few bug fixes

2024-11-25 19:13:48 +03:00 · 2010-12-24 18:40:48 +00:00 · 2010-12-24 18:40:48 +00:00 · edcf1a0872
commit edcf1a0872
parent 96a06351a1
3 changed files with 9 additions and 12 deletions
--- a/lib/controller/handler.py
+++ b/lib/controller/handler.py
@ -62,10 +62,7 @@ def setHandler():
                  ( SYBASE_ALIASES, SybaseMap, SybaseConn ),
                ]

-    if kb.htmlFp:
-        inferencedDbms = kb.htmlFp[-1]
-    else:
-        inferencedDbms = None
+    inferencedDbms = (kb.htmlFp[-1] if kb.htmlFp else None) or kb.dbms

    for injection in kb.injections:
        if hasattr(injection, "dbms"):
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@ -127,7 +127,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None

            forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, posValue))
            queriesCount[0] += 1
-            result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
+            result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)

            if result:
                return hintValue[idx-1]
@ -161,7 +161,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
        if len(charTbl) == 1:
            forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, charTbl[0]))
            queriesCount[0] += 1
-            result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
+            result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)

            if result:
                return chr(charTbl[0]) if charTbl[0] < 128 else unichr(charTbl[0])
@ -181,7 +181,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(CHAR_INFERENCE_MARK, chr(posValue) if posValue < 128 else unichr(posValue))

            queriesCount[0] += 1
-            result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
+            result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)

            if result:
                minValue = posValue
@ -233,7 +233,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                    for retVal in (originalTbl[originalTbl.index(minValue)], originalTbl[originalTbl.index(minValue) + 1]):
                        forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, retVal))
                        queriesCount[0] += 1
-                        result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
+                        result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)

                        if result:
                            return chr(retVal) if retVal < 128 else unichr(retVal)
@ -433,7 +433,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                    query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
                    query = agent.suffixQuery(query)
                    queriesCount[0] += 1
-                    result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare)
+                    result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)

                    # Did we have luck?
                    if result:
@ -457,7 +457,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                    query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
                    query = agent.suffixQuery(query)
                    queriesCount[0] += 1
-                    result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare)
+                    result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)

                    # Did we have luck?
                    if result:
--- a/xml/queries.xml
+++ b/xml/queries.xml
@ -335,7 +335,7 @@
    <dbms value="Microsoft Access">
        <cast query="CVAR(%s)"/>
        <length query="LEN(%s)"/>
-        <isnull query="IIF(ISNULL(%s), ' ', %s)"/>
+        <isnull query="IIF(LEN(%s)=0, ' ', %s)"/>
        <delimiter query=","/>
        <limit query="TOP %d"/>
        <limitregexp query="\s+TOP\s+([\d]+)"/>
@ -352,7 +352,7 @@
        <!--CURRENTUSER() is not available outside the MS Access query tool itself-->
        <current_user/>
        <current_db/>
-        <inference query="MID((%s), %d, 1) > CHR(%d)"/>
+        <inference query="ASC(MID((%s), %d, 1)) > %d"/>
        <is_dba/>
        <dbs/>
        <!--MSysObjects have no read permission by default-->