Fixed custom MSSQL "limited" query support also for Partial UNION query technique

2025-02-03 05:04:11 +03:00 · 2009-01-03 00:27:04 +00:00 · 2009-01-03 00:27:04 +00:00 · 2d87a3349f
commit 2d87a3349f
parent 9c42a883be
3 changed files with 7 additions and 4 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -481,15 +481,15 @@ class Agent:
            if " ORDER BY " in limitedQuery:
                limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]

-            if not limitedQuery.startswith("SELECT TOP "):
+            if not limitedQuery.startswith("SELECT TOP ") and not limitedQuery.startswith("TOP "):
                limitedQuery  = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
                limitedQuery  = "%s WHERE %s " % (limitedQuery, field)
                limitedQuery += "NOT IN (%s" % (limitStr % num)
                limitedQuery += "%s %s)" % (field, fromFrom)
            else:
-                topNums         = re.search("\ASELECT\s+TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I).groups()
+                topNums         = re.search("TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I).groups()
                quantityTopNums = topNums[0]
-                limitedQuery    = limitedQuery.replace("SELECT TOP %s" % quantityTopNums, "SELECT TOP 1", 1)
+                limitedQuery    = limitedQuery.replace("TOP %s" % quantityTopNums, "TOP 1", 1)
                startTopNums    = topNums[1]
                limitedQuery    = limitedQuery.replace(" (SELECT TOP %s" % startTopNums, " (SELECT TOP %d" % num)

--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@ -216,6 +216,9 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False):
                        untilLimitChar = expression.index(queries[kb.dbms].limitstring)
                        expression = expression[:untilLimitChar]

+                    elif kb.dbms == "Microsoft SQL Server":
+                        stopLimit += startLimit
+
                if not stopLimit or stopLimit <= 1:
                    if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
                        test = False
--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -169,7 +169,7 @@
        <isnull query="ISNULL(%s, ' ')"/>
        <delimiter query="+"/>
        <limit query="SELECT TOP %d "/>
-        <limitregexp query="SELECT\s+TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+"/>
+        <limitregexp query="TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+"/>
        <limitgroupstart query="2"/>
        <limitgroupstop query="1"/>
        <limitstring/>