sqlmap/plugins/generic/syntax.py

51 lines
1.7 KiB
Python
Raw Permalink Normal View History

2019-05-08 13:47:52 +03:00
#!/usr/bin/env python
"""
2023-01-03 01:24:59 +03:00
Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)
2017-10-11 15:50:46 +03:00
See the file 'LICENSE' for copying permission
"""
import re
2019-11-30 06:42:38 +03:00
from lib.core.common import Backend
from lib.core.convert import getBytes
from lib.core.data import conf
2019-11-30 06:42:38 +03:00
from lib.core.enums import DBMS
from lib.core.exception import SqlmapUndefinedMethod
2019-05-29 17:42:04 +03:00
class Syntax(object):
"""
This class defines generic syntax functionalities for plugins.
"""
def __init__(self):
pass
@staticmethod
def _escape(expression, quote=True, escaper=None):
retVal = expression
if quote:
2017-04-14 14:08:51 +03:00
for item in re.findall(r"'[^']*'+", expression):
original = item[1:-1]
2019-12-12 16:10:02 +03:00
if original:
if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:
continue
if re.search(r"\[(SLEEPTIME|RAND)", original) is None: # e.g. '[SLEEPTIME]' marker
replacement = escaper(original) if not conf.noEscape else original
if replacement != original:
retVal = retVal.replace(item, replacement)
elif len(original) != len(getBytes(original)) and "n'%s'" % original not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
retVal = retVal.replace("'%s'" % original, "n'%s'" % original)
else:
retVal = escaper(expression)
return retVal
@staticmethod
2013-01-18 19:10:34 +04:00
def escape(expression, quote=True):
2011-04-30 17:20:05 +04:00
errMsg = "'escape' method must be defined "
2013-01-18 18:40:37 +04:00
errMsg += "inside the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)