From fd36250026cc16d7f06567f93862deed0dae5d84 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Tue, 26 Aug 2014 23:36:04 +0200
Subject: [PATCH] Proper fix for an Issue #757
---
 lib/core/enums.py | 1 +
 lib/techniques/error/use.py | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/lib/core/enums.py b/lib/core/enums.py
index 9b41db113..c7307c778 100644
--- a/lib/core/enums.py
+++ b/lib/core/enums.py
@@ -173,6 +173,7 @@ class HTTP_HEADER:
 SERVER = "Server"
 USER_AGENT = "User-Agent"
 TRANSFER_ENCODING = "Transfer-Encoding"
+ URI = "URI"
 VIA = "Via"
 class EXPECTED:
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index c8a43874e..f6c960484 100644
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -35,6 +35,7 @@ from lib.core.data import logger
 from lib.core.data import queries
 from lib.core.dicts import FROM_DUMMY_TABLE
 from lib.core.enums import DBMS
+from lib.core.enums import HTTP_HEADER
 from lib.core.settings import CHECK_ZERO_COLUMNS_THRESHOLD
 from lib.core.settings import MYSQL_ERROR_CHUNK_LENGTH
 from lib.core.settings import MSSQL_ERROR_CHUNK_LENGTH
@@ -99,14 +100,14 @@ def _oneShotErrorUse(expression, field=None):
 incrementCounter(kb.technique)
- if page and conf.noCast:
+ if page and conf.noEscape:
 page = re.sub(r"('|\%%27)%s('|\%%27).*?('|\%%27)%s('|\%%27)" % (kb.chars.start, kb.chars.stop), "", page)
 # Parse the returned page to get the exact error-based
 # SQL injection output
 output = reduce(lambda x, y: x if x is not None else y, (\
 extractRegexResult(check, page, re.DOTALL | re.IGNORECASE), \
- extractRegexResult(check, listToStrValue(headers.headers \
+ extractRegexResult(check, listToStrValue([headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()] \
 if headers else None), re.DOTALL | re.IGNORECASE), \
 extractRegexResult(check, threadData.lastRedirectMsg[1] \
 if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \
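Review bot: The header-filtering comprehension on the `+ extractRegexResult(check, listToStrValue([headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()] \` line is written out inline, and the identical expression is repeated in the @@ -117,7 +118,7 @@ hunk, with no comment saying why the URI header is skipped; extracting it into one helper keeps the two call sites from drifting and gives the reason a single home. The reason is presumably that a server echoing the request URI in that header returns the injected markers themselves, so extraction would read back the payload instead of DB output — worth confirming against issue #757 and stating in a comment. Note also that if `headers.headers` was the raw header-line list (as on Python 2's rfc822/mimetools Message), the rewrite now matches header values only, so header names and, for repeated headers, anything other than what `headers[header]` returns are no longer searched; please confirm that narrowing is intended. The `conf.noCast` → `conf.noEscape` fix in the same hunk is unrelated to the URI header and is not mentioned in the commit title. `_oneShotErrorUse` begins and ends outside this hunk.
```python
def _headerValues(headers):
    """Join the response header values for marker matching, skipping the "URI" header (issue #757).

    Keeps the previous contract: listToStrValue(None) when there is no header object.
    """
    if not headers:
        return listToStrValue(None)
    return listToStrValue([headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()])

# … unchanged: body of _oneShotErrorUse up to the reduce(...) call …
                extractRegexResult(check, _headerValues(headers), re.DOTALL | re.IGNORECASE), \
# … unchanged: remaining extractRegexResult() entries of the tuple …
```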
@@ -117,7 +118,7 @@ def _oneShotErrorUse(expression, field=None):
 output = getUnicode(output)
 else:
 trimmed = extractRegexResult(trimcheck, page, re.DOTALL | re.IGNORECASE) \
- or extractRegexResult(trimcheck, listToStrValue(headers.headers \
+ or extractRegexResult(trimcheck, listToStrValue([headers[header] for header in headers if header.lower() != HTTP_HEADER.URI.lower()] \
 if headers else None), re.DOTALL | re.IGNORECASE) \
 or extractRegexResult(trimcheck, threadData.lastRedirectMsg[1] \
 if threadData.lastRedirectMsg and threadData.lastRedirectMsg[0] == \