sqlmap/plugins/generic/syntax.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.common import Backend
from lib.core.convert import getBytes
from lib.core.data import conf
from lib.core.enums import DBMS
from lib.core.exception import SqlmapUndefinedMethod

class Syntax(object):
    """
    This class defines generic syntax functionalities for plugins.
    """

    def __init__(self):
        pass

    @staticmethod
    def _escape(expression, quote=True, escaper=None):
        retVal = expression

        if quote:
            for item in re.findall(r"'[^']*'+", expression):
                original = item[1:-1]
                if original:
                    if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:
                        continue
                    if re.search(r"\[(SLEEPTIME|RAND)", original) is None:  # e.g. '[SLEEPTIME]' marker
                        replacement = escaper(original) if not conf.noEscape else original

                        if replacement != original:
                            retVal = retVal.replace(item, replacement)
                        elif len(original) != len(getBytes(original)) and "n'%s'" % original not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
                            retVal = retVal.replace("'%s'" % original, "n'%s'" % original)
        else:
            retVal = escaper(expression)

        return retVal

    @staticmethod
    def escape(expression, quote=True):
        errMsg = "'escape' method must be defined "
        errMsg += "inside the specific DBMS plugin"
        raise SqlmapUndefinedMethod(errMsg)
Last preparations for DREI 2019-05-08 13:47:52 +03:00			`#!/usr/bin/env python`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
			`"""`
Update regarding #4795 2021-09-08 22:01:41 +03:00			`Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`"""`

Refactoring DBMS string escaping functions 2013-01-20 16:45:58 +04:00			`import re`

Couple of important patches 2019-11-30 06:42:38 +03:00			`from lib.core.common import Backend`
Minor improvement for international strings in payloads 2019-05-31 01:17:50 +03:00			`from lib.core.convert import getBytes`
			`from lib.core.data import conf`
Couple of important patches 2019-11-30 06:42:38 +03:00			`from lib.core.enums import DBMS`
Doing some more style updating (capitalization of exception classes; using _ is enough for private members - __ is used in Python specific methods) 2012-12-06 17:14:19 +04:00			`from lib.core.exception import SqlmapUndefinedMethod`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00
Pleasing the pylint gods 2019-05-29 17:42:04 +03:00			`class Syntax(object):`
Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`"""`
			`This class defines generic syntax functionalities for plugins.`
			`"""`

			`def __init__(self):`
			`pass`

Refactoring DBMS string escaping functions 2013-01-20 16:45:58 +04:00			`@staticmethod`
			`def _escape(expression, quote=True, escaper=None):`
			`retVal = expression`

			`if quote:`
Minor patches (pydiatra) 2017-04-14 14:08:51 +03:00			`for item in re.findall(r"'[^']*'+", expression):`
Minor improvement for international strings in payloads 2019-05-31 01:17:50 +03:00			`original = item[1:-1]`
Minor bug fix 2019-12-12 16:10:02 +03:00			`if original:`
			`if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:`
			`continue`
			`if re.search(r"\[(SLEEPTIME\|RAND)", original) is None: # e.g. '[SLEEPTIME]' marker`
			`replacement = escaper(original) if not conf.noEscape else original`

			`if replacement != original:`
			`retVal = retVal.replace(item, replacement)`
			`elif len(original) != len(getBytes(original)) and "n'%s'" % original not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):`
			`retVal = retVal.replace("'%s'" % original, "n'%s'" % original)`
Refactoring DBMS string escaping functions 2013-01-20 16:45:58 +04:00			`else:`
			`retVal = escaper(expression)`

			`return retVal`

Major code refactoring: moved and split plugins (mysql, pgsql, mssql, oracle) more granularly and organized. Todo for firebird, sqlite, access. 2010-03-23 01:57:57 +03:00			`@staticmethod`
minor fix to previous commit 2013-01-18 19:10:34 +04:00			`def escape(expression, quote=True):`
Minor code restyling 2011-04-30 17:20:05 +04:00			`errMsg = "'escape' method must be defined "`
Unescaping is renamed to escaping 2013-01-18 18:40:37 +04:00			`errMsg += "inside the specific DBMS plugin"`
Replacing old and deprecated raise Exception style (PEP8) 2013-01-04 02:20:55 +04:00			`raise SqlmapUndefinedMethod(errMsg)`