Commit dcaad75

Fix for an Issue sqlmapproject#794
1 parent d74b803 commit dcaad75

4 files changed

+9
-7
lines changed


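--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -480,7 +480,7 @@
 HASHDB_END_TRANSACTION_RETRIES = 3
 
 # Unique milestone value used for forced deprecation of old HashDB values (e.g. when changing hash/pickle mechanism)
-HASHDB_MILESTONE_VALUE = "OZkQMtwHoP" # r9e02816 "".join(random.sample(string.ascii_letters, 10))
+HASHDB_MILESTONE_VALUE = "nXkbwIURlN" # rd74b803 "".join(random.sample(string.ascii_letters, 10))
 
 # Warn user of possible delay due to large page dump in full UNION query injections
 LARGE_OUTPUT_THRESHOLD = 1024 ** 2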

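--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -367,11 +367,12 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
 if not conf.forceDns:
 if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
 kb.technique = PAYLOAD.TECHNIQUE.UNION
+kb.forcePartialUnion = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector[8]
 value = _goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
 count += 1
 found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
 
-if not found and not expected and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL:
+if not found and not expected and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL and not kb.forcePartialUnion:
 warnMsg = "something went wrong with full UNION "
 warnMsg += "technique (could be because of "
 warnMsg += "limitation on retrieved number of entries)"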
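Review bot: The added `kb.forcePartialUnion = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector[8]` indexes a ninth tuple element that only vectors built by this commit's test.py carry, so a UNION vector restored from a session saved before this change is an 8-tuple and fails here with a bare IndexError instead of a clear message. The HASHDB_MILESTONE_VALUE bump in settings.py presumably invalidates old HashDB entries, but a guard costs nothing and does not depend on that path being the only way an old vector reaches this code: `vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector` then `kb.forcePartialUnion = len(vector) > 8 and vector[8]`. The same hard-coded index is repeated in use.py, which is the usual sign that a one-line layout comment at the tuple's construction site is overdue. getValue starts before this hunk and continues after it.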

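--- a/lib/techniques/union/test.py
+++ b/lib/techniques/union/test.py
@@ -187,7 +187,7 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
 if content and phrase in content:
 validPayload = payload
 kb.unionDuplicates = len(re.findall(phrase, content, re.I)) > 1
-vector = (position, count, comment, prefix, suffix, kb.uChar, where, kb.unionDuplicates)
+vector = (position, count, comment, prefix, suffix, kb.uChar, where, kb.unionDuplicates, False)
 
 if where == PAYLOAD.WHERE.ORIGINAL:
 # Prepare expression with delimiters
@@ -205,7 +205,7 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
 content = "%s%s".lower() % (page or "", listToStrValue(headers.headers if headers else None) or "")
 
 if not all(_ in content for _ in (phrase, phrase2)):
-vector = (position, count, comment, prefix, suffix, kb.uChar, where, kb.unionDuplicates)
+vector = (position, count, comment, prefix, suffix, kb.uChar, where, kb.unionDuplicates, True)
 elif not kb.unionDuplicates:
 fromTable = " FROM (%s) AS %s" % (" UNION ".join("SELECT %d%s%s" % (_, FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), ""), " AS %s" % randomStr() if _ == 0 else "") for _ in xrange(LIMITED_ROWS_TEST_NUMBER)), randomStr())
 
@@ -221,7 +221,7 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
 if content.count(phrase) > 0 and content.count(phrase) < LIMITED_ROWS_TEST_NUMBER:
 warnMsg = "output with limited number of rows detected. Switching to partial mode"
 logger.warn(warnMsg)
-vector = (position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE, kb.unionDuplicates)
+vector = (position, count, comment, prefix, suffix, kb.uChar, PAYLOAD.WHERE.NEGATIVE, kb.unionDuplicates, False)
 
 unionErrorCase = kb.errorIsNone and wasLastResponseDBMSError()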
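Review bot: The ninth positional element added to the three `vector = (...)` tuples has no name at any construction site, and what it means (force partial UNION mode; True only at line 208, where the delimiter phrases are missing from the page) can only be recovered by reading use.py and inject.py, which both index it blindly as `vector[8]`. A layout comment above the first construction at line 190 would anchor those indexes, e.g. `# vector layout: (position, count, comment, prefix, suffix, uChar, where, unionDuplicates, forcePartialUnion)`. Given that this commit also bumps HASHDB_MILESTONE_VALUE, the tuple appears to be what gets persisted in the session, so documenting its layout here is the cheapest protection against the consumers' positional indexes drifting on the next addition. _unionPosition starts before the first hunk and continues past the last.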

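--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@@ -67,6 +67,7 @@ def _oneShotUnionUse(expression, unpack=True, limited=False):
 # Forge the union SQL injection request
 vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
 kb.unionDuplicates = vector[7]
+kb.forcePartialUnion = vector[8]
 query = agent.forgeUnionQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
 where = PAYLOAD.WHERE.NEGATIVE if conf.limitStart or conf.limitStop else vector[6]
 payload = agent.payload(newValue=query, where=where)
@@ -182,12 +183,12 @@ def unionUse(expression, unpack=True, dump=False):
 # NOTE: we assume that only queries that get data from a table can
 # return multiple entries
 if (kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.NEGATIVE or \
+kb.forcePartialUnion or \
 (dump and (conf.limitStart or conf.limitStop)) or "LIMIT " in expression.upper()) and \
 " FROM " in expression.upper() and ((Backend.getIdentifiedDbms() \
 not in FROM_DUMMY_TABLE) or (Backend.getIdentifiedDbms() in FROM_DUMMY_TABLE \
 and not expression.upper().endswith(FROM_DUMMY_TABLE[Backend.getIdentifiedDbms()]))) \
-and not re.search(SQL_SCALAR_REGEX, expression, re.I)\
-or kb.forcePartialUnion:
+and not re.search(SQL_SCALAR_REGEX, expression, re.I):
 expression, limitCond, topLimit, startLimit, stopLimit = agent.limitCondition(expression, dump)
 
 if limitCond: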
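Review bot: `unionUse` reads `kb.forcePartialUnion` in the condition at new line 186 without first deriving it from the UNION vector the way `_oneShotUnionUse` now does at line 70; as far as this hunk shows it relies on inject.getValue having set the flag just before calling in, so any other entry into unionUse would evaluate a value left over from a previous injection point or resumed session. Setting it at the top of unionUse from the same source, `kb.forcePartialUnion = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector[8]`, ties the flag to the vector actually in use regardless of caller. The relocated `or` also changes scope: a forced-partial vector on a scalar or FROM-less expression no longer enters the limit branch, which looks intended for issue #794 but is worth a one-line comment above the condition so the next reader does not "fix" it back. unionUse's body continues outside the hunk.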
