From 80df1fdcf9eb2433bd39af52820afcb1d0281683 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Tue, 5 Jan 2010 16:15:31 +0000
Subject: [PATCH] Minor bug fix with --sql-query/shell when providing a statement with DISTINCT
---
 lib/core/agent.py | 10 +++++++++-
 lib/core/common.py | 2 +-
 lib/core/settings.py | 1 +
 lib/request/inject.py | 2 ++
 plugins/generic/enumeration.py | 4 ++--
 5 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index be05eb5f4..5853cfbd2 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -502,6 +502,12 @@ class Agent:
 if " ORDER BY " in limitedQuery:
 limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
+ notDistincts = re.findall("DISTINCT[\(\s+](.+?)\)*\s+", limitedQuery, re.I)
+
+ for notDistinct in notDistincts:
+ limitedQuery = limitedQuery.replace("DISTINCT(%s)" % notDistinct, notDistinct)
+ limitedQuery = limitedQuery.replace("DISTINCT %s" % notDistinct, notDistinct)
+
 if limitedQuery.startswith("SELECT TOP ") or limitedQuery.startswith("TOP "):
 topNums = re.search(queries[kb.dbms].limitregexp, limitedQuery, re.I)
@@ -517,11 +523,13 @@ class Agent:
 limitedQuery = limitedQuery.replace("TOP %s " % topNum, "")
 if forgeNotIn:
- limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
+ limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
+
 if " WHERE " in limitedQuery:
 limitedQuery = "%s AND %s " % (limitedQuery, field)
 else:
 limitedQuery = "%s WHERE %s " % (limitedQuery, field)
+
 limitedQuery += "NOT IN (%s" % (limitStr % num)
 limitedQuery += "%s %s)" % (field, fromFrom)
diff --git a/lib/core/common.py b/lib/core/common.py
index 101870e38..b45c31132 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -510,7 +510,7 @@ def parsePasswordHash(password):
 password += "%suppercase: %s" % (blank, hexPassword[54:])
 return password
-
+
 def cleanQuery(query):
 upperQuery = query
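Review bot: The DISTINCT stripping in the first agent.py hunk can silently do nothing, because `re.findall` runs with `re.I` while the two `str.replace` calls only look for the upper-case literals `DISTINCT(%s)` and `DISTINCT %s`, so a statement written as `distinct(col)` is captured but never rewritten (unless limitedQuery has already been upper-cased before this point, which the hunk does not show). The class `[\(\s+]` also makes `+` a literal member rather than a quantifier, and the lazy `(.+?)` stops at the first whitespace, so `DISTINCT(expr with spaces)` or a nested call captures only a prefix and again neither replace matches. Because notDistinct is taken from the user-supplied statement, a pattern built from it must be escaped; replacing the two replace lines with `limitedQuery = re.compile(r"DISTINCT[\(\s]%s\)?" % re.escape(notDistinct), re.I).sub(lambda m: notDistinct, limitedQuery)` and writing the findall pattern as a raw string, `r"DISTINCT[\(\s](.+?)\)*\s+"`, keeps the match and the rewrite consistent. The enclosing method starts before and continues after this hunk; the second agent.py hunk and the common.py hunk are whitespace only.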
diff --git a/lib/core/settings.py b/lib/core/settings.py
index c7e1a9cd7..4238da9c0 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -74,6 +74,7 @@ SQL_STATEMENTS = {
 "select ",
 "show ",
 " top ",
+ " distinct ",
 " from ",
 " from dual",
 " where ",
diff --git a/lib/request/inject.py b/lib/request/inject.py
index 524055ca5..113ec5ab1 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -350,6 +350,8 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None,
 expression = expandAsteriskForColumns(expression)
 value = None
+ expression = expression.replace("DISTINCT ", "")
+
 if inband and kb.unionPosition:
 if kb.dbms == "Oracle" and " ORDER BY " in expression:
 expression = expression[:expression.index(" ORDER BY ")]
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index 7f4ff1d41..05c1c921c 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -1076,8 +1076,8 @@ class Enumeration:
 dumper.dbTableValues(data)
 def sqlQuery(self, query):
- output = None
- sqlType = None
+ output = None
+ sqlType = None
 for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
 for sqlStatement in sqlStatements:
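Review bot: `expression.replace("DISTINCT ", "")` in the inject.py hunk is case-sensitive and replaces every occurrence, so a lower-case `distinct col` passes through untouched while `DISTINCT ` inside a quoted literal elsewhere in the statement is rewritten as well; it also leaves the `DISTINCT(col)` spelling alone even though the agent.py hunk in this same commit strips both forms. Dropping the keyword presumably changes what the user asked for (duplicate rows can now come back on both the inband and blind paths below), which deserves a one-line comment at the new line saying why the keyword is removed before retrieval. If `re` is in scope in inject.py (the hunk does not show the imports), `expression = re.compile(r"\bDISTINCT\s+", re.I).sub("", expression)` at least makes the match case-insensitive and word-bounded, in line with the `re.I` used in agent.py. getValue's body continues outside the hunk; the settings.py hunk is a single list entry and the enumeration.py hunk is whitespace only.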