From 7dbbf3ecf5f96ab7c6d77b72d8f4789a037af600 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Wed, 7 Jun 2017 23:19:19 +0200
Subject: [PATCH] Fixes 'codewatchorg/sqlipy/issues/12'
---
 lib/core/settings.py | 2 +-
 lib/core/target.py | 91 ++++++++++++++++++++++++--------------------
 txt/checksum.md5 | 4 +-
 3 files changed, 53 insertions(+), 44 deletions(-)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 3bac3eedf..ed2a3c45a 100755
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 # sqlmap version (...)
-VERSION = "1.1.6.8"
+VERSION = "1.1.6.9"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/core/target.py b/lib/core/target.py
index acdf6d855..6697a3de3 100644
--- a/lib/core/target.py
+++ b/lib/core/target.py
@@ -128,15 +128,15 @@ def _setRequestParams():
 if kb.processUserMarks:
 kb.testOnlyCustom = True
- if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
- if re.search(JSON_RECOGNITION_REGEX, conf.data):
- message = "JSON data found in %s data. " % conf.method
- message += "Do you want to process it? [Y/n/q] "
- choice = readInput(message, default='Y')
+ if re.search(JSON_RECOGNITION_REGEX, conf.data):
+ message = "JSON data found in %s data. " % conf.method
+ message += "Do you want to process it? [Y/n/q] "
+ choice = readInput(message, default='Y')
- if choice == 'Q':
- raise SqlmapUserQuitException
- elif choice == 'Y':
+ if choice == 'Q':
+ raise SqlmapUserQuitException
+ elif choice == 'Y':
+ if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
 conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
 conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
 conf.data = re.sub(r'("(?P[^"]+)"\s*:\s*"[^"]+)"', functools.partial(process, repl=r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR), conf.data)
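Review bot: The re-added JSON prompt line `choice = readInput(message, default='Y')` compares the raw answer against 'Q' and 'Y' without normalising case, while the JSON-like, array-like, SOAP/XML and multipart prompts in the next hunk all call `.upper()`. Unless readInput() upper-cases its result itself (not visible here), a lowercase `y` falls through both comparisons, so the JSON body is neither marked nor given `kb.postHint = POST_HINT.JSON`, and a lowercase `q` does not raise SqlmapUserQuitException. Suggest `choice = readInput(message, default='Y').upper()` so all five branches behave the same. The body of `_setRequestParams()` starts and ends outside this hunk.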
@@ -147,59 +147,68 @@ def _setRequestParams():
 _ = re.sub(r'("[^"]+)"', '\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR, _)
 _ = re.sub(r'(\A|,|\s+)(-?\d[\d\.]*\b)', '\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR, _)
 conf.data = conf.data.replace(match.group(0), match.group(0).replace(match.group(2), _))
- kb.postHint = POST_HINT.JSON
- elif re.search(JSON_LIKE_RECOGNITION_REGEX, conf.data):
- message = "JSON-like data found in %s data. " % conf.method
- message += "Do you want to process it? [Y/n/q] "
- choice = readInput(message, default='Y').upper()
+ kb.postHint = POST_HINT.JSON
- if choice == 'Q':
- raise SqlmapUserQuitException
- elif choice == 'Y':
+ elif re.search(JSON_LIKE_RECOGNITION_REGEX, conf.data):
+ message = "JSON-like data found in %s data. " % conf.method
+ message += "Do you want to process it? [Y/n/q] "
+ choice = readInput(message, default='Y').upper()
+
+ if choice == 'Q':
+ raise SqlmapUserQuitException
+ elif choice == 'Y':
+ if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
 conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
 conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
 conf.data = re.sub(r"('(?P[^']+)'\s*:\s*'[^']+)'", functools.partial(process, repl=r"\g<1>%s'" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
 conf.data = re.sub(r"('(?P[^']+)'\s*:\s*)(-?\d[\d\.]*\b)", functools.partial(process, repl=r"\g<0>%s" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
- kb.postHint = POST_HINT.JSON_LIKE
- elif re.search(ARRAY_LIKE_RECOGNITION_REGEX, conf.data):
- message = "Array-like data found in %s data. " % conf.method
- message += "Do you want to process it? [Y/n/q] "
- choice = readInput(message, default='Y').upper()
+ kb.postHint = POST_HINT.JSON_LIKE
- if choice == 'Q':
- raise SqlmapUserQuitException
- elif choice == 'Y':
+ elif re.search(ARRAY_LIKE_RECOGNITION_REGEX, conf.data):
+ message = "Array-like data found in %s data. " % conf.method
+ message += "Do you want to process it? [Y/n/q] "
+ choice = readInput(message, default='Y').upper()
+
+ if choice == 'Q':
+ raise SqlmapUserQuitException
+ elif choice == 'Y':
+ if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
 conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
 conf.data = re.sub(r"(=[^%s]+)" % DEFAULT_GET_POST_DELIMITER, r"\g<1>%s" % CUSTOM_INJECTION_MARK_CHAR, conf.data)
- kb.postHint = POST_HINT.ARRAY_LIKE
- elif re.search(XML_RECOGNITION_REGEX, conf.data):
- message = "SOAP/XML data found in %s data. " % conf.method
- message += "Do you want to process it? [Y/n/q] "
- choice = readInput(message, default='Y').upper()
+ kb.postHint = POST_HINT.ARRAY_LIKE
- if choice == 'Q':
- raise SqlmapUserQuitException
- elif choice == 'Y':
+ elif re.search(XML_RECOGNITION_REGEX, conf.data):
+ message = "SOAP/XML data found in %s data. " % conf.method
+ message += "Do you want to process it? [Y/n/q] "
+ choice = readInput(message, default='Y').upper()
+
+ if choice == 'Q':
+ raise SqlmapUserQuitException
+ elif choice == 'Y':
+ if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
 conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
 conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
 conf.data = re.sub(r"(<(?P[^>]+)( [^<]*)?>)([^<]+)(\g<4>%s\g<5>" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
- kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
- elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
- message = "Multipart-like data found in %s data. " % conf.method
- message += "Do you want to process it? [Y/n/q] "
- choice = readInput(message, default='Y').upper()
+ kb.postHint = POST_HINT.SOAP if "soap" in conf.data.lower() else POST_HINT.XML
- if choice == 'Q':
- raise SqlmapUserQuitException
- elif choice == 'Y':
+ elif re.search(MULTIPART_RECOGNITION_REGEX, conf.data):
+ message = "Multipart-like data found in %s data. " % conf.method
+ message += "Do you want to process it? [Y/n/q] "
+ choice = readInput(message, default='Y').upper()
+
+ if choice == 'Q':
+ raise SqlmapUserQuitException
+ elif choice == 'Y':
+ if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):
 conf.data = getattr(conf.data, UNENCODED_ORIGINAL_VALUE, conf.data)
 conf.data = conf.data.replace(CUSTOM_INJECTION_MARK_CHAR, ASTERISK_MARKER)
 conf.data = re.sub(r"(?si)((Content-Disposition[^\n]+?name\s*=\s*[\"'](?P[^\n]+?)[\"']).+?)(((\r)?\n)+--)", functools.partial(process, repl=r"\g<1>%s\g<4>" % CUSTOM_INJECTION_MARK_CHAR), conf.data)
- kb.postHint = POST_HINT.MULTIPART
+
+ kb.postHint = POST_HINT.MULTIPART
 if not kb.postHint:
 if CUSTOM_INJECTION_MARK_CHAR in conf.data: # later processed
diff --git a/txt/checksum.md5 b/txt/checksum.md5
index 34078b85c..7d7e4df12 100644
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@@ -46,10 +46,10 @@ f1531be15ed98555a9010e2db3c9da75 lib/core/optiondict.py
 d8e9250f3775119df07e9070eddccd16 lib/core/replication.py
 785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py
 40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py
-d756c1c15c9e63145a608e3b73d95324 lib/core/settings.py
+cbbdac42ff202cffc475492e6652fce5 lib/core/settings.py
 d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py
 2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py
-8136241fdbdb99a5dc0e51ba72918f6e lib/core/target.py
+04cca8a05faef752c98d1a775d98a0e6 lib/core/target.py
 8970b88627902239d695280b1160e16c lib/core/testing.py
 40881e63d516d8304fc19971049cded0 lib/core/threads.py
 ad74fc58fc7214802fd27067bce18dd2 lib/core/unescaper.py
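Review bot: In the lib/core/target.py hunk `@@ -147,59 +147,68 @@`, the guard `if not (kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data):` is now spelled out in each of the four branches here (and once more in the JSON branch of the previous hunk), with nothing explaining why `kb.postHint` is assigned outside it. Evaluating it once before the chain, e.g. `skipAutoMarks = kb.processUserMarks and CUSTOM_INJECTION_MARK_CHAR in conf.data`, and testing `if not skipAutoMarks:` in each branch would keep the five copies from drifting; only one branch runs and the guard is read before conf.data is rewritten, so the result looks equivalent. A comment such as `# user-supplied marks are kept as-is, but the body type must still be recorded` above each `kb.postHint = ...` would document the intent. The prompt "Do you want to process it?" is now also shown when user marks are present, where answering Y only sets the hint, so its wording may deserve a second look. `_setRequestParams()` begins and ends outside the hunk.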