diff --git a/lib/core/option.py b/lib/core/option.py
index 0b5680215..b7ae66269 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1770,7 +1770,18 @@ def _cleanupOptions():
 conf.col = re.sub(r"\s*,\s*", ',', conf.col)
 if conf.exclude:
- conf.exclude = re.sub(r"\s*,\s*", ',', conf.exclude)
+ regex = False
+ if any(_ in conf.exclude for _ in ('+', '*')):
+ try:
+ re.compile(conf.exclude)
+ except re.error:
+ pass
+ else:
+ regex = True
+
+ if not regex:
+ conf.exclude = re.sub(r"\s*,\s*", ',', conf.exclude)
+ conf.exclude = "\A%s\Z" % '|'.join(re.escape(_) for _ in conf.exclude.split(','))
 if conf.binaryFields:
 conf.binaryFields = re.sub(r"\s*,\s*", ',', conf.binaryFields)
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 6940e7017..3a9720c4c 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@ from lib.core.enums import OS
 from thirdparty.six import unichr as _unichr
 # sqlmap version (...)
-VERSION = "1.3.11.1"
+VERSION = "1.3.11.2"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/plugins/dbms/maxdb/enumeration.py b/plugins/dbms/maxdb/enumeration.py
index 120e8447e..bece7afeb 100644
--- a/plugins/dbms/maxdb/enumeration.py
+++ b/plugins/dbms/maxdb/enumeration.py
@@ -5,6 +5,8 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
 See the file 'LICENSE' for copying permission
 """
+import re
+
 from lib.core.common import isListLike
 from lib.core.common import readInput
 from lib.core.common import safeSQLIdentificatorNaming
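Review bot: In the `_cleanupOptions` hunk of lib/core/option.py, the pattern built for a plain comma list, `"\A%s\Z" % '|'.join(...)`, anchors only the first and last alternatives, because `|` binds more loosely than `\A` and `\Z`. For a value such as `id,name` the result `\Aid|name\Z` matches any name that starts with `id` or ends with `name`, and middle items of a longer list match as substrings, so the call sites skip more databases, tables and columns than the old exact `in conf.exclude.split(',')` test did. An empty item (for example a trailing comma) produces an empty alternative that matches every name. Grouping the alternation and dropping empty items restores exact matching: `conf.exclude = r"\A(?:%s)\Z" % '|'.join(re.escape(_) for _ in conf.exclude.split(',') if _)`; the raw-string prefix also avoids the invalid-escape warning for `\A` and `\Z`. The body of `_cleanupOptions` continues outside the hunk.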
@@ -121,7 +123,7 @@ class Enumeration(GenericEnumeration):
 colList = []
 if conf.exclude:
- colList = [_ for _ in colList if _ not in conf.exclude.split(',')]
+ colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
 for col in colList:
 colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
diff --git a/plugins/dbms/mssqlserver/enumeration.py b/plugins/dbms/mssqlserver/enumeration.py
index b39b9d7d4..46437fbed 100644
--- a/plugins/dbms/mssqlserver/enumeration.py
+++ b/plugins/dbms/mssqlserver/enumeration.py
@@ -5,6 +5,8 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
 See the file 'LICENSE' for copying permission
 """
+import re
+
 from lib.core.agent import agent
 from lib.core.common import arrayizeValue
 from lib.core.common import getLimitRange
@@ -96,7 +98,7 @@ class Enumeration(GenericEnumeration):
 singleTimeLogMessage(infoMsg)
 continue
- if conf.exclude and db in conf.exclude.split(','):
+ if conf.exclude and re.search(conf.exclude, db, re.I) is not None:
 infoMsg = "skipping database '%s'" % db
 singleTimeLogMessage(infoMsg)
 continue
@@ -119,7 +121,7 @@ class Enumeration(GenericEnumeration):
 singleTimeLogMessage(infoMsg)
 continue
- if conf.exclude and db in conf.exclude.split(','):
+ if conf.exclude and re.search(conf.exclude, db, re.I) is not None:
 infoMsg = "skipping database '%s'" % db
 singleTimeLogMessage(infoMsg)
 continue
@@ -209,7 +211,7 @@ class Enumeration(GenericEnumeration):
 singleTimeLogMessage(infoMsg)
 continue
- if conf.exclude and db in conf.exclude.split(','):
+ if conf.exclude and re.search(conf.exclude, db, re.I) is not None:
 infoMsg = "skipping database '%s'" % db
 singleTimeLogMessage(infoMsg)
 continue
@@ -283,7 +285,7 @@ class Enumeration(GenericEnumeration):
 colList = conf.col.split(',')
 if conf.exclude:
- colList = [_ for _ in colList if _ not in conf.exclude.split(',')]
+ colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
 origTbl = conf.tbl
 origDb = conf.db
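Review bot: The expression `re.search(conf.exclude, name, re.I)` is repeated verbatim in every enumeration path touched by this commit, starting with the maxdb `@@ -121` hunk and continuing through five mssqlserver hunks and the sybase, generic/databases.py, entries.py and search.py hunks, so the matching rule has no single owner. Compared with the old `in conf.exclude.split(',')` test, matching is now case-insensitive and, for a user-supplied regex, unanchored, and nothing at the call sites says so. I would move the test into one shared helper and document the semantics there, for example with `# conf.exclude is a regex after _cleanupOptions(): case-insensitive, search semantics`. The enclosing methods start and end outside these hunks.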
@@ -344,7 +346,7 @@ class Enumeration(GenericEnumeration):
 if conf.excludeSysDbs and db in self.excludeDbsList:
 continue
- if conf.exclude and db in conf.exclude.split(','):
+ if conf.exclude and re.search(conf.exclude, db, re.I) is not None:
 continue
 if any(isTechniqueAvailable(_) for _ in (PAYLOAD.TECHNIQUE.UNION, PAYLOAD.TECHNIQUE.ERROR, PAYLOAD.TECHNIQUE.QUERY)) or conf.direct:
diff --git a/plugins/dbms/sybase/enumeration.py b/plugins/dbms/sybase/enumeration.py
index 78b1113f8..9e4f9e63e 100644
--- a/plugins/dbms/sybase/enumeration.py
+++ b/plugins/dbms/sybase/enumeration.py
@@ -5,6 +5,8 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
 See the file 'LICENSE' for copying permission
 """
+import re
+
 from lib.core.common import filterPairValues
 from lib.core.common import isListLike
 from lib.core.common import isTechniqueAvailable
@@ -185,7 +187,7 @@ class Enumeration(GenericEnumeration):
 colList = []
 if conf.exclude:
- colList = [_ for _ in colList if _ not in conf.exclude.split(',')]
+ colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
 for col in colList:
 colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
diff --git a/plugins/generic/databases.py b/plugins/generic/databases.py
index 84a0de4c5..7f80357b5 100644
--- a/plugins/generic/databases.py
+++ b/plugins/generic/databases.py
@@ -5,6 +5,8 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
 See the file 'LICENSE' for copying permission
 """
+import re
+
 from lib.core.agent import agent
 from lib.core.common import arrayizeValue
 from lib.core.common import Backend
@@ -332,7 +334,7 @@ class Databases(object):
 logger.info(infoMsg)
 continue
- if conf.exclude and db in conf.exclude.split(','):
+ if conf.exclude and re.search(conf.exclude, db, re.I) is not None:
 infoMsg = "skipping database '%s'" % unsafeSQLIdentificatorNaming(db)
 singleTimeLogMessage(infoMsg)
 continue
@@ -466,7 +468,7 @@ class Databases(object):
 colList = []
 if conf.exclude:
- colList = [_ for _ in colList if _ not in conf.exclude.split(',')]
+ colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
 for col in colList:
 colList[colList.index(col)] = safeSQLIdentificatorNaming(col)
diff --git a/plugins/generic/entries.py b/plugins/generic/entries.py
index 2d359f13f..e54927675 100644
--- a/plugins/generic/entries.py
+++ b/plugins/generic/entries.py
@@ -78,7 +78,7 @@ class Entries(object):
 errMsg += "the tables' columns"
 raise SqlmapMissingMandatoryOptionException(errMsg)
- if conf.exclude and conf.db in conf.exclude.split(','):
+ if conf.exclude and re.search(conf.exclude, conf.db, re.I) is not None:
 infoMsg = "skipping database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
 singleTimeLogMessage(infoMsg)
 return
@@ -112,7 +112,7 @@ class Entries(object):
 if kb.dumpKeyboardInterrupt:
 break
- if conf.exclude and tbl in conf.exclude.split(','):
+ if conf.exclude and re.search(conf.exclude, tbl, re.I) is not None:
 infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(tbl)
 singleTimeLogMessage(infoMsg)
 continue
@@ -145,7 +145,7 @@ class Entries(object):
 colList = sorted(column for column in columns if column)
 if conf.exclude:
- colList = [_ for _ in colList if _ not in conf.exclude.split(',')]
+ colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
 if not colList:
 warnMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(tbl)
@@ -491,7 +491,7 @@ class Entries(object):
 conf.db = db
 for table in tables:
- if conf.exclude and table in conf.exclude.split(','):
+ if conf.exclude and re.search(conf.exclude, table, re.I) is not None:
 infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(table)
 logger.info(infoMsg)
 continue
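Review bot: plugins/generic/entries.py now calls `re.search` in five hunks (`@@ -78`, `-112`, `-145`, `-491`, `-562`), but unlike the other plugin files this diff adds no `import re` to it. Its import block is outside the diff, so if the module does not already import `re`, the first check that runs with an exclude value set raises `NameError`. In the `@@ -78` hunk `conf.db` is also passed straight to `re.search`, which raises `TypeError` for `None` where the old `in` test simply returned False; unless `conf.db` is guaranteed to be set by that point, I would guard it with `if conf.exclude and conf.db and re.search(conf.exclude, conf.db, re.I) is not None:`. The enclosing methods begin and end outside these hunks.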
@@ -562,7 +562,7 @@ class Entries(object):
 colList = [_ for _ in columns if _]
 if conf.exclude:
- colList = [_ for _ in colList if _ not in conf.exclude.split(',')]
+ colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
 conf.col = ','.join(colList)
 kb.data.cachedColumns = {}
diff --git a/plugins/generic/search.py b/plugins/generic/search.py
index 119af82c6..30f1feaac 100644
--- a/plugins/generic/search.py
+++ b/plugins/generic/search.py
@@ -5,6 +5,8 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
 See the file 'LICENSE' for copying permission
 """
+import re
+
 from lib.core.agent import agent
 from lib.core.common import arrayizeValue
 from lib.core.common import Backend
@@ -376,7 +378,7 @@ class Search(object):
 colList = conf.col.split(',')
 if conf.exclude:
- colList = [_ for _ in colList if _ not in conf.exclude.split(',')]
+ colList = [_ for _ in colList if re.search(conf.exclude, _, re.I) is None]
 origTbl = conf.tbl
 origDb = conf.db