Minor bug fix to properly deal --prefix and --suffix and parameter replace payloads

lib/controller/checks.py

@@ -189,32 +189,6 @@ def checkSqlInjection(place, parameter, value):
             fstPayload = agent.cleanupPayload(test.request.payload, value)
             fstPayload = unescaper.unescape(fstPayload, dbms=dbms)
 
-            if conf.prefix is not None and conf.suffix is not None:
-                # Create a custom boundary object for user's supplied prefix
-                # and suffix
-                boundary = advancedDict()
-
-                boundary.level = 1
-                boundary.clause = [ 0 ]
-                boundary.where = [ 1, 2, 3 ]
-                boundary.prefix = conf.prefix
-                boundary.suffix = conf.suffix
-
-                if " like" in boundary.suffix.lower():
-                    if "'" in boundary.suffix.lower():
-                        boundary.ptype = 3
-                    elif '"' in boundary.suffix.lower():
-                        boundary.ptype = 5
-                elif "'" in boundary.suffix:
-                    boundary.ptype = 2
-                elif '"' in boundary.suffix:
-                    boundary.ptype = 4
-                else:
-                    boundary.ptype = 1
-
-                # Prepend user's provided boundaries to all others boundaries
-                conf.boundaries.insert(0, boundary)
-
             for boundary in conf.boundaries:
                 injectable = False
 
@@ -287,7 +261,7 @@ def checkSqlInjection(place, parameter, value):
                     # prefix and appending the boundary's suffix to the
                     # test's ' <payload><comment> ' string
                     boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
-                    boundPayload = agent.suffixQuery(boundPayload, comment, suffix)
+                    boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
                     boundPayload = agent.cleanupPayload(boundPayload, value)
                     reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
 
@@ -307,7 +281,7 @@ def checkSqlInjection(place, parameter, value):
                             # suffix to the test's ' <payload><comment> '
                             # string
                             boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause)
-                            boundPayload = agent.suffixQuery(boundPayload, comment, suffix)
+                            boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
                             boundPayload = agent.cleanupPayload(boundPayload, value)
                             cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
 

lib/core/agent.py

@@ -139,25 +139,28 @@ class Agent:
 
         query = None
 
-        # Either if the technique is stacked queries (<stype>) or we are
+        if where is None and kb.technique and kb.technique in kb.injection.data:
-        # replacing (<where>) the parameter original value with our
-        # payload, do not put a space after the prefix
-        if kb.technique == PAYLOAD.TECHNIQUE.STACKED:
-            query = kb.injection.prefix
-        elif where == 3 or clause == [2, 3] or clause == [ 2 ] or clause == [ 3 ]:
-            query = prefix
-        elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ] or kb.injection.clause == [ 3 ]:
-            query = kb.injection.prefix
-        elif kb.technique and kb.technique in kb.injection.data:
             where = kb.injection.data[kb.technique].where
 
-            if where == 3:
+        # If we are replacing (<where>) the parameter original value with
-                query = kb.injection.prefix
+        # our payload do not prepend with the prefix
+        if where == 3:
+            query = ""
 
-        if query is None:
+        # If the technique is stacked queries (<stype>) do not put a space
-            query = kb.injection.prefix or prefix or ''
+        # after the prefix or it is in GROUP BY / ORDER BY (<clause>)
+        elif kb.technique == PAYLOAD.TECHNIQUE.STACKED:
+            query = kb.injection.prefix
+        elif kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ] or kb.injection.clause == [ 3 ]:
+            query = kb.injection.prefix
+        elif clause == [2, 3] or clause == [ 2 ] or clause == [ 3 ]:
+            query = prefix
 
-            if not (string and string[0] == ';'):
+        # In any other case prepend with the full prefix
+        else:
+            query = kb.injection.prefix or prefix or ""
+
+            if not (string and string[0] == ";"):
                 query += " "
 
         query = "%s%s" % (query, string)
@@ -165,7 +168,7 @@ class Agent:
 
         return query
 
-    def suffixQuery(self, string, comment=None, suffix=None):
+    def suffixQuery(self, string, comment=None, suffix=None, where=None):
         """
         This method appends the DBMS comment to the
         SQL injection request
@@ -177,10 +180,18 @@ class Agent:
         if comment is not None:
             string += comment
 
-        if kb.injection.suffix is None and suffix is not None:
+        if where is None and kb.technique and kb.technique in kb.injection.data:
-            string += " %s" % suffix
+            where = kb.injection.data[kb.technique].where
-        else:
+
+        # If we are replacing (<where>) the parameter original value with
+        # our payload do not append the suffix
+        if where == 3:
+            pass
+
+        elif kb.injection.suffix is not None:
             string += " %s" % kb.injection.suffix
+        elif suffix is not None:
+            string += " %s" % suffix
 
         string = self.cleanupPayload(string)
 

lib/core/option.py

@@ -785,6 +785,32 @@ def __setPrefixSuffix():
         errMsg += "the payload prefix"
         raise sqlmapSyntaxException, errMsg
 
+    if conf.prefix is not None and conf.suffix is not None:
+        # Create a custom boundary object for user's supplied prefix
+        # and suffix
+        boundary = advancedDict()
+
+        boundary.level = 1
+        boundary.clause = [ 0 ]
+        boundary.where = [ 1, 2, 3 ]
+        boundary.prefix = conf.prefix
+        boundary.suffix = conf.suffix
+
+        if " like" in boundary.suffix.lower():
+            if "'" in boundary.suffix.lower():
+                boundary.ptype = 3
+            elif '"' in boundary.suffix.lower():
+                boundary.ptype = 5
+        elif "'" in boundary.suffix:
+            boundary.ptype = 2
+        elif '"' in boundary.suffix:
+            boundary.ptype = 4
+        else:
+            boundary.ptype = 1
+
+        # Prepend user's provided boundaries to all others boundaries
+        conf.boundaries.insert(0, boundary)
+
 def __setHTTPAuthentication():
     """
     Check and set the HTTP(s) authentication method (Basic, Digest, NTLM or Certificate),
@@ -1415,7 +1441,6 @@ def init(inputOptions=advancedDict()):
         __setHTTPAuthentication()
         __setHTTPProxy()
         __setSafeUrl()
-        __setPrefixSuffix()
         __setGoogleDorking()
         __urllib2Opener()
         __findPageForms()
@@ -1428,5 +1453,6 @@ def init(inputOptions=advancedDict()):
     __setMetasploit()
 
     loadPayloads()
+    __setPrefixSuffix()
     update()
     __loadQueries()