Bug fix for fingerprinting MySQL

stamparm · stamparm · commit 7a21109ad0ac · 2025-12-25T14:11:57.000+01:00
diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
@@ -173,7 +173,7 @@ ae500647c4074681749735a4f3b17b7eca44868dd3f39f9cab0a575888ba04a1  lib/core/data.
 ffae7cfe9f9afb92e887b9a8dbc1630d0063e865f35984ae417b04a4513e5024  lib/core/datatype.py
 1d70d75a1c1a2a0ad295f727ee9f1d90cea851dfc2f8c9a85ef79c7975007ead  lib/core/decorators.py
 d573a37bb00c8b65f75b275aa92549683180fb209b75fd0ff3870e3848939900  lib/core/defaults.py
-ce6e1c1766acd95168f7708ddcacaa4a586c21ffc9e92024c4715611c802b60c  lib/core/dicts.py
+bb7e6521edad1cbfffa89fd7d5e255ed4ff148d984ffadbeac8d42baa2d76dea  lib/core/dicts.py
 1e801218f301968181cb876ca27bace622b8646f041bdab72cda5d6a57542408  lib/core/dump.py
 2ca709fb52b4a1bc83cfe2acdad7e7d4dca1fee6a775e9290f0f1f517955d0b9  lib/core/enums.py
 00a9b29caa81fe4a5ef145202f9c92e6081f90b2a85cd76c878d520d900ad856  lib/core/exception.py
@@ -188,7 +188,7 @@ c4bfb493a03caf84dd362aec7c248097841de804b7413d0e1ecb8a90c8550bc0  lib/core/readl
 d1bd70c1a55858495c727fbec91e30af267459c8f64d50fabf9e4ee2c007e920  lib/core/replication.py
 1d0f80b0193ac5204527bfab4bde1a7aee0f693fd008e86b4b29f606d1ef94f3  lib/core/revision.py
 d2eb8e4b05ac93551272b3d4abfaf5b9f2d3ac92499a7704c16ed0b4f200db38  lib/core/session.py
-ee57c7420ef2648450c540411f881a4807fcf1be70fefabfa701f3200340c99e  lib/core/settings.py
+b99f7125c2b73e9aa026a4c915b07ba5668bd72d3c85d7078e14aede79a6d3e8  lib/core/settings.py
 1c5eab9494eb969bc9ce118a2ea6954690c6851cbe54c18373c723b99734bf09  lib/core/shell.py
 4eea6dcf023e41e3c64b210cb5c2efc7ca893b727f5e49d9c924f076bb224053  lib/core/subprocessng.py
 cdd352e1331c6b535e780f6edea79465cb55af53aa2114dcea0e8bf382e56d1a  lib/core/target.py
@@ -399,7 +399,7 @@ bb0edf756903d8a9df7b60272541768102c64e562e6e7a356c5a761b835efde3  plugins/dbms/m
 d471eb61a33bd3aa1290cdcce40a5966ebc84af79970f75e8992a2688da4be42  plugins/dbms/mysql/connector.py
 1e29529d6c4938a728a2d42ef4276b46a40bf4309570213cf3c08871a83abdc1  plugins/dbms/mysql/enumeration.py
 200b2c910e6902ef8021fe40b3fb426992a016926414cbf9bb74a3630f40842d  plugins/dbms/mysql/filesystem.py
-55da8384ba32fe9b69022c8d5429acfacd4d44e55c14f902818d6794ed1bd0a2  plugins/dbms/mysql/fingerprint.py
+49e39e43e4f45f69d5a7b384c00deb09c5e474d535eb30b0a429519ec6e1bcc7  plugins/dbms/mysql/fingerprint.py
 88daad9cf2f62757949cb27128170f33268059e2f0a05d3bd9f75417b99149de  plugins/dbms/mysql/__init__.py
 20108fe32ae3025036aa02b4702c4eda81db01c04a2e0e2e4494d8f1b1717eca  plugins/dbms/mysql/syntax.py
 91f34b67fe3ad5bfa6eae5452a007f97f78b7af000457e9d1c75f4d0207f3d39  plugins/dbms/mysql/takeover.py
diff --git a/lib/core/dicts.py b/lib/core/dicts.py
@@ -270,7 +270,7 @@
     DBMS.ACCESS: "CVAR(NULL)",
     DBMS.MAXDB: "ALPHA(NULL)",
     DBMS.MSSQL: "IIF(1=1,DIFFERENCE(NULL,NULL),0)",
-    DBMS.MYSQL: "QUARTER(NULL XOR NULL)",
+    DBMS.MYSQL: "IFNULL(QUARTER(NULL),NULL XOR NULL)",  # NOTE: previous form (i.e., QUARTER(NULL XOR NULL)) was bad as some optimization engines wrongly evaluate QUARTER(NULL XOR NULL) to 0
     DBMS.ORACLE: "INSTR2(NULL,NULL)",
     DBMS.PGSQL: "QUOTE_IDENT(NULL)",
     DBMS.SQLITE: "UNLIKELY(NULL)",
@@ -282,7 +282,7 @@
     DBMS.PRESTO: "FROM_HEX(NULL)",
     DBMS.ALTIBASE: "TDESENCRYPT(NULL,NULL)",
     DBMS.MIMERSQL: "ASCII_CHAR(256)",
-    DBMS.CRATEDB: "MD5(NULL~NULL)",  # Note: NULL~NULL also being evaluated on H2 and Ignite
+    DBMS.CRATEDB: "MD5(NULL~NULL)",  # NOTE: NULL~NULL also being evaluated on H2 and Ignite
     DBMS.CUBRID: "(NULL SETEQ NULL)",
     DBMS.CACHE: "%SQLUPPER NULL",
     DBMS.EXTREMEDB: "NULLIFZERO(hashcode(NULL))",
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -19,7 +19,7 @@
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.9.12.10"
+VERSION = "1.9.12.11"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/plugins/dbms/mysql/fingerprint.py b/plugins/dbms/mysql/fingerprint.py
@@ -187,7 +187,7 @@ def checkDbms(self):
         infoMsg = "testing %s" % DBMS.MYSQL
         logger.info(infoMsg)
 
-        result = inject.checkBooleanExpression("QUARTER(NULL XOR NULL) IS NULL")
+        result = inject.checkBooleanExpression("IFNULL(QUARTER(NULL),NULL XOR NULL) IS NULL")
 
         if result:
             infoMsg = "confirming %s" % DBMS.MYSQL
