Minor update for an Issue #49

2025-02-03 05:04:11 +03:00 · 2012-10-04 18:01:42 +02:00 · 2012-10-04 18:01:42 +02:00 · d464678e10
commit d464678e10
parent 84b05e2d18
4 changed files with 16 additions and 3 deletions
--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@ -13,6 +13,7 @@ from lib.core.common import Backend
 from lib.core.common import extractRegexResult
 from lib.core.common import getSQLSnippet
 from lib.core.common import isDBMSVersionAtLeast
+from lib.core.common import isNumber
 from lib.core.common import isTechniqueAvailable
 from lib.core.common import randomInt
 from lib.core.common import randomStr
@ -113,7 +114,7 @@ class Agent:

        if place in (PLACE.URI, PLACE.CUSTOM_POST):
            _ = "%s%s" % (origValue, CUSTOM_INJECTION_MARK_CHAR)
-            if kb.postHint == POST_HINT.JSON and not newValue.isdigit() and not '"%s"' % _ in paramString:
+            if kb.postHint == POST_HINT.JSON and not isNumber(newValue) and not '"%s"' % _ in paramString:
                newValue = '"%s"' % newValue
            retVal = paramString.replace(_, self.addPayloadDelimiters(newValue)).replace(CUSTOM_INJECTION_MARK_CHAR, "")
        elif place in (PLACE.USER_AGENT, PLACE.REFERER, PLACE.HOST):
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -3237,3 +3237,15 @@ def getRequestHeader(request, name):
    if request and name:
        retVal = max(request.get_header(_) if name.upper() == _.upper() else None for _ in request.headers.keys())
    return retVal
+
+def isNumber(value):
+    """
+    Returns True if the given value is a number-like object
+    """
+
+    try:
+        _ = float(value)
+    except:
+        return False
+    else:
+        return True
--- a/lib/core/target.py
+++ b/lib/core/target.py
@ -94,7 +94,7 @@ def __setRequestParams():
                raise sqlmapUserQuitException
            elif test[0] not in ("n", "N"):
                conf.data = re.sub(r'("[^"]+"\s*:\s*"[^"]+)"', r'\g<1>%s"' % CUSTOM_INJECTION_MARK_CHAR, conf.data)
-                conf.data = re.sub(r'("[^"]+"\s*:\s*)(-?[\d\.]+\b)', r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR, conf.data)
+                conf.data = re.sub(r'("[^"]+"\s*:\s*)(-?\d[\d\.]*\b)', r'\g<0>%s' % CUSTOM_INJECTION_MARK_CHAR, conf.data)
                kb.processUserMarks = True
                kb.postHint = POST_HINT.JSON

--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@ -695,7 +695,7 @@ class Connect:

            if place not in (PLACE.POST, PLACE.CUSTOM_POST) and hasattr(post, UNENCODED_ORIGINAL_VALUE):
                post = getattr(post, UNENCODED_ORIGINAL_VALUE)
-            elif not skipUrlEncode and kb.postHint not in (POST_HINT.JSON, POST_HINT.SOAP):
+            elif not skipUrlEncode and kb.postHint not in POST_HINT_CONTENT_TYPES.keys():
                post = urlencode(post)

        if timeBasedCompare: