From dec4d858b3171af6f6502f87d105f2f06339bfef Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Fri, 22 Oct 2010 14:01:48 +0000
Subject: [PATCH] fix for Bug #207
---
 lib/request/inject.py | 2 +-
 plugins/generic/enumeration.py | 8 ++++----
 xml/queries.xml | 5 +++--
 3 files changed, 8 insertions(+), 7 deletions(-)
diff --git a/lib/request/inject.py b/lib/request/inject.py
index 55ccea1dd..01ecb3597 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -124,7 +124,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
 rdbRegExp = re.search("RDB\$GET_CONTEXT\([^)]+\)", expression, re.I)
 if rdbRegExp and kb.dbms == "Firebird":
 expressionFieldsList = [expressionFields]
-
+
 if len(expressionFieldsList) > 1:
 infoMsg = "the SQL query provided has more than a field. "
 infoMsg += "sqlmap will now unpack it into distinct queries "
diff --git a/plugins/generic/enumeration.py b/plugins/generic/enumeration.py
index ee30650d8..1c302ada3 100644
--- a/plugins/generic/enumeration.py
+++ b/plugins/generic/enumeration.py
@@ -1169,10 +1169,10 @@ class Enumeration:
 conf.tbl.upper(), index)
 elif kb.dbms == "Microsoft SQL Server":
- query = rootQuery.blind.query % (column, conf.db,
- conf.tbl, column,
- index, column,
- conf.db, conf.tbl)
+ query = rootQuery.blind.query % (column, index + 1, conf.db,
+ conf.tbl, colList[0],
+ colList[0], colList[0])
+
 elif kb.dbms == "SQLite":
 query = rootQuery.blind.query % (column, conf.tbl, index)
diff --git a/xml/queries.xml b/xml/queries.xml
index f4097fd9d..3e78509f9 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -273,7 +273,8 @@ - + +
@@ -358,7 +359,7 @@ - +
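Review bot: In the Microsoft SQL Server branch of plugins/generic/enumeration.py the new argument tuple passes `colList[0]` three times with no check that `colList` is non-empty or that its first column is a stable ordering key. `colList` is defined outside this hunk and the matching template in xml/queries.xml is not readable on this page, so this is inferred from the argument list alone. An empty list would raise IndexError here, and if that column holds duplicate or NULL values, fetching a row by position `index + 1` may presumably repeat or skip entries. The change from `index` to `index + 1` is also unexplained; a comment above the assignment along the lines of `# MSSQL blind.query pages on colList[0] with a 1-based position; keep these 7 arguments in step with xml/queries.xml` would record both. The enclosing method starts and ends outside the hunk.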