sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Unescaping is renamed to escaping

Browse Source
This commit is contained in:
Miroslav Stampar 2013-01-18 15:40:37 +01:00
parent c717de9c9d
commit 601eb1e49a
37 changed files with 51 additions and 287 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
extra/shutils/_sqlmap.py
View File

@ -55,7 +55,7 @@ _arguments -C -s \
'(--invalid-bignum)'--invalid-bignum'[Use big numbers for invalidating values]' \ '(--invalid-bignum)'--invalid-bignum'[Use big numbers for invalidating values]' \
'(--invalid-logical)'--invalid-logical'[Use logical operations for invalidating values]' \ '(--invalid-logical)'--invalid-logical'[Use logical operations for invalidating values]' \
'(--no-cast)'--no-cast'[Turn off payload casting mechanism]' \ '(--no-cast)'--no-cast'[Turn off payload casting mechanism]' \
'(--no-unescape)'--no-unescape'[Turn off string unescaping mechanism]' \ '(--no-escape)'--no-unescape'[Turn off string escaping mechanism]' \
'(--prefix)'--prefix=-'[Injection payload prefix string]:PREFIX' \ '(--prefix)'--prefix=-'[Injection payload prefix string]:PREFIX' \
'(--suffix)'--suffix=-'[Injection payload suffix string]:SUFFIX' \ '(--suffix)'--suffix=-'[Injection payload suffix string]:SUFFIX' \
'(--skip)'--skip=-'[Skip testing for given parameter(s)]:SKIP' \ '(--skip)'--skip=-'[Skip testing for given parameter(s)]:SKIP' \

4
lib/core/agent.py
View File

@ -157,7 +157,7 @@ class Agent(object):
return self.payloadDirect(expression) return self.payloadDirect(expression)
expression = self.cleanupPayload(expression) expression = self.cleanupPayload(expression)
expression = unescaper.unescape(expression) expression = unescaper.escape(expression)
query = None query = None
if where is None and kb.technique and kb.technique in kb.injection.data: if where is None and kb.technique and kb.technique in kb.injection.data:
@ -917,7 +917,7 @@ class Agent(object):
else: else:
lengthExpr = lengthQuery % expression lengthExpr = lengthQuery % expression
return unescaper.unescape(lengthExpr) return unescaper.escape(lengthExpr)
def forgeCaseStatement(self, expression): def forgeCaseStatement(self, expression):
""" """

7
lib/core/common.py
View File

@ -54,7 +54,7 @@ from lib.core.convert import unicodeencode
from lib.core.convert import utf8encode from lib.core.convert import utf8encode
from lib.core.decorators import cachedmethod from lib.core.decorators import cachedmethod
from lib.core.dicts import DBMS_DICT from lib.core.dicts import DBMS_DICT
from lib.core.dicts import DEPRECATED_HINTS from lib.core.dicts import DEPRECATED_OPTIONS
from lib.core.dicts import SQL_STATEMENTS from lib.core.dicts import SQL_STATEMENTS
from lib.core.enums import ADJUST_TIME_DELAY from lib.core.enums import ADJUST_TIME_DELAY
from lib.core.enums import CHARSET_TYPE from lib.core.enums import CHARSET_TYPE
@ -84,7 +84,6 @@ from lib.core.settings import DBMS_DIRECTORY_DICT
from lib.core.settings import DEFAULT_COOKIE_DELIMITER from lib.core.settings import DEFAULT_COOKIE_DELIMITER
from lib.core.settings import DEFAULT_GET_POST_DELIMITER from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import DEFAULT_MSSQL_SCHEMA from lib.core.settings import DEFAULT_MSSQL_SCHEMA
from lib.core.settings import DEPRECATED_OPTIONS
from lib.core.settings import DESCRIPTION from lib.core.settings import DESCRIPTION
from lib.core.settings import DUMMY_SQL_INJECTION_CHARS from lib.core.settings import DUMMY_SQL_INJECTION_CHARS
from lib.core.settings import DUMMY_USER_INJECTION from lib.core.settings import DUMMY_USER_INJECTION
@ -3055,8 +3054,8 @@ def checkDeprecatedOptions(args):
for _ in args: for _ in args:
if _ in DEPRECATED_OPTIONS: if _ in DEPRECATED_OPTIONS:
errMsg = "switch/option '%s' is deprecated" % _ errMsg = "switch/option '%s' is deprecated" % _
if _ in DEPRECATED_HINTS: if DEPRECATED_OPTIONS[_]:
errMsg += " (hint: %s)" % DEPRECATED_HINTS[_] errMsg += " (hint: %s)" % DEPRECATED_OPTIONS[_]
raise SqlmapSyntaxException(errMsg) raise SqlmapSyntaxException(errMsg)
def evaluateCode(code, variables=None): def evaluateCode(code, variables=None):

5
lib/core/dicts.py
View File

@ -202,9 +202,10 @@ POST_HINT_CONTENT_TYPES = {
POST_HINT.XML: "application/xml", POST_HINT.XML: "application/xml",
} }
DEPRECATED_HINTS = { DEPRECATED_OPTIONS = {
"--replicate": "use '--dump-format=SQLITE' instead", "--replicate": "use '--dump-format=SQLITE' instead",
} "--no-unescape": "use '--no-escape' instead",
}
DUMP_DATA_PREPROCESS = { DUMP_DATA_PREPROCESS = {
DBMS.ORACLE: {"XMLTYPE": "(%s).getStringVal()"}, # Reference: https://www.tibcommunity.com/docs/DOC-3643 DBMS.ORACLE: {"XMLTYPE": "(%s).getStringVal()"}, # Reference: https://www.tibcommunity.com/docs/DOC-3643

2
lib/core/optiondict.py
View File

@ -65,7 +65,7 @@ optDict = {
"invalidBignum": "boolean", "invalidBignum": "boolean",
"invalidLogical": "boolean", "invalidLogical": "boolean",
"noCast": "boolean", "noCast": "boolean",
"noUnescape": "boolean", "noEscape": "boolean",
"prefix": "string", "prefix": "string",
"suffix": "string", "suffix": "string",
"skip": "string", "skip": "string",

5
lib/core/settings.py
View File

@ -278,7 +278,7 @@ MYSQL_ERROR_CHUNK_LENGTH = 50
# Maximum length used for retrieving data over MSSQL error based payload due to trimming problems with longer result strings # Maximum length used for retrieving data over MSSQL error based payload due to trimming problems with longer result strings
MSSQL_ERROR_CHUNK_LENGTH = 100 MSSQL_ERROR_CHUNK_LENGTH = 100
# Do not unescape the injected statement if it contains any of the following SQL words # Do not escape the injected statement if it contains any of the following SQL keywords
EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", "'%s'" % CHAR_INFERENCE_MARK) EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", "'%s'" % CHAR_INFERENCE_MARK)
# Mark used for replacement of reflected values # Mark used for replacement of reflected values
@ -308,9 +308,6 @@ HASH_MOD_ITEM_DISPLAY = 11
# Maximum integer value # Maximum integer value
MAX_INT = sys.maxint MAX_INT = sys.maxint
# List of deprecated options
DEPRECATED_OPTIONS = ("--replicate",)
# Parameters to be ignored in detection phase (upper case) # Parameters to be ignored in detection phase (upper case)
IGNORE_PARAMETERS = ("__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION", "ASPSESSIONID", "ASP.NET_SESSIONID", "JSESSIONID", "CFID", "CFTOKEN") IGNORE_PARAMETERS = ("__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION", "ASPSESSIONID", "ASP.NET_SESSIONID", "JSESSIONID", "CFID", "CFTOKEN")

4
lib/core/unescaper.py
View File

@ -11,8 +11,8 @@ from lib.core.datatype import AttribDict
from lib.core.settings import EXCLUDE_UNESCAPE from lib.core.settings import EXCLUDE_UNESCAPE
class Unescaper(AttribDict): class Unescaper(AttribDict):
def unescape(self, expression, quote=True, dbms=None): def escape(self, expression, quote=True, dbms=None):
if conf.noUnescape: if conf.noEscape:
return expression return expression
if expression is None: if expression is None:

4
lib/parse/cmdline.py
View File

@ -209,9 +209,9 @@ def cmdLineParser():
action="store_true", action="store_true",
help="Turn off payload casting mechanism") help="Turn off payload casting mechanism")
injection.add_option("--no-unescape", dest="noUnescape", injection.add_option("--no-escape", dest="noEscape",
action="store_true", action="store_true",
help="Turn off string unescaping mechanism") help="Turn off string escaping mechanism")
injection.add_option("--prefix", dest="prefix", injection.add_option("--prefix", dest="prefix",
help="Injection payload prefix string") help="Injection payload prefix string")

4
lib/takeover/udf.py
View File

@ -84,7 +84,7 @@ class UDF:
if udfName is None: if udfName is None:
udfName = "sys_exec" udfName = "sys_exec"
cmd = unescaper.unescape(self.udfForgeCmd(cmd)) cmd = unescaper.escape(self.udfForgeCmd(cmd))
return inject.goStacked("SELECT %s(%s)" % (udfName, cmd), silent) return inject.goStacked("SELECT %s(%s)" % (udfName, cmd), silent)
@ -103,7 +103,7 @@ class UDF:
output = new_output output = new_output
else: else:
cmd = unescaper.unescape(self.udfForgeCmd(cmd)) cmd = unescaper.escape(self.udfForgeCmd(cmd))
inject.goStacked("INSERT INTO %s(%s) VALUES (%s(%s))" % (self.cmdTblName, self.tblField, udfName, cmd)) inject.goStacked("INSERT INTO %s(%s) VALUES (%s(%s))" % (self.cmdTblName, self.tblField, udfName, cmd))
output = unArrayizeValue(inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last, safeCharEncode=False)) output = unArrayizeValue(inject.getValue("SELECT %s FROM %s" % (self.tblField, self.cmdTblName), resumeValue=False, firstChar=first, lastChar=last, safeCharEncode=False))

10
lib/techniques/blind/inference.py
View File

@ -107,9 +107,9 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
_, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression) _, _, _, _, _, _, fieldToCastStr, _ = agent.getFields(expression)
nulledCastedField = agent.nullAndCastField(fieldToCastStr) nulledCastedField = agent.nullAndCastField(fieldToCastStr)
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1) expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
expressionUnescaped = unescaper.unescape(expressionReplaced) expressionUnescaped = unescaper.escape(expressionReplaced)
else: else:
expressionUnescaped = unescaper.unescape(expression) expressionUnescaped = unescaper.escape(expression)
if length and isinstance(length, basestring) and length.isdigit(): if length and isinstance(length, basestring) and length.isdigit():
length = int(length) length = int(length)
@ -234,7 +234,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
else: else:
# e.g.: ... > '%c' -> ... > ORD(..) # e.g.: ... > '%c' -> ... > ORD(..)
markingValue = "'%s'" % CHAR_INFERENCE_MARK markingValue = "'%s'" % CHAR_INFERENCE_MARK
unescapedCharValue = unescaper.unescape("'%s'" % decodeIntToUnicode(posValue)) unescapedCharValue = unescaper.escape("'%s'" % decodeIntToUnicode(posValue))
forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue) forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(markingValue, unescapedCharValue)
result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False) result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
@ -461,7 +461,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
# it via equal against the query output # it via equal against the query output
if commonValue is not None: if commonValue is not None:
# One-shot query containing equals commonValue # One-shot query containing equals commonValue
testValue = unescaper.unescape("'%s'" % commonValue) if "'" not in commonValue else unescaper.unescape("%s" % commonValue, quote=False) testValue = unescaper.escape("'%s'" % commonValue) if "'" not in commonValue else unescaper.escape("%s" % commonValue, quote=False)
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue))) query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
query = agent.suffixQuery(query) query = agent.suffixQuery(query)
result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False) result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)
@ -483,7 +483,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
if commonPattern is not None: if commonPattern is not None:
# Substring-query containing equals commonPattern # Substring-query containing equals commonPattern
subquery = queries[Backend.getIdentifiedDbms()].substring.query % (expressionUnescaped, 1, len(commonPattern)) subquery = queries[Backend.getIdentifiedDbms()].substring.query % (expressionUnescaped, 1, len(commonPattern))
testValue = unescaper.unescape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.unescape("%s" % commonPattern, quote=False) testValue = unescaper.escape("'%s'" % commonPattern) if "'" not in commonPattern else unescaper.escape("%s" % commonPattern, quote=False)
query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue))) query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
query = agent.suffixQuery(query) query = agent.suffixQuery(query)
result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False) result = Request.queryPage(agent.payload(newValue=query), timeBasedCompare=timeBasedCompare, raise404=False)

2
lib/techniques/dns/use.py
View File

@ -66,7 +66,7 @@ def dnsUse(payload, expression):
expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1) expressionReplaced = expression.replace(fieldToCastStr, nulledCastedField, 1)
expressionRequest = getSQLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dnsName) expressionRequest = getSQLSnippet(Backend.getIdentifiedDbms(), "dns_request", PREFIX=prefix, QUERY=expressionReplaced, SUFFIX=suffix, DOMAIN=conf.dnsName)
expressionUnescaped = unescaper.unescape(expressionRequest) expressionUnescaped = unescaper.escape(expressionRequest)
if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL): if Backend.getIdentifiedDbms() in (DBMS.MSSQL, DBMS.PGSQL):
query = agent.prefixQuery("; %s" % expressionUnescaped) query = agent.prefixQuery("; %s" % expressionUnescaped)

2
lib/techniques/error/use.py
View File

@ -88,7 +88,7 @@ def _oneShotErrorUse(expression, field=None):
query = agent.prefixQuery(vector) query = agent.prefixQuery(vector)
query = agent.suffixQuery(query) query = agent.suffixQuery(query)
injExpression = expression.replace(field, nulledCastedField, 1) if field else expression injExpression = expression.replace(field, nulledCastedField, 1) if field else expression
injExpression = unescaper.unescape(injExpression) injExpression = unescaper.escape(injExpression)
injExpression = query.replace("[QUERY]", injExpression) injExpression = query.replace("[QUERY]", injExpression)
payload = agent.payload(newValue=injExpression) payload = agent.payload(newValue=injExpression)

4
lib/techniques/union/test.py
View File

@ -172,7 +172,7 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
randQuery = randomStr(UNION_MIN_RESPONSE_CHARS) randQuery = randomStr(UNION_MIN_RESPONSE_CHARS)
phrase = "%s%s%s".lower() % (kb.chars.start, randQuery, kb.chars.stop) phrase = "%s%s%s".lower() % (kb.chars.start, randQuery, kb.chars.stop)
randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery) randQueryProcessed = agent.concatQuery("\'%s\'" % randQuery)
randQueryUnescaped = unescaper.unescape(randQueryProcessed) randQueryUnescaped = unescaper.escape(randQueryProcessed)
# Forge the union SQL injection request # Forge the union SQL injection request
query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where) query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where)
@ -194,7 +194,7 @@ def _unionPosition(comment, place, parameter, prefix, suffix, count, where=PAYLO
randQuery2 = randomStr(UNION_MIN_RESPONSE_CHARS) randQuery2 = randomStr(UNION_MIN_RESPONSE_CHARS)
phrase2 = "%s%s%s".lower() % (kb.chars.start, randQuery2, kb.chars.stop) phrase2 = "%s%s%s".lower() % (kb.chars.start, randQuery2, kb.chars.stop)
randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2) randQueryProcessed2 = agent.concatQuery("\'%s\'" % randQuery2)
randQueryUnescaped2 = unescaper.unescape(randQueryProcessed2) randQueryUnescaped2 = unescaper.escape(randQueryProcessed2)
# Confirm that it is a full union SQL injection # Confirm that it is a full union SQL injection
query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2) query = agent.forgeUnionQuery(randQueryUnescaped, position, count, comment, prefix, suffix, kb.uChar, where, multipleUnions=randQueryUnescaped2)

2
lib/techniques/union/use.py
View File

@ -58,7 +58,7 @@ def _oneShotUnionUse(expression, unpack=True, limited=False):
if retVal is None: if retVal is None:
# Prepare expression with delimiters # Prepare expression with delimiters
injExpression = unescaper.unescape(agent.concatQuery(expression, unpack)) injExpression = unescaper.escape(agent.concatQuery(expression, unpack))
where = PAYLOAD.WHERE.NEGATIVE if conf.limitStart or conf.limitStop else None where = PAYLOAD.WHERE.NEGATIVE if conf.limitStart or conf.limitStop else None

4
lib/utils/pivotdumptable.py
View File

@ -102,9 +102,9 @@ def pivotDumpTable(table, colList, count=None, blind=True):
for column in colList: for column in colList:
def _(pivotValue): def _(pivotValue):
if column == colList[0]: if column == colList[0]:
query = dumpNode.query.replace("'%s'", "%s") % (agent.preprocessField(table, column), table, agent.preprocessField(table, column), unescaper.unescape(pivotValue, False)) query = dumpNode.query.replace("'%s'", "%s") % (agent.preprocessField(table, column), table, agent.preprocessField(table, column), unescaper.escape(pivotValue, False))
else: else:
query = dumpNode.query2.replace("'%s'", "%s") % (agent.preprocessField(table, column), table, agent.preprocessField(table, colList[0]), unescaper.unescape(pivotValue, False)) query = dumpNode.query2.replace("'%s'", "%s") % (agent.preprocessField(table, column), table, agent.preprocessField(table, colList[0]), unescaper.escape(pivotValue, False))
return unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind)) return unArrayizeValue(inject.getValue(query, blind=blind, time=blind, union=not blind, error=not blind))

2
plugins/dbms/access/__init__.py
View File

@ -30,4 +30,4 @@ class AccessMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Tak
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.ACCESS] = Syntax.unescape unescaper[DBMS.ACCESS] = Syntax.escape

25
plugins/dbms/access/syntax.py
View File

@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod @staticmethod
def unescape(expression, quote=True): def escape(expression, quote=True):
if quote: if quote:
while True: while True:
index = expression.find("'") index = expression.find("'")
@ -45,26 +45,3 @@ class Syntax(GenericSyntax):
return expression return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("CHR(").rstrip(")")
oldUpper = oldUpper.split("&")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped).replace("'&'", "")
return expression

2
plugins/dbms/db2/__init__.py
View File

@ -31,4 +31,4 @@ class DB2Map(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeov
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.DB2] = Syntax.unescape unescaper[DBMS.DB2] = Syntax.escape

28
plugins/dbms/db2/syntax.py
View File

@ -14,7 +14,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod @staticmethod
def unescape(expression, quote=True): def escape(expression, quote=True):
if expression == u"'''": if expression == u"'''":
return "CHR(%d)" % (ord("'")) return "CHR(%d)" % (ord("'"))
@ -44,29 +44,3 @@ class Syntax(GenericSyntax):
expression = "||".join("CHR(%d)" % ord(c) for c in expression) expression = "||".join("CHR(%d)" % ord(c) for c in expression)
return expression return expression
@staticmethod
def escape(expression):
logMsg = "escaping %s" % expression
logger.info(logMsg)
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("CHR(").rstrip(")")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
return expression

2
plugins/dbms/firebird/__init__.py
View File

@ -30,4 +30,4 @@ class FirebirdMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, T
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.FIREBIRD] = Syntax.unescape unescaper[DBMS.FIREBIRD] = Syntax.escape

25
plugins/dbms/firebird/syntax.py
View File

@ -14,7 +14,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod @staticmethod
def unescape(expression, quote=True): def escape(expression, quote=True):
if isDBMSVersionAtLeast('2.1'): if isDBMSVersionAtLeast('2.1'):
if quote: if quote:
while True: while True:
@ -47,26 +47,3 @@ class Syntax(GenericSyntax):
return expression return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("ASCII_CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("ASCII_CHAR(").rstrip(")")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped).replace("'||'", "")
return expression

2
plugins/dbms/maxdb/__init__.py
View File

@ -30,4 +30,4 @@ class MaxDBMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Take
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.MAXDB] = Syntax.unescape unescaper[DBMS.MAXDB] = Syntax.escape

4
plugins/dbms/maxdb/syntax.py
View File

@ -11,10 +11,6 @@ class Syntax(GenericSyntax):
def __init__(self): def __init__(self):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
return expression
@staticmethod @staticmethod
def escape(expression): def escape(expression):
return expression return expression

2
plugins/dbms/mssqlserver/__init__.py
View File

@ -31,4 +31,4 @@ class MSSQLServerMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.MSSQL] = Syntax.unescape unescaper[DBMS.MSSQL] = Syntax.escape

26
plugins/dbms/mssqlserver/syntax.py
View File

@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod @staticmethod
def unescape(expression, quote=True): def escape(expression, quote=True):
if quote: if quote:
while True: while True:
index = expression.find("'") index = expression.find("'")
@ -36,27 +36,3 @@ class Syntax(GenericSyntax):
expression = "+".join("CHAR(%d)" % ord(c) for c in expression) expression = "+".join("CHAR(%d)" % ord(c) for c in expression)
return expression return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHAR(", "").replace(")", "")
escaped = "'%s'" % chr(int(oldUpper))
expression = expression.replace(old, escaped)
expression = expression.replace("'+'", "")
return expression

2
plugins/dbms/mysql/__init__.py
View File

@ -36,4 +36,4 @@ class MySQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Take
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.MYSQL] = Syntax.unescape unescaper[DBMS.MYSQL] = Syntax.escape

30
plugins/dbms/mysql/syntax.py
View File

@ -17,7 +17,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod @staticmethod
def unescape(expression, quote=True): def escape(expression, quote=True):
if quote: if quote:
unescaped = expression unescaped = expression
for item in re.findall(r"'[^']+'", expression, re.S): for item in re.findall(r"'[^']+'", expression, re.S):
@ -29,31 +29,3 @@ class Syntax(GenericSyntax):
unescaped = "0x%s" % binascii.hexlify(expression) unescaped = "0x%s" % binascii.hexlify(expression)
return unescaped return unescaped
@staticmethod
def escape(expression):
while True:
index = expression.find("CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("CHAR(").rstrip(")")
oldUpper = oldUpper.split(",")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
original = expression
for item in re.findall(r"0x[0-9a-fA-F]+", original, re.S):
expression = expression.replace(item, "'%s'" % binascii.unhexlify(item[2:]))
return expression

2
plugins/dbms/oracle/__init__.py
View File

@ -30,4 +30,4 @@ class OracleMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Tak
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.ORACLE] = Syntax.unescape unescaper[DBMS.ORACLE] = Syntax.escape

26
plugins/dbms/oracle/syntax.py
View File

@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod @staticmethod
def unescape(expression, quote=True): def escape(expression, quote=True):
if quote: if quote:
while True: while True:
index = expression.find("'") index = expression.find("'")
@ -35,27 +35,3 @@ class Syntax(GenericSyntax):
expression = "||".join("CHR(%d)" % ord(c) for c in expression) expression = "||".join("CHR(%d)" % ord(c) for c in expression)
return expression return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find("))")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHR(", "").replace(")", "")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
return expression

2
plugins/dbms/postgresql/__init__.py
View File

@ -37,4 +37,4 @@ class PostgreSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous,
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.PGSQL] = Syntax.unescape unescaper[DBMS.PGSQL] = Syntax.escape

26
plugins/dbms/postgresql/syntax.py
View File

@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod @staticmethod
def unescape(expression, quote=True): def escape(expression, quote=True):
""" """
Note: PostgreSQL has a general problem with concenation operator (||) precedence (hence the parentheses enclosing) Note: PostgreSQL has a general problem with concenation operator (||) precedence (hence the parentheses enclosing)
e.g. SELECT 1 WHERE 'a'!='a'||'b' will trigger error ("argument of WHERE must be type boolean, not type text") e.g. SELECT 1 WHERE 'a'!='a'||'b' will trigger error ("argument of WHERE must be type boolean, not type text")
@ -40,27 +40,3 @@ class Syntax(GenericSyntax):
expression = "(%s)" % "||".join("CHR(%d)" % ord(c) for c in expression) expression = "(%s)" % "||".join("CHR(%d)" % ord(c) for c in expression)
return expression return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find("))")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHR(", "").replace(")", "")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
return expression

2
plugins/dbms/sqlite/__init__.py
View File

@ -30,4 +30,4 @@ class SQLiteMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Tak
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.SQLITE] = Syntax.unescape unescaper[DBMS.SQLITE] = Syntax.escape

29
plugins/dbms/sqlite/syntax.py
View File

@ -17,7 +17,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod @staticmethod
def unescape(expression, quote=True): def escape(expression, quote=True):
unescaped = expression unescaped = expression
if isDBMSVersionAtLeast('3'): if isDBMSVersionAtLeast('3'):
@ -28,30 +28,3 @@ class Syntax(GenericSyntax):
unescaped = "X'%s'" % binascii.hexlify(expression) unescaped = "X'%s'" % binascii.hexlify(expression)
return unescaped return unescaped
@staticmethod
def escape(expression):
# Example on SQLite 3, not supported on SQLite 2:
# select X'48'||X'656c6c6f20576f726c6400'; -- Hello World
while True:
index = expression.find("X'")
if index == -1:
break
firstIndex = index
index = expression[firstIndex + 2:].find("'")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ' in '%s'" % expression)
lastIndex = firstIndex + index + 3
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("X'", "").replace("'", "")
for i in xrange(len(oldUpper) / 2):
char = oldUpper[i * 2:i * 2 + 2]
escaped = "'%s'" % chr(int(char, 16))
expression = expression.replace(old, escaped)
return expression

2
plugins/dbms/sybase/__init__.py
View File

@ -30,4 +30,4 @@ class SybaseMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Tak
Miscellaneous.__init__(self) Miscellaneous.__init__(self)
Takeover.__init__(self) Takeover.__init__(self)
unescaper[DBMS.SYBASE] = Syntax.unescape unescaper[DBMS.SYBASE] = Syntax.escape

26
plugins/dbms/sybase/syntax.py
View File

@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self) GenericSyntax.__init__(self)
@staticmethod @staticmethod
def unescape(expression, quote=True): def escape(expression, quote=True):
if quote: if quote:
while True: while True:
index = expression.find("'") index = expression.find("'")
@ -35,27 +35,3 @@ class Syntax(GenericSyntax):
expression = "+".join("CHAR(%d)" % ord(c) for c in expression) expression = "+".join("CHAR(%d)" % ord(c) for c in expression)
return expression return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find("))")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHAR(", "").replace(")", "")
oldUpper = oldUpper.split("+")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
return expression

8
plugins/generic/syntax.py
View File

@ -15,14 +15,8 @@ class Syntax:
def __init__(self): def __init__(self):
pass pass
@staticmethod
def unescape(expression, quote=True):
errMsg = "'unescape' method must be defined "
errMsg += "into the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
@staticmethod @staticmethod
def escape(expression): def escape(expression):
errMsg = "'escape' method must be defined " errMsg = "'escape' method must be defined "
errMsg += "into the specific DBMS plugin" errMsg += "inside the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg) raise SqlmapUndefinedMethod(errMsg)

4
sqlmap.conf
View File

@ -207,9 +207,9 @@ invalidLogical = False
# Valid: True or False # Valid: True or False
noCast = False noCast = False
# Turn off string unescaping mechanism # Turn off string escaping mechanism
# Valid: True or False # Valid: True or False
noUnescape = False noEscape = False
# Injection payload prefix string. # Injection payload prefix string.
prefix = prefix =