	improvement for limited queries (more stable to have TOP/LIMIT/OFFSET mechanisms as part of a subquery)
This commit is contained in:
		
							parent
							
								
									0627bb02cb
								
							
						
					
					
						commit
						018d7ed646
					
				|  | @ -522,7 +522,7 @@ class Agent: | |||
| 
 | ||||
|         return concatenatedQuery | ||||
| 
 | ||||
|     def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None): | ||||
|     def forgeInbandQuery(self, query, position, count, comment, prefix, suffix, char, multipleUnions=None, limited=False): | ||||
|         """ | ||||
|         Take in input an query (pseudo query) string and return its | ||||
|         processed UNION ALL SELECT query. | ||||
|  | @ -558,17 +558,16 @@ class Agent: | |||
| 
 | ||||
|         inbandQuery = self.prefixQuery("UNION ALL SELECT ", prefix=prefix) | ||||
| 
 | ||||
|         if query.startswith("TOP"): | ||||
|             # TOP enumeration on DBMS.MSSQL is too specific and it has to go | ||||
|             # into its own brackets because those NULLs cause problems with | ||||
|             # ORDER BY clause | ||||
|             if Backend.isDbms(DBMS.MSSQL): | ||||
|                 inbandQuery += ",".join(map(lambda x: char if x != position else '(SELECT %s)' % query, range(0, count))) | ||||
|                 inbandQuery = self.suffixQuery(inbandQuery, comment, suffix) | ||||
|         if limited: | ||||
|             inbandQuery += ",".join(map(lambda x: char if x != position else '(SELECT %s)' % query, range(0, count))) | ||||
|             inbandQuery = self.suffixQuery(inbandQuery, comment, suffix) | ||||
|             inbandQuery += FROM_TABLE.get(Backend.getIdentifiedDbms(), "") | ||||
| 
 | ||||
|                 return inbandQuery | ||||
|             return inbandQuery | ||||
| 
 | ||||
|             topNum = re.search("\ATOP\s+([\d]+)\s+", query, re.I).group(1) | ||||
|         topNumRegex = re.search("\ATOP\s+([\d]+)\s+", query, re.I) | ||||
|         if topNumRegex: | ||||
|             topNum = topNumRegex.group(1) | ||||
|             query = query[len("TOP %s " % topNum):] | ||||
|             inbandQuery += "TOP %s " % topNum | ||||
| 
 | ||||
|  |  | |||
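Review bot: In the new `if limited:` branch the FROM_TABLE fragment is appended on the line after `suffixQuery(...)`, so if `suffixQuery` appends the comment and suffix (its body is outside this hunk, but its name and arguments suggest it does), the `FROM ...` fragment ends up behind the comment terminator and is not part of the executed statement. Appending it first keeps it inside the query: `inbandQuery += FROM_TABLE.get(Backend.getIdentifiedDbms(), "")` followed by `inbandQuery = self.suffixQuery(inbandQuery, comment, suffix)`. The docstring at the top of `forgeInbandQuery` is not updated for the new `limited` parameter; a line such as `limited: when True, wrap the whole query in a subquery so TOP/LIMIT/OFFSET stay inside it` would record the intent the commit title describes. The regex literal `"\ATOP\s+([\d]+)\s+"` should be a raw string, `r"\ATOP\s+([\d]+)\s+"`, so its backslash sequences are not subject to string-escape processing. The body of `forgeInbandQuery` continues beyond this hunk.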
|  | @ -47,7 +47,7 @@ from lib.utils.resume import resume | |||
| 
 | ||||
| reqCount = 0 | ||||
| 
 | ||||
| def __oneShotUnionUse(expression, unpack=True): | ||||
| def __oneShotUnionUse(expression, unpack=True, limited=False): | ||||
|     global reqCount | ||||
| 
 | ||||
|     check = "(?P<result>%s.*%s)" % (kb.misc.start, kb.misc.stop) | ||||
|  | @ -64,7 +64,7 @@ def __oneShotUnionUse(expression, unpack=True): | |||
| 
 | ||||
|     # Forge the inband SQL injection request | ||||
|     vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector | ||||
|     query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5]) | ||||
|     query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], None, limited) | ||||
|     payload = agent.payload(newValue=query, where=where) | ||||
| 
 | ||||
|     # Perform the request | ||||
|  | @ -299,7 +299,7 @@ def unionUse(expression, unpack=True, dump=False): | |||
|                         output = resume(limitedExpr, None) | ||||
| 
 | ||||
|                         if not output: | ||||
|                             output = __oneShotUnionUse(limitedExpr, unpack) | ||||
|                             output = __oneShotUnionUse(limitedExpr, unpack, True) | ||||
| 
 | ||||
|                         if not kb.threadContinue: | ||||
|                             break | ||||
|  |  | |||
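Review bot: The `forgeInbandQuery` call passes `None` positionally for `multipleUnions` only to reach the new `limited` argument, which ties the call to the parameter order and silently changes meaning if a parameter is ever inserted before it; `query = agent.forgeInbandQuery(expression, vector[0], vector[1], vector[2], vector[3], vector[4], vector[5], limited=limited)` says the same thing by keyword. The bare `True` in `__oneShotUnionUse(limitedExpr, unpack, True)` has the same readability problem and is clearer as `limited=True`. The new `limited` parameter of `__oneShotUnionUse` has no comment; a short note such as `# limited: forge the query as a subquery so TOP/LIMIT/OFFSET stay inside it` would help the next reader. `unionUse` starts and ends outside this hunk.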