diff --git a/lib/controller/checks.py b/lib/controller/checks.py index fb1bb30ca..6c803a5aa 100644 --- a/lib/controller/checks.py +++ b/lib/controller/checks.py @@ -167,6 +167,10 @@ def checkSqlInjection(place, parameter, value): continue + # Force back-end DBMS according to the current + # test value for proper payload unescaping + Backend.forceDbms(dbms) + # Skip test if it does not match the same SQL injection clause # already identified by another test clauseMatch = False @@ -359,10 +363,6 @@ def checkSqlInjection(place, parameter, value): # used afterwards by Agent.forgeInbandQuery() # method to forge the UNION query payload - # Force back-end DBMS according to the current - # test value for proper payload unescaping - Backend.forceDbms(dbms) - configUnion(test.request.char, test.request.columns) if not Backend.getIdentifiedDbms(): @@ -384,9 +384,6 @@ def checkSqlInjection(place, parameter, value): # by unionTest() directly where = vector[6] - # Reset forced back-end DBMS value - Backend.flushForcedDbms() - # If the injection test was successful feed the injection # object with the test's details if injectable is True: @@ -442,6 +439,9 @@ def checkSqlInjection(place, parameter, value): # boundaries break + # Reset forced back-end DBMS value + Backend.flushForcedDbms() + except KeyboardInterrupt: warnMsg = "Ctrl+C detected in detection phase" logger.warn(warnMsg) @@ -458,6 +458,10 @@ def checkSqlInjection(place, parameter, value): elif test[0] in ("q", "Q"): raise sqlmapUserQuitException + finally: + # Reset forced back-end DBMS value + Backend.flushForcedDbms() + # Return the injection object if injection.place is not None and injection.parameter is not None: return injection