From 2d87a3349f4c0e79a82b844c60e49a63dfd96bc9 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sat, 3 Jan 2009 00:27:04 +0000
Subject: [PATCH] Fixed custom MSSQL "limited" query support also for Partial UNION query technique
---
 lib/core/agent.py | 6 +++---
 lib/techniques/inband/union/use.py | 3 +++
 xml/queries.xml | 2 +-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index b45dfe242..ec23ceb68 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -481,15 +481,15 @@ class Agent:
 if " ORDER BY " in limitedQuery:
 limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
 
- if not limitedQuery.startswith("SELECT TOP "):
+ if not limitedQuery.startswith("SELECT TOP ") and not limitedQuery.startswith("TOP "):
 limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
 limitedQuery = "%s WHERE %s " % (limitedQuery, field)
 limitedQuery += "NOT IN (%s" % (limitStr % num)
 limitedQuery += "%s %s)" % (field, fromFrom)
 else:
- topNums = re.search("\ASELECT\s+TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I).groups()
+ topNums = re.search("TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I).groups()
 quantityTopNums = topNums[0]
- limitedQuery = limitedQuery.replace("SELECT TOP %s" % quantityTopNums, "SELECT TOP 1", 1)
+ limitedQuery = limitedQuery.replace("TOP %s" % quantityTopNums, "TOP 1", 1)
 startTopNums = topNums[1]
 limitedQuery = limitedQuery.replace(" (SELECT TOP %s" % startTopNums, " (SELECT TOP %d" % num)
 
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index 114ed3cdc..cdfaaca46 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
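Review bot: The reworked `topNums = re.search(...).groups()` line still dereferences the match object without checking it, so any query that reaches the else branch without the expected `... NOT IN (SELECT TOP n ...` shape fails with an AttributeError rather than a readable error; with the `\A` anchor dropped the pattern now also matches a `TOP n` anywhere in the string, so the `startswith` guard above no longer pins the shape the pattern assumes. I would bind the match first and fail explicitly: `match = re.search(r"TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I)`, `if match is None: raise ValueError("unexpected MSSQL limited query shape: %s" % limitedQuery)`, `topNums = match.groups()`. The raw-string prefix matters on its own, since `\s`, `\d` and `\(` in a plain literal are invalid escape sequences that newer interpreters warn about. Note also that the pattern is compiled with re.I while the `startswith` checks and the new `replace("TOP %s" ...)` call are case-sensitive, so a lower-case `top n` would be accepted by the regex and then left untouched by the replace. The enclosing method starts before and continues after this hunk.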
@@ -216,6 +216,9 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False):
 untilLimitChar = expression.index(queries[kb.dbms].limitstring)
 expression = expression[:untilLimitChar]
 
+ elif kb.dbms == "Microsoft SQL Server":
+ stopLimit += startLimit
+
 if not stopLimit or stopLimit <= 1:
 if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
 test = False
diff --git a/xml/queries.xml b/xml/queries.xml
index 2bf7fd288..0b746e8e7 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -169,7 +169,7 @@
-
+
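Review bot: The new `stopLimit += startLimit` in the Microsoft SQL Server branch assumes both values are already integers, yet the guard directly below it (`if not stopLimit or stopLimit <= 1`) implies stopLimit can still be unset at this point; if either value is None here the addition raises TypeError instead of falling through to that guard. If that state is reachable, narrow the branch, e.g. `elif kb.dbms == "Microsoft SQL Server" and startLimit is not None and stopLimit is not None:`. A short why-comment would also help, since the adjustment is not obvious from the line itself, e.g. `# MSSQL limits via TOP n ... NOT IN (SELECT TOP m ...), so the outer bound has to be an absolute row count rather than offset-relative` — I am inferring that from the agent.py change in the same commit, so confirm it before committing the wording. The if/elif chain this branch joins starts before the hunk, and unionUse continues beyond it.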