diff --git a/lib/core/common.py b/lib/core/common.py
index db8c3808b..152ccbe9b 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1224,6 +1224,9 @@ def getGoodSamaritanCharsets(part, prevValue, originalCharset):
 if kb.commonOutputs is None:
 initCommonOutputs()
 
+if not part or not prevValue: #is not None and != ""
+return None, originalCharset
+
 predictionSet = set()
 wildIndexes = []
 
@@ -1239,7 +1242,7 @@ def getGoodSamaritanCharsets(part, prevValue, originalCharset):
 findIndex = prevValue.find('.', charIndex)
 
 if part in kb.commonOutputs:
-for item in kb.commonOutputs[kb.dbms]:
+for item in kb.commonOutputs[part]:
 if re.search('\A%s' % prevValue, item):
 for index in wildIndexes:
 char = item[index]
@@ -1250,7 +1253,7 @@ def getGoodSamaritanCharsets(part, prevValue, originalCharset):
 predictedCharset = []
 otherCharset = []
 
-for ordChar in originalTable:
+for ordChar in originalCharset:
 if chr(ordChar) not in predictionSet:
 otherCharset.append(ordChar)
 else:
@@ -1260,7 +1263,7 @@ def getGoodSamaritanCharsets(part, prevValue, originalCharset):
 
 return predictedCharset, otherCharset
 else:
-return None, originalTable
+return None, originalCharset
 
 def getCompiledRegex(regex):
 if regex in __compiledRegularExpressions:
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 78dd639e1..b7a8d977e 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
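Review bot: `prevValue` is interpolated into the regular expression unescaped in `if re.search('\A%s' % prevValue, item):` (the `kb.commonOutputs[part]` hunk), yet it is a partially retrieved value read back from the target database, so any regex metacharacter in it other than the intended `.` wildcards — `(`, `[`, `*`, `+`, `?`, `\`, `|` — will raise `re.error` inside the retrieval loop or silently mismatch instead of producing a prediction. Escape every character except the wildcard positions, e.g. `pattern = '\\A' + ''.join('.' if c == '.' else re.escape(c) for c in prevValue)` followed by `if re.search(pattern, item):`; a per-character comparison that treats `.` as any-char would avoid the regex engine entirely. The loop that fills `wildIndexes` and the rest of `getGoodSamaritanCharsets` lie in the neighbouring hunks of this diff.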
@@ -141,12 +141,23 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 
 return None
 
-def getChar(idx, charTbl=asciiTbl):
+def getChar(idx, charTbl=asciiTbl, sequentialOrder=True):
 result = tryHint(idx)
 
 if result:
 return result
 
+if not sequentialOrder:
+originalTbl = list(charTbl)
+
+if len(charTbl) == 1:
+forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, charTbl[0]))
+result = Request.queryPage(urlencode(forgedPayload))
+if result:
+return chr(charTbl[0]) if charTbl[0] < 128 else unichr(charTbl[0])
+else:
+return None
+
 maxChar = maxValue = charTbl[-1]
 minValue = charTbl[0]
 
@@ -189,15 +200,14 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 if maxValue == 1:
 return None
 elif minValue == maxChar:
-charTbl = xrange( maxChar + 1, (maxChar + 1) << 8 )
+charTbl = xrange(maxChar + 1, (maxChar + 1) << 8)
 maxChar = maxValue = charTbl[-1]
 minValue = charTbl[0]
-else:
+elif sequentialOrder:
 retVal = minValue + 1
-if retVal < 128:
-return chr(retVal)
-else:
-return unichr(retVal)
+return chr(retVal) if retVal < 128 else unichr(retVal)
+else:
+retVal = originalTbl[originalTbl.index(minValue) + 1]
 
 def etaProgressUpdate(charTime, index):
 if len(progressTime) <= ( (length * 3) / 100 ):
diff --git a/txt/common-outputs.txt b/txt/common-outputs.txt
index 9d5692d2b..fc6533328 100644
--- a/txt/common-outputs.txt
+++ b/txt/common-outputs.txt
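Review bot: The single-candidate equality probe in the new `if len(charTbl) == 1:` branch is built with `payload.replace('%3E', '%3D')`, which rewrites every URL-encoded `>` in the whole payload rather than only the comparison operator of the inference template; if the injected expression or any other part of `payload` happens to contain `%3E`, the probe is corrupted and the predicted character is rejected (or matched by a different comparison). Producing the `=` variant where the inference payload is assembled, or passing the operator into the template so both forms come from the same source, would be more robust than a substring substitution on the finished payload. The `chr`/`unichr` selection is now written three times inside `getChar`; one helper such as `def _toChar(ordinal): return chr(ordinal) if ordinal < 128 else unichr(ordinal)` would keep them consistent. `getChar` and the enclosing `bisection` continue past this hunk.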
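Review bot: In the new trailing `else:` branch, `retVal = originalTbl[originalTbl.index(minValue) + 1]` assigns the resolved character but never returns it, whereas the sibling `elif sequentialOrder:` branch returns immediately; the hunk's trailing context shows `getChar` ending right after this branch, so the non-sequential lookup falls off the end, the caller receives `None` and re-runs the bisection on `otherCharset`, discarding the prediction. Mirror the sibling branch with `return chr(retVal) if retVal < 128 else unichr(retVal)`. Two further caveats on this path: `originalTbl.index(minValue)` raises `ValueError` once the `elif minValue == maxChar:` branch has replaced `charTbl` with an `xrange` whose values are not in `originalTbl`, and, unlike the single-element probe added earlier in `getChar`, a result bisected over a non-contiguous predicted set is returned without an `=` check, so if the probes are `>` comparisons (as the `%3E` rewrite suggests) a character lying between two predicted ordinals would be reported as the next predicted one. An equality probe before returning here would make the fallback to `otherCharset` reliable. The `while` loop enclosing these branches starts before the hunk.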
@@ -1,2 +1,5 @@
 [Tables]
-users
\ No newline at end of file
+users
+
+[Users]
+luther
\ No newline at end of file