Merge branch 'master' of github.com:sqlmapproject/sqlmap

2025-02-03 13:14:13 +03:00 · 2013-02-12 09:28:28 +00:00 · 2013-02-12 09:28:28 +00:00 · b9cc127ead
commit b9cc127ead
parent 70230f3513 c75560ba69
2 changed files with 17 additions and 3 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -2590,7 +2590,10 @@ def decodeIntToUnicode(value):
        try:
            # http://dev.mysql.com/doc/refman/5.0/en/string-functions.html#function_ord
            if Backend.getIdentifiedDbms() in (DBMS.MYSQL,):
-                retVal = getUnicode(hexdecode(hex(value)))
+                _ = "%x" % value
+                if len(_) % 2 == 1:
+                    _ = "0%s" % _
+                retVal = getUnicode(hexdecode(_))
            elif value > 255:
                retVal = unichr(value)
            else:
--- a/plugins/generic/custom.py
+++ b/plugins/generic/custom.py
@ -9,7 +9,9 @@ import re

 from lib.core.common import Backend
 from lib.core.common import dataToStdout
+from lib.core.common import getPublicTypeMembers
 from lib.core.common import getSQLSnippet
+from lib.core.common import getTechniqueData
 from lib.core.common import isTechniqueAvailable
 from lib.core.convert import utf8decode
 from lib.core.data import conf
@ -39,14 +41,23 @@ class Custom:
                    sqlType = sqlTitle
                    break

-        if 'OPENROWSET' not in query.upper() and (not sqlType or 'SELECT' in sqlType):
+        stacked = isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED)
+
+        if not stacked:
+            for technique in getPublicTypeMembers(PAYLOAD.TECHNIQUE, True):
+                _ = getTechniqueData(technique)
+                if _ and "stacked" in _["title"].lower():
+                    stacked = True
+                    break
+
+        if "OPENROWSET" not in query.upper() and (not sqlType or "SELECT" in sqlType):
            infoMsg = "fetching %s query output: '%s'" % (sqlType if sqlType is not None else "SQL", query)
            logger.info(infoMsg)

            output = inject.getValue(query, fromUser=True)

            return output
-        elif not isTechniqueAvailable(PAYLOAD.TECHNIQUE.STACKED) and not conf.direct:
+        elif not stacked and not conf.direct:
                warnMsg = "execution of custom SQL queries is only "
                warnMsg += "available when stacked queries are supported"
                logger.warn(warnMsg)