diff --git a/lib/core/agent.py b/lib/core/agent.py
index f4a6cd9f7..d86c73f4a 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -507,11 +507,12 @@ class Agent:
@rtype: C{str}
"""
- limitedQuery = query
- limitStr = queries[kb.dbms].limit
- fromIndex = limitedQuery.index(" FROM ")
- untilFrom = limitedQuery[:fromIndex]
- fromFrom = limitedQuery[fromIndex+1:]
+ limitedQuery = query
+ limitStr = queries[kb.dbms].limit
+ fromIndex = limitedQuery.index(" FROM ")
+ untilFrom = limitedQuery[:fromIndex]
+ fromFrom = limitedQuery[fromIndex+1:]
+ orderBy = False
if kb.dbms in ( "MySQL", "PostgreSQL", "SQLite" ):
limitStr = queries[kb.dbms].limit % (num, 1)
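Review bot: The new `orderBy = False` initialiser is later overwritten with a `str` slice in the Oracle and Microsoft SQL Server branches, so the variable changes type depending on the branch taken; `orderBy = None` keeps it a single optional-string sentinel and still satisfies the final `if orderBy:` test. The method's docstring, which ends just above this hunk, does not say that a trailing ORDER BY clause is now detached before the limit rewrite and re-attached to the result; a sentence such as `Any trailing ORDER BY clause is removed before the limit is applied and appended again to the returned query.` would document that. The enclosing method starts before this hunk.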
@@ -523,6 +524,7 @@ class Agent:
elif kb.dbms == "Oracle":
if " ORDER BY " in limitedQuery and "(SELECT " in limitedQuery:
+ orderBy = limitedQuery[limitedQuery.index(" ORDER BY "):]
limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
if query.startswith("SELECT "):
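Review bot: The capture `orderBy = limitedQuery[limitedQuery.index(" ORDER BY "):]` takes the first occurrence, while the guard on the line above only enters this branch when the query also contains `"(SELECT "`; if that first ORDER BY belongs to the inner subquery, the slice carries everything after it, including the outer statement's remaining text and closing parenthesis, and that text is later re-appended after the limit clause. An ORDER BY that belongs to the outer statement is the last one in the text, so `rindex(" ORDER BY ")` would be the safer anchor if only the outermost clause is meant, and the intended case deserves a comment either way. The same capture is repeated in the Microsoft SQL Server branch of the next hunk. The enclosing method starts before and ends after this hunk.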
@@ -536,6 +538,7 @@ class Agent:
forgeNotIn = True
if " ORDER BY " in limitedQuery:
+ orderBy = limitedQuery[limitedQuery.index(" ORDER BY "):]
limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
notDistincts = re.findall("DISTINCT[\(\s+](.+?)\)*\s+", limitedQuery, re.I)
@@ -569,6 +572,9 @@ class Agent:
limitedQuery += "NOT IN (%s" % (limitStr % num)
limitedQuery += "%s %s)" % (field, fromFrom)
+ if orderBy:
+ limitedQuery += orderBy
+
return limitedQuery
def forgeCaseStatement(self, expression):
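Review bot: The clause appended by `limitedQuery += orderBy` may already be inside the rewritten query, because `fromFrom` is sliced from the original query at the top of the method (`fromFrom = limitedQuery[fromIndex+1:]`) before the ORDER BY is cut off, and the Microsoft SQL Server path embeds `fromFrom` in the NOT IN subquery on the line `limitedQuery += "%s %s)" % (field, fromFrom)`. The result then carries the ORDER BY both inside the subquery and at the end; if ordering the inner TOP is intended, a comment saying so would spare the next reader a double-take, otherwise `fromFrom` should be recomputed after the clause is stripped. Whether the Oracle rewrite uses `fromFrom` the same way is not visible in this diff. The enclosing method starts before this hunk.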
diff --git a/lib/request/inject.py b/lib/request/inject.py
index 61b13b690..cd2913f4c 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -362,9 +362,6 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None,
expression = expression.replace("DISTINCT ", "")
if inband and kb.unionPosition:
- if kb.dbms == "Oracle" and " ORDER BY " in expression:
- expression = expression[:expression.index(" ORDER BY ")]
-
value = __goInband(expression, expected, sort, resumeValue, unpack)
if not value:
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index b3fada7bc..06f91223f 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -187,16 +187,9 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh
for num in xrange(startLimit, stopLimit):
if kb.dbms == "Microsoft SQL Server":
- orderBy = re.search(" ORDER BY ([\w\_]+)", expression, re.I)
-
- if orderBy:
- field = orderBy.group(1)
- else:
- field = expressionFieldsList[0]
-
+ field = expressionFieldsList[0]
elif kb.dbms == "Oracle":
field = expressionFieldsList
-
else:
field = None
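Review bot: `field = expressionFieldsList[0]` now indexes the list unconditionally for Microsoft SQL Server, where the removed regex branch could previously take the field from an explicit ORDER BY column; whether `expressionFieldsList` is guaranteed non-empty here is not visible in the hunk, so an empty list would raise IndexError. A comment such as `# ORDER BY is detached and re-applied by Agent.limitQuery; paginate on the first selected field` would record why the regex lookup was dropped. If this was the file's only use of `re`, the import can go as well. The enclosing loop and function start before and end after this hunk.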
diff --git a/xml/queries.xml b/xml/queries.xml
index 941fb3a3e..b24aa9c81 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -31,25 +31,25 @@
-
-
+
+
-
+
-
+
-
-
+
+
-
+
@@ -92,7 +92,7 @@
-->
-
+
@@ -166,25 +166,25 @@
-
-
+
+
-
+
-
+
-
-
+
+
-
+
@@ -223,23 +223,23 @@
-
-
+
+
-
+
-
-
+
+
-
-
+
+
@@ -287,8 +287,8 @@
-
-
+
+