Major bug fix for semi-centralize unescape() and cleanupPayload() into prefixQuery() and suffixQuery()

lib/controller/checks.py

@@ -54,7 +54,6 @@ from lib.core.settings import UNKNOWN_DBMS_VERSION
 from lib.core.settings import LOWER_RATIO_BOUND
 from lib.core.settings import UPPER_RATIO_BOUND
 from lib.core.threads import getCurrentThreadData
-from lib.core.unescaper import unescaper
 from lib.request.connect import Connect as Request
 from lib.request.templates import getPageTemplate
 from lib.techniques.inband.union.test import unionTest
@@ -200,7 +199,6 @@ def checkSqlInjection(place, parameter, value):
             # Parse test's <request>
             comment = agent.getComment(test.request)
             fstPayload = agent.cleanupPayload(test.request.payload, value)
-            fstPayload = unescaper.unescape(fstPayload, dbms=dbms)
 
             for boundary in conf.boundaries:
                 injectable = False
@@ -275,7 +273,6 @@ def checkSqlInjection(place, parameter, value):
                     # test's ' <payload><comment> ' string
                     boundPayload = agent.prefixQuery(fstPayload, prefix, where, clause)
                     boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
-                    boundPayload = agent.cleanupPayload(boundPayload, value)
                     reqPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
 
                     # Perform the test's request and check whether or not the
@@ -287,7 +284,6 @@ def checkSqlInjection(place, parameter, value):
                         # In case of boolean-based blind SQL injection
                         if method == PAYLOAD.METHOD.COMPARISON:
                             sndPayload = agent.cleanupPayload(test.response.comparison, value)
-                            sndPayload = unescaper.unescape(sndPayload, dbms=dbms)
 
                             # Forge response payload by prepending with
                             # boundary's prefix and appending the boundary's
@@ -295,7 +291,6 @@ def checkSqlInjection(place, parameter, value):
                             # string
                             boundPayload = agent.prefixQuery(sndPayload, prefix, where, clause)
                             boundPayload = agent.suffixQuery(boundPayload, comment, suffix, where)
-                            boundPayload = agent.cleanupPayload(boundPayload, value)
                             cmpPayload = agent.payload(place, parameter, newValue=boundPayload, where=where)
 
                             # Useful to set kb.matchRatio at first based on

lib/core/agent.py

@@ -129,16 +129,17 @@ class Agent:
 
         return payload
 
-    def prefixQuery(self, string, prefix=None, where=None, clause=None):
+    def prefixQuery(self, expression, prefix=None, where=None, clause=None):
         """
-        This method defines how the input string has to be escaped
+        This method defines how the input expression has to be escaped
         to perform the injection depending on the injection type
         identified as valid
         """
 
         if conf.direct:
-            return self.payloadDirect(string)
+            return self.payloadDirect(expression)
 
+        expression = unescaper.unescape(expression)
         query = None
 
         if where is None and kb.technique and kb.technique in kb.injection.data:
@@ -162,25 +163,27 @@ class Agent:
         else:
             query = kb.injection.prefix or prefix or ""
 
-            if not (string and string[0] == ";"):
+            if not (expression and expression[0] == ";"):
                 query += " "
 
-        query = "%s%s" % (query, string)
+        query = "%s%s" % (query, expression)
         query = self.cleanupPayload(query)
 
         return query
 
-    def suffixQuery(self, string, comment=None, suffix=None, where=None):
+    def suffixQuery(self, expression, comment=None, suffix=None, where=None):
         """
         This method appends the DBMS comment to the
         SQL injection request
         """
 
         if conf.direct:
-            return self.payloadDirect(string)
+            return self.payloadDirect(expression)
+
+        expression = unescaper.unescape(expression)
 
         if comment is not None:
-            string += comment
+            expression += comment
 
         if where is None and kb.technique and kb.technique in kb.injection.data:
             where = kb.injection.data[kb.technique].where
@@ -191,13 +194,13 @@ class Agent:
             pass
 
         elif kb.injection.suffix is not None:
-            string += " %s" % kb.injection.suffix
+            expression += " %s" % kb.injection.suffix
         elif suffix is not None:
-            string += " %s" % suffix
+            expression += " %s" % suffix
 
-        string = self.cleanupPayload(string)
+        expression = self.cleanupPayload(expression)
 
-        return string.rstrip()
+        return expression.rstrip()
 
     def cleanupPayload(self, payload, origvalue=None, query=None):
         if payload is None:
@@ -241,8 +244,6 @@ class Agent:
                 errMsg += "knowledge of underlying DBMS"
                 raise sqlmapNoneDataException, errMsg
 
-        #payload = unescaper.unescape(payload)
-
         return payload
 
     def getComment(self, reqObj):

lib/request/inject.py

@@ -114,8 +114,7 @@ def __goInferenceProxy(expression, fromUser=False, expected=None, batch=False, r
 
     initTechnique(kb.technique)
 
-    vector = agent.cleanupPayload(kb.injection.data[kb.technique].vector)
-    query = agent.prefixQuery(vector)
+    query = agent.prefixQuery(kb.injection.data[kb.technique].vector)
     query = agent.suffixQuery(query)
     payload = agent.payload(newValue=query)
     count = None
@@ -329,7 +328,6 @@ def __goBooleanProxy(expression, resumeValue=True):
 
     vector = kb.injection.data[kb.technique].vector
     vector = vector.replace("[INFERENCE]", expression)
-    vector = agent.cleanupPayload(vector)
     query = agent.prefixQuery(vector)
     query = agent.suffixQuery(query)
     payload = agent.payload(newValue=query)