From b824826a89b5b8f665c4e744d0b8a6e8e6f262b1 Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Fri, 3 Dec 2010 14:39:51 +0000
Subject: [PATCH] Minor enhancement to prefix payload in ORDER BY and GROUP BY clauses

---
 lib/controller/checks.py | 2 +-
 lib/core/agent.py | 8 +++++---
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 98d3b7d2e..f82ab0583 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -257,7 +257,7 @@ def checkSqlInjection(place, parameter, value):
 if where == 1:
 origValue = value
 elif where == 2:
- origValue = "-%s" % value
+ origValue = "-%s" % randomInt()
 elif where == 3:
 origValue = ""
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 72425aadf..f675465e3 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -83,7 +83,7 @@ class Agent:
 if where == 1:
 value = origValue
 elif where == 2:
- value = "-%s" % origValue
+ value = "-%s" % randomInt()
 elif where == 3:
 value = ""
 else:
@@ -155,10 +155,12 @@ class Agent:
 # payload, do not put a space after the prefix
 if kb.technique == 4:
 query = kb.injection.prefix
- elif kb.technique and kb.technique in kb.injection.data:
+ elif (kb.technique and kb.technique in kb.injection.data) or \
+ (kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ]):
 where = kb.injection.data[kb.technique].where
- if where == 3:
+ if where == 3 or (kb.injection.clause == [2, 3] or \
+ kb.injection.clause == [ 2 ]):
 query = kb.injection.prefix
 if query is None:
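Review bot: The `where == 2` value derivation is now written out identically in two places — `origValue = "-%s" % randomInt()` here in checkSqlInjection and `value = "-%s" % randomInt()` in the Agent hunk at line 83 of agent.py — so a future change to one is likely to miss the other; a small shared helper returning the value for a given `where` would keep them in step. Neither hunk shows `randomInt` being imported into checks.py or agent.py, so it is worth confirming the name is already in scope in both modules. A short comment on the `where == 2` branch explaining why a fresh random integer replaces the original value, e.g. `# where == 2: substitute a random negative integer for the original value`, would also help readers of both files. checkSqlInjection continues outside this hunk.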
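Review bot: The widened `elif` in the agent.py hunk at line 155 lets the branch run when `kb.technique` is falsy or is not a key of `kb.injection.data`, yet the very next line still indexes `kb.injection.data[kb.technique]` unconditionally, so an ORDER BY / GROUP BY clause without a matching technique entry raises KeyError (or a lookup on None) instead of taking the prefix. The clause test is also repeated in the inner `if`, which makes the `where == 3` comparison redundant whenever the clause matches, and the two spellings `[2, 3]` and `[ 2 ]` are inconsistent. Splitting the clause case into its own `elif` and using `kb.injection.clause in ([2], [2, 3])` once resolves both, assuming `clause` is a plain list as the comparisons imply. The enclosing method starts before this hunk, and the hunk may continue past the last line visible here.
```python
        elif kb.technique and kb.technique in kb.injection.data:
            where = kb.injection.data[kb.technique].where
            if where == 3 or kb.injection.clause in ([2], [2, 3]):
                query = kb.injection.prefix
        elif kb.injection.clause in ([2], [2, 3]):
            query = kb.injection.prefix
        # … unchanged: fall-through to the "if query is None" handling …
```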