diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 749c9327e..d998524a2 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -488,9 +488,6 @@ def checkSqlInjection(place, parameter, value):
if vector is None and "vector" in test and test.vector is not None:
vector = "%s%s" % (test.vector, comment or "")
- if method == PAYLOAD.METHOD.TIME:
- reqPayload = reqPayload.replace(test.request.payload.replace("[SLEEPTIME]", str(conf.timeSec)), test.request.payload)
-
injection.data[stype] = AttribDict()
injection.data[stype].title = title
injection.data[stype].payload = agent.removePayloadDelimiters(reqPayload)
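Review bot: After this removal the payload stored in `injection.data[stype].payload` keeps the `[SLEEPTIME]` tag unresolved, and nothing in this hunk records that the value is now in "late tag" form, so any other reader of the stored payload (session data, log output) would have to know to call `agent.adjustLateValues()` itself. A one-line comment above the assignment would make the contract explicit: `# stored with late tags (e.g. [SLEEPTIME]) intact; resolve with agent.adjustLateValues() when rendering`. The enclosing checkSqlInjection starts and ends outside the hunk, so I cannot see whether other branches still substitute the sleep value earlier.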
diff --git a/lib/controller/controller.py b/lib/controller/controller.py
index 1dc4dd88b..e60db4a93 100644
--- a/lib/controller/controller.py
+++ b/lib/controller/controller.py
@@ -138,7 +138,7 @@ def __formatInjection(inj):
title = title.replace("columns", "column")
data += " Type: %s\n" % PAYLOAD.SQLINJECTION[stype]
data += " Title: %s\n" % title
- data += " Payload: %s\n" % (sdata.payload if stype not in (PAYLOAD.TECHNIQUE.TIME, PAYLOAD.TECHNIQUE.STACKED) else sdata.payload.replace("[SLEEPTIME]", str(conf.timeSec)))
+ data += " Payload: %s\n" % agent.adjustLateValues(sdata.payload)
data += " Vector: %s\n\n" % vector if conf.verbose > 1 else "\n"
return data
diff --git a/lib/core/agent.py b/lib/core/agent.py
index f76aa1934..90650e6df 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -212,20 +212,19 @@ class Agent:
if payload is None:
return
- randInt = randomInt()
- randInt1 = randomInt()
- randInt2 = randomInt()
- randStr = randomStr()
- randStr1 = randomStr()
-
_ = (
- ("[RANDNUM]", str(randInt)), ("[RANDNUM1]", str(randInt1)), ("[RANDNUM2]", str(randInt2)), ("[RANDSTR]", randStr),\
- ("[RANDSTR1]", randStr1), ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
+ ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
("[HASH_REPLACE]", kb.chars.hash_)
)
payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
+ for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):
+ payload = payload.replace(_, str(randomInt()))
+
+ for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)):
+ payload = payload.replace(_, randomStr())
+
if origValue is not None:
payload = payload.replace("[ORIGVALUE]", origValue)
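Review bot: The two new loops reuse `_` as their loop variable immediately after `_` was bound to the replacement tuple on the preceding lines, so the name that conventionally signals "unused" is here both shadowed and actually read inside the body; `for tag in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):` / `payload = payload.replace(tag, str(randomInt()))` (and the same for RANDSTR) reads as intended. Separately, `re.I` makes the match case-insensitive but the `set()` and `str.replace` still key on the exact matched text, so `[RANDNUM]` and `[randnum]` in one payload would receive different random values; if case variants are meant to be the same tag, either drop the flag or normalise the match before replacing. This also assumes `re` is already imported in agent.py, which the hunk does not show. The enclosing `payload` method begins outside the hunk.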
@@ -249,12 +248,15 @@ class Agent:
return payload
- def adjustSleepTime(self, payload):
+ def adjustLateValues(self, payload):
"""
- Returns payload with a replaced tag for SLEEPTIME
+ Returns payload with a replaced late tags (e.g. SLEEPTIME)
"""
- return payload.replace("[SLEEPTIME]", str(conf.timeSec)) if payload else payload
+ if payload:
+ payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
+
+ return payload
def getComment(self, request):
"""
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 235d582ca..5af77e395 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -540,7 +540,7 @@ class Connect:
raise404 = place != PLACE.URI if raise404 is None else raise404
- value = agent.adjustSleepTime(value)
+ value = agent.adjustLateValues(value)
payload = agent.extractPayload(value)
threadData = getCurrentThreadData()
diff --git a/lib/request/direct.py b/lib/request/direct.py
index 99c099fc6..02724a039 100644
--- a/lib/request/direct.py
+++ b/lib/request/direct.py
@@ -28,7 +28,7 @@ from lib.utils.timeout import timeout
def direct(query, content=True):
select = True
query = agent.payloadDirect(query)
- query = agent.adjustSleepTime(query)
+ query = agent.adjustLateValues(query)
threadData = getCurrentThreadData()
if Backend.isDbms(DBMS.ORACLE) and query.startswith("SELECT ") and " FROM " not in query:
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 87bc7f186..f2e2f44c6 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1215,9 +1215,9 @@ Formats:
0
1
1
- AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)
+ AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)
- AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)
+ AND ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)
[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
@@ -1433,9 +1433,9 @@ Formats:
2
1
2
- OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)
+ OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)
- OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM] UNION SELECT [RANDNUM1] UNION SELECT [RANDNUM2])a GROUP BY x)
+ OR ROW([RANDNUM],[RANDNUM1])>(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM (SELECT [RANDNUM2][RANDNUM3] UNION SELECT [RANDNUM4][RANDNUM5] UNION SELECT [RANDNUM6][RANDNUM7])a GROUP BY x)
[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]