Major bug fix

2024-11-22 09:36:35 +03:00 · 2008-12-17 21:35:04 +00:00 · 2008-12-17 21:35:04 +00:00 · 6dec56d616
commit 6dec56d616
parent bb9079aa9d
2 changed files with 10 additions and 6 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -246,7 +246,7 @@ class Agent:
        @rtype: C{str}
        """

-        if "(SELECT " in query:
+        if query.startswith("SELECT ") and "(SELECT " in query:
            firstChar = "\\("
        else:
            firstChar = "\\A"
@ -271,6 +271,9 @@ class Agent:
        fieldsToCastList = fieldsToCastStr.replace(", ", ",")
        fieldsToCastList = fieldsToCastList.split(",")

+        if query.startswith("SELECT ") and "(SELECT " in query:
+            fieldsSelectFrom = None
+
        return fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsToCastList, fieldsToCastStr


@ -390,7 +393,7 @@ class Agent:
                inbandQuery += ", "

            if element == exprPosition:
-                if " FROM " in query:
+                if " FROM " in query and not query.startswith("SELECT ") and not "(SELECT " in query:
                    conditionIndex = query.rindex(" FROM ")
                    inbandQuery += "%s" % query[:conditionIndex]
                else:
@ -398,7 +401,7 @@ class Agent:
            else:
                inbandQuery += "NULL"

-        if " FROM " in query:
+        if " FROM " in query and not query.startswith("SELECT ") and not "(SELECT " in query:
            conditionIndex = query.rindex(" FROM ")
            inbandQuery += "%s" % query[conditionIndex:]

--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@ -43,6 +43,9 @@ def cmdLineParser():
    parser = OptionParser(usage=usage, version=VERSION_STRING)

    try:
+        parser.add_option("-v", dest="verbose", type="int",
+                          help="Verbosity level: 0-5 (default 1)")
+
        # Target options
        target = OptionGroup(parser, "Target", "At least one of these "
                             "options has to be specified to set the source "
@ -161,6 +164,7 @@ def cmdLineParser():
        techniques.add_option("--time-test", dest="timeTest",
                              action="store_true",
                              help="Test for Time based blind SQL injection")
+
        techniques.add_option("--union-test", dest="unionTest",
                              action="store_true",
                              help="Test for UNION query (inband) SQL injection")
@ -293,9 +297,6 @@ def cmdLineParser():
                                      "calculate the estimated time of arrival "
                                      "in real time")

-        miscellaneous.add_option("-v", dest="verbose", type="int",
-                                 help="Verbosity level: 0-5 (default 1)")
-
        miscellaneous.add_option("--update", dest="updateAll", action="store_true",
                                help="Update sqlmap to the latest stable version")