Fixed resume functionality on --read-file when using MySQL's LOAD_FILE() via blind SQL injection.

bdamele · bdamele · commit d55175a3407a · 2010-01-02T01:35:13.000Z
diff --git a/lib/utils/resume.py b/lib/utils/resume.py
@@ -22,8 +22,6 @@
 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 """
 
-
-
 import re
 
 from lib.core.common import dataToSessionFile
@@ -34,7 +32,6 @@
 from lib.core.unescaper import unescaper
 from lib.techniques.blind.inference import bisection
 
-
 def queryOutputLength(expression, payload):
     """
     Returns the query output length.
@@ -45,14 +42,17 @@ def queryOutputLength(expression, payload):
     select              = re.search("\ASELECT\s+", expression, re.I)
     selectTopExpr       = re.search("\ASELECT\s+TOP\s+[\d]+\s+(.+?)\s+FROM", expression, re.I)
     selectDistinctExpr  = re.search("\ASELECT\s+DISTINCT\((.+?)\)\s+FROM", expression, re.I)
-    selectExpr          = re.search("\ASELECT\s+(.+?)\s+FROM", expression, re.I)
+    selectFromExpr      = re.search("\ASELECT\s+(.+?)\s+FROM", expression, re.I)
+    selectExpr          = re.search("\ASELECT\s+(.+)$", expression, re.I)
     miscExpr            = re.search("\A(.+)", expression, re.I)
 
-    if selectTopExpr or selectDistinctExpr or selectExpr:
+    if selectTopExpr or selectDistinctExpr or selectFromExpr or selectExpr:
         if selectTopExpr:
             regExpr = selectTopExpr.groups()[0]
         elif selectDistinctExpr:
             regExpr = selectDistinctExpr.groups()[0]
+        elif selectFromExpr:
+            regExpr = selectFromExpr.groups()[0]
         elif selectExpr:
             regExpr = selectExpr.groups()[0]
     elif miscExpr:
@@ -84,7 +84,6 @@ def queryOutputLength(expression, payload):
 
     return count, length, regExpr
 
-
 def resume(expression, payload):
     """
     This function can be called to resume part or entire output of a
