Fixed custom MSSQL "limited" query support also for Partial UNION query technique

bdamele · bdamele · commit 2d87a3349f4c · 2009-01-03T00:27:04.000Z
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -481,15 +481,15 @@ def limitQuery(self, num, query, field):
             if " ORDER BY " in limitedQuery:
                 limitedQuery = limitedQuery[:limitedQuery.index(" ORDER BY ")]
 
-            if not limitedQuery.startswith("SELECT TOP "):
+            if not limitedQuery.startswith("SELECT TOP ") and not limitedQuery.startswith("TOP "):
                 limitedQuery  = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
                 limitedQuery  = "%s WHERE %s " % (limitedQuery, field)
                 limitedQuery += "NOT IN (%s" % (limitStr % num)
                 limitedQuery += "%s %s)" % (field, fromFrom)
             else:
-                topNums         = re.search("\ASELECT\s+TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I).groups()
+                topNums         = re.search("TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+", limitedQuery, re.I).groups()
                 quantityTopNums = topNums[0]
-                limitedQuery    = limitedQuery.replace("SELECT TOP %s" % quantityTopNums, "SELECT TOP 1", 1)
+                limitedQuery    = limitedQuery.replace("TOP %s" % quantityTopNums, "TOP 1", 1)
                 startTopNums    = topNums[1]
                 limitedQuery    = limitedQuery.replace(" (SELECT TOP %s" % startTopNums, " (SELECT TOP %d" % num)
 
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
@@ -216,6 +216,9 @@ def unionUse(expression, direct=False, unescape=True, resetCounter=False):
                         untilLimitChar = expression.index(queries[kb.dbms].limitstring)
                         expression = expression[:untilLimitChar]
 
+                    elif kb.dbms == "Microsoft SQL Server":
+                        stopLimit += startLimit
+
                 if not stopLimit or stopLimit <= 1:
                     if kb.dbms == "Oracle" and expression.endswith("FROM DUAL"):
                         test = False
diff --git a/xml/queries.xml b/xml/queries.xml
@@ -169,7 +169,7 @@
         <isnull query="ISNULL(%s, ' ')"/>
         <delimiter query="+"/>
         <limit query="SELECT TOP %d "/>
-        <limitregexp query="SELECT\s+TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+"/>
+        <limitregexp query="TOP\s+([\d]+)\s+.+?\s+FROM\s+.+?\s+WHERE\s+.+?\s+NOT\s+IN\s+\(SELECT\s+TOP\s+([\d]+)\s+"/>
         <limitgroupstart query="2"/>
         <limitgroupstop query="1"/>
         <limitstring/>
