sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 01:26:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fixes #5378

Browse Source
This commit is contained in:
Miroslav Stampar 2023-03-30 15:34:46 +02:00
parent 257c4d1c88
commit 077d58c5e9
2 changed files with 8 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/core/settings.py
View File

@ -20,7 +20,7 @@ from thirdparty import six
from thirdparty.six import unichr as _unichr
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.7.3.4"
VERSION = "1.7.3.5"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

13
plugins/dbms/hsqldb/filesystem.py
View File

@ -21,13 +21,13 @@ class Filesystem(GenericFilesystem):
@stackedmethod
def stackedWriteFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
funcName = randomStr()
func_name = randomStr()
max_bytes = 1024 * 1024
debugMsg = "creating JLP procedure '%s'" % funcName
debugMsg = "creating JLP procedure '%s'" % func_name
logger.debug(debugMsg)
addFuncQuery = "CREATE PROCEDURE %s (IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(%s)) " % (funcName, max_bytes)
addFuncQuery = "CREATE PROCEDURE %s (IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(%s)) " % (func_name, max_bytes)
addFuncQuery += "LANGUAGE JAVA DETERMINISTIC NO SQL "
addFuncQuery += "EXTERNAL NAME 'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'"
inject.goStacked(addFuncQuery)
@ -47,11 +47,12 @@ class Filesystem(GenericFilesystem):
logger.debug(debugMsg)
# Reference: http://hsqldb.org/doc/guide/sqlroutines-chapt.html#src_jrt_procedures
invokeQuery = "CALL %s('%s', CAST('%s' AS VARBINARY(%s)))" % (funcName, remoteFile, fcEncodedStr, max_bytes)
invokeQuery = "CALL %s('%s', CAST('%s' AS VARBINARY(%s)))" % (func_name, remoteFile, fcEncodedStr, max_bytes)
inject.goStacked(invokeQuery)
logger.debug("cleaning up" % funcName)
delQuery = "DELETE PROCEDURE %s" % funcName
logger.debug("cleaning up the database management system")
delQuery = "DELETE PROCEDURE %s" % func_name
inject.goStacked(delQuery)
message = "the local file '%s' has been written on the back-end DBMS" % localFile