introduced safe string formatting

2025-02-03 05:04:11 +03:00 · 2010-01-15 16:06:59 +00:00 · 2010-01-15 16:06:59 +00:00 · 5f171340f5
commit 5f171340f5
parent dcf0b2a3c1
5 changed files with 31 additions and 9 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -41,6 +41,7 @@ from lib.core.data import queries
 from lib.core.data import temp
 from lib.core.convert import urlencode
 from lib.core.exception import sqlmapFilePathException
 from lib.core.exception import sqlmapNoneDataException
 from lib.core.settings import IS_WIN
 from lib.core.settings import SQL_STATEMENTS
 from lib.core.settings import VERSION_STRING
@ -847,3 +848,20 @@ def normalizePath(path):
    else:
        retVal = ntpath.normpath(path)
    return retVal
 def safeStringFormat(formatStr, params):
    index = 0
    count = 0
    retVal = formatStr.replace('%d', '%s')
    while index !=- 1:
        index = retVal.find('%s')
        if index != -1:
            if count < len(params):
                retVal = retVal[:index] + str(params[count]) + retVal[index+2:]
            else:
                raise sqlmapNoneDataException, "wrong number of parameters during string formatting"
            count += 1
    return retVal
--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@ -31,6 +31,7 @@ from lib.core.common import dataToSessionFile
 from lib.core.common import dataToStdout
 from lib.core.common import getCharset
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@ -117,7 +118,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
            queriesCount[0] += 1
            position      = (len(asciiTbl) / 2)
            posValue      = asciiTbl[position]
-            forgedPayload = payload % (expressionUnescaped, idx, posValue)
+            forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
            result        = Request.queryPage(forgedPayload)
            if result:
--- a/lib/techniques/inband/union/test.py
+++ b/lib/techniques/inband/union/test.py
@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 from lib.core.agent import agent
 from lib.core.common import randomStr
 from lib.core.common import safeStringFormat
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@ -121,7 +122,7 @@ def __forgeUserFriendlyValue(payload):
    value = ""
    if kb.injPlace == "GET":
-        value = "%s?%s" % (conf.url, payload)
+        value = safeStringFormat("%s?%s", (conf.url, payload))
    elif kb.injPlace == "POST":
        value  = "URL:\t'%s'" % conf.url
        value += "\nPOST:\t'%s'\n" % payload
@ -202,7 +203,7 @@ def unionTest():
        technique = "NULL bruteforcing"
    infoMsg  = "testing inband sql injection on parameter "
-    infoMsg += "'%s' with %s technique" % (kb.injParameter, technique)
+    infoMsg += safeStringFormat("'%s' with %s technique", (kb.injParameter, technique))
    logger.info(infoMsg)
    value   = ""
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@ -27,6 +27,7 @@ import time
 from lib.core.agent import agent
 from lib.core.common import parseUnionPage
 from lib.core.common import safeStringFormat
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
--- a/lib/utils/resume.py
+++ b/lib/utils/resume.py
@ -25,6 +25,7 @@ Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
 import re
 from lib.core.common import dataToSessionFile
 from lib.core.common import safeStringFormat
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@ -74,7 +75,7 @@ def queryOutputLength(expression, payload):
    if output:
        return 0, output, regExpr
-    dataToSessionFile("[%s][%s][%s][%s][" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], lengthExpr))
+    dataToSessionFile(safeStringFormat("[%s][%s][%s][%s][", (conf.url, kb.injPlace, conf.parameters[kb.injPlace], lengthExpr)))
    lengthExprUnescaped = unescaper.unescape(lengthExpr)
    count, length       = bisection(payload, lengthExprUnescaped)
@ -144,7 +145,7 @@ def resume(expression, payload):
        infoMsg += "%s" % resumedValue.split("\n")[0]
        logger.info(infoMsg)
-        dataToSessionFile("[%s][%s][%s][%s][%s]\n" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue))
+        dataToSessionFile(safeStringFormat("[%s][%s][%s][%s][%s]\n", (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)))
        return resumedValue
    elif len(resumedValue) < int(length):
@ -152,12 +153,12 @@ def resume(expression, payload):
        infoMsg += "%s..." % resumedValue.split("\n")[0]
        logger.info(infoMsg)
-        dataToSessionFile("[%s][%s][%s][%s][%s" % (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue))
+        dataToSessionFile(safeStringFormat("[%s][%s][%s][%s][%s", (conf.url, kb.injPlace, conf.parameters[kb.injPlace], expression, resumedValue)))
        if select:
-            newExpr = expression.replace(regExpr, substringQuery % (regExpr, len(resumedValue) + 1, int(length)), 1)
+            newExpr = expression.replace(regExpr, safeStringFormat(substringQuery, (regExpr, len(resumedValue) + 1, int(length))), 1)
        else:
-            newExpr = substringQuery % (expression, len(resumedValue) + 1, int(length))
+            newExpr = safeStringFormat(substringQuery, (expression, len(resumedValue) + 1, int(length)))
        missingCharsLength = int(length) - len(resumedValue)
@ -175,6 +176,6 @@ def resume(expression, payload):
            return None
-        return "%s%s" % (resumedValue, finalValue)
+        return safeStringFormat("%s%s", (resumedValue, finalValue))
    return None