update regarding safe character output together with a small fix for newlines

2025-01-24 08:14:24 +03:00 · 2011-04-14 09:31:45 +00:00 · 2011-04-14 09:31:45 +00:00 · 04986be4b9
commit 04986be4b9
parent 5dfb55effc
5 changed files with 16 additions and 14 deletions
--- a/lib/core/convert.py
+++ b/lib/core/convert.py
@ -134,20 +134,22 @@ def htmlescape(value):
 def htmlunescape(value):
    return value.replace('&amp;', '&').replace('&lt;', '<').replace('&gt;', '>').replace('&quot;', '"').replace('&#39;', "'").replace('&nbsp;', ' ')

-def safehexencode(value):
+def safecharencode(value):
    """
-    Returns safe hex representation of a given basestring value
+    Returns safe representation of a given basestring value

-    >>> safehexencode(u'test123')
+    >>> safecharencode(u'test123')
    u'test123'
-    >>> safehexencode(u'test\x01\x02\xff')
+    >>> safecharencode(u'test\x01\x02\xff')
    u'test\\01\\02\\03\\ff'
    """

    retVal = value
    if isinstance(value, basestring):
        retVal = reduce(lambda x, y: x + (y if (y in string.printable or ord(y) > 255) else '\%02x' % ord(y)), value, unicode())
+        for char in "\t\n\r\x0b\x0c":
+            retVal = retVal.replace(char, repr(char).strip('\''))
    elif isinstance(value, list):
        for i in xrange(len(value)):
-            retVal[i] = safehexencode(value[i])
+            retVal[i] = safecharencode(value[i])
    return retVal
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@ -27,7 +27,7 @@ from lib.core.common import randomInt
 from lib.core.common import readInput
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
-from lib.core.convert import safehexencode
+from lib.core.convert import safecharencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@ -388,7 +388,7 @@ def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=Tr

    return data

-def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeHexEncode=True):
+def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
    """
    Called each time sqlmap inject a SQL query on the SQL injection
    affected parameter. It can call a function to retrieve the output
@ -494,8 +494,8 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
        elif value == [None]:
            value = None

-    if safeHexEncode:
-        value = safehexencode(value)
+    if safeCharEncode:
+        value = safecharencode(value)

    return value

--- a/lib/techniques/brute/use.py
+++ b/lib/techniques/brute/use.py
@ -87,7 +87,7 @@ def tableExists(tableFile, regex=None):

                if conf.verbose in (1, 2):
                    clearConsoleLine(True)
-                    infoMsg = "\r[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), table)
+                    infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), table)
                    dataToStdout(infoMsg, True)

            if conf.verbose in (1, 2):
@ -205,7 +205,7 @@ def columnExists(columnFile, regex=None):

                if conf.verbose in (1, 2):
                    clearConsoleLine(True)
-                    infoMsg = "\r[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), column)
+                    infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), column)
                    dataToStdout(infoMsg, True)

            if conf.verbose in (1, 2):
--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@ -24,7 +24,7 @@ from lib.core.common import randomInt
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
 from lib.core.convert import htmlunescape
-from lib.core.convert import safehexencode
+from lib.core.convert import safecharencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@ -136,7 +136,7 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N
            output = __oneShotErrorUse(expressionReplaced, field)

            if output is not None:
-                dataToStdout("[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), safehexencode(replaceNewlineTabs(output, stdout=True))))
+                dataToStdout("[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), safecharencode(replaceNewlineTabs(output, stdout=True))))

        if isinstance(num, int):
            expression = origExpr
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@ -253,7 +253,7 @@ def unionUse(expression, unpack=True, dump=False):

                        if conf.verbose == 1:
                            items = output.replace(kb.misc.start, "").replace(kb.misc.stop, "").split(kb.misc.delimiter)
-                            status = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), ",".join(map(lambda x: "\"%s\"" % x, items)))
+                            status = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), ",".join(map(lambda x: "\"%s\"" % x, items)))
                            if len(status) > width:
                                status = "%s..." % status[:width - 3]
                            dataToStdout(status, True)