From a074efe75ed7302d4106c42eee253a52d841b5b7 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Wed, 5 Nov 2014 10:46:11 +0100
Subject: [PATCH] Minor improvement of error-based SQLi when trimmed output is detected (trying to reconstruct)

---
 lib/techniques/error/use.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index f6c960484..47098eb44 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -74,7 +74,7 @@ def _oneShotErrorUse(expression, field=None):
         try:
             while True:
                 check = "%s(?P.*?)%s" % (kb.chars.start, kb.chars.stop)
-                trimcheck = "%s(?P.*?)[^<]*)" % (kb.chars.start)
 
                 if field:
                     nulledCastedField = agent.nullAndCastField(field)
@@ -130,6 +130,10 @@ def _oneShotErrorUse(expression, field=None):
                             warnMsg += safecharencode(trimmed)
                             logger.warn(warnMsg)
 
+                        if not kb.testMode:
+                            check = "(?P.*?)%s" % kb.chars.stop[:2]
+                            output = extractRegexResult(check, trimmed, re.IGNORECASE)
+
                         if any(Backend.isDbms(dbms) for dbms in (DBMS.MYSQL, DBMS.MSSQL)):
                             if offset == 1:
                                 retVal = output
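Review bot: The reconstruction in the second hunk terminates the capture on only the first two characters of the stop marker (`kb.chars.stop[:2]`), matched case-insensitively and unescaped, so any occurrence of that short sequence inside the server-returned `trimmed` text ends the value early and the truncated string then flows into `retVal = output` (and presumably the hash cache) as if it were complete. Assuming the stop marker is a short random token, as its use in the full `check` pattern suggests, a two-character terminator is easy to hit in real data; trying the longest prefix of the marker that is still present, and escaping it with `re.escape` in case it ever contains regex metacharacters, narrows the false-positive window considerably. It would also help to log that the value was reconstructed from trimmed output and may be incomplete, e.g. `logger.debug("reconstructing value from trimmed output (may be incomplete)")`, so the caveat is visible when the result is later reused. The enclosing `_oneShotErrorUse` begins before and continues after both hunks, so the later use of `output` and the `chunkTest` handling are not visible here.

```python
                        if not kb.testMode:
                            # Prefer the longest prefix of the stop marker still present in the
                            # trimmed output; a two-character terminator is easy to hit inside data.
                            output = None
                            for length in range(len(kb.chars.stop) - 1, 1, -1):
                                check = "(?P<result>.*?)%s" % re.escape(kb.chars.stop[:length])
                                output = extractRegexResult(check, trimmed, re.IGNORECASE)
                                if output is not None:
                                    break
                        # … unchanged: DBMS-specific chunk/offset handling …
```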