Major bug fix to properly prepare UNION technique statement for --os-pwn and --is-dba

2025-12-22 23:49:04 +00:00 · 2011-02-21 16:00:56 +00:00
parent 90582ed7dc
commit 3e8c204121
5 changed files with 11 additions and 8 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -328,7 +328,7 @@ class Agent:
        if not Backend.getDbms():
            return fields

-        if fields.startswith("(CASE"):
+        if fields.startswith("(CASE") or fields.startswith("SUBSTR"):
            nulledCastedConcatFields = fields
        else:
            fields = fields.replace(", ", ",")
@@ -368,9 +368,12 @@ class Agent:
        fieldsSelectFrom = re.search("\ASELECT%s\s+(.+?)\s+FROM\s+" % prefixRegex, query, re.I)
        fieldsExists = re.search("EXISTS(.*)", query, re.I)
        fieldsSelect = re.search("\ASELECT%s\s+(.*)" % prefixRegex, query, re.I)
+        fieldsSubstr = re.search("\ASUBSTR", query, re.I)
        fieldsNoSelect = query

-        if fieldsExists:
+        if fieldsSubstr:
+            fieldsToCastStr = query
+        elif fieldsExists:
            fieldsToCastStr = fieldsSelect.groups()[0]
        elif fieldsSelectTop:
            fieldsToCastStr = fieldsSelectTop.groups()[0]
@@ -386,7 +389,7 @@ class Agent:
            fieldsToCastStr = fieldsNoSelect

        # Function
-        if re.search("\A\w+\(.*\)", fieldsToCastStr, re.I) or fieldsSelectCase:
+        if re.search("\A\w+\(.*\)", fieldsToCastStr, re.I) or fieldsSelectCase or fieldsSubstr:
            fieldsToCastList = [fieldsToCastStr]
        else:
            fieldsToCastList = fieldsToCastStr.replace(", ", ",")
--- a/lib/takeover/udf.py
+++ b/lib/takeover/udf.py
@@ -51,8 +51,8 @@ class UDF:
    def __checkExistUdf(self, udf):
        logger.info("checking if UDF '%s' already exist" % udf)

-        query  = agent.forgeCaseStatement(queries[Backend.getIdentifiedDbms()].check_udf.query % (udf, udf))
-        exists = inject.getValue(query, resumeValue=False, unpack=False, charsetType=2)
+        query = agent.forgeCaseStatement(queries[Backend.getIdentifiedDbms()].check_udf.query % (udf, udf))
+        exists = inject.getValue(query, resumeValue=False, charsetType=2)

        if exists == "1":
            return True