Bug fix regarding a problem reported by user @blink2014

2025-01-23 15:54:24 +03:00 · 2014-12-20 00:23:31 +01:00 · 2014-12-20 00:23:31 +01:00 · 4f122ee008
commit 4f122ee008
parent 6cb76bcf85
4 changed files with 6 additions and 4 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -162,6 +162,7 @@ class Agent(object):
                match = None
                for match in re.finditer(pattern, string):
                    pass
+
                if match:
                    while True:
                        _ = re.search(r"\\g<([^>]+)>", repl)
@ -173,7 +174,8 @@ class Agent(object):
                return retVal

            if origValue:
-                retVal = _(r"(\A|\b)%s=%s(\Z|\b)" % (re.escape(parameter), re.escape(origValue)), "%s=%s" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
+                regex = r"(\A|\b)%s=%s%s" % (re.escape(parameter), re.escape(origValue), r"(\Z|\b)" if origValue[-1].isalnum() else "")
+                retVal = _(regex, "%s=%s" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
            else:
                retVal = _(r"(\A|\b)%s=%s(\Z|%s|%s|\s)" % (re.escape(parameter), re.escape(origValue), DEFAULT_GET_POST_DELIMITER, DEFAULT_COOKIE_DELIMITER), "%s=%s\g<2>" % (parameter, self.addPayloadDelimiters(newValue.replace("\\", "\\\\"))), paramString)
            if retVal == paramString and urlencode(parameter) != parameter:
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -97,7 +97,6 @@ from lib.core.settings import DEFAULT_COOKIE_DELIMITER
 from lib.core.settings import DEFAULT_GET_POST_DELIMITER
 from lib.core.settings import DEFAULT_MSSQL_SCHEMA
 from lib.core.settings import DESCRIPTION
-from lib.core.settings import DUMMY_SQL_INJECTION_CHARS
 from lib.core.settings import DUMMY_USER_INJECTION
 from lib.core.settings import DYNAMICITY_MARK_LENGTH
 from lib.core.settings import ERROR_PARSING_REGEXES
@ -573,7 +572,7 @@ def paramToDict(place, parameters=None):
                testableParameters[parameter] = "=".join(parts[1:])
                if not conf.multipleTargets and not (conf.csrfToken and parameter == conf.csrfToken):
                    _ = urldecode(testableParameters[parameter], convall=True)
-                    if (_.strip(DUMMY_SQL_INJECTION_CHARS) != _\
+                    if (_.endswith("'") and _.count("'") == 1
                      or re.search(r'\A9{3,}', _) or re.search(DUMMY_USER_INJECTION, _))\
                      and not parameter.upper().startswith(GOOGLE_ANALYTICS_COOKIE_PREFIX):
                        warnMsg = "it appears that you have provided tainted parameter values "
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -412,7 +412,7 @@ ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
 DUMMY_SQL_INJECTION_CHARS = ";()'"

 # Simple check against dummy users
-DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\A-\d+\Z"
+DUMMY_USER_INJECTION = r"(?i)[^\w](AND|OR)\s+[^\s]+[=><]|\bUNION\b.+\bSELECT\b|\bSELECT\b.+\bFROM\b|\b(CONCAT|information_schema|SLEEP|DELAY)\b"

 # Extensions skipped by crawler
 CRAWL_EXCLUDE_EXTENSIONS = ("gif", "jpg", "jpeg", "image", "jar", "tif", "bmp", "war", "ear", "mpg", "mpeg", "wmv", "mpeg", "scm", "iso", "dmp", "dll", "cab", "so", "avi", "mkv", "bin", "iso", "tar", "png", "pdf", "ps", "wav", "mp3", "mp4", "au", "aiff", "aac", "zip", "rar", "7z", "gz", "flv", "mov", "doc", "docx", "xls", "dot", "dotx", "xlt", "xlsx", "ppt", "pps", "pptx")
--- a/xml/errors.xml
+++ b/xml/errors.xml
@ -5,6 +5,7 @@
    <dbms value="MySQL">
        <error regexp="SQL syntax.*MySQL"/>
        <error regexp="Warning.*mysql_.*"/>
+        <error regexp="MySqlException \(0x"/>
        <error regexp="valid MySQL result"/>
        <error regexp="MySqlClient\."/>
        <error regexp="com\.mysql\.jdbc\.exceptions"/>