From cf3b02ee0465408ea5ae2a33820fdb597326d01c Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Fri, 19 Dec 2014 09:26:01 +0100 Subject: [PATCH] Proper fix for #1053 --- lib/core/common.py | 4 ++-- tamper/unmagicquotes.py | 7 ++++--- 2 files changed, 6 insertions(+), 5 deletions(-) diff --git a/lib/core/common.py b/lib/core/common.py index 457d1b048..c3951b33b 100755 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -1564,8 +1564,8 @@ def safeStringFormat(format_, params): """ Avoids problems with inappropriate string format strings - >>> safeStringFormat('foobar%d%s', ('1', 2)) - u'foobar12' + >>> safeStringFormat('SELECT foo FROM %s LIMIT %d', ('bar', '1')) + u'SELECT foo FROM bar LIMIT 1' """ if format_.count(PAYLOAD_DELIMITER) == 2: diff --git a/tamper/unmagicquotes.py b/tamper/unmagicquotes.py index d56136f7f..b37f6c0eb 100644 --- a/tamper/unmagicquotes.py +++ b/tamper/unmagicquotes.py @@ -26,7 +26,7 @@ def tamper(payload, **kwargs): * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string >>> tamper("1' AND 1=1") - '1%bf%27 AND 1=1-- ' + '1%bf%27-- ' """ retVal = payload @@ -44,9 +44,10 @@ def tamper(payload, **kwargs): continue if found: - _ = re.sub("(?i)\s*(AND|OR)[\s(]+'[^']+'\s*(=|LIKE)\s*'.*", "", retVal) + _ = re.sub(r"(?i)\s*(AND|OR)[\s(]+([^\s]+)\s*(=|LIKE)\s*\2", "", retVal) if _ != retVal: retVal = _ retVal += "-- " - + elif not any(_ in retVal for _ in ('#', '--', '/*')): + retVal += "-- " return retVal