Proper english (--postfix is now --suffix) and --string/--regexp does not necessarily need to match into the original response body, it might well be in the injected True condition only!

2026-06-09 17:51:33 +00:00 · 2010-11-17 22:00:09 +00:00 · 2010-11-17 22:00:09 +00:00 · 17486e472a
commit 17486e472a
parent ca5125bbe0
20 changed files with 77 additions and 78 deletions
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@ -442,7 +442,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                    # One-shot query containing equals commonValue
                    testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False)
                    query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
-                    query = agent.postfixQuery(query)
+                    query = agent.suffixQuery(query)
                    queriesCount[0] += 1
                    result = Request.queryPage(agent.payload(newValue=query))

@ -466,7 +466,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                    subquery = queries[kb.dbms].substring.query % (expressionUnescaped, 1, len(commonPattern))
                    testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False)
                    query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
-                    query = agent.postfixQuery(query)
+                    query = agent.suffixQuery(query)
                    queriesCount[0] += 1
                    result = Request.queryPage(agent.payload(newValue=query))