Fixes #1600

2025-01-23 15:54:24 +03:00 · 2015-12-09 19:53:48 +01:00 · 2015-12-09 19:53:48 +01:00 · 663c976a3b
commit 663c976a3b
parent 2eb5f5e841
2 changed files with 7 additions and 1 deletions
--- a/lib/core/convert.py
+++ b/lib/core/convert.py
@ -10,9 +10,11 @@ import json
 import pickle
 import StringIO
 import sys
+import types

 from lib.core.settings import IS_WIN
 from lib.core.settings import UNICODE_ENCODING
+from lib.core.settings import PICKLE_REDUCE_WHITELIST

 def base64decode(value):
    """
@ -71,7 +73,7 @@ def base64unpickle(value):
    def _(self):
        if len(self.stack) > 1:
            func = self.stack[-2]
-            if '.' in repr(func) and " 'lib." not in repr(func):
+            if func not in PICKLE_REDUCE_WHITELIST:
                raise Exception, "abusing reduce() is bad, Mkay!"
        self.load_reduce()

--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -11,7 +11,9 @@ import subprocess
 import string
 import sys
 import time
+import types

+from lib.core.datatype import AttribDict
 from lib.core.enums import DBMS
 from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
@ -427,6 +429,8 @@ HTML_TITLE_REGEX = "<title>(?P<result>[^<]+)</title>"
 # Table used for Base64 conversion in WordPress hash cracking routine
 ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

+PICKLE_REDUCE_WHITELIST = (types.BooleanType, types.DictType, types.FloatType, types.IntType, types.ListType, types.LongType, types.NoneType, types.StringType, types.TupleType, types.UnicodeType, types.XRangeType, type(AttribDict()), type(set()))
+
 # Chars used to quickly distinguish if the user provided tainted parameter values
 DUMMY_SQL_INJECTION_CHARS = ";()'"