Working on a bug (fix for Partial UNION query SQL injection technique

bdamele · bdamele · commit 04c187c66a1d · 2008-12-22T00:51:09.000Z
both Oracle and Microsoft SQL Server).
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -456,7 +456,10 @@ def limitQuery(self, num, query, fieldsList=None):
         # TODO: fix for Partial UNION query SQL injection technique both
         # Oracle and Microsoft SQL Server
         elif kb.dbms == "Oracle":
-            limitedQuery  = "%s FROM (%s, %s" % (untilFrom, untilFrom, limitStr)
+            if query.startswith("SELECT "):
+                limitedQuery = "%s FROM (%s, %s" % (untilFrom, untilFrom, limitStr)
+            else:
+                limitedQuery = "%s FROM (SELECT %s, %s" % (untilFrom, ", ".join(field for field in fieldsList), limitStr) 
             limitedQuery  = limitedQuery % fromFrom
             limitedQuery += "=%d" % (num + 1)
 
