

Commit edcf1a0

committed
few bug fixes
1 parent 96a0635 commit edcf1a0

3 files changed

Lines changed: 9 additions & 12 deletions


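--- a/lib/controller/handler.py
+++ b/lib/controller/handler.py
@@ -62,10 +62,7 @@ def setHandler():
 ( SYBASE_ALIASES, SybaseMap, SybaseConn ),
 ]
 
-if kb.htmlFp:
-inferencedDbms = kb.htmlFp[-1]
-else:
-inferencedDbms = None
+inferencedDbms = (kb.htmlFp[-1] if kb.htmlFp else None) or kb.dbms
 
 for injection in kb.injections:
 if hasattr(injection, "dbms"):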
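Review bot: The name `inferencedDbms` no longer matches what the rewritten line 65 assigns: when `kb.htmlFp` is empty the value now comes from `kb.dbms`, which is not an inferred fingerprint (presumably the DBMS already known from earlier processing — the hunk does not show where it is set). The precedence, last HTML fingerprint first and `kb.dbms` as fallback, deserves a one-line comment so the trailing `or` is not mistaken for a typo, e.g. `# prefer the DBMS fingerprinted from the last response; otherwise keep kb.dbms (may still be None)`. Note also that collapsing the if/else into a conditional-plus-`or` changes one case: a falsy `kb.htmlFp[-1]` was previously kept as-is, whereas it now falls through to `kb.dbms`. setHandler continues outside the hunk.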

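--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -127,7 +127,7 @@ def tryHint(idx):
 
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, posValue))
 queriesCount[0] += 1
-result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
+result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 
 if result:
 return hintValue[idx-1]
@@ -161,7 +161,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 if len(charTbl) == 1:
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, charTbl[0]))
 queriesCount[0] += 1
-result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
+result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 
 if result:
 return chr(charTbl[0]) if charTbl[0] < 128 else unichr(charTbl[0])
@@ -181,7 +181,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(CHAR_INFERENCE_MARK, chr(posValue) if posValue < 128 else unichr(posValue))
 
 queriesCount[0] += 1
-result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
+result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 
 if result:
 minValue = posValue
@@ -233,7 +233,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 for retVal in (originalTbl[originalTbl.index(minValue)], originalTbl[originalTbl.index(minValue) + 1]):
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, retVal))
 queriesCount[0] += 1
-result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare)
+result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 
 if result:
 return chr(retVal) if retVal < 128 else unichr(retVal)
@@ -433,7 +433,7 @@ def downloadThread():
 query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
 query = agent.suffixQuery(query)
 queriesCount[0] += 1
-result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare)
+result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)
 
 # Did we have luck?
 if result:
@@ -457,7 +457,7 @@ def downloadThread():
 query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
 query = agent.suffixQuery(query)
 queriesCount[0] += 1
-result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare)
+result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)
 
 # Did we have luck?
 if result: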
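Review bot: `raise404=False` is now passed at all six `Request.queryPage` call sites in this file (line 130 in tryHint, lines 164, 184 and 236 in getChar, lines 436 and 460 in downloadThread) with no note on why, and the keyword is repeated verbatim each time. As far as these hunks show, the effect is that a 404 response no longer aborts the request and its result feeds the following `if result:` like any other page, so a 404 coming back for one branch of a probe is treated as a comparison outcome rather than an error; that is presumably the intended fix, but it also means a transient 404 (the target temporarily refusing the request) would be read as a boolean answer and silently corrupt the inferred value, so it is worth confirming that the page comparison inside queryPage still distinguishes that case. A comment at the first call site, e.g. `# a 404 can be the legitimate response of one branch of a blind probe; do not abort on it`, would record the intent, and if the keyword spreads further a small local wrapper around queryPage would avoid repeating it. All three enclosing functions start and end outside their hunks.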

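--- a/xml/queries.xml
+++ b/xml/queries.xml
@@ -335,7 +335,7 @@
 <dbms value="Microsoft Access">
 <cast query="CVAR(%s)"/>
 <length query="LEN(%s)"/>
-<isnull query="IIF(ISNULL(%s), ' ', %s)"/>
+<isnull query="IIF(LEN(%s)=0, ' ', %s)"/>
 <delimiter query=","/>
 <limit query="TOP %d"/>
 <limitregexp query="\s+TOP\s+([\d]+)"/>
@@ -352,7 +352,7 @@
 <!--CURRENTUSER() is not available outside the MS Access query tool itself-->
 <current_user/>
 <current_db/>
-<inference query="MID((%s), %d, 1) > CHR(%d)"/>
+<inference query="ASC(MID((%s), %d, 1)) > %d"/>
 <is_dba/>
 <dbs/>
 <!--MSysObjects have no read permission by default-->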
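Review bot: The new `isnull` query for Microsoft Access at line 338, `IIF(LEN(%s)=0, ' ', %s)`, changes which values get substituted: it matches empty strings, whereas the replaced `ISNULL(%s)` test matched NULL. In Access, `LEN(NULL)` yields Null, `Null = 0` is itself Null, and `IIF` takes the false branch on a Null condition, so a genuinely NULL value would now be returned unchanged rather than as `' '`. If that is acceptable, or if `ISNULL()` was unusable in the query context this targets, the XML should say so next to the existing CURRENTUSER() note, e.g. `<!--ISNULL() replaced by LEN()=0: covers empty strings only, NULL values are passed through unchanged-->`, since the commit message ("few bug fixes") does not record the reason.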
