Major bug fix to properly deal with EXISTS() when forging query or retrieving the query columns.

2025-12-09 14:11:29 +00:00 · 2011-01-17 23:43:37 +00:00
parent c2a358561f
commit 3822b494ea
5 changed files with 28 additions and 15 deletions
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -75,12 +75,12 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
        lastChar = int(lastChar)

    if kb.dbmsDetected:
-        _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
-        nulledCastedField                = agent.nullAndCastField(fieldToCastStr)
-        expressionReplaced               = expression.replace(fieldToCastStr, nulledCastedField, 1)
-        expressionUnescaped              = unescaper.unescape(expressionReplaced)
+        _, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)
+        nulledCastedField = agent.nullAndCastField(fieldToCastStr)
+        expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
+        expressionUnescaped = unescaper.unescape(expressionReplaced)
    else:
-        expressionUnescaped              = unescaper.unescape(expression)
+        expressionUnescaped = unescaper.unescape(expression)

    if length and not isinstance(length, int) and length.isdigit():
        length = int(length)
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -42,7 +42,7 @@ def errorUse(expression):
    query = agent.suffixQuery(query)
    check = "%s(?P<result>.*?)%s" % (kb.misc.start, kb.misc.stop)

-    _, _, _, _, _, _, fieldToCastStr = agent.getFields(expression)
+    _, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)
    nulledCastedField = agent.nullAndCastField(fieldToCastStr)

    if getIdentifiedDBMS() == DBMS.MYSQL:
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -95,7 +95,7 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, unpack
        expression = unescaper.unescape(expression)

    if kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == 2 and not direct:
-        _, _, _, _, _, expressionFieldsList, expressionFields = agent.getFields(origExpr)
+        _, _, _, _, _, expressionFieldsList, expressionFields, _ = agent.getFields(origExpr)

        # We have to check if the SQL query might return multiple entries
        # and in such case forge the SQL limiting the query output one