diff --git a/lib/core/convert.py b/lib/core/convert.py
index fad05998b..a83a38b5b 100644
--- a/lib/core/convert.py
+++ b/lib/core/convert.py
@@ -134,20 +134,22 @@ def htmlescape(value):
 def htmlunescape(value):
 return value.replace('&', '&').replace('<', '<').replace('>', '>').replace('"', '"').replace(''', "'").replace(' ', ' ')
-def safehexencode(value):
+def safecharencode(value):
 """
- Returns safe hex representation of a given basestring value
+ Returns safe representation of a given basestring value
- >>> safehexencode(u'test123')
+ >>> safecharencode(u'test123')
 u'test123'
- >>> safehexencode(u'test\x01\x02\xff')
+ >>> safecharencode(u'test\x01\x02\xff')
 u'test\\01\\02\\03\\ff'
 """
 retVal = value
 if isinstance(value, basestring):
 retVal = reduce(lambda x, y: x + (y if (y in string.printable or ord(y) > 255) else '\%02x' % ord(y)), value, unicode())
+ for char in "\t\n\r\x0b\x0c":
+ retVal = retVal.replace(char, repr(char).strip('\''))
 elif isinstance(value, list):
 for i in xrange(len(value)):
- retVal[i] = safehexencode(value[i])
+ retVal[i] = safecharencode(value[i])
 return retVal
diff --git a/lib/request/inject.py b/lib/request/inject.py
index de7cb1321..0b99fdd23 100644
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -27,7 +27,7 @@ from lib.core.common import randomInt
 from lib.core.common import readInput
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
-from lib.core.convert import safehexencode
+from lib.core.convert import safecharencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
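Review bot: In `safecharencode` (lib/core/convert.py) a backslash already present in the value is passed through unchanged, so the encoding is ambiguous: an encoded newline and a literal backslash followed by `n` both come out as `\n`. Because `getValue` applies this function to retrieved data by default, it would help either to escape the backslash before the other substitutions, e.g. `value = value.replace('\\', '\\\\')` at the top of the `basestring` branch, or to state in the docstring that the result is for display only and cannot be reversed. The output also mixes two notations now (`\01` from the `'\%02x'` branch, `\x0b` from `repr`). The doctest's expected value still contains `\\03`, which has no counterpart in the input, and there is no example covering the new whitespace handling.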
@@ -388,7 +388,7 @@ def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=Tr
 return data
-def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeHexEncode=True):
+def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
 """ Called each time sqlmap inject a SQL query on the SQL injection affected parameter. It can call a function to retrieve the output
@@ -494,8 +494,8 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
 elif value == [None]:
 value = None
- if safeHexEncode:
- value = safehexencode(value)
+ if safeCharEncode:
+ value = safecharencode(value)
 return value
diff --git a/lib/techniques/brute/use.py b/lib/techniques/brute/use.py
index 34b942f3f..9b6072ae2 100644
--- a/lib/techniques/brute/use.py
+++ b/lib/techniques/brute/use.py
@@ -87,7 +87,7 @@ def tableExists(tableFile, regex=None):
 if conf.verbose in (1, 2):
 clearConsoleLine(True)
- infoMsg = "\r[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), table)
+ infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), table)
 dataToStdout(infoMsg, True)
 if conf.verbose in (1, 2):
@@ -205,7 +205,7 @@ def columnExists(columnFile, regex=None):
 if conf.verbose in (1, 2):
 clearConsoleLine(True)
- infoMsg = "\r[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), column)
+ infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), column)
 dataToStdout(infoMsg, True)
 if conf.verbose in (1, 2):
diff --git a/lib/techniques/error/use.py b/lib/techniques/error/use.py
index feaa38c16..3c2a2c245 100644
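Review bot: Renaming the keyword parameter `safeHexEncode` to `safeCharEncode` in `getValue` (lib/request/inject.py) breaks any caller that still passes the old name, which would now fail with a `TypeError`; no call sites are touched in this diff, so a search for `safeHexEncode=` is worth doing before merging. The flag is read again in the later hunk of the same function (`if safeCharEncode:`), where it rewrites the value that is returned, not just what is printed. The docstring, which continues outside the hunk, does not mention this; a line such as `safeCharEncode: escape non-printable characters in the returned value (pass False to get the data as retrieved)` would make the default visible to callers that compare or store the result.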
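Review bot: Dropping the leading `\r` from the `tableExists` message (and the identical change in `columnExists`) leaves the cursor reset entirely to `clearConsoleLine(True)`, which only runs when `conf.verbose in (1, 2)`. At other verbosity levels the message would be appended to whatever is already on the current console row, if anything is; whether that can happen is not visible here, since both functions continue outside their hunks. If it can, `"\r[%s] [INFO] retrieved: %s\r\n"` keeps the old overwrite behaviour. The literal `"\r\n"` is now repeated in four messages across this commit, so a shared constant would keep them from drifting apart.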
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -24,7 +24,7 @@ from lib.core.common import randomInt
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
 from lib.core.convert import htmlunescape
-from lib.core.convert import safehexencode
+from lib.core.convert import safecharencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -136,7 +136,7 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N
 output = __oneShotErrorUse(expressionReplaced, field)
 if output is not None:
- dataToStdout("[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), safehexencode(replaceNewlineTabs(output, stdout=True))))
+ dataToStdout("[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), safecharencode(replaceNewlineTabs(output, stdout=True))))
 if isinstance(num, int):
 expression = origExpr
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index 8982ad78a..be1de9cba 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -253,7 +253,7 @@ def unionUse(expression, unpack=True, dump=False):
 if conf.verbose == 1:
 items = output.replace(kb.misc.start, "").replace(kb.misc.stop, "").split(kb.misc.delimiter)
- status = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), ",".join(map(lambda x: "\"%s\"" % x, items)))
+ status = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), ",".join(map(lambda x: "\"%s\"" % x, items)))
 if len(status) > width:
 status = "%s..." % status[:width - 3]
 dataToStdout(status, True)
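Review bot: The `items` joined into `status` in `unionUse` (lib/techniques/inband/union/use.py) come from the DBMS response and reach `dataToStdout` without the escaping that the error-based technique applies in this same commit (`safecharencode(replaceNewlineTabs(output, stdout=True))`). Unless `output` is sanitised earlier, outside this hunk, control characters in retrieved data would be written to the operator's terminal as-is. Encoding each item, `",".join(map(lambda x: "\"%s\"" % safecharencode(x), items))`, would make the two techniques consistent; it needs `from lib.core.convert import safecharencode` in this file. Separately, the truncation `status[:width - 3]` cuts off the trailing `\r\n`, so a shortened status line appears to end without a line terminator.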