Massive renaming (proper naming is inband = union & error techniques! - query naming stays as they are/in code things like forgeInbandQuery are renamed to forgeUnionQuery)

Author: stamparm

lib/controller/checks.py

@@ -436,7 +436,7 @@ def genCmpPayload():
                             # Test for UNION injection and set the sample
                             # payload as well as the vector.
                             # NOTE: vector is set to a tuple with 6 elements,
-                            # used afterwards by Agent.forgeInbandQuery()
+                            # used afterwards by Agent.forgeUnionQuery()
                             # method to forge the UNION query payload
 
                             configUnion(test.request.char, test.request.columns)

lib/controller/controller.py

@@ -133,7 +133,7 @@ def __formatInjection(inj):
         if stype == PAYLOAD.TECHNIQUE.UNION:
             count = re.sub(r"(?i)(\(.+\))|(\blimit[^A-Za-z]+)", "", sdata.payload).count(',') + 1
             title = re.sub(r"\d+ to \d+", str(count), title)
-            vector = agent.forgeInbandQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
+            vector = agent.forgeUnionQuery("[QUERY]", vector[0], vector[1], vector[2], None, None, vector[5], vector[6])
             if count == 1:
                 title = title.replace("columns", "column")
         elif comment:

lib/core/agent.py

@@ -561,7 +561,7 @@ def concatQuery(self, query, unpack=True):
 
         return concatenatedQuery
 
-    def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
+    def forgeUnionQuery(self, query, position, count, comment, prefix, suffix, char, where, multipleUnions=None, limited=False, fromTable=None):
         """
         Take in input an query (pseudo query) string and return its
         processed UNION ALL SELECT query.
@@ -602,72 +602,72 @@ def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char
             if Backend.getIdentifiedDbms() in (DBMS.MYSQL, ):
                 limitOriginal = "%s " % (queries[Backend.getIdentifiedDbms()].limit.query % (0, 1))
 
-        inbandQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix)
+        unionQuery = self.prefixQuery("%sUNION ALL SELECT " % limitOriginal, prefix=prefix)
 
         if limited:
-            inbandQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count))
-            inbandQuery += fromTable
-            inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
+            unionQuery += ','.join(char if _ != position else '(SELECT %s)' % query for _ in xrange(0, count))
+            unionQuery += fromTable
+            unionQuery = self.suffixQuery(unionQuery, comment, suffix)
 
-            return inbandQuery
+            return unionQuery
 
         topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I)
         if topNumRegex:
             topNum = topNumRegex.group(1)
             query = query[len("TOP %s " % topNum):]
-            inbandQuery += "TOP %s " % topNum
+            unionQuery += "TOP %s " % topNum
 
         intoRegExp = re.search("(\s+INTO (DUMP|OUT)FILE\s+\'(.+?)\')", query, re.I)
 
         if intoRegExp:
             intoRegExp = intoRegExp.group(1)
             query = query[:query.index(intoRegExp)]
 
-        if fromTable and inbandQuery.endswith(fromTable):
-            inbandQuery = inbandQuery[:-len(fromTable)]
+        if fromTable and unionQuery.endswith(fromTable):
+            unionQuery = unionQuery[:-len(fromTable)]
 
         for element in xrange(0, count):
             if element > 0:
-                inbandQuery += ','
+                unionQuery += ','
 
             if element == position:
                 if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "):
                     conditionIndex = query.index(" FROM ")
-                    inbandQuery += query[:conditionIndex]
+                    unionQuery += query[:conditionIndex]
                 else:
-                    inbandQuery += query
+                    unionQuery += query
             else:
-                inbandQuery += char
+                unionQuery += char
 
         if " FROM " in query and ("(CASE " not in query or ("(CASE " in query and "WHEN use" in query)) and "EXISTS(" not in query and not query.startswith("SELECT "):
             conditionIndex = query.index(" FROM ")
-            inbandQuery += query[conditionIndex:]
+            unionQuery += query[conditionIndex:]
 
         if fromTable:
-            if " FROM " not in inbandQuery or "(CASE " in inbandQuery or "(IIF" in inbandQuery:
-                inbandQuery += fromTable
+            if " FROM " not in unionQuery or "(CASE " in unionQuery or "(IIF" in unionQuery:
+                unionQuery += fromTable
 
         if intoRegExp:
-            inbandQuery += intoRegExp
+            unionQuery += intoRegExp
 
         if multipleUnions:
-            inbandQuery += " UNION ALL SELECT "
+            unionQuery += " UNION ALL SELECT "
 
             for element in xrange(count):
                 if element > 0:
-                    inbandQuery += ','
+                    unionQuery += ','
 
                 if element == position:
-                    inbandQuery += multipleUnions
+                    unionQuery += multipleUnions
                 else:
-                    inbandQuery += char
+                    unionQuery += char
 
             if fromTable:
-                inbandQuery += fromTable
+                unionQuery += fromTable
 
-        inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
+        unionQuery = self.suffixQuery(unionQuery, comment, suffix)
 
-        return inbandQuery
+        return unionQuery
 
     def limitQuery(self, num, query, field=None, uniqueField=None):
         """

lib/core/common.py

@@ -1150,7 +1150,7 @@ def getLimitRange(count, dump=False, plusOne=False):
 
 def parseUnionPage(page):
     """
-    Returns resulting items from inband query inside provided page content
+    Returns resulting items from union query inside provided page content
     """
 
     if page is None:

lib/core/settings.py

@@ -435,7 +435,7 @@
 # Alphabet used for prefix and suffix strings of name resolution requests in DNS technique (excluding hexadecimal chars for not mixing with inner content)
 DNS_BOUNDARIES_ALPHABET = re.sub("[a-fA-F]", "", string.letters)
 
-# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION/inband injections)
+# Connection chunk size (processing large responses in chunks to avoid MemoryError crashes - e.g. large table dump in full UNION injections)
 MAX_CONNECTION_CHUNK_SIZE = 10 * 1024 * 1024
 
 # Maximum response total page size (trimmed if larger)

lib/request/inject.py

@@ -347,9 +347,9 @@ def __goBooleanProxy(expression):
 
     return output
 
-def __goInband(expression, unpack=True, dump=False):
+def __goUnion(expression, unpack=True, dump=False):
     """
-    Retrieve the output of a SQL query taking advantage of an inband SQL
+    Retrieve the output of a SQL query taking advantage of an union SQL
     injection vulnerability on the affected parameter.
     """
 
@@ -360,12 +360,10 @@ def __goInband(expression, unpack=True, dump=False):
 
     return output
 
-def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
+def getValue(expression, blind=True, union=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
     """
     Called each time sqlmap inject a SQL query on the SQL injection
-    affected parameter. It can call a function to retrieve the output
-    through inband SQL injection (if selected) and/or blind SQL injection
-    (if selected).
+    affected parameter.
     """
 
     kb.safeCharEncode = safeCharEncode
@@ -400,9 +398,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                 query = query.replace("DISTINCT ", "")
 
             if not conf.forceDns:
-                if inband and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
+                if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION):
                     kb.technique = PAYLOAD.TECHNIQUE.UNION
-                    value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
+                    value = __goUnion(forgeCaseExpression if expected == EXPECTED.BOOL else query, unpack, dump)
                     count += 1
                     found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE
 

lib/takeover/xp_cmdshell.py

@@ -213,12 +213,12 @@ def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
                 output = inject.getValue(query, resumeValue=False, blind=False, time=False)
             else:
                 output = []
-                count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+                count = inject.getValue("SELECT COUNT(*) FROM %s" % self.cmdTblName, resumeValue=False, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 
                 if isNumPosStrValue(count):
                     for index in getLimitRange(count):
                         query = agent.limitQuery(index, query, self.tblField)
-                        output.append(inject.getValue(query, inband=False, error=False, resumeValue=False))
+                        output.append(inject.getValue(query, union=False, error=False, resumeValue=False))
 
             inject.goStacked("DELETE FROM %s" % self.cmdTblName)
 

lib/techniques/union/test.py

@@ -101,7 +101,7 @@ def __orderByTest(cols):
     pages = {}
 
     for count in xrange(lowerCount, upperCount+1):
-        query = agent.forgeInbandQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
+        query = agent.forgeUnionQuery('', -1, count, comment, prefix, suffix, kb.uChar, where)
         payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
         page, headers = Request.queryPage(payload, place=place, content=True, raise404=False)
         if not isNullValue(kb.uChar):
@@ -166,16 +166,16 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
 
     # For each column of the table (# of NULL) perform a request using
     # the UNION ALL SELECT statement to test it the target url is
-    # affected by an exploitable inband SQL injection vulnerability
+    # affected by an exploitable union SQL injection vulnerability
     for position in positions:
         # Prepare expression with delimiters
         randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
         phrase = "%s%s%s".lower() % (kb.chars.start, randQuery, kb.chars.stop)
         randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
         randQueryUnescaped = unescaper.unescape(randQueryProcessed)
 
-        # Forge the inband SQL injection request
-        query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where)
+        # Forge the union SQL injection request
+        query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where)
         payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
 
         # Perform the request
@@ -196,8 +196,8 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
                 randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
                 randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2)
 
-                # Confirm that it is a full inband SQL injection
-                query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2)
+                # Confirm that it is a full union SQL injection
+                query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2)
                 payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
 
                 # Perform the request
@@ -210,7 +210,7 @@ def __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYL
                     fromTable = " FROM (%s) AS %s" % (" UNION ".join("SELECT %d%s%s" % (_, FROM_DUMMY_TABLE.get(Backend.getIdentifiedDbms(), ""), " AS %s" % randomStr() if _ == 0 else "") for _ in xrange(LIMITED_ROWS_TEST_NUMBER)), randomStr())
 
                     # Check for limited row output
-                    query = agent.forgeInbandQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable)
+                    query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, fromTable=fromTable)
                     payload = agent.payload(place=place, parameter=parameter, newValue=query, where=where)
 
                     # Perform the request
@@ -239,11 +239,11 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count):
     validPayload = None
     vector = None
 
-    # Confirm the inband SQL injection and get the exact column
+    # Confirm the union SQL injection and get the exact column
     # position which can be used to extract data
     validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count)
 
-    # Assure that the above function found the exploitable full inband
+    # Assure that the above function found the exploitable full union
     # SQL injection position
     if not validPayload:
         validPayload, vector = __unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLOAD.WHERE.NEGATIVE)
@@ -252,7 +252,7 @@ def __unionConfirm(comment, place, parameter, prefix, suffix, count):
 
 def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix):
     """
-    This method tests if the target url is affected by an inband
+    This method tests if the target url is affected by an union
     SQL injection vulnerability. The test is done up to 50 columns
     on the target database table
     """
@@ -297,7 +297,7 @@ def __unionTestByCharBruteforce(comment, place, parameter, value, prefix, suffix
 
 def unionTest(comment, place, parameter, value, prefix, suffix):
     """
-    This method tests if the target url is affected by an inband
+    This method tests if the target url is affected by an union
     SQL injection vulnerability. The test is done up to 3*50 times
     """
 

lib/techniques/union/use.py

@@ -48,7 +48,7 @@
 from lib.request.connect import Connect as Request
 
 def __oneShotUnionUse(expression, unpack=True, limited=False):
-    retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True)  # as inband data is stored raw unconverted
+    retVal = hashDBRetrieve("%s%s" % (conf.hexConvert, expression), checkConf=True)  # as union data is stored raw unconverted
 
     threadData = getCurrentThreadData()
     threadData.resumed = retVal is not None
@@ -59,10 +59,10 @@ def __oneShotUnionUse(expression, unpack=True, limited=False):
 
         where = PAYLOAD.WHERE.NEGATIVE if conf.limitStart or conf.limitStop else None
 
-        # Forge the inband SQL injection request
+        # Forge the union SQL injection request
         vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
         kb.unionDuplicates = vector[7]
-        query = agent.forgeInbandQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
+        query = agent.forgeUnionQuery(injExpression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], vector[6], None, limited)
         payload = agent.payload(newValue=query, where=where)
 
         # Perform the request
@@ -90,7 +90,7 @@ def _(regex):
         if retVal is not None:
             retVal = getUnicode(retVal, kb.pageEncoding)
 
-            # Special case when DBMS is Microsoft SQL Server and error message is used as a result of inband injection
+            # Special case when DBMS is Microsoft SQL Server and error message is used as a result of union injection
             if Backend.isDbms(DBMS.MSSQL) and wasLastRequestDBMSError():
                 retVal = htmlunescape(retVal).replace("<br>", "\n")
 
@@ -140,9 +140,9 @@ def __configUnionCols(columns):
 
 def unionUse(expression, unpack=True, dump=False):
     """
-    This function tests for an inband SQL injection on the target
+    This function tests for an union SQL injection on the target
     url then call its subsidiary function to effectively perform an
-    inband SQL injection on the affected url
+    union SQL injection on the affected url
     """
 
     initTechnique(PAYLOAD.TECHNIQUE.UNION)
@@ -341,7 +341,7 @@ def unionThread():
                 kb.suppressResumeInfo = False
 
     if not value and not abortedFlag:
-        expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full inband doesn't play well with ORDER BY
+        expression = re.sub("\s*ORDER BY\s+[\w,]+", "", expression, re.I) # full union doesn't play well with ORDER BY
         value = __oneShotUnionUse(expression, unpack)
 
     duration = calculateDeltaSeconds(start)

lib/utils/pivotdumptable.py

@@ -35,7 +35,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
 
     if count is None:
         query = dumpNode.count % table
-        count = inject.getValue(query, inband=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)
+        count = inject.getValue(query, union=False, error=False, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS) if blind else inject.getValue(query, blind=False, time=False, expected=EXPECTED.INT)
 
     if isinstance(count, basestring) and count.isdigit():
         count = int(count)
@@ -65,7 +65,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
         logger.info(infoMsg)
 
         query = dumpNode.count2 % (column, table)
-        value = inject.getValue(query, blind=blind, inband=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
+        value = inject.getValue(query, blind=blind, union=not blind, error=not blind, expected=EXPECTED.INT, charsetType=CHARSET_TYPE.DIGITS)
 
         if isNumPosStrValue(value):
             validColumnList = True
@@ -110,7 +110,7 @@ def pivotDumpTable(table, colList, count=None, blind=True):
                 else:
                     query = dumpNode.query2 % (column, table, colList[0], pivotValue)
 
-                value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, inband=not blind, error=not blind))
+                value = unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))
 
                 if column == colList[0]:
                     if isNoneValue(value):