From 35708a0b975f89357e75f8f74999900da9fe9894 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Sun, 21 Dec 2008 16:35:03 +0000
Subject: [PATCH] Minor adjustment to UNION query SQL injection detection function. Updated command line help message based upon recent developments. Updated copyright note of lib/contrib/multipartpost.py.
---
lib/contrib/multipartpost.py | 6 ++++++
lib/controller/checks.py | 7 ++-----
lib/parse/cmdline.py | 4 ++--
lib/request/comparison.py | 4 ++--
lib/techniques/inband/union/test.py | 16 ++++++++--------
5 files changed, 20 insertions(+), 17 deletions(-)
diff --git a/lib/contrib/multipartpost.py b/lib/contrib/multipartpost.py
index 9cc7a48d9..8a1ddc643 100644
--- a/lib/contrib/multipartpost.py
+++ b/lib/contrib/multipartpost.py
@@ -5,6 +5,8 @@ $Id$
02/2006 Will Holcomb
+Reference: http://odin.himinbi.org/MultipartPostHandler.py
+
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
@@ -14,6 +16,10 @@ This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with this library; if not, write to the Free Software
+Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 3050728c1..2202dab0d 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -295,15 +295,12 @@ def checkStability():
logger.info(infoMsg)
firstPage, firstHeaders = Request.queryPage(content=True)
- time.sleep(0.5)
+ time.sleep(1)
secondPage, secondHeaders = Request.queryPage(content=True)
time.sleep(0.5)
- thirdPage, thirdHeaders = Request.queryPage(content=True)
-
- condition = firstPage == secondPage
condition &= secondPage == thirdPage
+ condition = firstPage == secondPage
if condition == False:
warnMsg = "url is not stable, sqlmap will base the page "
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index f3349f130..c89180de5 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -189,7 +189,7 @@ def cmdLineParser():
"be used to enumerate the back-end database "
"management system information, structure "
"and data contained in the tables. Moreover "
- "you can run your own SQL SELECT queries.")
+ "you can run your own SQL statements.")
enumeration.add_option("-b", "--banner", dest="getBanner", action="store_true", help="Retrieve DBMS banner")
@@ -258,7 +258,7 @@ def cmdLineParser():
help="Last table entry to dump")
enumeration.add_option("--sql-query", dest="query",
- help="SQL SELECT query to be executed")
+ help="SQL statement to be executed")
enumeration.add_option("--sql-shell", dest="sqlShell", action="store_true",
diff --git a/lib/request/comparison.py b/lib/request/comparison.py
index a42542bf4..3c520818f 100644
--- a/lib/request/comparison.py
+++ b/lib/request/comparison.py
@@ -72,9 +72,9 @@ def comparison(page, headers=None, getSeqMatcher=False):
conf.seqMatcher.set_seq2(page)
if getSeqMatcher:
- return round(conf.seqMatcher.ratio(), 5)
+ return round(conf.seqMatcher.ratio(), 3)
- elif round(conf.seqMatcher.ratio(), 5) >= MATCH_RATIO:
+ elif round(conf.seqMatcher.ratio(), 3) >= MATCH_RATIO:
return True
else:
diff --git a/lib/techniques/inband/union/test.py b/lib/techniques/inband/union/test.py
index e0bd1e5dc..3ef577b7f 100644
--- a/lib/techniques/inband/union/test.py
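Review bot: The `time.sleep(0.5)` left between the second `queryPage` call and the comparison (no marker is visible on it here, so presumably a context line) now waits for nothing, because the third request it used to precede is gone; drop that line, or move the delay in front of a request it actually separates. Two samples one second apart also cannot notice content that varies on a coarser period (a per-minute timestamp, a rotating banner), and since this verdict decides whether every later page comparison is trusted, the assumption deserves a comment such as `# two samples 1s apart: assumes dynamic content changes within that window -- TODO confirm`. `if condition == False:` is clearer as `if not condition:`. `checkStability` begins before and continues after this hunk.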
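Review bot: Rounding before the threshold test, `elif round(conf.seqMatcher.ratio(), 3) >= MATCH_RATIO:`, accepts any ratio up to 0.0005 below `MATCH_RATIO` (0.9795 rounds to 0.980), and the move from five to three places widens that band a hundredfold; comparing the raw value, `elif conf.seqMatcher.ratio() >= MATCH_RATIO:`, keeps the threshold exact while the `getSeqMatcher` branch can go on rounding what it returns. `MATCH_RATIO` is defined outside this hunk, so whether the extra tolerance is intended cannot be told from here; a comment stating the intended precision, next to the constant or on this line, would settle it. This boolean is what blind-injection inference keys on, so loosening it silently is the kind of change that later surfaces as false positives. `comparison` continues past the end of the hunk.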
+++ b/lib/techniques/inband/union/test.py
@@ -54,27 +54,27 @@ def __effectiveUnionTest(query, comment):
commentedQuery = agent.postfixQuery(query, comment)
payload = agent.payload(newValue=commentedQuery)
- newResult = Request.queryPage(payload)
+ newResult = Request.queryPage(payload, getSeqMatcher=True)
if not newResult in resultDict.keys():
resultDict[newResult] = (1, commentedQuery)
else:
resultDict[newResult] = (resultDict[newResult][0] + 1, commentedQuery)
- if count:
- for element in resultDict.values():
- if element[0] == 1:
+ if count > 3:
+ for ratio, element in resultDict.items():
+ if element[0] == 1 and ratio > 0.5:
if kb.injPlace == "GET":
- value = "%s?%s" % (conf.url, payload)
+ value = "%s?%s" % (conf.url, element[1])
elif kb.injPlace == "POST":
value = "URL:\t'%s'" % conf.url
- value += "\nPOST:\t'%s'\n" % payload
+ value += "\nPOST:\t'%s'\n" % element[1]
elif kb.injPlace == "Cookie":
value = "URL:\t'%s'" % conf.url
- value += "\nCookie:\t'%s'\n" % payload
+ value += "\nCookie:\t'%s'\n" % element[1]
elif kb.injPlace == "User-Agent":
value = "URL:\t\t'%s'" % conf.url
- value += "\nUser-Agent:\t'%s'\n" % payload
+ value += "\nUser-Agent:\t'%s'\n" % element[1]
return value
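Review bot: `resultDict` is now keyed on the similarity ratio that `queryPage(..., getSeqMatcher=True)` returns — per the comparison.py hunk a float rounded to three places — rather than on the response itself, so two payloads whose responses merely score the same ratio collapse into one entry, its counter becomes 2 and `element[0] == 1` discards what may be a genuine UNION hit, while only the last `commentedQuery` for that ratio is kept. The new `count > 3` and `ratio > 0.5` tests are undocumented magic numbers; a comment is due, e.g. `# need more than 3 probes before a lone ratio is meaningful; below 0.5 is presumably an error page rather than a UNION response -- TODO confirm`. `if not newResult in resultDict.keys():` is idiomatically `if newResult not in resultDict:`. `__effectiveUnionTest` begins before this hunk, where `count` and `resultDict` are set up.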