Major bug fix

bdamele · bdamele · commit 6dec56d616a9 · 2008-12-17T21:35:04.000Z
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -246,7 +246,7 @@ def getFields(self, query):
         @rtype: C{str}
         """
 
-        if "(SELECT " in query:
+        if query.startswith("SELECT ") and "(SELECT " in query:
             firstChar = "\\("
         else:
             firstChar = "\\A"
@@ -271,6 +271,9 @@ def getFields(self, query):
         fieldsToCastList = fieldsToCastStr.replace(", ", ",")
         fieldsToCastList = fieldsToCastList.split(",")
 
+        if query.startswith("SELECT ") and "(SELECT " in query:
+            fieldsSelectFrom = None
+
         return fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsToCastList, fieldsToCastStr
 
 
@@ -390,15 +393,15 @@ def forgeInbandQuery(self, query, exprPosition=None):
                 inbandQuery += ", "
 
             if element == exprPosition:
-                if " FROM " in query:
+                if " FROM " in query and not query.startswith("SELECT ") and not "(SELECT " in query:
                     conditionIndex = query.rindex(" FROM ")
                     inbandQuery += "%s" % query[:conditionIndex]
                 else:
                     inbandQuery += "%s" % query
             else:
                 inbandQuery += "NULL"
 
-        if " FROM " in query:
+        if " FROM " in query and not query.startswith("SELECT ") and not "(SELECT " in query:
             conditionIndex = query.rindex(" FROM ")
             inbandQuery += "%s" % query[conditionIndex:]
 
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -43,6 +43,9 @@ def cmdLineParser():
     parser = OptionParser(usage=usage, version=VERSION_STRING)
 
     try:
+        parser.add_option("-v", dest="verbose", type="int",
+                          help="Verbosity level: 0-5 (default 1)")
+
         # Target options
         target = OptionGroup(parser, "Target", "At least one of these "
                              "options has to be specified to set the source "
@@ -161,6 +164,7 @@ def cmdLineParser():
         techniques.add_option("--time-test", dest="timeTest",
                               action="store_true",
                               help="Test for Time based blind SQL injection")
+
         techniques.add_option("--union-test", dest="unionTest",
                               action="store_true",
                               help="Test for UNION query (inband) SQL injection")
@@ -293,9 +297,6 @@ def cmdLineParser():
                                       "calculate the estimated time of arrival "
                                       "in real time")
 
-        miscellaneous.add_option("-v", dest="verbose", type="int",
-                                 help="Verbosity level: 0-5 (default 1)")
-
         miscellaneous.add_option("--update", dest="updateAll", action="store_true",
                                 help="Update sqlmap to the latest stable version")
 
