Minor enhancement to prefix payload in ORDER BY and GROUP BY clauses

bdamele · bdamele · commit b824826a89b5 · 2010-12-03T14:39:51.000Z
diff --git a/lib/controller/checks.py b/lib/controller/checks.py
@@ -257,7 +257,7 @@ def checkSqlInjection(place, parameter, value):
                 if where == 1:
                     origValue = value
                 elif where == 2:
-                    origValue = "-%s" % value
+                    origValue = "-%s" % randomInt()
                 elif where == 3:
                     origValue = ""
 
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -83,7 +83,7 @@ def payload(self, place=None, parameter=None, value=None, newValue=None, negativ
                 if where == 1:
                     value = origValue
                 elif where == 2:
-                    value = "-%s" % origValue
+                    value = "-%s" % randomInt()
                 elif where == 3:
                     value = ""
             else:
@@ -155,10 +155,12 @@ def prefixQuery(self, string):
         # payload, do not put a space after the prefix
         if kb.technique == 4:
             query = kb.injection.prefix
-        elif kb.technique and kb.technique in kb.injection.data:
+        elif (kb.technique and kb.technique in kb.injection.data) or \
+             (kb.injection.clause == [2, 3] or kb.injection.clause == [ 2 ]):
             where = kb.injection.data[kb.technique].where
 
-            if where == 3:
+            if where == 3 or (kb.injection.clause == [2, 3] or \
+               kb.injection.clause == [ 2 ]):
                 query = kb.injection.prefix
 
         if query is None:
