From 919f75db9b3a6cd93668048fc23a5351be8ecac8 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sun, 28 Oct 2012 23:09:35 +0100
Subject: [PATCH] Improvement and fix for pivotDumpTable mechanism
---
 lib/utils/pivotdumptable.py | 13 ++++---------
 xml/queries.xml | 2 +-
 2 files changed, 5 insertions(+), 10 deletions(-)
diff --git a/lib/utils/pivotdumptable.py b/lib/utils/pivotdumptable.py
index 52304db5a..01305cc84 100644
--- a/lib/utils/pivotdumptable.py
+++ b/lib/utils/pivotdumptable.py
@@ -23,6 +23,7 @@ from lib.core.exception import sqlmapConnectionException
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.settings import INFERENCE_UNKNOWN_CHAR
 from lib.core.settings import MAX_INT
+from lib.core.unescaper import unescaper
 from lib.request import inject
 def pivotDumpTable(table, colList, count=None, blind=True):
@@ -101,23 +102,17 @@ def pivotDumpTable(table, colList, count=None, blind=True):
 for column in colList:
 def _(pivotValue):
- # Correction for pivotValues with unrecognized/problematic chars
- for char in (INFERENCE_UNKNOWN_CHAR, '\''):
- if pivotValue and char in pivotValue and pivotValue[0] != char:
- pivotValue = pivotValue.split(char)[0]
- pivotValue = pivotValue[:-1] + decodeIntToUnicode(ord(pivotValue[-1]) + 1)
- break
 if column == colList[0]:
- query = dumpNode.query % (column, table, column, pivotValue)
+ query = dumpNode.query.replace("'%s'", "%s") % (column, table, column, unescaper.unescape(pivotValue, False))
 else:
- query = dumpNode.query2 % (column, table, colList[0], pivotValue)
+ query = dumpNode.query2.replace("'%s'", "%s") % (column, table, colList[0], unescaper.unescape(pivotValue, False))
 return unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))
 value = _(pivotValue)
 if column == colList[0]:
 if isNoneValue(value):
- for pivotValue in filter(None, (" " if pivotValue == " " else None, "%s%s" % (pivotValue[0], chr(ord(pivotValue[1]) + 1)) if len(pivotValue) > 1 else None, chr(ord(pivotValue[0]) + 1))):
+ for pivotValue in filter(None, (" " if pivotValue == " " else None, "%s%s" % (pivotValue[0], unichr(ord(pivotValue[1]) + 1)) if len(pivotValue) > 1 else None, unichr(ord(pivotValue[0]) + 1))):
 value = _(pivotValue)
 if not isNoneValue(value):
 break
diff --git a/xml/queries.xml b/xml/queries.xml
index 888ee82d7..658ca1026 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -472,7 +472,7 @@
-
+
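Review bot: Both branches of `_()` now depend on the template in `xml/queries.xml` containing the literal `'%s'`: `.replace("'%s'", "%s")` is a silent no-op if the placeholder is quoted any other way, and it rewrites every quoted placeholder in the template, not only the pivot one. Since `unescaper.unescape(pivotValue, False)` presumably returns an already encoded, unquoted expression, a template that keeps its quotes would compare against the wrong literal without raising anything. I would select the template once, e.g. `template = dumpNode.query if column == colList[0] else dumpNode.query2`, and document the contract with a comment such as `# pivot placeholder must be unquoted: the unescaped value carries its own encoding`. The removed correction was also the only visible handling of `INFERENCE_UNKNOWN_CHAR` inside a pivot value, so it is worth confirming that a partially inferred pivot can no longer stall or skip rows in the dump. The enclosing `pivotDumpTable` starts and ends outside this hunk.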