append(inject.getValue(query, inband=False, error=False, resumeValue=False))
221+
output.append(inject.getValue(query, union=False, error=False, resumeValue=False))
222222

223223
inject.goStacked("DELETE FROM %s" % self.cmdTblName)
224224

lib/techniques/union/test.py

Lines changed: 11 additions & 11 deletions
Original file line numberDiff line numberDiff line change
@@ -101,7 +101,7 @@ def __orderByTest(cols):
101101
pages = {}
102102

103103
for count in xrange(lowerCount, upperCount+1):
104-
query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
104+
query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
105105
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
106106
page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
107107
if not isNullValue(kb.uChar):
@@ -166,16 +166,16 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
166166

167167
# For each column of the table (# of NULL) perform a request using
168168
# the UNION ALL SELECT statement to test it the target url is
169-
# affected by an exploitable inband SQL injection vulnerability
169+
# affected by an exploitable union SQL injection vulnerability
170170
for position in positions:
171171
# Prepare expression with delimiters
172172
randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
173173
phrase = "%s%s%s".lower() % (kb.chars.start, randQuery, kb.chars.stop)
174174
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
175175
randQueryUnescaped = unescaper.unescape(randQueryProcessed)
176176

177-
# Forge the inband SQL injection request
178-
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where)
177+
# Forge the union SQL injection request
178+
query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where)
179179
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
180180

181181
# Perform the request
@@ -196,8 +196,8 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
196196
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
197197
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
198198

199-
# Confirm that it is a full inband SQL injection
200-
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2)
199+
# Confirm that it is a full union SQL injection
200+
query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2)
201201
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
202202

203203
# Perform the request
@@ -210,7 +210,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
210210
fromTable = " FROM (%s) AS %s" % (" UNION ".join("SELECT %d%s%s" % (_, FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), ""), " AS %s" % randomStr() if _ == 0 else "") for _ in xrange(LIMITED_ROWS_TEST_NUMBER)), randomStr())
211211

212212
# Check for limited row output
213-
query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable)
213+
query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable)
214214
payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
215215

216216
# Perform the request
@@ -239,11 +239,11 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count):
239239
validPayload = None
240240
vector = None
241241

242-
# Confirm the inband SQL injection and get the exact column
242+
# Confirm the union SQL injection and get the exact column
243243
# position which can be used to extract data
244244
validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count)
245245

246-
# Assure that the above function found the exploitable full inband
246+
# Assure that the above function found the exploitable full union
247247
# SQL injection position
248248
if not validPayload:
249249
validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLOAD.WHERE.NEGATIVE)
@@ -252,7 +252,7 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count):
252252

253253
def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix):
254254
"""
255-
This method tests if the target url is affected by an inband
255+
This method tests if the target url is affected by an union
256256
SQL injection vulnerability. The test is done up to 50 columns
257257
on the target database table
258258
"""
@@ -297,7 +297,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
297297

298298
def unionTest(comment, place, parameter, value, prefix, suffix):
299299
"""
300-
This method tests if the target url is affected by an inband
300+
This method tests if the target url is affected by an union
301301
SQL injection vulnerability. The test is done up to 3*50 times
302302
"""
303303

lib/techniques/union/use.py

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,7 @@
4848
from lib.request.connect import Connect as Request
4949

5050
def __oneShotUnionUse(expression, unpack=True, limited=False):
51-
retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True) # as inband data is stored raw unconverted
51+
retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True) # as union data is stored raw unconverted
5252

5353
threadData = getCurrentThreadData()
5454
threadData.resumed = retVal is not None
@@ -59,10 +59,10 @@ def __oneShotUnionUse(expression, unpack=True, limited=False):
5959

6060
where = PAYLOAD.WHERE.NEGATIVE if conf.limitStart or conf.limitStop else None
6161

62-
# Forge the inband SQL injection request
62+
# Forge the union SQL injection request
6363
vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
6464
kb.unionDuplicates = vector[7]
65-
query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
65+
query = agent.forgeUnionQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
6666
payload = agent.payload(newValue=query, where=where)
6767

6868
# Perform the request
@@ -90,7 +90,7 @@ def _(regex):
9090
if retVal is not None:
9191
retVal = getUnicode(retVal, kb.pageEncoding)
9292

93-
# Special case when DBMS is Microsoft SQL Server and error message is used as a result of inband injection
93+
# Special case when DBMS is Microsoft SQL Server and error message is used as a result of union injection
9494
if Backend.isDbms(DBMS.MSSQL) and wasLastRequestDBMSError():
9595
retVal = htmlunescape(retVal).replace("<br>", "\n")
9696

@@ -140,9 +140,9 @@ def __configUnionCols(columns):
140140

141141
def unionUse(expression, unpack=True, dump=False):
142142
"""
143-
This function tests for an inband SQL injection on the target
143+
This function tests for an union SQL injection on the target
144144
url then call its subsidiary function to effectively perform an
145-
inband SQL injection on the affected url
145+
union SQL injection on the affected url
146146
"""
147147

148148
initTechnique(PAYLOAD.TECHNIQUE.UNION)
@@ -341,7 +341,7 @@ def unionThread():
341341
kb.suppressResumeInfo = False
342342

343343
if not value and not abortedFlag:
344-
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full inband doesn't play well with ORDER BY
344+
expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full union doesn't play well with ORDER BY
345345
value = __oneShotUnionUse(expression, unpack)
346346

347347
duration = calculateDeltaSeconds(start)

lib/utils/pivotdumptable.py

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -35,7 +35,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
3535

3636
if count is None:
3737
query = dumpNode.count % table
38-
count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)
38+
count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)
3939

4040
if isinstance(count, basestring) and count.isdigit():
4141
count = int(count)
@@ -65,7 +65,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
6565
logger.info(infoMsg)
6666

6767
query = dumpNode.count2 % (column, table)
68-
value = inject.getValue(query, blind=blind, inband=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
68+
value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
6969

7070
if isNumPosStrValue(value):
7171
validColumnList = True
@@ -110,7 +110,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
110110
else:
111111
query = dumpNode.query2 % (column, table, colList[0], pivotValue)
112112

113-
value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, inband=not blind, error=not blind))
113+
value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))
114114

115115
if column == colList[0]:
116116
if isNoneValue(value):

0 commit comments

Comments
 (0)