Minor bug fix to make the Partial UNION query SQL injection technique

work properly also on Oracle and Microsoft SQL Server.
2025-12-07 05:01:30 +00:00 · 2008-12-22 22:48:44 +00:00
parent 1f7810e46a
commit 64bb57d786
5 changed files with 24 additions and 19 deletions
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -261,12 +261,19 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False):
                        return

                    for num in xrange(startLimit, stopLimit):
-                        orderBy = re.search(" ORDER BY ([\w\_]+)", expression, re.I)
+                        if kb.dbms == "Microsoft SQL Server":
+                            orderBy = re.search(" ORDER BY ([\w\_]+)", expression, re.I)
+
+                            if orderBy:
+                                field = orderBy.group(1)
+                            else:
+                                field = expressionFieldsList[0]
+
+                        elif kb.dbms == "Oracle":
+                                field = expressionFieldsList

-                        if orderBy:
-                            field = orderBy.group(1)
                        else:
-                            field = expressionFieldsList[0]
+                            field = None

                        limitedExpr = agent.limitQuery(num, expression, field)
                        output      = unionUse(limitedExpr, direct=True, unescape=False)