diff --git a/lib/core/agent.py b/lib/core/agent.py
index 82ecf07ee..a09cfa8e7 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -522,7 +522,7 @@ class Agent:
 return concatenatedQuery
- def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None):
+ def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None, limited=False):
 """ Take in input an query (pseudo query) string and return its processed UNION ALL SELECT query.
@@ -558,17 +558,16 @@ class Agent:
 inbandQuery = self.prefixQuery("UNION ALL SELECT ", prefix=prefix)
- if query.startswith("TOP"):
- # TOP enumeration on DBMS.MSSQL is too specific and it has to go
- # into its own brackets because those NULLs cause problems with
- # ORDER BY clause
- if Backend.isDbms(DBMS.MSSQL):
- inbandQuery += ",".join(map(lambda x: char if x != position else '(SELECT %s)' % query, range(0, count)))
- inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
+ if limited:
+ inbandQuery += ",".join(map(lambda x: char if x != position else '(SELECT %s)' % query, range(0, count)))
+ inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)
+ inbandQuery += FROM_TABLE.get(Backend.getIdentifiedDbms(), "")
- return inbandQuery
+ return inbandQuery
- topNum = re.search("\ATOP\s+([\d]+)\s+", query, re.I).group(1)
+ topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I)
+ if topNumRegex:
+ topNum = topNumRegex.group(1)
 query = query[len("TOP %s " % topNum):]
 inbandQuery += "TOP %s " % topNum
diff --git a/lib/techniques/union/use.py b/lib/techniques/union/use.py
index c28dc14fb..b95752e5a 100644
--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@@ -47,7 +47,7 @@ from lib.utils.resume import resume
 reqCount = 0
-def __oneShotUnionUse(expression, unpack=True):
+def __oneShotUnionUse(expression, unpack=True, limited=False):
 global reqCount
 check = "(?P%s.*%s)" % (kb.misc.start, kb.misc.stop) 
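Review bot: The new `limited` parameter on forgeInbandQuery is not described in the docstring that follows the signature, which still only says the method returns a processed UNION ALL SELECT query. Since the second hunk shows that `limited` makes the method wrap the query as a single `(SELECT %s)` column and return early without the TOP handling, add a short parameter line to the docstring, e.g. `limited: when True, build a single-column (SELECT ...) form and return it without TOP handling`. The remainder of the docstring and the method body lie outside this hunk.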
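Review bot: In the new `if limited:` branch, `inbandQuery += FROM_TABLE.get(Backend.getIdentifiedDbms(), "")` runs after `inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)`, so if suffixQuery appends the comment and suffix as its name and arguments suggest, the FROM fragment is placed behind the comment terminator or suffix and is either commented out or breaks the statement for any DBMS that has a FROM_TABLE entry. Swap the two lines so the FROM fragment is appended before suffixing: `inbandQuery += FROM_TABLE.get(Backend.getIdentifiedDbms(), "")` followed by `inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)`. Note also that the removed MSSQL-only guard is gone, so this branch now runs for every DBMS whenever `limited` is set, which is presumably intended but worth a comment. A smaller point: the re-added pattern `"\ATOP\s+([\d]+)\s+"` is not a raw string, so it relies on unrecognized escapes passing through unchanged; `r"\ATOP\s+([\d]+)\s+"` is the safer spelling. The method continues past the end of this hunk.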
@@ -64,7 +64,7 @@ def __oneShotUnionUse(expression, unpack=True):
 # Forge the inband SQL injection request vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
- query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5])
+ query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], None, limited)
 payload = agent.payload(newValue=query, where=where) # Perform the request
@@ -299,7 +299,7 @@ def unionUse(expression, unpack=True, dump=False):
 output = resume(limitedExpr, None)
 if not output:
- output = __oneShotUnionUse(limitedExpr, unpack)
+ output = __oneShotUnionUse(limitedExpr, unpack, True)
 if not kb.threadContinue: break
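Review bot: The new call passes `None` and `limited` positionally after `vector[5]`, so a reader has to count nine arguments to learn that `None` is a placeholder for `multipleUnions` and the last one is the new flag, and any later reordering of the defaulted parameters in forgeInbandQuery would silently change meaning. Passing the flag by keyword drops the placeholder: `query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], limited=limited)`. The same applies to the hunk at line 299, where `output = __oneShotUnionUse(limitedExpr, unpack, True)` reads better as `output = __oneShotUnionUse(limitedExpr, unpack, limited=True)`. Both enclosing functions start and end outside these hunks.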