Implementation for Issue #92

lib/core/optiondict.py

@@ -64,6 +64,8 @@ optDict = {
                                "os":                "string",
                                "invalidBignum":     "boolean",
                                "invalidLogical":    "boolean",
+                               "noCast":            "boolean",
+                               "noUnescape":        "boolean",
                                "prefix":            "string",
                                "suffix":            "string",
                                "skip":              "string",

lib/core/unescaper.py

@@ -6,13 +6,14 @@ See the file 'doc/COPYING' for copying permission
 """
 
 from lib.core.common import Backend
+from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.datatype import AttribDict
 from lib.core.settings import EXCLUDE_UNESCAPE
 
 class Unescaper(AttribDict):
     def unescape(self, expression, quote=True, dbms=None):
-        if not kb.unescape:
+        if not kb.unescape or conf.noUnescape:
             return expression
 
         if expression is None:

lib/parse/cmdline.py

@@ -209,6 +209,10 @@ def cmdLineParser():
                              action="store_true",
                              help="Turn off payload casting mechanism")
 
+        injection.add_option("--no-unescape", dest="noUnescape",
+                             action="store_true",
+                             help="Turn off string unescaping mechanism")
+
         injection.add_option("--prefix", dest="prefix",
                              help="Injection payload prefix string")
 

sqlmap.conf

@@ -207,6 +207,10 @@ invalidLogical = False
 # Valid: True or False
 noCast = False
 
+# Turn off string unescaping mechanism
+# Valid: True or False
+noUnescape = False
+
 # Injection payload prefix string.
 prefix =