@@ -48,26 +48,26 @@ def _findUnionCharCount(comment, place, parameter, value, prefix, suffix, where=
4848 """
4949 retVal = None
5050
51- def _orderByTechnique ():
51+ def _orderByTechnique (lowerCount , upperCount ):
5252 def _orderByTest (cols ):
5353 query = agent .prefixQuery ("ORDER BY %d" % cols , prefix = prefix )
5454 query = agent .suffixQuery (query , suffix = suffix , comment = comment )
5555 payload = agent .payload (newValue = query , place = place , parameter = parameter , where = where )
5656 page , headers , code = Request .queryPage (payload , place = place , content = True , raise404 = False )
5757 return not any (re .search (_ , page or "" , re .I ) and not re .search (_ , kb .pageTemplate or "" , re .I ) for _ in ("(warning|error):" , "order by" , "unknown column" , "failed" )) and comparison (page , headers , code ) or re .search (r"data types cannot be compared or sorted" , page or "" , re .I )
5858
59- if _orderByTest (1 ) and not _orderByTest (randomInt ()):
59+ if _orderByTest (1 if lowerCount is None else lowerCount ) and not _orderByTest (randomInt () if upperCount is None else upperCount + 1 ):
6060 infoMsg = "'ORDER BY' technique appears to be usable. "
6161 infoMsg += "This should reduce the time needed "
6262 infoMsg += "to find the right number "
6363 infoMsg += "of query columns. Automatically extending the "
6464 infoMsg += "range for current UNION query injection technique test"
6565 singleTimeLogMessage (infoMsg )
6666
67- lowCols , highCols = 1 , ORDER_BY_STEP
67+ lowCols , highCols = 1 if lowerCount is None else lowerCount , ORDER_BY_STEP if upperCount is None else upperCount
6868 found = None
6969 while not found :
70- if _orderByTest (highCols ):
70+ if not conf . uCols and _orderByTest (highCols ):
7171 lowCols = highCols
7272 highCols += ORDER_BY_STEP
7373 else :
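Review bot: With `conf.uCols` set, the new guard `if not conf . uCols and _orderByTest (highCols )` skips the probe that previously established that `highCols` fails before the `else` branch runs, while the only upper bound actually verified (on the `if _orderByTest (1 if lowerCount is None ...` line) is `upperCount + 1`, so `highCols = upperCount` reaches the narrowing step as an unverified bound. If the `else` branch, which lies outside this hunk, relies on `lowCols` passing and `highCols` failing, a target whose real column count equals `upperCount` could be missed or the `while not found` loop might not converge; I cannot see that branch, so please confirm against it. One way to keep the invariant without touching the default path is to seed the bound as `lowCols , highCols = 1 if lowerCount is None else lowerCount , ORDER_BY_STEP if upperCount is None else (upperCount + 1 if conf .uCols else upperCount )`. The `1 if lowerCount is None else lowerCount` default is also resolved twice (on the `if _orderByTest` line and the `lowCols , highCols` line) and would read better bound once to locals at the top of `_orderByTechnique`. Both `_findUnionCharCount` and `_orderByTechnique` continue outside the hunk.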
@@ -88,8 +88,8 @@ def _orderByTest(cols):
8888 kb .errorIsNone = False
8989 lowerCount , upperCount = conf .uColsStart , conf .uColsStop
9090
91- if lowerCount == 1 :
92- found = kb .orderByColumns or _orderByTechnique ()
91+ if lowerCount == 1 or conf . uCols :
92+ found = kb .orderByColumns or _orderByTechnique (lowerCount , upperCount )
9393 if found :
9494 kb .orderByColumns = found
9595 infoMsg = "target URL appears to have %d column%s in query" % (found , 's' if found > 1 else "" )