added checking of header values for GREP (error); still UNION to do

lib/controller/checks.py

@@ -22,6 +22,7 @@ from lib.core.common import getComparePageRatio
 from lib.core.common import getCompiledRegex
 from lib.core.common import getSortedInjectionTests
 from lib.core.common import getUnicode
+from lib.core.common import listToStrValue
 from lib.core.common import popValue
 from lib.core.common import pushValue
 from lib.core.common import randomInt
@@ -320,8 +321,9 @@ def checkSqlInjection(place, parameter, value):
                         elif method == PAYLOAD.METHOD.GREP:
                             # Perform the test's request and grep the response
                             # body for the test's <grep> regular expression
-                            reqBody, _ = Request.queryPage(reqPayload, place, content=True, raise404=False)
+                            page, headers = Request.queryPage(reqPayload, place, content=True, raise404=False)
-                            output = extractRegexResult(check, reqBody, re.DOTALL | re.IGNORECASE)
+                            output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)\
+                              or extractRegexResult(check, listToStrValue(headers.headers if headers else None), re.DOTALL | re.IGNORECASE)
 
                             if output:
                                 result = output.replace(kb.misc.space, " ") == "1"

lib/core/common.py

@@ -2292,3 +2292,16 @@ def unhandledExceptionMessage():
     errMsg += "Technique: %s\n" % (enumValueToNameLookup(PAYLOAD.TECHNIQUE, kb.technique) if kb.technique else None)
     errMsg += "Back-end DBMS: %s" % kb.dbms
     return errMsg
+
+def listToStrValue(value):
+    """
+    Flattens list to a string value
+    >>> listToStrValue([1,2,3])
+    '1, 2, 3'
+    """
+    if isinstance(value, list):
+        retValue = value.__str__().lstrip('[').rstrip(']')
+    else:
+        retValue = value
+
+    return retValue

lib/techniques/error/use.py

@@ -11,12 +11,13 @@ import re
 import time
 
 from lib.core.agent import agent
+from lib.core.common import Backend
 from lib.core.common import calculateDeltaSeconds
 from lib.core.common import dataToSessionFile
 from lib.core.common import extractRegexResult
-from lib.core.common import Backend
 from lib.core.common import initTechnique
 from lib.core.common import isNumPosStrValue
+from lib.core.common import listToStrValue
 from lib.core.common import randomInt
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
@@ -55,12 +56,13 @@ def __oneShotErrorUse(expression, field):
     payload = agent.payload(newValue=injExpression)
 
     # Perform the request
-    page, _ = Request.queryPage(payload, content=True)
+    page, headers = Request.queryPage(payload, content=True)
     reqCount += 1
 
     # Parse the returned page to get the exact error-based
     # sql injection output
-    output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)
+    output = extractRegexResult(check, page, re.DOTALL | re.IGNORECASE)\
+      or extractRegexResult(check, listToStrValue(headers.headers if headers else None), re.DOTALL | re.IGNORECASE)
 
     dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(output)))