Minor bug fix with --sql-query/shell when providing a statement with DISTINCT

2025-03-14 15:14:31 +03:00 · 2010-01-05 16:15:31 +00:00 · 2010-01-05 16:15:31 +00:00 · 80df1fdcf9
commit 80df1fdcf9
parent 954a927cee
5 changed files with 15 additions and 4 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -502,6 +502,12 @@ class Agent:
            if " ORDER BY " in limitedQuery:
                limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]

+            notDistincts = re.findall("DISTINCT[\(\s+](.+?)\)*\s+", limitedQuery, re.I)
+
+            for notDistinct in notDistincts:
+                limitedQuery = limitedQuery.replace("DISTINCT(%s)" % notDistinct, notDistinct)
+                limitedQuery = limitedQuery.replace("DISTINCT %s" % notDistinct, notDistinct)
+
            if limitedQuery.startswith("SELECT TOP ") or limitedQuery.startswith("TOP "):
                topNums         = re.search(queries[kb.dbms].limitregexp, limitedQuery, re.I)

@ -517,11 +523,13 @@ class Agent:
                    limitedQuery    = limitedQuery.replace("TOP %s " % topNum, "")

            if forgeNotIn:
-                limitedQuery  = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
+                limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
+
                if " WHERE " in limitedQuery:
                    limitedQuery  = "%s AND %s " % (limitedQuery, field)
                else:
                    limitedQuery  = "%s WHERE %s " % (limitedQuery, field)
+
                limitedQuery += "NOT IN (%s" % (limitStr % num)
                limitedQuery += "%s %s)" % (field, fromFrom)

--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -510,7 +510,7 @@ def parsePasswordHash(password):
            password += "%suppercase: %s" % (blank, hexPassword[54:])

    return password
-        
+
 def cleanQuery(query):
    upperQuery = query

--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -74,6 +74,7 @@ SQL_STATEMENTS     = {
                             "select ",
                             "show ",
                             " top ",
+                             " distinct ",
                             " from ",
                             " from dual",
                             " where ",
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@ -350,6 +350,8 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None,
    expression = expandAsteriskForColumns(expression)
    value      = None

+    expression = expression.replace("DISTINCT ", "")
+
    if inband and kb.unionPosition:
        if kb.dbms == "Oracle" and " ORDER BY " in expression:
            expression = expression[:expression.index(" ORDER BY ")]
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@ -1076,8 +1076,8 @@ class Enumeration:
                    dumper.dbTableValues(data)

    def sqlQuery(self, query):
-        output      = None
-        sqlType     = None
+        output  = None
+        sqlType = None

        for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
            for sqlStatement in sqlStatements: