From 6a24048aa6b40ca8862d6d78821062c826e06a28 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sat, 11 Dec 2010 21:17:54 +0000
Subject: [PATCH] urllib2 doesn't play well with '\n' when non unescaped chars used
---
 lib/core/common.py | 2 ++
 lib/techniques/blind/inference.py | 5 ++++-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/core/common.py b/lib/core/common.py
index 47546fca0..95c1dbc4d 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1724,6 +1724,8 @@ def isDBMSVersionAtLeast(version):
 value = float(value.replace("<=", ""))
 elif value.startswith(">"):
 value = float(value.replace("<", "")) - 0.01
+ else:
+ value = float(value)
 retVal = value >= version
 return retVal
diff --git a/lib/techniques/blind/inference.py b/lib/techniques/blind/inference.py
index 8edc42c55..07c4777cc 100644
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -155,6 +155,9 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 # Used for gradual expanding into unicode charspace
 shiftTable = [5, 4]
+ if CHAR_INFERENCE_MARK in payload and ord('\n') in charTbl:
+ charTbl.remove(ord('\n'))
+
 if len(charTbl) == 1:
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, charTbl[0]))
 queriesCount[0] += 1
@@ -216,7 +219,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
 return None
 else:
 retVal = minValue + 1
- if retVal in originalTbl:
+ if retVal in originalTbl or (retVal == ord('\n') and CHAR_INFERENCE_MARK in payload):
 return chr(retVal) if retVal < 128 else unichr(retVal)
 else:
 return None
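Review bot: The `elif` branch directly above the added `else` tests `value.startswith(">")` but strips `"<"`, so the condition and the replace disagree: a value beginning with `>` is presumably caught by an earlier `>` branch outside the hunk, and if one ever did reach this branch, `float(">…")` would raise ValueError rather than subtract 0.01, so the test was most likely meant to be `elif value.startswith("<"):`. The new `else: value = float(value)` has the same failure mode for any version string that still carries a non-numeric character, turning what looks like a None-returning predicate into an exception at the call site; either guard it (`try: value = float(value)` / `except ValueError: return retVal`) or document the precondition that `value` has already been reduced to digits and comparison operators. isDBMSVersionAtLeast's body starts outside the hunk, so the earlier branches and the initial value of retVal cannot be confirmed from here.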
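Review bot: The reason `ord('\n')` is dropped from `charTbl` exists only in the commit subject; the added `if` deserves a comment so the next reader does not "fix" it, e.g. `# urllib2 mishandles a raw '\n' in non-URL-encoded payloads, so the newline is not probed directly; it is re-admitted by exclusion in the result check below`. `charTbl.remove(...)` also mutates the list in place, and if `charTbl` aliases a table owned by the caller (not visible in this hunk) the removal would outlive this call; rebinding instead, `charTbl = [c for c in charTbl if c != ord('\n')]`, avoids that without changing the local behaviour. The enclosing bisection() starts and ends outside the hunk.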
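Review bot: The changed `if` recomputes `CHAR_INFERENCE_MARK in payload` and `ord('\n')` at the decision point, duplicating the same test made in the @@ -155 hunk and hiding why a code point that was never in `originalTbl` is accepted. Computing the flag once where the newline is removed, `skipNewline = CHAR_INFERENCE_MARK in payload`, and writing the check as `if retVal in originalTbl or (skipNewline and retVal == ord('\n')):` keeps the two sites in step and reads as one decision. A short comment on the new line, `# '\n' is excluded from the probed table, so accept it when the search narrows to it`, would make the by-exclusion acceptance explicit; whether the search can narrow to 10 without the newline in the table depends on the loop above, which lies outside the hunk.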