From 7bf9e3e7b4fef6b451e8722a7880e5343955aa04 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Wed, 6 Nov 2024 12:51:23 +0100
Subject: [PATCH] Another patch for #5798

---
 data/txt/sha256sums.txt     | 4 ++--
 lib/core/settings.py        | 2 +-
 lib/techniques/union/use.py | 6 +++++-
 3 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
index 502654f7e..d4fe04072 100644
--- a/data/txt/sha256sums.txt
+++ b/data/txt/sha256sums.txt
@@ -188,7 +188,7 @@ bf77f9fc4296f239687297aee1fd6113b34f855965a6f690b52e26bd348cb353  lib/core/profi
 4eff81c639a72b261c8ba1c876a01246e718e6626e8e77ae9cc6298b20a39355  lib/core/replication.py
 bbd1dcda835934728efc6d68686e9b0da72b09b3ee38f3c0ab78e8c18b0ba726  lib/core/revision.py
 eed6b0a21b3e69c5583133346b0639dc89937bd588887968ee85f8389d7c3c96  lib/core/session.py
-adc1416c7893869711eda091bb4d8b0699a528f012a79377be3cf3e336b4474a  lib/core/settings.py
+a867a1f50577f9e6d17bc5f4c977bab7ea817ba3d1cdea023306fdf2d2a05d61  lib/core/settings.py
 2bec97d8a950f7b884e31dfe9410467f00d24f21b35672b95f8d68ed59685fd4  lib/core/shell.py
 e90a359b37a55c446c60e70ccd533f87276714d0b09e34f69b0740fd729ddbf8  lib/core/subprocessng.py
 54f7c70b4c7a9931f7ff3c1c12030180bde38e35a306d5e343ad6052919974cd  lib/core/target.py
@@ -240,7 +240,7 @@ f948fefb0fa67da8cf037f7abbcdbb740148babda9ad8a58fab1693456834817  lib/techniques
 99d0e94dd5fe60137abf48bfa051129fb251f5c40f0f7a270c89fbcb07323730  lib/techniques/__init__.py
 99d0e94dd5fe60137abf48bfa051129fb251f5c40f0f7a270c89fbcb07323730  lib/techniques/union/__init__.py
 700cc5e8cae85bd86674d0cb6c97093fde2c52a480cc1e40ae0010fffd649395  lib/techniques/union/test.py
-4252a1829e60bb9a69e3927bf68a320976b8ef637804b7032d7497699f2e89e7  lib/techniques/union/use.py
+a78235881a80d2ce8a069a3c743b4af415ed6f0a54b120190909d1e206048259  lib/techniques/union/use.py
 6b3f83a85c576830783a64e943a58e90b1f25e9e24cd51ae12b1d706796124e9  lib/utils/api.py
 e00740b9a4c997152fa8b00d3f0abf45ae15e23c33a92966eaa658fde83c586f  lib/utils/brute.py
 c0a4765aa80c5d9b7ef1abe93401a78dd45b2766a1f4ff6286287dc6188294de  lib/utils/crawler.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 640e0ede6..d8f79e7df 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import OS
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.8.11.1"
+VERSION = "1.8.11.2"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/techniques/union/use.py b/lib/techniques/union/use.py
index 0a7535649..982861b2d 100644
--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@@ -37,6 +37,7 @@ from lib.core.common import singleTimeWarnMessage
 from lib.core.common import unArrayizeValue
 from lib.core.common import wasLastResponseDBMSError
 from lib.core.compat import xrange
+from lib.core.convert import decodeBase64
 from lib.core.convert import getUnicode
 from lib.core.convert import htmlUnescape
 from lib.core.data import conf
@@ -126,6 +127,9 @@ def _oneShotUnionUse(expression, unpack=True, limited=False):
                         try:
                             retVal = ""
                             for row in json.loads(output):
+                                # NOTE: for cases with automatic MySQL Base64 encoding of JSON array values, like: ["base64:type15:MQ=="]
+                                for match in re.finditer(r"base64:type\d+:([^ ]+)", row):
+                                    row = row.replace(match.group(0), decodeBase64(match.group(1), binary=False))
                                 retVal += "%s%s%s" % (kb.chars.start, row, kb.chars.stop)
                         except:
                             retVal = None
@@ -254,7 +258,7 @@ def unionUse(expression, unpack=True, dump=False):
 
     if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ORACLE, DBMS.PGSQL, DBMS.MSSQL, DBMS.SQLITE) and expressionFields and not any((conf.binaryFields, conf.limitStart, conf.limitStop, conf.forcePartial, conf.disableJson)):
         match = re.search(r"SELECT\s*(.+?)\bFROM", expression, re.I)
-        if match and not (Backend.isDbms(DBMS.ORACLE) and FROM_DUMMY_TABLE[DBMS.ORACLE] in expression) and not re.search(r"\b(MIN|MAX|COUNT)\(", expression):
+        if match and not (Backend.isDbms(DBMS.ORACLE) and FROM_DUMMY_TABLE[DBMS.ORACLE] in expression) and not re.search(r"\b(MIN|MAX|COUNT|EXISTS)\(", expression):
             kb.jsonAggMode = True
             if Backend.isDbms(DBMS.MYSQL):
                 query = expression.replace(expressionFields, "CONCAT('%s',JSON_ARRAYAGG(CONCAT_WS('%s',%s)),'%s')" % (kb.chars.start, kb.chars.delimiter, expressionFields, kb.chars.stop), 1)