From 78ba33737ef06cecdee019cad56ffda267d191ee Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Tue, 1 Dec 2020 12:16:15 +0100
Subject: [PATCH] Patch for known NCHAR/UNION-query SQLi problems
---
 lib/core/agent.py | 3 +++
 lib/core/option.py | 1 +
 lib/core/settings.py | 2 +-
 lib/techniques/union/use.py | 8 ++++++++
 4 files changed, 13 insertions(+), 1 deletion(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index a7b52ac47..2ef651584 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -499,6 +499,9 @@ class Agent(object):
 if suffix:
 nulledCastedField += suffix
+ if not kb.nchar:
+ nulledCastedField = re.sub(r"( AS )N(CHAR|VARCHAR)", r"\g<1>\g<2>", nulledCastedField)
+
 return nulledCastedField
 def nullCastConcatFields(self, fields):
diff --git a/lib/core/option.py b/lib/core/option.py
index 1d9a6bf2d..7049b4036 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -2071,6 +2071,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
 kb.mergeCookies = None
 kb.multipleCtrlC = False
 kb.negativeLogic = False
+ kb.nchar = True
 kb.nullConnection = None
 kb.oldMsf = None
 kb.orderByColumns = None
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 3a0e74484..9139d024f 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@ from lib.core.enums import OS
 from thirdparty.six import unichr as _unichr
 # sqlmap version (...)
-VERSION = "1.4.11.17"
+VERSION = "1.4.12.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/techniques/union/use.py b/lib/techniques/union/use.py
index af3a80c75..3b39a832d 100644
--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py 
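Review bot: The fallback rewrite under `if not kb.nchar:` runs `re.sub(r"( AS )N(CHAR|VARCHAR)", ...)` over the whole `nulledCastedField` after `suffix` has already been appended, so it touches anything in the suffix too, and the same pattern is spelled out a second time in `_oneShotUnionUse`; if one copy is later extended (say to other national types) the other will silently disagree. I would hoist it into one constant in lib/core/settings.py, e.g. `NCHAR_CAST_REGEX = r"( AS )N(CHAR|VARCHAR)"`, and reference it from both places. The branch also deserves a why-comment because the decision is taken elsewhere: `# NCHAR casting was found incompatible with the target's columns (see _oneShotUnionUse); fall back to plain CHAR/VARCHAR`. nullAndCastField's body starts before this hunk, so I cannot confirm from here that the cast templates it builds are the only source of " AS N..." in the field.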
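Review bot: `kb.nchar = True` is added with no hint of what it controls or who clears it, yet this flag is flipped at runtime from lib/techniques/union/use.py and then changes every later cast built by Agent.nullAndCastField. A trailing comment would save the next reader a grep: `kb.nchar = True  # NCHAR/NVARCHAR casting in UNION payloads; cleared by _oneShotUnionUse() on known incompatibilities`. _setKnowledgeBaseAttributes continues outside this hunk, so I cannot tell whether the flag is also reset anywhere else.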
@@ -157,12 +157,20 @@ def _oneShotUnionUse(expression, unpack=True, limited=False):
 warnMsg += "(probably due to its length and/or content): "
 warnMsg += safecharencode(trimmed)
 logger.warn(warnMsg)
+
 elif re.search(r"ORDER BY [^ ]+\Z", expression):
 debugMsg = "retrying failed SQL query without the ORDER BY clause"
 singleTimeDebugMessage(debugMsg)
 expression = re.sub(r"\s*ORDER BY [^ ]+\Z", "", expression)
 retVal = _oneShotUnionUse(expression, unpack, limited)
+
+ elif kb.nchar and re.search(r" AS N(CHAR|VARCHAR)", agent.nullAndCastField(expression)):
 debugMsg = "turning off NATIONAL CHARACTER casting" # NOTE: in some cases there are "known" incompatibilities between original columns and NCHAR (e.g. http://testphp.vulnweb.com/artists.php?artist=1)
 singleTimeDebugMessage(debugMsg)
+
+ kb.nchar = False
+ retVal = _oneShotUnionUse(expression, unpack, limited)
 else:
 vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
 kb.unionDuplicates = vector[7]
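Review bot: `kb.nchar = False` in the new `elif` is a process-wide, one-way switch: once a single query trips it, every later UNION query in the run is built without NCHAR casting, including ones where it was working, and it is not restored when the retry itself fails. The enclosing failure condition is above line 157 so I cannot see how failure is signalled, but if `retVal` carries it I would restore the flag when the fallback did not help, e.g. `if not retVal: kb.nchar = True`, or keep the flag per injection rather than on the global kb. The detection pattern `r" AS N(CHAR|VARCHAR)"` duplicates the one in agent.nullAndCastField and should share a constant so the two cannot drift. Style: the long `# NOTE: ...` trailing the `debugMsg = ...` assignment would read better on its own line above it.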