sqlmap/lib/core/convert.py

#!/usr/bin/env python

"""
$Id$

Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
See the file 'doc/COPYING' for copying permission
"""

try:
    import hashlib
except:
    import md5
    import sha

import pickle
import sys
import struct
import urllib

from lib.core.data import conf
from lib.core.data import logger
from lib.core.settings import UNICODE_ENCODING
from lib.core.settings import URLENCODE_CHAR_LIMIT
from lib.core.settings import URLENCODE_FAILSAFE_CHARS

def base64decode(value):
    return value.decode("base64")

def base64encode(value):
    return value.encode("base64")[:-1].replace("\n", "")

def base64pickle(value):
    return base64encode(pickle.dumps(value))

def base64unpickle(value):
    return pickle.loads(base64decode(value))

def hexdecode(value):
    value = value.lower()

    if value.startswith("0x"):
        value = value[2:]

    return value.decode("hex")

def hexencode(value):
    return value.encode("hex")

def md5hash(value):
    if sys.modules.has_key('hashlib'):
        return hashlib.md5(value).hexdigest()
    else:
        return md5.new(value).hexdigest()

def orddecode(value):
    packedString = struct.pack("!"+"I" * len(value), *value)
    return "".join([chr(char) for char in struct.unpack("!"+"I"*(len(packedString)/4), packedString)])

def ordencode(value):
    return tuple([ord(char) for char in value])

def sha1hash(value):
    if sys.modules.has_key('hashlib'):
        return hashlib.sha1(value).hexdigest()
    else:
        return sha.new(value).hexdigest()

def urldecode(value, encoding=None):
    result = None

    if value:
        try:
            # for cases like T%C3%BCrk%C3%A7e
            value = str(value)
        except ValueError:
            pass
        finally:
            result = urllib.unquote_plus(value)

    if isinstance(result, str):
        result = unicode(result, encoding or UNICODE_ENCODING, errors="replace")

    return result

def urlencode(value, safe="%&=", convall=False, limit=False):
    if conf.direct or "POSTxml" in conf.paramDict:
        return value

    count = 0
    result = None

    if value is None:
        return result

    if convall or safe is None:
        safe = ""

    while True:
        result = urllib.quote(utf8encode(value), safe)

        if limit and len(result) > URLENCODE_CHAR_LIMIT:
            if count >= len(URLENCODE_FAILSAFE_CHARS):
                dbgMsg  = "failed to fully shorten urlencoding value"
                logger.debug(dbgMsg)
                break

            while count < len(URLENCODE_FAILSAFE_CHARS):
                safe += URLENCODE_FAILSAFE_CHARS[count]
                count += 1
                if safe[-1] in value:
                    break
        else:
            break

    return result

def utf8encode(value):
    return value.encode("utf-8")

def utf8decode(value):
    return value.decode("utf-8")

def htmlescape(value):
    return value.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#39;').replace(' ', '&nbsp;')

def htmlunescape(value):
    return value.replace('&amp;', '&').replace('&lt;', '<').replace('&gt;', '>').replace('&quot;', '"').replace('&#39;', "'").replace('&nbsp;', ' ')
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`#!/usr/bin/env python`

			`"""`
propsets.. 2008-10-15 19:56:32 +04:00			$Id$
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
large commit with copyright header modifications 2010-10-14 18:41:14 +04:00			`Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)`
sorry, cosmetics 2010-10-15 03:18:29 +04:00			`See the file 'doc/COPYING' for copying permission`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`"""`

Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`try:`
			`import hashlib`
			`except:`
			`import md5`
			`import sha`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
			`import pickle`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`import sys`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`import struct`
			`import urllib`

Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00			`from lib.core.data import conf`
improvement of url encoding technique (implemented failsafe routine for shortening too long GET queries) 2011-03-09 12:36:56 +03:00			`from lib.core.data import logger`
further update regarding last commit 2011-03-03 13:39:04 +03:00			`from lib.core.settings import UNICODE_ENCODING`
improvement of url encoding technique (implemented failsafe routine for shortening too long GET queries) 2011-03-09 12:36:56 +03:00			`from lib.core.settings import URLENCODE_CHAR_LIMIT`
			`from lib.core.settings import URLENCODE_FAILSAFE_CHARS`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def base64decode(value):`
			`return value.decode("base64")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def base64encode(value):`
			`return value.encode("base64")[:-1].replace("\n", "")`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def base64pickle(value):`
			`return base64encode(pickle.dumps(value))`
Added resume functionality to -d and fixed logging with -d 2010-04-12 13:35:20 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def base64unpickle(value):`
			`return pickle.loads(base64decode(value))`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def hexdecode(value):`
			`value = value.lower()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`if value.startswith("0x"):`
			`value = value[2:]`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return value.decode("hex")`
removed all trailing spaces from blank lines 2010-11-03 13:08:27 +03:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def hexencode(value):`
			`return value.encode("hex")`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def md5hash(value):`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`if sys.modules.has_key('hashlib'):`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return hashlib.md5(value).hexdigest()`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`else:`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return md5.new(value).hexdigest()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def orddecode(value):`
			`packedString = struct.pack("!"+"I" * len(value), *value)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00			`return "".join([chr(char) for char in struct.unpack("!"+"I"*(len(packedString)/4), packedString)])`

code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def ordencode(value):`
			`return tuple([ord(char) for char in value])`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def sha1hash(value):`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`if sys.modules.has_key('hashlib'):`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return hashlib.sha1(value).hexdigest()`
Avoiding md5/sha1 deprecated warning in Python >=2.6 2010-02-23 11:54:33 +03:00			`else:`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return sha.new(value).hexdigest()`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
further update regarding last commit 2011-03-03 13:39:04 +03:00			`def urldecode(value, encoding=None):`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`result = None`
fix for a google bug reported by Brandon E. 2010-10-01 12:03:39 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`if value:`
bug fix for international encoded letters 2011-02-26 01:43:01 +03:00			`try:`
			`# for cases like T%C3%BCrk%C3%A7e`
			`value = str(value)`
			`except ValueError:`
further update regarding last commit 2011-03-03 13:39:04 +03:00			`pass`
			`finally:`
bug fix for international encoded letters 2011-02-26 01:43:01 +03:00			`result = urllib.unquote_plus(value)`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
further update regarding last commit 2011-03-03 13:39:04 +03:00			`if isinstance(result, str):`
			`result = unicode(result, encoding or UNICODE_ENCODING, errors="replace")`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`return result`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
improvement of url encoding technique (implemented failsafe routine for shortening too long GET queries) 2011-03-09 12:36:56 +03:00			`def urlencode(value, safe="%&=", convall=False, limit=False):`
Added support for SOAP requests: fixed, extended and tested a user's patch - closes #196. 2010-06-30 01:07:23 +04:00			`if conf.direct or "POSTxml" in conf.paramDict:`
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`return value`
Major enhancement to directly connect to the dbms without passing via a sql injection: adapted code accordingly - see #158. This feature relies on python third-party libraries to be able to connect to the database. For the moment it has been implemented for MySQL (with python-mysqldb module) and PostgreSQL (with python-psycopg2 module). Minor layout adjustments. 2010-03-27 02:23:25 +03:00
this was bothering me for some time (POST and/or GET payloads needs to be urlencoded throughly) 2011-03-11 22:57:44 +03:00			`count = 0`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`result = None`

code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`if value is None:`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`return result`
After the storm, a restore.. 2008-10-15 19:38:22 +04:00
this was bothering me for some time (POST and/or GET payloads needs to be urlencoded throughly) 2011-03-11 22:57:44 +03:00			`if convall or safe is None:`
			`safe = ""`

			`while True:`
			`result = urllib.quote(utf8encode(value), safe)`
improvement of url encoding technique (implemented failsafe routine for shortening too long GET queries) 2011-03-09 12:36:56 +03:00
this was bothering me for some time (POST and/or GET payloads needs to be urlencoded throughly) 2011-03-11 22:57:44 +03:00			`if limit and len(result) > URLENCODE_CHAR_LIMIT:`
			`if count >= len(URLENCODE_FAILSAFE_CHARS):`
			`dbgMsg = "failed to fully shorten urlencoding value"`
			`logger.debug(dbgMsg)`
improvement of url encoding technique (implemented failsafe routine for shortening too long GET queries) 2011-03-09 12:36:56 +03:00			`break`
sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00
this was bothering me for some time (POST and/or GET payloads needs to be urlencoded throughly) 2011-03-11 22:57:44 +03:00			`while count < len(URLENCODE_FAILSAFE_CHARS):`
			`safe += URLENCODE_FAILSAFE_CHARS[count]`
			`count += 1`
			`if safe[-1] in value:`
			`break`
			`else:`
			`break`

sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2, another major bug with urlencoding/urldecoding of POST data and Cookies, adding --drop-set-cookie option, implementing support to automatically decode gzip and deflate HTTP responses, support for Google dork page result (--gpage) and a minor code cleanup. 2010-01-02 05:02:12 +03:00			`return result`
Minor bug fix to correctly deal with unicode queries with -d 2010-05-28 15:32:10 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def utf8encode(value):`
			`return value.encode("utf-8")`
Minor bug fix to correctly deal with unicode queries with -d 2010-05-28 15:32:10 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def utf8decode(value):`
			`return value.decode("utf-8")`
fix for a google bug reported by Brandon E. 2010-10-01 12:03:39 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def htmlescape(value):`
			`return value.replace('&', '&').replace('<', '<').replace('>', '>').replace('"', '"').replace("'", ''').replace(' ', ' ')`
fix for a google bug reported by Brandon E. 2010-10-01 12:03:39 +04:00
code review of modules in lib/core directory 2011-01-15 15:13:45 +03:00			`def htmlunescape(value):`
			`return value.replace('&', '&').replace('<', '<').replace('>', '>').replace('"', '"').replace(''', "'").replace(' ', ' ')`