Patch for an Issue #2396

lib/core/settings.py

@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.1.2.8"
+VERSION = "1.1.2.9"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

tamper/plus2concat.py

@@ -5,6 +5,8 @@ Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
 See the file 'doc/COPYING' for copying permission
 """
 
+import re
+
 from lib.core.common import zeroDepthSearch
 from lib.core.enums import PRIORITY
 
@@ -35,6 +37,7 @@ def tamper(payload, **kwargs):
     if payload:
         while True:
             indexes = zeroDepthSearch(retVal, '+')
+
             if indexes:
                 first, last = 0, 0
                 for i in xrange(1, len(indexes)):
@@ -51,6 +54,19 @@ def tamper(payload, **kwargs):
                     chars[index] = ','
 
                 retVal = "%sCONCAT(%s)%s" % (retVal[:start], ''.join(chars)[start:end], retVal[end:])
+            else:
+                match = re.search(r"\((CHAR\(\d+.+CHAR\(\d+\))\)", retVal)
+                if match:
+                    part = match.group(0)
+                    indexes = set(zeroDepthSearch(match.group(1), '+'))
+                    if not indexes:
+                        break
+                    chars = [char for char in part]
+                    for i in xrange(1, len(chars)):
+                        if i - 1 in indexes:
+                            chars[i] = ','
+                    replacement = "CONCAT%s" % "".join(chars)
+                    retVal = retVal.replace(part, replacement)
                 else:
                     break
 

txt/checksum.md5

@@ -45,7 +45,7 @@ e544108e2238d756c94a240e8a1ce061  lib/core/optiondict.py
 d8e9250f3775119df07e9070eddccd16  lib/core/replication.py
 785f86e3f963fa3798f84286a4e83ff2  lib/core/revision.py
 40c80b28b3a5819b737a5a17d4565ae9  lib/core/session.py
-bf27a71ebdeee395ebaabde9ed6974fe  lib/core/settings.py
+f108158ecd5c238a5f94f6f80d5f4c1a  lib/core/settings.py
 d91291997d2bd2f6028aaf371bf1d3b6  lib/core/shell.py
 2ad85c130cc5f2b3701ea85c2f6bbf20  lib/core/subprocessng.py
 afd0636d2e93c23f4f0a5c9b6023ea17  lib/core/target.py
@@ -252,7 +252,7 @@ a3a0e76922b4f40f422a0daca4e71af3  tamper/htmlencode.py
 54e1793f30c755202ee1acaacfac45fb  tamper/nonrecursivereplacement.py
 00ba60e5869055aaa7ba0cd23b5ed1f4  tamper/overlongutf8.py
 3cadacb0f39de03e0f8612c656104e03  tamper/percentage.py
-7805efc7af932c2ab452f41967f9eb7b  tamper/plus2concat.py
+dfaa889d125c34c7b2b468012d2b5279  tamper/plus2concat.py
 24753ed4e8ceab6f1a1fc13ee621943b  tamper/randomcase.py
 4d5fdfe77668fa44967e1d44f8a50ce7  tamper/randomcomments.py
 22561b429f41fc0bdd23e36b9a8de9e5  tamper/securesphere.py