From 893bc04fe4976ebb0c2328481cb028cbe1d5b701 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Wed, 12 May 2010 11:30:32 +0000
Subject: [PATCH] changes regarding Feature #157 (Evaluate BETWEEN for
 inference algorithm)

---
 lib/core/optiondict.py            |  1 +
 lib/parse/cmdline.py              |  4 ++++
 lib/techniques/blind/inference.py | 26 +++++++++++++++++++-------
 sqlmap.conf                       |  3 +++
 4 files changed, 27 insertions(+), 7 deletions(-)

diff --git a/lib/core/optiondict.py b/lib/core/optiondict.py
index c5a444023..7bd1e9871 100644
--- a/lib/core/optiondict.py
+++ b/lib/core/optiondict.py
@@ -67,6 +67,7 @@ optDict = {
                                "regexp":            "string",
                                "eString":           "string",
                                "eRegexp":           "string",
+                               "useBetween":        "boolean",
                              },
 
             "Techniques":    {
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
index 7db4834a3..5e27bded4 100644
--- a/lib/parse/cmdline.py
+++ b/lib/parse/cmdline.py
@@ -182,6 +182,10 @@ def cmdLineParser():
                              help="Matches to be excluded before "
                                   "comparing page contents")
 
+        injection.add_option("--use-between", dest="useBetween",
+                             action="store_true",
+                             help="Use operator BETWEEN instead of default '>'")
+
         # Techniques options
         techniques = OptionGroup(parser, "Techniques", "These options can "
                                  "be used to test for specific SQL injection "
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index d6d09c6b2..445f6a3d2 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -158,18 +158,30 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                 posValueOld = posValue
                 posValue = chr(posValue)
 
-            forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+            if not conf.useBetween:
+                forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+            else:
+                forgedPayload = safeStringFormat(payload.replace('%3E', 'BETWEEN 0 AND '), (expressionUnescaped, idx, posValue))
+
             result        = Request.queryPage(urlencode(forgedPayload))
 
             if kb.dbms == "SQLite":
                 posValue = posValueOld
 
-            if result:
-                minValue = posValue
-                asciiTbl = asciiTbl[position:]
-            else:
-                maxValue = posValue
-                asciiTbl = asciiTbl[:position]
+            if not conf.useBetween:     #normal
+                if result:
+                    minValue = posValue
+                    asciiTbl = asciiTbl[position:]
+                else:
+                    maxValue = posValue
+                    asciiTbl = asciiTbl[:position]
+            else:                       #reversed
+                if result:
+                    maxValue = posValue
+                    asciiTbl = asciiTbl[:position]
+                else:
+                    minValue = posValue
+                    asciiTbl = asciiTbl[position:]
 
             if len(asciiTbl) == 1:
                 if maxValue == 1:
diff --git a/sqlmap.conf b/sqlmap.conf
index 2dfc98272..8c2ccd57f 100644
--- a/sqlmap.conf
+++ b/sqlmap.conf
@@ -184,6 +184,9 @@ eString =
 # (http://www.python.org/doc/2.5.2/lib/re-syntax.html)
 eRegexp = 
 
+# Use operator BETWEEN instead of default '>'
+# Valid: True or False
+useBetween = False
 
 # These options can be used to test for specific SQL injection technique
 # or to use one of them to exploit the affected parameter(s) rather than