From 46495f70f8a8aaa4345242d26cc82a023f272481 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Sat, 4 Feb 2023 00:00:21 +0100
Subject: [PATCH] Adding char escaper to ClickHouse support (#5229)
---
 lib/core/settings.py | 2 +-
 plugins/dbms/clickhouse/syntax.py | 10 +++++++---
 2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 9d224253a..7ea40144e 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from thirdparty import six
 from thirdparty.six import unichr as _unichr
 # sqlmap version (...)
-VERSION = "1.7.2.3"
+VERSION = "1.7.2.4"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/plugins/dbms/clickhouse/syntax.py b/plugins/dbms/clickhouse/syntax.py
index 5adee2f51..2d4cfcaaf 100755
--- a/plugins/dbms/clickhouse/syntax.py
+++ b/plugins/dbms/clickhouse/syntax.py
@@ -1,18 +1,22 @@
 #!/usr/bin/env python
 """
-Copyright (c) 2006-2023 sqlmap developers (http://sqlmap.org/)
+Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)
 See the file 'LICENSE' for copying permission
 """
+from lib.core.convert import getOrds
 from plugins.generic.syntax import Syntax as GenericSyntax
 class Syntax(GenericSyntax):
 @staticmethod
 def escape(expression, quote=True):
 """
- >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == u"SELECT 'abcdefgh' FROM foobar"
+ >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT char(97)||char(98)||char(99)||char(100)||char(101)||char(102)||char(103)||char(104) FROM foobar"
 True
 """
- return expression
+ def escaper(value):
+ return "||".join("char(%d)" % _ for _ in getOrds(value))
+ return Syntax._escape(expression, quote, escaper)
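Review bot: The new doctest in `escape` exercises only ASCII input, so the behaviour of `escaper` for characters whose ordinal exceeds 255 is undocumented; ClickHouse's `char()` builds its result one byte per argument, so such values may not round-trip (worth confirming against the ClickHouse documentation). I would state the limit next to the helper, e.g. `# char() emits one byte per argument; input is assumed to be single-byte (ASCII) text`, and give `escaper` a one-line docstring saying it rewrites a literal as a `char(N)||char(N)` concatenation. `getOrds` and `Syntax._escape` are defined outside this patch, so how they treat non-ASCII or empty values is not visible here.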