From 3fa05374bd7f534bf3065d15efb62e0666c8c22b Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Tue, 18 Dec 2012 12:07:19 +0000
Subject: [PATCH 1/4] added tests for all MySQL techniques now (except stacked queries (S) as it is not supported on MySQL/PHP)

---
 xml/livetests.xml | 172 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 172 insertions(+)

diff --git a/xml/livetests.xml b/xml/livetests.xml
index 8baf085e1..f44550ec7 100644
--- a/xml/livetests.xml
+++ b/xml/livetests.xml
@@ -92,6 +92,178 @@
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
From 57412f8475ea823bea2c638f3c399db90908ddd0 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Tue, 18 Dec 2012 13:55:26 +0000
Subject: [PATCH 2/4] default to --search shall stay LIKE

---
 plugins/generic/misc.py | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/plugins/generic/misc.py b/plugins/generic/misc.py
index 9dc88b5b3..2ab1a9cc4 100644
--- a/plugins/generic/misc.py
+++ b/plugins/generic/misc.py
@@ -177,10 +177,10 @@ class Miscellaneous:
 
     def likeOrExact(self, what):
         message = "do you want sqlmap to consider provided %s(s):\n" % what
-        message += "[1] as LIKE %s names\n" % what
-        message += "[2] as exact %s names (default)" % what
+        message += "[1] as LIKE %s names (default)\n" % what
+        message += "[2] as exact %s names" % what
 
-        choice = readInput(message, default='2')
+        choice = readInput(message, default='1')
 
         if not choice or choice == '1':
             choice = '1'
From e1b7a6350e23f72fa20d997695a0f9dec317b32c Mon Sep 17 00:00:00 2001
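Review bot: The default answer in `likeOrExact` is now encoded twice — once as the literal "(default)" marker inside `"[1] as LIKE %s names (default)\n"` and once as `readInput(message, default='1')` — and this hunk had to move both, so the next change can easily leave them disagreeing. Binding it once, e.g. `defaultChoice = '1'` used both to place the marker and as the `readInput` default, keeps the prompt honest. The method also carries no docstring; judging from the caller `colConsider, colCondParam = self.likeOrExact("column")` in 4/4 it appears to return a (choice, condition-parameter) pair, so a one-liner such as `"""Ask whether the given identifier names are matched with LIKE ('1', default) or exactly ('2'); returns the choice and the matching SQL condition parameter."""` would help — confirm the return shape before documenting it. The body of the method continues past the end of the hunk.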
From: Bernardo Damele
Date: Tue, 18 Dec 2012 14:37:04 +0000
Subject: [PATCH 3/4] consistency between --tables and --columns when -T and -C are respectively provided - there was a leftover from when --search called getColumns() as --columns: this is no longer the case (closes issue #306)

---
 plugins/generic/databases.py | 80 +++++++----------------------------
 1 file changed, 15 insertions(+), 65 deletions(-)

diff --git a/plugins/generic/databases.py b/plugins/generic/databases.py
index 075ad8489..34b2989c8 100644
--- a/plugins/generic/databases.py
+++ b/plugins/generic/databases.py
@@ -388,19 +388,6 @@ class Databases:
 
         conf.db = safeSQLIdentificatorNaming(conf.db)
 
-        if conf.col:
-            if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
-                conf.col = conf.col.upper()
-
-            colList = conf.col.split(",")
-        else:
-            colList = []
-
-        for col in colList:
-            colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
-
-        colList = filter(None, colList)
-
         if conf.tbl:
             if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
                 conf.tbl = conf.tbl.upper()
@@ -440,7 +427,19 @@ class Databases:
                 logger.error(errMsg)
                 bruteForce = True
 
-        if bruteForce or colList:
+        if bruteForce:
+            if conf.col:
+                if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
+                    conf.col = conf.col.upper()
+
+                colList = conf.col.split(",")
+            else:
+                colList = []
+
+            for col in colList:
+                colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
+
+            colList = filter(None, colList)
             resumeAvailable = False
 
             for tbl in tblList:
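Review bot: The normalisation loop `for col in colList: colList[colList.index(col)] = safeSQLIdentificatorNaming(col)` rewrites the list it is iterating and pays an O(n) `index` lookup per element to find a slot it already knows; the same block comes back unchanged on the new side of 4/4's first hunk (`@@ -388,6 +388,19 @@`), so this applies there too. A comprehension states the intent directly and removes the search: `colList = [safeSQLIdentificatorNaming(col) for col in colList]`, keeping the existing `colList = filter(None, colList)` after it. The enclosing method — apparently `getColumns`, going by the subject line — starts and ends outside the hunk, so I cannot see whether anything after this `if bruteForce:` branch still reads `colList`; after this change the name is unbound whenever `bruteForce` is false, which is worth confirming.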
@@ -491,37 +490,17 @@ class Databases:
 
                     return {conf.db: kb.data.cachedColumns[conf.db]}
 
-                infoMsg = "fetching columns "
-
-                if len(colList) > 0:
-                    if colTuple is None:
-                        colConsider, colCondParam = self.likeOrExact("column")
-                    else:
-                        colConsider, colCondParam = colTuple
-                    condQueryStr = "%%s%s" % colCondParam
-                    condQuery = " AND (%s)" % " OR ".join(condQueryStr % (condition, unsafeSQLIdentificatorNaming(col)) for col in sorted(colList))
-
-                    if colConsider == "1":
-                        infoMsg += "like '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
-                    else:
-                        infoMsg += "'%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
-                else:
-                    condQuery = ""
-
-                infoMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
+                infoMsg = "fetching columns for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
                 infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
                 logger.info(infoMsg)
 
                 if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
                     query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
-                    query += condQuery
                 elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
                     query = rootQuery.inband.query % unsafeSQLIdentificatorNaming(tbl.upper())
-                    query += condQuery
                 elif Backend.isDbms(DBMS.MSSQL):
                     query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
-                    query += condQuery.replace("[DB]", conf.db)
                 elif Backend.isDbms(DBMS.SQLITE):
                     query = rootQuery.inband.query % tbl
 
@@ -560,44 +539,19 @@ class Databases:
 
                     return {conf.db: kb.data.cachedColumns[conf.db]}
 
-                infoMsg = "fetching columns "
-
-                if len(colList) > 0:
-                    if colTuple is None:
-                        colConsider, colCondParam = self.likeOrExact("column")
-                    else:
-                        colConsider, colCondParam = colTuple
-                    condQueryStr = "%%s%s" % colCondParam
-                    condQuery = " AND (%s)" % " OR ".join(condQueryStr % (condition, unsafeSQLIdentificatorNaming(col)) for col in sorted(colList))
-
-                    if colConsider == "1":
-                        infoMsg += "like '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
-                    else:
-                        infoMsg += "'%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
-                else:
-                    condQuery = ""
-
-                infoMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
+                infoMsg = "fetching columns for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
                 infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
                 logger.info(infoMsg)
 
                 if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
                     query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
-                    query += condQuery
-
                 elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
                     query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(tbl.upper())
-                    query += condQuery
-
                 elif Backend.isDbms(DBMS.MSSQL):
                     query = rootQuery.blind.count % (conf.db, conf.db, \
                                                      unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
-                    query += condQuery.replace("[DB]", conf.db)
-
                 elif Backend.isDbms(DBMS.FIREBIRD):
                     query = rootQuery.blind.count % (tbl)
-                    query += condQuery
-
                 elif Backend.isDbms(DBMS.SQLITE):
                     query = rootQuery.blind.query % tbl
                 value = inject.getValue(query, union=False, error=False)
@@ -620,19 +574,15 @@ class Databases:
                 for index in getLimitRange(count):
                     if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
                         query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
-                        query += condQuery
                         field = None
                     elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
                         query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(tbl.upper())
-                        query += condQuery
                         field = None
                     elif Backend.isDbms(DBMS.MSSQL):
                         query = rootQuery.blind.query.replace("'%s'", "'%s'" % unsafeSQLIdentificatorNaming(tbl).split(".")[-1]).replace("%s", conf.db).replace("%d", str(index))
-                        query += condQuery.replace("[DB]", conf.db)
                         field = condition.replace("[DB]", conf.db)
                     elif Backend.isDbms(DBMS.FIREBIRD):
                         query = rootQuery.blind.query % (tbl)
-                        query += condQuery
                         field = None
 
                     query = agent.limitQuery(index, query, field, field)

From 6b1dd05e622d152fba690ef07af40c7439c10266 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Tue, 18 Dec 2012 14:51:04 +0000
Subject: [PATCH 4/4] reverted

---
 plugins/generic/databases.py | 80 +++++++++++++++++++++++++++++-------
 1 file changed, 65 insertions(+), 15 deletions(-)

diff --git a/plugins/generic/databases.py b/plugins/generic/databases.py
index 34b2989c8..075ad8489 100644
--- a/plugins/generic/databases.py
+++ b/plugins/generic/databases.py
@@ -388,6 +388,19 @@ class Databases:
 
         conf.db = safeSQLIdentificatorNaming(conf.db)
 
+        if conf.col:
+            if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
+                conf.col = conf.col.upper()
+
+            colList = conf.col.split(",")
+        else:
+            colList = []
+
+        for col in colList:
+            colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
+
+        colList = filter(None, colList)
+
         if conf.tbl:
             if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
                 conf.tbl = conf.tbl.upper()
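Review bot: The restored `colList = filter(None, colList)` at the end of 4/4's first hunk is consumed as a plain list further down: `if bruteForce or colList:` in the next hunk relies on an empty result being falsy, and `len(colList) > 0` / `sorted(colList)` in the two hunks after that index and measure it. That holds only because `filter` returns a list on Python 2, which this code base targets; on Python 3 it yields a lazy iterator that is always truthy, so the branch would be taken with no `-C` names and `len()` would raise `TypeError`. Writing `colList = [col for col in colList if col]` pins the list type independently of the interpreter and costs nothing. The enclosing method begins before the hunk and ends well after it.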
@@ -427,19 +440,7 @@ class Databases:
                 logger.error(errMsg)
                 bruteForce = True
 
-        if bruteForce:
-            if conf.col:
-                if Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
-                    conf.col = conf.col.upper()
-
-                colList = conf.col.split(",")
-            else:
-                colList = []
-
-            for col in colList:
-                colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
-
-            colList = filter(None, colList)
+        if bruteForce or colList:
             resumeAvailable = False
 
             for tbl in tblList:
@@ -490,17 +491,37 @@ class Databases:
 
                     return {conf.db: kb.data.cachedColumns[conf.db]}
 
-                infoMsg = "fetching columns for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
+                infoMsg = "fetching columns "
+
+                if len(colList) > 0:
+                    if colTuple is None:
+                        colConsider, colCondParam = self.likeOrExact("column")
+                    else:
+                        colConsider, colCondParam = colTuple
+                    condQueryStr = "%%s%s" % colCondParam
+                    condQuery = " AND (%s)" % " OR ".join(condQueryStr % (condition, unsafeSQLIdentificatorNaming(col)) for col in sorted(colList))
+
+                    if colConsider == "1":
+                        infoMsg += "like '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
+                    else:
+                        infoMsg += "'%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
+                else:
+                    condQuery = ""
+
+                infoMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
                 infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
                 logger.info(infoMsg)
 
                 if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
                     query = rootQuery.inband.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
+                    query += condQuery
                 elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
                     query = rootQuery.inband.query % unsafeSQLIdentificatorNaming(tbl.upper())
+                    query += condQuery
                 elif Backend.isDbms(DBMS.MSSQL):
                     query = rootQuery.inband.query % (conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, conf.db, unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
+                    query += condQuery.replace("[DB]", conf.db)
                 elif Backend.isDbms(DBMS.SQLITE):
                     query = rootQuery.inband.query % tbl
 
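Review bot: The eighteen lines this hunk restores, from `infoMsg = "fetching columns "` down to `condQuery = ""`, are repeated verbatim in the blind-path hunk `@@ -539,19 +560,44 @@` that follows (3/4 and 4/4 removed and re-added both copies in lock-step), so every fix to the LIKE/exact handling must be made twice. Pulling them into one private helper on `Databases` that returns the `condQuery` clause and the log fragment removes the duplication, and `len(colList) > 0` becomes a plain truthiness test along the way; the MSSQL `.replace("[DB]", conf.db)` stays at the call sites exactly as today. The enclosing method — apparently `getColumns`, going by 3/4's subject — begins and ends outside the hunk, and `colTuple` and `condition` are bound there, so the helper takes them as arguments.
```python
def _columnsFilter(self, colList, colTuple, condition):
    # Shared by the inband and blind column paths: builds the " AND (...)"
    # clause that narrows the query to the -C names, plus the "like 'a, b' " /
    # "'a, b' " fragment for the log line. Both are empty without -C names.
    if not colList:
        return "", ""

    if colTuple is None:
        colConsider, colCondParam = self.likeOrExact("column")
    else:
        colConsider, colCondParam = colTuple

    names = [unsafeSQLIdentificatorNaming(col) for col in sorted(colList)]
    condQueryStr = "%%s%s" % colCondParam
    condQuery = " AND (%s)" % " OR ".join(condQueryStr % (condition, name) for name in names)
    colDesc = ("like '%s' " if colConsider == "1" else "'%s' ") % ", ".join(names)

    return condQuery, colDesc

# … unchanged: cachedColumns lookup and early return …
                condQuery, colDesc = self._columnsFilter(colList, colTuple, condition)
                infoMsg = "fetching columns %sfor table '%s' " % (colDesc, unsafeSQLIdentificatorNaming(tbl))
                infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
                logger.info(infoMsg)
# … unchanged: per-DBMS rootQuery.inband.query selection and condQuery appends …
```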
@@ -539,19 +560,44 @@ class Databases:
 
                     return {conf.db: kb.data.cachedColumns[conf.db]}
 
-                infoMsg = "fetching columns for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
+                infoMsg = "fetching columns "
+
+                if len(colList) > 0:
+                    if colTuple is None:
+                        colConsider, colCondParam = self.likeOrExact("column")
+                    else:
+                        colConsider, colCondParam = colTuple
+                    condQueryStr = "%%s%s" % colCondParam
+                    condQuery = " AND (%s)" % " OR ".join(condQueryStr % (condition, unsafeSQLIdentificatorNaming(col)) for col in sorted(colList))
+
+                    if colConsider == "1":
+                        infoMsg += "like '%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
+                    else:
+                        infoMsg += "'%s' " % ", ".join(unsafeSQLIdentificatorNaming(col) for col in sorted(colList))
+                else:
+                    condQuery = ""
+
+                infoMsg += "for table '%s' " % unsafeSQLIdentificatorNaming(tbl)
                 infoMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
                 logger.info(infoMsg)
 
                 if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
                     query = rootQuery.blind.count % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
+                    query += condQuery
+
                 elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
                     query = rootQuery.blind.count % unsafeSQLIdentificatorNaming(tbl.upper())
+                    query += condQuery
+
                 elif Backend.isDbms(DBMS.MSSQL):
                     query = rootQuery.blind.count % (conf.db, conf.db, \
                                                      unsafeSQLIdentificatorNaming(tbl).split(".")[-1])
+                    query += condQuery.replace("[DB]", conf.db)
+
                 elif Backend.isDbms(DBMS.FIREBIRD):
                     query = rootQuery.blind.count % (tbl)
+                    query += condQuery
+
                 elif Backend.isDbms(DBMS.SQLITE):
                     query = rootQuery.blind.query % tbl
                 value = inject.getValue(query, union=False, error=False)
@@ -574,15 +620,19 @@ class Databases:
                 for index in getLimitRange(count):
                     if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.PGSQL):
                         query = rootQuery.blind.query % (unsafeSQLIdentificatorNaming(tbl), unsafeSQLIdentificatorNaming(conf.db))
+                        query += condQuery
                         field = None
                     elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.DB2):
                         query = rootQuery.blind.query % unsafeSQLIdentificatorNaming(tbl.upper())
+                        query += condQuery
                         field = None
                     elif Backend.isDbms(DBMS.MSSQL):
                         query = rootQuery.blind.query.replace("'%s'", "'%s'" % unsafeSQLIdentificatorNaming(tbl).split(".")[-1]).replace("%s", conf.db).replace("%d", str(index))
+                        query += condQuery.replace("[DB]", conf.db)
                         field = condition.replace("[DB]", conf.db)
                     elif Backend.isDbms(DBMS.FIREBIRD):
                         query = rootQuery.blind.query % (tbl)
+                        query += condQuery
                         field = None
 
                     query = agent.limitQuery(index, query, field, field)