From dd450b53f402633680ca9dad639c4ae370c376bc Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Mon, 20 May 2019 15:13:52 +0200
Subject: [PATCH] Less requests in case of non-injectable parameters
---
 lib/controller/checks.py | 34 ++++++++++++++++++++++++++--------
 lib/core/settings.py | 2 +-
 lib/techniques/union/test.py | 4 +++-
 3 files changed, 30 insertions(+), 10 deletions(-)
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 4ba0079f1..9de54213b 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -345,15 +345,16 @@ def checkSqlInjection(place, parameter, value):
 match = re.search(r"(\d+)-(\d+)", test.request.columns)
 if match and not injection.data:
 _ = test.request.columns.split('-')[-1]
- if conf.uCols is None and _.isdigit() and int(_) > 10:
+ if conf.uCols is None and _.isdigit():
 if kb.futileUnion is None:
- msg = "it is not recommended to perform "
- msg += "extended UNION tests if there is not "
+ msg = "it is recommended to perform "
+ msg += "only basic UNION tests if there is not "
 msg += "at least one other (potential) "
- msg += "technique found. Do you want to skip? [Y/n] "
- kb.futileUnion = not readInput(msg, default='Y', boolean=True)
+ msg += "technique found. Do you want to reduce "
+ msg +="the number of requests? [Y/n] "
+ kb.futileUnion = readInput(msg, default='Y', boolean=True)
- if kb.futileUnion is False:
+ if kb.futileUnion and int(_) > 10:
 debugMsg = "skipping test '%s'" % title
 logger.debug(debugMsg)
 continue
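Review bot: The new line `msg +="the number of requests? [Y/n] "` drops the space after `+=` that every neighbouring `msg += ` line keeps; it should read `msg += "the number of requests? [Y/n] "`. The meaning of `kb.futileUnion` also flips in this hunk, from "user declined to skip" (tested with `is False`) to "user chose to reduce requests" (tested by truthiness), so any other reader of that attribute outside this patch that still compares against `is False` would now behave inversely; the union/test.py hunk already uses the truthy form, but the rest of the tree is not visible here. The prompt is now shown for the first UNION test with a numeric upper column count rather than only for extended (>10 columns) ones, which appears intended since the answer also short-circuits column counting in _findUnionCharCount, and deserves a one-line comment above `if conf.uCols is None and _.isdigit():` such as `# Ask once; a positive answer also shortens column counting in _findUnionCharCount`. checkSqlInjection begins and ends outside the hunk.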
@@ -499,14 +500,31 @@ def checkSqlInjection(place, parameter, value):
 return cmpPayload
- # Useful to set kb.matchRatio at first based on
- # the False response content
+ # Useful to set kb.matchRatio at first based on False response content
 kb.matchRatio = None
 kb.negativeLogic = (where == PAYLOAD.WHERE.NEGATIVE)
 Request.queryPage(genCmpPayload(), place, raise404=False)
 falsePage, falseHeaders, falseCode = threadData.lastComparisonPage or "", threadData.lastComparisonHeaders, threadData.lastComparisonCode
 falseRawResponse = "%s%s" % (falseHeaders, falsePage)
+ # Checking if there is difference between current FALSE, original and heuristics page (i.e. not used parameter)
+ if not kb.negativeLogic:
+ try:
+ ratio = 1.0
+ seqMatcher = getCurrentThreadData().seqMatcher
+ for current in (kb.originalPage, kb.heuristicPage):
+ seqMatcher.set_seq1(current)
+ seqMatcher.set_seq2(falsePage)
+ ratio *= seqMatcher.quick_ratio()
+ if ratio == 1.0:
+ continue
+ except MemoryError:
+ pass
+ kb.prevFalsePage = falsePage
+
 # Perform the test's True request
 trueResult = Request.queryPage(reqPayload, place, raise404=False)
 truePage, trueHeaders, trueCode = threadData.lastComparisonPage or "", threadData.lastComparisonHeaders, threadData.lastComparisonCode
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 97ee3965d..fc0903a0d 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@ from lib.core.enums import OS
 from thirdparty.six import unichr as _unichr
 # sqlmap version (...)
-VERSION = "1.3.5.117"
+VERSION = "1.3.5.118"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/techniques/union/test.py b/lib/techniques/union/test.py
index 53f72d01a..32f5f8dbc 100644
--- a/lib/techniques/union/test.py
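Review bot: The new `except MemoryError` is the only handler around the similarity loop, so if `kb.originalPage` or `kb.heuristicPage` can still be unset at this point (not visible here, but the heuristic page is only produced by an earlier check), `seqMatcher.quick_ratio()` raises a TypeError that escapes `checkSqlInjection`; guarding the block with `if not kb.negativeLogic and kb.originalPage is not None and kb.heuristicPage is not None:` keeps the original behaviour for such parameters instead of aborting the test loop. The `continue` on `ratio == 1.0` also skips the test silently, unlike the `logger.debug("skipping test '%s'" % title)` used for the UNION skip earlier in the same function, so a matching debug line before it (with `title`, which the earlier hunk shows is in scope) would make the reduced request count explainable from a verbose run. Note that `quick_ratio()` is an upper bound that already returns 1.0 when the two pages merely contain the same characters in a different order, so the skip is slightly more eager than an exact comparison; `ratio()` would be exact at higher cost, and the chosen trade-off is worth recording in the comment above the block. checkSqlInjection begins and ends outside the hunk.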
+++ b/lib/techniques/union/test.py
@@ -91,13 +91,15 @@ def _findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=
 kb.errorIsNone = False
 lowerCount, upperCount = conf.uColsStart, conf.uColsStop
- if kb.orderByColumns is None and (lowerCount == 1 or conf.uCols): # ORDER BY is not bullet-proof
+ if kb.orderByColumns is None and (lowerCount == 1 or conf.uCols): # Note: ORDER BY is not bullet-proof
 found = _orderByTechnique(lowerCount, upperCount) if conf.uCols else _orderByTechnique()
 if found:
 kb.orderByColumns = found
 infoMsg = "target URL appears to have %d column%s in query" % (found, 's' if found > 1 else "")
 singleTimeLogMessage(infoMsg)
 return found
+ elif kb.futileUnion:
+ return None
 if abs(upperCount - lowerCount) < MIN_UNION_RESPONSES:
 upperCount = lowerCount + MIN_UNION_RESPONSES
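Review bot: `elif kb.futileUnion: return None` gives up on column counting without any message, right under a comment that says the ORDER BY probe it depends on is not bullet-proof, so in reduced mode a target whose column count is only discoverable by the response-based probe loses UNION silently; a debug-level line before the return, e.g. `debugMsg = "skipping UNION column count probing (ORDER BY technique failed)"` followed by a log call, would make that visible in a verbose run. The early `None` return assumes every caller of _findUnionCharCount already treats None as "no column count found", which the other exit paths of this function (outside the hunk) presumably establish but which is not visible here. The enclosing function begins and ends outside the hunk.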