diff --git a/lib/core/agent.py b/lib/core/agent.py
index d4c2c22c5..9ced673b6 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -12,6 +12,7 @@ import re
from xml.etree import ElementTree as ET
from lib.core.common import getCompiledRegex
+from lib.core.common import isDBMSVersionAtLeast
from lib.core.common import randomInt
from lib.core.common import randomStr
from lib.core.convert import urlencode
@@ -214,7 +215,14 @@ class Agent:
if "[INFERENCE]" in payload:
if kb.dbms is not None:
- inferenceQuery = queries[kb.dbms].inference.query
+ inference = queries[kb.dbms].inference
+ if "dbms_version" in inference:
+ if isDBMSVersionAtLeast(inference.dbms_version):
+ inferenceQuery = inference.query
+ else:
+ inferenceQuery = inference.query2
+ else:
+ inferenceQuery = inference.query
payload = payload.replace("[INFERENCE]", inferenceQuery)
elif kb.misc.testedDbms is not None:
inferenceQuery = queries[kb.misc.testedDbms].inference.query
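Review bot: The `elif kb.misc.testedDbms is not None` branch on the last hunk line still reads `.inference.query` unconditionally, so a DBMS whose inference entry carries `dbms_version` gets the version-gated choice only once `kb.dbms` is set; the same selection should apply there, ideally via one small helper used by both branches. The nested if/else also collapses to a single expression, `inferenceQuery = inference.query2 if "dbms_version" in inference and not isDBMSVersionAtLeast(inference.dbms_version) else inference.query`. Whatever `isDBMSVersionAtLeast` returns when the backend version has not been fingerprinted yet (presumably a falsy value) silently selects `query2`, so a comment stating that `query2` is the variant expected to work on every version would make that fallback intentional. The enclosing method starts and ends outside the hunk.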
diff --git a/lib/core/settings.py b/lib/core/settings.py
index f6f19a995..8f0817cac 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -46,9 +46,9 @@ DUMP_TAB_MARKER = "__TAB__"
DUMP_START_MARKER = "__START__"
DUMP_STOP_MARKER = "__STOP__"
-PAYLOAD_DELIMITER = "\x00"
-
-MIN_TIME_RESPONSES = 10
+PAYLOAD_DELIMITER = "\x00"
+CHAR_INFERENCE_MARK = "%c"
+MIN_TIME_RESPONSES = 10
# System variables
IS_WIN = subprocess.mswindows
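Review bot: `CHAR_INFERENCE_MARK = "%c"` is added without a comment, and `%c` reads like a printf conversion while it is really a free-standing placeholder that lib/techniques/blind/inference.py swaps for the probed character after `safeStringFormat` has run; a line such as `# placeholder in inference queries, substituted with the probed character (not a % conversion)` would stop a later reader from "fixing" it. The hunk also drops the blank line that separated `PAYLOAD_DELIMITER` from `MIN_TIME_RESPONSES`, grouping three unrelated settings together; keeping blank lines around the new constant preserves the file's sectioning.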
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 7e4868f57..df5dfbec7 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -33,6 +33,7 @@ from lib.core.exception import sqlmapValueException
from lib.core.exception import sqlmapThreadException
from lib.core.exception import unhandledException
from lib.core.progress import ProgressBar
+from lib.core.settings import CHAR_INFERENCE_MARK
from lib.core.unescaper import unescaper
from lib.request.connect import Connect as Request
@@ -141,7 +142,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
continuousOrder means that distance between each two neighbour's
numerical values is exactly 1
"""
-
+
result = tryHint(idx)
if result:
@@ -170,18 +171,14 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
position = (len(charTbl) >> 1)
posValue = charTbl[position]
- if dbms in (DBMS.SQLITE, DBMS.MAXDB):
- pushValue(posValue)
- posValue = chr(posValue) if posValue < 128 else unichr(posValue)
-
- forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+ if CHAR_INFERENCE_MARK not in payload:
+ forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
+ else:
+ forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(CHAR_INFERENCE_MARK, chr(posValue) if posValue < 128 else unichr(posValue))
queriesCount[0] += 1
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
- if dbms in (DBMS.SQLITE, DBMS.MAXDB):
- posValue = popValue()
-
if result:
minValue = posValue
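Review bot: The new `else` branch formats the payload first and only then runs `.replace(CHAR_INFERENCE_MARK, ...)` over the result, so the substitution also reaches the interpolated `expressionUnescaped` and `idx` text; any literal `%c` inside the expression being retrieved would be rewritten to the probe character. It also relies on `safeStringFormat` passing a `%c` that is not one of its own placeholders through untouched, which I cannot confirm from this diff, so the assumption deserves a comment on that line, e.g. `# "%c" is not consumed by safeStringFormat; it is substituted with the probed character afterwards`. If the helper permits it, substituting the marker on `payload` before formatting would keep the replacement off the interpolated expression, provided the probe character itself cannot form a placeholder. `bisection` starts and ends outside the hunk.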
diff --git a/xml/queries.xml b/xml/queries.xml
index 9cec8a179..43e4dacee 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -303,7 +303,7 @@
-
+
@@ -386,7 +386,7 @@
-
+
@@ -429,7 +429,7 @@
-
+