sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 01:26:42 +03:00
Code Issues Packages Projects Releases Wiki Activity

Minor drei update

Browse Source
This commit is contained in:
Miroslav Stampar 2019-05-02 12:39:16 +02:00
parent 7d9cd0c079
commit 2791ea51ea
15 changed files with 84 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
lib/core/common.py
View File

@ -2484,6 +2484,18 @@ def getBytes(value, encoding=UNICODE_ENCODING, errors="strict"):
return retVal
def getOrds(value):
"""
Returns ORD(...) representation of provided string value
>>> getOrds(u'fo\xf6bar')
[102, 111, 246, 98, 97, 114]
>>> getOrds(b"fo\xc3\xb6bar")
[102, 111, 195, 182, 98, 97, 114]
"""
return [_ if isinstance(_, int) else ord(_) for _ in value]
def longestCommonPrefix(*sequences):
"""
Returns longest common prefix occuring in given sequences
@ -3635,8 +3647,8 @@ def maskSensitiveData(msg):
"""
Masks sensitive data in the supplied message
>>> maskSensitiveData('python sqlmap.py -u "http://www.test.com/vuln.php?id=1" --banner')
u'python sqlmap.py -u *********************************** --banner'
>>> maskSensitiveData('python sqlmap.py -u "http://www.test.com/vuln.php?id=1" --banner') == 'python sqlmap.py -u *********************************** --banner'
True
"""
retVal = getUnicode(msg)

2
lib/core/settings.py
View File

@ -17,7 +17,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.3.5.2"
VERSION = "1.3.5.3"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

8
plugins/dbms/access/syntax.py
View File

@ -5,12 +5,18 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import getOrds
from plugins.generic.syntax import Syntax as GenericSyntax
class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHR(97)&CHR(98)&CHR(99)&CHR(100)&CHR(101)&CHR(102)&CHR(103)&CHR(104) FROM foobar"
True
"""
def escaper(value):
return "&".join("CHR(%d)" % ord(_) for _ in value)
return "&".join("CHR(%d)" % _ for _ in getOrds(value))
return Syntax._escape(expression, quote, escaper)

7
plugins/dbms/db2/syntax.py
View File

@ -5,17 +5,18 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import getOrds
from plugins.generic.syntax import Syntax as GenericSyntax
class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
True
"""
def escaper(value):
return "||".join("CHR(%d)" % ord(_) for _ in value)
return "||".join("CHR(%d)" % _ for _ in getOrds(value))
return Syntax._escape(expression, quote, escaper)

11
plugins/dbms/firebird/syntax.py
View File

@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import getOrds
from lib.core.common import isDBMSVersionAtLeast
from plugins.generic.syntax import Syntax as GenericSyntax
@ -15,16 +16,16 @@ class Syntax(GenericSyntax):
>>> from lib.core.common import Backend
>>> Backend.setVersion('2.0')
['2.0']
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
"SELECT 'abcdefgh' FROM foobar"
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 'abcdefgh' FROM foobar"
True
>>> Backend.setVersion('2.1')
['2.1']
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT ASCII_CHAR(97)||ASCII_CHAR(98)||ASCII_CHAR(99)||ASCII_CHAR(100)||ASCII_CHAR(101)||ASCII_CHAR(102)||ASCII_CHAR(103)||ASCII_CHAR(104) FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT ASCII_CHAR(97)||ASCII_CHAR(98)||ASCII_CHAR(99)||ASCII_CHAR(100)||ASCII_CHAR(101)||ASCII_CHAR(102)||ASCII_CHAR(103)||ASCII_CHAR(104) FROM foobar"
True
"""
def escaper(value):
return "||".join("ASCII_CHAR(%d)" % ord(_) for _ in value)
return "||".join("ASCII_CHAR(%d)" %_ for _ in getOrds(value))
retVal = expression

7
plugins/dbms/h2/syntax.py
View File

@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import getOrds
from lib.core.compat import xrange
from plugins.generic.syntax import Syntax as GenericSyntax
@ -12,11 +13,11 @@ class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar"
True
"""
def escaper(value):
return "||".join("CHAR(%d)" % ord(value[i]) for i in xrange(len(value)))
return "||".join("CHAR(%d)" % _ for _ in getOrds(value))
return Syntax._escape(expression, quote, escaper)

7
plugins/dbms/hsqldb/syntax.py
View File

@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import getOrds
from lib.core.compat import xrange
from plugins.generic.syntax import Syntax as GenericSyntax
@ -12,11 +13,11 @@ class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHAR(97)||CHAR(98)||CHAR(99)||CHAR(100)||CHAR(101)||CHAR(102)||CHAR(103)||CHAR(104) FROM foobar"
True
"""
def escaper(value):
return "||".join("CHAR(%d)" % ord(value[i]) for i in xrange(len(value)))
return "||".join("CHAR(%d)" % _ for _ in getOrds(value))
return Syntax._escape(expression, quote, escaper)

7
plugins/dbms/informix/syntax.py
View File

@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission
import re
from lib.core.common import getOrds
from lib.core.common import isDBMSVersionAtLeast
from lib.core.common import randomStr
from plugins.generic.syntax import Syntax as GenericSyntax
@ -18,12 +19,12 @@ class Syntax(GenericSyntax):
>>> from lib.core.common import Backend
>>> Backend.setVersion('12.10')
['12.10']
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
True
"""
def escaper(value):
return "||".join("CHR(%d)" % ord(_) for _ in value)
return "||".join("CHR(%d)" % _ for _ in getOrds(value))
retVal = expression

4
plugins/dbms/maxdb/syntax.py
View File

@ -11,8 +11,8 @@ class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
"SELECT 'abcdefgh' FROM foobar"
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == u"SELECT 'abcdefgh' FROM foobar"
True
"""
return expression

9
plugins/dbms/mssqlserver/syntax.py
View File

@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import getOrds
from lib.core.compat import xrange
from plugins.generic.syntax import Syntax as GenericSyntax
@ -12,11 +13,13 @@ class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar"
True
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+NCHAR(235)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar"
True
"""
def escaper(value):
return "+".join("%s(%d)" % ("CHAR" if ord(value[i]) < 256 else "NCHAR", ord(value[i])) for i in xrange(len(value)))
return "+".join("%s(%d)" % ("CHAR" if _ < 128 else "NCHAR", _) for _ in getOrds(value))
return Syntax._escape(expression, quote, escaper)

12
plugins/dbms/mysql/syntax.py
View File

@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission
import binascii
from lib.core.common import getBytes
from lib.core.common import getOrds
from lib.core.common import getUnicode
from plugins.generic.syntax import Syntax as GenericSyntax
@ -15,11 +16,16 @@ class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT 0x6162636465666768 FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 0x6162636465666768 FROM foobar"
True
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CONVERT(0x61626364c3ab666768 USING utf8) FROM foobar"
True
"""
def escaper(value):
return "0x%s" % getUnicode(binascii.hexlify(getBytes(value)))
if all(_ < 128 for _ in getOrds(value)):
return "0x%s" % getUnicode(binascii.hexlify(getBytes(value)))
else:
return "CONVERT(0x%s USING utf8)" % getUnicode(binascii.hexlify(getBytes(value)))
return Syntax._escape(expression, quote, escaper)

9
plugins/dbms/oracle/syntax.py
View File

@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import getOrds
from lib.core.compat import xrange
from plugins.generic.syntax import Syntax as GenericSyntax
@ -12,11 +13,13 @@ class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
True
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||NCHR(235)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
True
"""
def escaper(value):
return "||".join("%s(%d)" % ("CHR" if ord(value[i]) < 256 else "NCHR", ord(value[i])) for i in xrange(len(value)))
return "||".join("%s(%d)" % ("CHR" if _ < 128 else "NCHR", _) for _ in getOrds(value))
return Syntax._escape(expression, quote, escaper)

7
plugins/dbms/postgresql/syntax.py
View File

@ -5,6 +5,7 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import getOrds
from plugins.generic.syntax import Syntax as GenericSyntax
class Syntax(GenericSyntax):
@ -14,11 +15,11 @@ class Syntax(GenericSyntax):
Note: PostgreSQL has a general problem with concenation operator (||) precedence (hence the parentheses enclosing)
e.g. SELECT 1 WHERE 'a'!='a'||'b' will trigger error ("argument of WHERE must be type boolean, not type text")
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT (CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104)) FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT (CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104)) FROM foobar"
True
"""
def escaper(value):
return "(%s)" % "||".join("CHR(%d)" % ord(_) for _ in value) # Postgres CHR() function already accepts Unicode code point of character(s)
return "(%s)" % "||".join("CHR(%d)" % _ for _ in getOrds(value)) # Postgres CHR() function already accepts Unicode code point of character(s)
return Syntax._escape(expression, quote, escaper)

11
plugins/dbms/sqlite/syntax.py
View File

@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission
import binascii
from lib.core.common import getBytes
from lib.core.common import getUnicode
from lib.core.common import isDBMSVersionAtLeast
from plugins.generic.syntax import Syntax as GenericSyntax
@ -18,17 +19,17 @@ class Syntax(GenericSyntax):
>>> from lib.core.common import Backend
>>> Backend.setVersion('2')
['2']
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
"SELECT 'abcdefgh' FROM foobar"
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 'abcdefgh' FROM foobar"
True
>>> Backend.setVersion('3')
['3']
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
"SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
True
"""
def escaper(value):
# Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
return "CAST(X'%s' AS TEXT)" % binascii.hexlify(getBytes(value))
return "CAST(X'%s' AS TEXT)" % getUnicode(binascii.hexlify(getBytes(value)))
retVal = expression

11
plugins/dbms/sybase/syntax.py
View File

@ -1,10 +1,11 @@
#!/usr/bin/env python2
1#!/usr/bin/env python2
"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.common import getOrds
from lib.core.compat import xrange
from plugins.generic.syntax import Syntax as GenericSyntax
@ -12,11 +13,13 @@ class Syntax(GenericSyntax):
@staticmethod
def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar'
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar"
True
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+TO_UNICHAR(235)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar"
True
"""
def escaper(value):
return "+".join("%s(%d)" % ("CHAR" if ord(value[i]) < 256 else "TO_UNICHAR", ord(value[i])) for i in xrange(len(value)))
return "+".join("%s(%d)" % ("CHAR" if _ < 128 else "TO_UNICHAR", _) for _ in getOrds(value))
return Syntax._escape(expression, quote, escaper)