some refactoring/speedup around UNION technique

lib/core/common.py

@@ -1328,7 +1328,7 @@ def getRange(count, dump=False, plusOne=False):
 
     return indexRange
 
-def parseUnionPage(output, expression, partial=False, sort=True):
+def parseUnionPage(output, expression, partial=False, unique=True):
     if output is None:
         return None
 
@@ -1336,31 +1336,21 @@ def parseUnionPage(output, expression, partial=False, sort=True):
 
     if output.startswith(kb.chars.start) and output.endswith(kb.chars.stop):
         regExpr = '%s(.*?)%s' % (kb.chars.start, kb.chars.stop)
-
         output = re.findall(regExpr, output, re.DOTALL | re.IGNORECASE)
-
-        if sort:
-            _ = []
-            unique = set()
-            for entry in output:
-                key = entry.lower()
-                if key not in unique:
-                    unique.add(key)
-                    _.append(entry)
-            output = _
+        _ = set()
 
         for entry in output:
+            if unique:
+                key = entry.lower()
+                if key not in _:
+                    _.add(key)
+                else:
+                    continue
+
             entry = safecharencode(entry) if kb.safeCharEncode else entry
+            entry = entry.split(DUMP_DEL_MARKER if DUMP_DEL_MARKER in entry else kb.chars.delimiter)
 
-            if DUMP_DEL_MARKER in entry:
-                entry = entry.split(DUMP_DEL_MARKER)
-            else:
-                entry = entry.split(kb.chars.delimiter)
-
-            if len(entry) == 1:
-                data.append(entry[0])
-            else:
-                data.append(entry)
+            data.append(entry[0] if len(entry) == 1 else entry)
     else:
         data = output
 

lib/request/inject.py

@@ -368,7 +368,7 @@ def __goError(expression, expected=None, resumeValue=True, dump=False):
 
     return output
 
-def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=True, dump=False):
+def __goInband(expression, expected=None, unique=True, resumeValue=True, unpack=True, dump=False):
     """
     Retrieve the output of a SQL query taking advantage of an inband SQL
     injection vulnerability on the affected parameter.
@@ -384,11 +384,11 @@ def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=Tr
     if isinstance(output, list):
         data = output
     else:
-        data = parseUnionPage(output, expression, partial, sort)
+        data = parseUnionPage(output, expression, partial, unique)
 
     return data
 
-def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
+def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, unique=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
     """
     Called each time sqlmap inject a SQL query on the SQL injection
     affected parameter. It can call a function to retrieve the output
@@ -429,9 +429,9 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
                 kb.technique = PAYLOAD.TECHNIQUE.UNION
 
                 if expected == EXPECTED.BOOL:
-                    value = __goInband(forgeCaseExpression, expected, sort, resumeValue, unpack, dump)
+                    value = __goInband(forgeCaseExpression, expected, unique, resumeValue, unpack, dump)
                 else:
-                    value = __goInband(query, expected, sort, resumeValue, unpack, dump)
+                    value = __goInband(query, expected, unique, resumeValue, unpack, dump)
 
                 count += 1
                 found = (value is not None) or (value is None and expectingNone) or count >= MAX_TECHNIQUES_PER_VALUE

lib/takeover/xp_cmdshell.py

@@ -121,7 +121,7 @@ class xp_cmdshell:
 
         self.delRemoteFile(tmpFile)
 
-        output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, sort=False, firstChar=first, lastChar=last, safeCharEncode=False)
+        output = inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, unique=False, firstChar=first, lastChar=last, safeCharEncode=False)
         inject.goStacked("DELETE FROM %s" % self.cmdTblName)
 
         if output and isinstance(output, (list, tuple)):