@@ -171,7 +171,7 @@ def xpCmdshellForgeCmd(self, cmd, insertIntoTable=None):
171171 # retrieve the output when OPENROWSET is used hence the redirection
172172 # to a temporary file from above
173173 if insertIntoTable and not conf .dbmsCred :
174- self ._forgedCmd += "INSERT INTO %s " % insertIntoTable
174+ self ._forgedCmd += "INSERT INTO %s(data) " % insertIntoTable
175175
176176 self ._forgedCmd += "EXEC %s @%s" % (self .xpCmdshellStr , self ._randStr )
177177
@@ -205,13 +205,13 @@ def xpCmdshellEvalCmd(self, cmd, first=None, last=None):
205205 inject .goStacked ("BULK INSERT %s FROM '%s' WITH (CODEPAGE='RAW', FIELDTERMINATOR='%s', ROWTERMINATOR='%s')" % (self .cmdTblName , self .tmpFile , randomStr (10 ), randomStr (10 )))
206206 self .delRemoteFile (self .tmpFile )
207207
208- query = "SELECT %s FROM %s" % (self .tblField , self .cmdTblName )
208+ query = "SELECT %s FROM %s ORDER BY id " % (self .tblField , self .cmdTblName )
209209
210210 if any (isTechniqueAvailable (_ ) for _ in (PAYLOAD .TECHNIQUE .UNION , PAYLOAD .TECHNIQUE .ERROR , PAYLOAD .TECHNIQUE .QUERY )) or conf .direct :
211211 output = inject .getValue (query , resumeValue = False , blind = False , time = False )
212212 else :
213213 output = []
214- count = inject .getValue ("SELECT COUNT(* ) FROM %s" % self .cmdTblName , resumeValue = False , union = False , error = False , expected = EXPECTED .INT , charsetType = CHARSET_TYPE .DIGITS )
214+ count = inject .getValue ("SELECT COUNT(id ) FROM %s" % self .cmdTblName , resumeValue = False , union = False , error = False , expected = EXPECTED .INT , charsetType = CHARSET_TYPE .DIGITS )
215215
216216 if isNumPosStrValue (count ):
217217 for index in getLimitRange (count ):
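Review bot: The column name is hard-coded as `data` in the new `INSERT INTO %s(data) ` at new line 174, while the SELECT in xpCmdshellEvalCmd takes the same column from `self.tblField`, so the insert breaks if the two ever diverge. Building it from the same attribute keeps them in step: `self._forgedCmd += "INSERT INTO %s(%s) " % (insertIntoTable, self.tblField)`. The literal `id` in `ORDER BY id ` and `COUNT(id)` at new lines 208 and 214 likewise assumes a column whose definition is not in these hunks; a short comment there stating that the table carries an `id` column, presumably to keep output lines in order, would help. The unchanged `BULK INSERT` at line 205 names no column mapping, so it is worth confirming that path still loads rows if the table now has a second column. Both function bodies continue outside the hunks.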