From 18013bc8b2b85c5d79dbe9ccf754ef5bd24d576f Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Fri, 8 Oct 2021 17:33:43 +0200
Subject: [PATCH] Fixes #4842

---
 lib/core/settings.py | 2 +-
 lib/techniques/union/use.py | 58 ++++++++++++++++++++-----------------
 2 files changed, 32 insertions(+), 28 deletions(-)

diff --git a/lib/core/settings.py b/lib/core/settings.py
index 475c51616..ed567577e 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from thirdparty import six
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (...)
-VERSION = "1.5.10.12"
+VERSION = "1.5.10.13"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/techniques/union/use.py b/lib/techniques/union/use.py
index 68f8b87e4..19854167a 100644
--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@@ -98,33 +98,37 @@ def _oneShotUnionUse(expression, unpack=True, limited=False):
     incrementCounter(PAYLOAD.TECHNIQUE.UNION)
 
     if kb.jsonAggMode:
-        if Backend.isDbms(DBMS.MSSQL):
-            output = extractRegexResult(r"%s(?P.*)%s" % (kb.chars.start, kb.chars.stop), removeReflectiveValues(page or "", payload))
-            if output:
-                try:
-                    retVal = ""
-                    fields = re.findall(r'"([^"]+)":', extractRegexResult(r"{(?P[^}]+)}", output))
-                    for row in json.loads(output):
-                        retVal += "%s%s%s" % (kb.chars.start, kb.chars.delimiter.join(getUnicode(row[field] or NULL) for field in fields), kb.chars.stop)
-                except:
-                    pass
-                else:
-                    retVal = getUnicode(retVal)
-        elif Backend.isDbms(DBMS.PGSQL):
-            output = extractRegexResult(r"(?P%s.*%s)" % (kb.chars.start, kb.chars.stop), removeReflectiveValues(page or "", payload))
-            if output:
-                retVal = output
-        else:
-            output = extractRegexResult(r"%s(?P.*?)%s" % (kb.chars.start, kb.chars.stop), removeReflectiveValues(page or "", payload))
-            if output:
-                try:
-                    retVal = ""
-                    for row in json.loads(output):
-                        retVal += "%s%s%s" % (kb.chars.start, row, kb.chars.stop)
-                except:
-                    pass
-                else:
-                    retVal = getUnicode(retVal)
+        for _page in (page or "", (page or "").replace('\\"', '"')):
+            if Backend.isDbms(DBMS.MSSQL):
+                output = extractRegexResult(r"%s(?P.*)%s" % (kb.chars.start, kb.chars.stop), removeReflectiveValues(_page, payload))
+                if output:
+                    try:
+                        retVal = ""
+                        fields = re.findall(r'"([^"]+)":', extractRegexResult(r"{(?P[^}]+)}", output))
+                        for row in json.loads(output):
+                            retVal += "%s%s%s" % (kb.chars.start, kb.chars.delimiter.join(getUnicode(row[field] or NULL) for field in fields), kb.chars.stop)
+                    except:
+                        pass
+                    else:
+                        retVal = getUnicode(retVal)
+            elif Backend.isDbms(DBMS.PGSQL):
+                output = extractRegexResult(r"(?P%s.*%s)" % (kb.chars.start, kb.chars.stop), removeReflectiveValues(_page, payload))
+                if output:
+                    retVal = output
+            else:
+                output = extractRegexResult(r"%s(?P.*?)%s" % (kb.chars.start, kb.chars.stop), removeReflectiveValues(_page, payload))
+                if output:
+                    try:
+                        retVal = ""
+                        for row in json.loads(output):
+                            retVal += "%s%s%s" % (kb.chars.start, row, kb.chars.stop)
+                    except:
+                        pass
+                    else:
+                        retVal = getUnicode(retVal)
+
+            if retVal:
+                break
     else:
         # Parse the returned page to get the exact UNION-based
         # SQL injection output
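Review bot: Both `except: pass` clauses on the new side (the MSSQL branch and the generic `else` branch) are bare, so a `KeyboardInterrupt` or `SystemExit` raised while decoding an attacker-controlled page is swallowed exactly like a malformed-JSON failure and the loop silently moves on to the next `_page` variant; narrowing them to `except (ValueError, KeyError, TypeError): pass` keeps the intended best-effort parsing while letting interrupts propagate, and since the loop now runs this twice per response the cost of the bare form has doubled. The `if retVal: break` at the bottom reads `retVal` even on a path that never assigns it (PGSQL with no regex match), so it relies on `retVal` being bound earlier in `_oneShotUnionUse`, whose body starts outside this hunk — presumably it is initialised there, but if not this is a `NameError`. The second tuple element, `(page or "").replace('\\"', '"')`, unescapes every backslash-quote in the whole page, which only rescues a response whose entire JSON blob was backslash-escaped and will turn a row value that legitimately contains an escaped quote into invalid JSON; that is harmless because it runs only after the raw page yielded nothing, but the intent deserves a comment on the `for` line such as `# second pass: retry with backslash-escaped quotes unescaped (JSON embedded in an escaped string)`.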