From 2c4f6d2e9980d61ce5b7d13de918b58974b9ea12 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 7 Feb 2011 21:53:05 +0000
Subject: [PATCH] fix (lol. we were using same comparison payload through the all test. it's a nono :) p.s. this way we are dealing with "reflective" problem too
---
 lib/controller/checks.py | 24 ++++++++++++++----------
 1 file changed, 14 insertions(+), 10 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 71a5c6a9b..6d57e5aed 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -286,20 +286,24 @@ def checkSqlInjection(place, parameter, value): # In case of boolean-based blind SQL injection if method == PAYLOAD.METHOD.COMPARISON: - sndPayload = agent.cleanupPayload(test.response.comparison, origValue=value) + # Generate payload used for comparison + def genCmpPayload(): + sndPayload = agent.cleanupPayload(test.response.comparison, origValue=value) - # Forge response payload by prepending with - # boundary's prefix and appending the boundary's - # suffix to the test's ' ' - # string - boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause) - boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where) - cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where) + # Forge response payload by prepending with + # boundary's prefix and appending the boundary's + # suffix to the test's ' ' + # string + boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause) + boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where) + cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where) + + return cmpPayload # Useful to set kb.matchRatio at first based on # the False response content kb.matchRatio = None - _ = Request.queryPage(cmpPayload, place, raise404=False) + _ = Request.queryPage(genCmpPayload(), place, raise404=False) # If in the comparing stage there was an error # then anything non-error will be considered as True @@ -310,7 +314,7 @@ def checkSqlInjection(place, parameter, value): trueResult = Request.queryPage(reqPayload, place, raise404=False) if trueResult: - falseResult = Request.queryPage(cmpPayload, place, raise404=False) + falseResult = Request.queryPage(genCmpPayload(), place, raise404=False) # Perform the test's False request if not falseResult:
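Review bot: The new nested `genCmpPayload` in the first hunk carries only a one-line comment, and its contract is easy to misread: it closes over `test`, `prefix`, `suffix`, `where`, `clause`, `comment` and `value` by late binding, so it is only correct while both call sites run inside the same loop iteration that defined it, and (per the commit message) it is meant to return a different payload on each call — presumably `agent.cleanupPayload` is the step that varies it, which the hunk does not show. I would replace the comment with a docstring: `"""Return a freshly built comparison (False-response) payload for the current test/boundary; rebuilt on every call so the kb.matchRatio baseline request and the later False request do not send one identical literal (the "reflective" case the commit message mentions). Relies on test/prefix/suffix/where/clause/comment/value from the enclosing loop iteration."""`. The second hunk (the `falseResult` call) is the other consumer of the same helper and needs no separate note. The enclosing `checkSqlInjection` starts and ends outside both hunks.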