Fixes #1559

2024-11-25 19:13:48 +03:00 · 2015-11-23 09:20:35 +01:00 · 2015-11-23 09:20:35 +01:00 · b2dc443835
commit b2dc443835
parent 4d576928a7
1 changed files with 29 additions and 24 deletions
--- a/plugins/generic/custom.py
+++ b/plugins/generic/custom.py
@ -17,6 +17,7 @@ from lib.core.data import conf
 from lib.core.data import logger
 from lib.core.dicts import SQL_STATEMENTS
 from lib.core.enums import AUTOCOMPLETE_TYPE
 from lib.core.exception import SqlmapNoneDataException
 from lib.core.settings import NULL
 from lib.core.settings import PARAMETER_SPLITTING_REGEX
 from lib.core.shell import autoCompletion
@ -35,38 +36,42 @@ class Custom:
        sqlType = None
        query = query.rstrip(';')
-        for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
+        try:
-            for sqlStatement in sqlStatements:
+            for sqlTitle, sqlStatements in SQL_STATEMENTS.items():
-                if query.lower().startswith(sqlStatement):
+                for sqlStatement in sqlStatements:
-                    sqlType = sqlTitle
+                    if query.lower().startswith(sqlStatement):
-                    break
+                        sqlType = sqlTitle
                        break
-        if not any(_ in query.upper() for _ in ("OPENROWSET", "INTO")) and (not sqlType or "SELECT" in sqlType):
+            if not any(_ in query.upper() for _ in ("OPENROWSET", "INTO")) and (not sqlType or "SELECT" in sqlType):
-            infoMsg = "fetching %s query output: '%s'" % (sqlType if sqlType is not None else "SQL", query)
+                infoMsg = "fetching %s query output: '%s'" % (sqlType if sqlType is not None else "SQL", query)
-            logger.info(infoMsg)
+                logger.info(infoMsg)
-            output = inject.getValue(query, fromUser=True)
+                output = inject.getValue(query, fromUser=True)
-            return output
+                return output
-        elif not isStackingAvailable() and not conf.direct:
+            elif not isStackingAvailable() and not conf.direct:
-                warnMsg = "execution of custom SQL queries is only "
+                    warnMsg = "execution of custom SQL queries is only "
-                warnMsg += "available when stacked queries are supported"
+                    warnMsg += "available when stacked queries are supported"
-                logger.warn(warnMsg)
+                    logger.warn(warnMsg)
-                return None
+                    return None
        else:
            if sqlType:
                debugMsg = "executing %s query: '%s'" % (sqlType if sqlType is not None else "SQL", query)
            else:
-                debugMsg = "executing unknown SQL type query: '%s'" % query
+                if sqlType:
-            logger.debug(debugMsg)
+                    debugMsg = "executing %s query: '%s'" % (sqlType if sqlType is not None else "SQL", query)
                else:
                    debugMsg = "executing unknown SQL type query: '%s'" % query
                logger.debug(debugMsg)
-            inject.goStacked(query)
+                inject.goStacked(query)
-            debugMsg = "done"
+                debugMsg = "done"
-            logger.debug(debugMsg)
+                logger.debug(debugMsg)
-            output = NULL
+                output = NULL
        except SqlmapNoneDataException, ex:
            logger.warn(ex)
        return output