
Commit 25463bc

committed
fix for a bug (--predict-output) noticed by Bernardo
1 parent 60a2364 commit 25463bc

2 files changed

Lines changed: 11 additions & 3 deletions


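--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -80,6 +80,12 @@
 # use this replacement character for cases when inference is not able to retrieve the proper character value
 INFERENCE_UNKNOWN_CHAR = '?'
 
+# character used for operation "greater" in inference
+INFERENCE_GREATER_CHAR = ">"
+
+# character used for operation "equals" in inference
+INFERENCE_EQUALS_CHAR = "="
+
 # string used for representation of unknown dbms version
 UNKNOWN_DBMS_VERSION = "Unknown"
 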
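Review bot: The two new comments do not say that these constants are the literal, non-URL-encoded operators as they occur in the payload template, which appears to be the distinction the fix relies on (the calls replaced in lib/techniques/blind/inference.py matched `'%3E'` and `'%3D'`). I would extend them along the lines of `# unencoded character used for operation "greater" in inference payloads (swapped for INFERENCE_EQUALS_CHAR in equality checks)`. As a point of style, the neighbouring single-character constant is written `INFERENCE_UNKNOWN_CHAR = '?'`, so `INFERENCE_GREATER_CHAR = '>'` and `INFERENCE_EQUALS_CHAR = '='` would match it.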

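--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -38,6 +38,8 @@
 from lib.core.settings import CHAR_INFERENCE_MARK
 from lib.core.settings import INFERENCE_BLANK_BREAK
 from lib.core.settings import INFERENCE_UNKNOWN_CHAR
+from lib.core.settings import INFERENCE_GREATER_CHAR
+from lib.core.settings import INFERENCE_EQUALS_CHAR
 from lib.core.unescaper import unescaper
 from lib.request.connect import Connect as Request
 
@@ -129,7 +131,7 @@ def tryHint(idx):
 else:
 posValue = ord(hintValue[idx-1])
 
-forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, posValue))
+forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, posValue))
 queriesCount[0] += 1
 result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 
@@ -163,7 +165,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 charTbl.remove(ord('\n'))
 
 if len(charTbl) == 1:
-forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, charTbl[0]))
+forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, charTbl[0]))
 queriesCount[0] += 1
 result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 
@@ -239,7 +241,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 # both minValue and character afterwards are possible
 # candidates
 for retVal in (originalTbl[originalTbl.index(minValue)], originalTbl[originalTbl.index(minValue) + 1]):
-forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, retVal))
+forgedPayload = safeStringFormat(payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR), (expressionUnescaped, idx, retVal))
 queriesCount[0] += 1
 result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 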
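Review bot: `payload.replace(INFERENCE_GREATER_CHAR, INFERENCE_EQUALS_CHAR)` in tryHint, and the two identical calls in getChar, rewrites every `>` in the payload template rather than only the comparison operator of the inference test. The replace runs before `safeStringFormat` fills in `expressionUnescaped`, so the expression itself is not touched, but any other `>` the template might carry (a `>=`, a `<>`, or one in a prefix or suffix) would silently become `=` and the equality check would then return a wrong character without any error. Whether a template can contain such a character is not visible here, so the assumption should be written down, e.g. `# assumes the only ">" in payload is the inference comparison operator` above each call. The same expression is repeated three times, so building the equality form of the payload once in a local variable would keep the three call sites from drifting apart. All of the enclosing functions start and end outside the hunks.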
