Fixes non-deterministic unsorted results for most of the DBMSes - see #185

2026-01-09 16:19:07 +00:00 · 2010-04-09 15:48:53 +00:00
parent 822d22299f
commit b72ddb6f1e
4 changed files with 36 additions and 40 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -507,11 +507,12 @@ class Agent:
        @rtype: C{str}
        """

-        limitedQuery  = query
-        limitStr      = queries[kb.dbms].limit
-        fromIndex     = limitedQuery.index(" FROM ")
-        untilFrom     = limitedQuery[:fromIndex]
-        fromFrom      = limitedQuery[fromIndex+1:]
+        limitedQuery = query
+        limitStr = queries[kb.dbms].limit
+        fromIndex = limitedQuery.index(" FROM ")
+        untilFrom = limitedQuery[:fromIndex]
+        fromFrom = limitedQuery[fromIndex+1:]
+        orderBy = False

        if kb.dbms in ( "MySQL", "PostgreSQL", "SQLite" ):
            limitStr = queries[kb.dbms].limit % (num, 1)
@@ -523,6 +524,7 @@ class Agent:

        elif kb.dbms == "Oracle":
            if " ORDER BY " in limitedQuery and "(SELECT " in limitedQuery:
+                orderBy = limitedQuery[limitedQuery.index(" ORDER BY "):]
                limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]

            if query.startswith("SELECT "):
@@ -536,6 +538,7 @@ class Agent:
            forgeNotIn = True

            if " ORDER BY " in limitedQuery:
+                orderBy = limitedQuery[limitedQuery.index(" ORDER BY "):]
                limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]

            notDistincts = re.findall("DISTINCT[\(\s+](.+?)\)*\s+", limitedQuery, re.I)
@@ -569,6 +572,9 @@ class Agent:
                limitedQuery += "NOT IN (%s" % (limitStr % num)
                limitedQuery += "%s %s)" % (field, fromFrom)

+        if orderBy:
+            limitedQuery += orderBy
+
        return limitedQuery

    def forgeCaseStatement(self, expression):
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -362,9 +362,6 @@ def getValue(expression, blind=True, inband=True, fromUser=False, expected=None,
    expression = expression.replace("DISTINCT ", "")

    if inband and kb.unionPosition:
-        if kb.dbms == "Oracle" and " ORDER BY " in expression:
-            expression = expression[:expression.index(" ORDER BY ")]
-
        value = __goInband(expression, expected, sort, resumeValue, unpack)

        if not value:
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -187,16 +187,9 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False, nullCh

                    for num in xrange(startLimit, stopLimit):
                        if kb.dbms == "Microsoft SQL Server":
-                            orderBy = re.search(" ORDER BY ([\w\_]+)", expression, re.I)
-
-                            if orderBy:
-                                field = orderBy.group(1)
-                            else:
-                                field = expressionFieldsList[0]
-
+                            field = expressionFieldsList[0]
                        elif kb.dbms == "Oracle":
                            field = expressionFieldsList
-
                        else:
                            field = None