More bug fixes to properly distinguish between full inband and single-entry inband sql injections

2026-06-10 10:07:17 +00:00 · 2010-12-22 15:47:52 +00:00 · 2010-12-22 15:47:52 +00:00 · c1f2534e9a
commit c1f2534e9a
parent b3da473840
2 changed files with 35 additions and 1 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -483,7 +483,7 @@ class Agent:

        return concatenatedQuery

-    def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None):
+    def forgeInbandQuery(self, query, exprPosition=None, nullChar=None, count=None, comment=None, multipleUnions=None):
        """
        Take in input an query (pseudo query) string and return its
        processed UNION ALL SELECT query.
@ -569,6 +569,22 @@ class Agent:
        if intoRegExp:
            inbandQuery += intoRegExp

+        if multipleUnions:
+            inbandQuery += " UNION ALL SELECT "
+
+            for element in range(count):
+                if element > 0:
+                    inbandQuery += ", "
+
+                if element == exprPosition:
+                    inbandQuery += multipleUnions
+                else:
+                    inbandQuery += nullChar
+
+            if kb.dbms == DBMS.ORACLE:
+                inbandQuery += " FROM DUAL"
+
+
        inbandQuery = self.suffixQuery(inbandQuery, comment)

        return inbandQuery