From 605409019130b407561519f7987247bf5a27b16d Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Wed, 28 Jan 2009 14:53:11 +0000
Subject: [PATCH] sqlmap 0.6-rc5: major bug fix to make --sql-shell and --sql-query work properly also with mixed case statements (i.e oRDeR bY). Thanks Konrads Smelkovs to notifying.
---
 doc/THANKS | 3 +++
 lib/core/common.py | 6 +++++-
 lib/core/settings.py | 2 +-
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/doc/THANKS b/doc/THANKS
index 986377f4c..55c8e6a5b 100644
--- a/doc/THANKS
+++ b/doc/THANKS
@@ -126,6 +126,9 @@ Sumit Siddharth
 M Simkin
 for suggesting a feature
+Konrads Smelkovs
+ for reporting two bugs in --sql-shell and --sql-query
+
 Jason Swan
 for reporting a bug when enumerating columns on Microsoft SQL Server
 for suggesting a couple of improvements
diff --git a/lib/core/common.py b/lib/core/common.py
index 24f235670..990c80be9 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -498,7 +498,11 @@ def cleanQuery(query):
 for sqlStatements in SQL_STATEMENTS.values():
 for sqlStatement in sqlStatements:
- upperQuery = upperQuery.replace(sqlStatement, sqlStatement.upper())
+ sqlStatementEsc = sqlStatement.replace("(", "\\(")
+ queryMatch = re.search("(%s)" % sqlStatementEsc, query, re.I)
+
+ if queryMatch:
+ upperQuery = upperQuery.replace(queryMatch.group(1), sqlStatement.upper())
 return upperQuery
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 0b7841353..fb5f040ca 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -30,7 +30,7 @@ import sys
 # sqlmap version and site
-VERSION = "0.6.4-rc4"
+VERSION = "0.6.4-rc5"
 VERSION_STRING = "sqlmap/%s" % VERSION
 SITE = "http://sqlmap.sourceforge.net"
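Review bot: In cleanQuery's inner loop the added lines escape only `(` by hand and rewrite just the one spelling returned by the first `re.search` hit, so any other regex metacharacter a SQL_STATEMENTS entry may contain (the table is not visible here) is read as pattern syntax, and a query that writes the same keyword in two different casings is normalised only for the first. The four added statements could be a single substitution, `upperQuery = re.compile(re.escape(sqlStatement), re.I).sub(sqlStatement.upper(), upperQuery)`, which escapes every metacharacter and rewrites all occurrences. The match is still substring-based, so keyword text inside a quoted literal of the user's query is uppercased as well; that appears to predate this change but now applies to every casing. The hunk shows no import change, so confirm `re` is already imported in lib/core/common.py; cleanQuery's body begins outside the hunk.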