sqlmap/lib/core/convert.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

try:
    import hashlib
except:
    import md5
    import sha

import pickle
import re
import sys
import struct
import urllib

from lib.core.data import conf
from lib.core.data import kb
from lib.core.enums import PLACE
from lib.core.settings import UNICODE_ENCODING
from lib.core.settings import URLENCODE_CHAR_LIMIT
from lib.core.settings import URLENCODE_FAILSAFE_CHARS

def base64decode(value):
    return value.decode("base64")

def base64encode(value):
    return value.encode("base64")[:-1].replace("\n", "")

def base64pickle(value):
    return base64encode(pickle.dumps(value, pickle.HIGHEST_PROTOCOL))

def base64unpickle(value):
    return pickle.loads(base64decode(value))

def hexdecode(value):
    value = value.lower()
    return (value[2:] if value.startswith("0x") else value).decode("hex")

def hexencode(value):
    return value.encode("hex")

def md5hash(value):
    if sys.modules.has_key('hashlib'):
        return hashlib.md5(value).hexdigest()
    else:
        return md5.new(value).hexdigest()

def orddecode(value):
    packedString = struct.pack("!"+"I" * len(value), *value)
    return "".join(chr(char) for char in struct.unpack("!"+"I"*(len(packedString)/4), packedString))

def ordencode(value):
    return tuple(ord(char) for char in value)

def sha1hash(value):
    if sys.modules.has_key('hashlib'):
        return hashlib.sha1(value).hexdigest()
    else:
        return sha.new(value).hexdigest()

def urldecode(value, encoding=None):
    result = None

    if value:
        try:
            # for cases like T%C3%BCrk%C3%A7e
            value = str(value)
        except ValueError:
            pass
        finally:
            result = urllib.unquote_plus(value)

    if isinstance(result, str):
        result = unicode(result, encoding or UNICODE_ENCODING, "replace")

    return result

def urlencode(value, safe="%&=", convall=False, limit=False):
    if conf.direct or PLACE.SOAP in conf.paramDict:
        return value

    count = 0
    result = None if value is None else ""

    if value:
        if convall or safe is None:
            safe = ""

        # corner case when character % really needs to be
        # encoded (when not representing url encoded char)
        # except in cases when tampering scripts are used
        if all(map(lambda x: '%' in x, [safe, value])) and not kb.tamperFunctions:
            value = re.sub("%(?![0-9a-fA-F]{2})", "%25", value)

        while True:
            result = urllib.quote(utf8encode(value), safe)

            if limit and len(result) > URLENCODE_CHAR_LIMIT:
                if count >= len(URLENCODE_FAILSAFE_CHARS):
                    break

                while count < len(URLENCODE_FAILSAFE_CHARS):
                    safe += URLENCODE_FAILSAFE_CHARS[count]
                    count += 1
                    if safe[-1] in value:
                        break
            else:
                break

    return result

def unicodeencode(value, encoding=None):
    """
    Return 8-bit string representation of the supplied unicode value:

    >>> unicodeencode(u'test')
    'test'
    """

    retVal = value
    if isinstance(value, unicode):
        try:
            retVal = value.encode(encoding or UNICODE_ENCODING)
        except UnicodeEncodeError:
            retVal = value.encode(UNICODE_ENCODING, "replace")
    return retVal

def utf8encode(value):
    return unicodeencode(value, "utf-8")

def utf8decode(value):
    return value.decode("utf-8")

def htmlescape(value):
    codes = (('&', '&amp;'), ('<', '&lt;'), ('>', '&gt;'), ('"', '&quot;'), ("'", '&#39;'), (' ', '&nbsp;'))
    return reduce(lambda x, y: x.replace(y[0], y[1]), codes, value)

def htmlunescape(value):
    retVal = value
    if value and isinstance(value, basestring):
        codes = (('&lt;', '<'), ('&gt;', '>'), ('&quot;', '"'), ('&nbsp;', ' '), ('&amp;', '&'))
        retVal = reduce(lambda x, y: x.replace(y[0], y[1]), codes, retVal)
    return retVal
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
modified homepage address 2012-07-12 21:38:03 +04:00			`Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`try:`
			`import hashlib`
			`except:`
			`import md5`
			`import sha`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
			`import pickle`
fix for that @chunk bug 2011-04-10 20:46:33 +04:00			`import re`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`import sys`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`import struct`
			`import urllib`

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`from lib.core.data import conf`
more general approach 2011-07-08 14:03:14 +04:00			`from lib.core.data import kb`
SOAP refactoring 2011-04-18 01:39:00 +04:00			`from lib.core.enums import PLACE`
further update regarding last commit 2011-03-03 13:39:04 +03:00			`from lib.core.settings import UNICODE_ENCODING`
improvement of url encoding technique (implemented failsafe routine for shortening too long GET queries) 2011-03-09 12:36:56 +03:00			`from lib.core.settings import URLENCODE_CHAR_LIMIT`
			`from lib.core.settings import URLENCODE_FAILSAFE_CHARS`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def base64decode(value):`
			`return value.decode("base64")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def base64encode(value):`
			`return value.encode("base64")[:-1].replace("\n", "")`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def base64pickle(value):`
using pickle HIGHEST_PROTOCOL just in case 2012-03-13 13:35:37 +04:00			`return base64encode(pickle.dumps(value, pickle.HIGHEST_PROTOCOL))`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def base64unpickle(value):`
			`return pickle.loads(base64decode(value))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def hexdecode(value):`
			`value = value.lower()`
some more refactoring 2011-12-21 23:40:42 +04:00			`return (value[2:] if value.startswith("0x") else value).decode("hex")`
removed all trailing spaces from blank lines 2010-11-03 13:08:27 +03:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def hexencode(value):`
			`return value.encode("hex")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def md5hash(value):`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`if sys.modules.has_key('hashlib'):`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return hashlib.md5(value).hexdigest()`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`else:`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return md5.new(value).hexdigest()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def orddecode(value):`
			`packedString = struct.pack("!"+"I" * len(value), *value)`
minor optimization 2011-11-21 00:14:47 +04:00			`return "".join(chr(char) for char in struct.unpack("!"+"I"*(len(packedString)/4), packedString))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def ordencode(value):`
minor optimization 2011-11-21 00:14:47 +04:00			`return tuple(ord(char) for char in value)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def sha1hash(value):`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`if sys.modules.has_key('hashlib'):`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return hashlib.sha1(value).hexdigest()`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`else:`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return sha.new(value).hexdigest()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
further update regarding last commit 2011-03-03 13:39:04 +03:00			`def urldecode(value, encoding=None):`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`result = None`
fix for a google bug reported by Brandon E. 2010-10-01 12:03:39 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`if value:`
bug fix for international encoded letters 2011-02-26 01:43:01 +03:00			`try:`
			`# for cases like T%C3%BCrk%C3%A7e`
			`value = str(value)`
			`except ValueError:`
further update regarding last commit 2011-03-03 13:39:04 +03:00			`pass`
			`finally:`
bug fix for international encoded letters 2011-02-26 01:43:01 +03:00			`result = urllib.unquote_plus(value)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
further update regarding last commit 2011-03-03 13:39:04 +03:00			`if isinstance(result, str):`
minor fix (when redirected path has non-ASCII char and conf.url is unicode) and bits along with pieces 2012-05-14 18:06:43 +04:00			`result = unicode(result, encoding or UNICODE_ENCODING, "replace")`
further update regarding last commit 2011-03-03 13:39:04 +03:00
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`return result`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
more general approach 2011-07-08 14:03:14 +04:00			`def urlencode(value, safe="%&=", convall=False, limit=False):`
SOAP refactoring 2011-04-18 01:39:00 +04:00			`if conf.direct or PLACE.SOAP in conf.paramDict:`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return value`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00
this was bothering me for some time (POST and/or GET payloads needs to be urlencoded throughly) 2011-03-11 22:57:44 +03:00			`count = 0`
some more refactorings 2012-02-16 18:42:28 +04:00			`result = None if value is None else ""`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00
some more refactorings 2012-02-16 18:42:28 +04:00			`if value:`
			`if convall or safe is None:`
			`safe = ""`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
some more refactorings 2012-02-16 18:42:28 +04:00			`# corner case when character % really needs to be`
			`# encoded (when not representing url encoded char)`
			`# except in cases when tampering scripts are used`
			`if all(map(lambda x: '%' in x, [safe, value])) and not kb.tamperFunctions:`
bug fix(es) (flags were used in place of count parameter in re.sub() calls) 2012-03-28 23:33:00 +04:00			`value = re.sub("%(?![0-9a-fA-F]{2})", "%25", value)`
this was bothering me for some time (POST and/or GET payloads needs to be urlencoded throughly) 2011-03-11 22:57:44 +03:00
some more refactorings 2012-02-16 18:42:28 +04:00			`while True:`
			`result = urllib.quote(utf8encode(value), safe)`
fix for that @chunk bug 2011-04-10 20:46:33 +04:00
some more refactorings 2012-02-16 18:42:28 +04:00			`if limit and len(result) > URLENCODE_CHAR_LIMIT:`
			`if count >= len(URLENCODE_FAILSAFE_CHARS):`
			`break`
improvement of url encoding technique (implemented failsafe routine for shortening too long GET queries) 2011-03-09 12:36:56 +03:00
some more refactorings 2012-02-16 18:42:28 +04:00			`while count < len(URLENCODE_FAILSAFE_CHARS):`
			`safe += URLENCODE_FAILSAFE_CHARS[count]`
			`count += 1`
			`if safe[-1] in value:`
			`break`
			`else:`
improvement of url encoding technique (implemented failsafe routine for shortening too long GET queries) 2011-03-09 12:36:56 +03:00			`break`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00
			`return result`
Minor bug fix to correctly deal with unicode queries with -d 2010-05-28 15:32:10 +04:00
minor refactoring 2011-04-29 19:22:32 +04:00			`def unicodeencode(value, encoding=None):`
			`"""`
			`Return 8-bit string representation of the supplied unicode value:`

			`>>> unicodeencode(u'test')`
			`'test'`
			`"""`

			`retVal = value`
			`if isinstance(value, unicode):`
			`try:`
			`retVal = value.encode(encoding or UNICODE_ENCODING)`
			`except UnicodeEncodeError:`
removing xmlcharrefreplace error handler as it seems that it wasn't such a good idea at the end 2011-05-16 01:43:38 +04:00			`retVal = value.encode(UNICODE_ENCODING, "replace")`
minor refactoring 2011-04-29 19:22:32 +04:00			`return retVal`

code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def utf8encode(value):`
minor refactoring 2011-04-29 19:22:32 +04:00			`return unicodeencode(value, "utf-8")`
Minor bug fix to correctly deal with unicode queries with -d 2010-05-28 15:32:10 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def utf8decode(value):`
			`return value.decode("utf-8")`
fix for a google bug reported by Brandon E. 2010-10-01 12:03:39 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def htmlescape(value):`
Minor style update 2012-07-23 17:06:49 +04:00			`codes = (('&', '&'), ('<', '<'), ('>', '>'), ('"', '"'), ("'", '''), (' ', ' '))`
			`return reduce(lambda x, y: x.replace(y[0], y[1]), codes, value)`
fix for a google bug reported by Brandon E. 2010-10-01 12:03:39 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def htmlunescape(value):`
minor refactoring 2011-12-21 18:25:39 +04:00			`retVal = value`
			`if value and isinstance(value, basestring):`
Minor style update 2012-07-23 17:06:49 +04:00			`codes = (('<', '<'), ('>', '>'), ('"', '"'), (' ', ' '), ('&', '&'))`
			`retVal = reduce(lambda x, y: x.replace(y[0], y[1]), codes, retVal)`
improved htmlunescape (great for localized html escape codes) 2011-04-15 01:36:13 +04:00			`return retVal`