Major bug fix to make partial UNION query sql injection work properly

also on Microsoft SQL Server
2025-12-10 09:49:06 +00:00 · 2008-12-22 19:36:01 +00:00
parent 064029cb2d
commit 1f7810e46a
3 changed files with 50 additions and 25 deletions
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -261,7 +261,14 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False):
                        return

                    for num in xrange(startLimit, stopLimit):
-                        limitedExpr = agent.limitQuery(num, expression, expressionFieldsList)
+                        orderBy = re.search(" ORDER BY ([\w\_]+)", expression, re.I)
+
+                        if orderBy:
+                            field = orderBy.group(1)
+                        else:
+                            field = expressionFieldsList[0]
+
+                        limitedExpr = agent.limitQuery(num, expression, field)
                        output      = unionUse(limitedExpr, direct=True, unescape=False)

                        if output: