sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 17:46:37 +03:00
Code Issues Packages Projects Releases Wiki Activity

Update for an Issue #352

Browse Source
This commit is contained in:
Miroslav Stampar 2013-03-11 14:58:05 +01:00
parent d6fc10092f
commit db0a1e58b9
11 changed files with 138 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/core/common.py
View File

@ -1480,7 +1480,7 @@ def isWindowsDriveLetterPath(filepath):
def posixToNtSlashes(filepath): def posixToNtSlashes(filepath):
""" """
Replaces all occurances of Posix slashes (/) in provided Replaces all occurances of Posix slashes (/) in provided
filepath with NT ones (/) filepath with NT ones (\)
>>> posixToNtSlashes('C:/Windows') >>> posixToNtSlashes('C:/Windows')
'C:\\\\Windows' 'C:\\\\Windows'

87
lib/core/convert.py
View File

@ -13,12 +13,33 @@ from lib.core.settings import IS_WIN
from lib.core.settings import UNICODE_ENCODING from lib.core.settings import UNICODE_ENCODING
def base64decode(value): def base64decode(value):
"""
Decodes string value from Base64 to plain format
>>> base64decode('Zm9vYmFy')
'foobar'
"""
return value.decode("base64") return value.decode("base64")
def base64encode(value): def base64encode(value):
"""
Encodes string value from plain to Base64 format
>>> base64encode('foobar')
'Zm9vYmFy'
"""
return value.encode("base64")[:-1].replace("\n", "") return value.encode("base64")[:-1].replace("\n", "")
def base64pickle(value): def base64pickle(value):
"""
Serializes (with pickle) and encodes to Base64 format supplied (binary) value
>>> base64pickle('foobar')
'gAJVBmZvb2JhcnEALg=='
"""
retVal = None retVal = None
try: try:
retVal = base64encode(pickle.dumps(value, pickle.HIGHEST_PROTOCOL)) retVal = base64encode(pickle.dumps(value, pickle.HIGHEST_PROTOCOL))
@ -31,21 +52,42 @@ def base64pickle(value):
return retVal return retVal
def base64unpickle(value): def base64unpickle(value):
"""
Decodes value from Base64 to plain format and deserializes (with pickle) it's content
>>> base64unpickle('gAJVBmZvb2JhcnEALg==')
'foobar'
"""
return pickle.loads(base64decode(value)) return pickle.loads(base64decode(value))
def hexdecode(value): def hexdecode(value):
"""
Decodes string value from hex to plain format
>>> hexdecode('666f6f626172')
'foobar'
"""
value = value.lower() value = value.lower()
return (value[2:] if value.startswith("0x") else value).decode("hex") return (value[2:] if value.startswith("0x") else value).decode("hex")
def hexencode(value): def hexencode(value):
"""
Encodes string value from plain to hex format
>>> hexencode('foobar')
'666f6f626172'
"""
return utf8encode(value).encode("hex") return utf8encode(value).encode("hex")
def unicodeencode(value, encoding=None): def unicodeencode(value, encoding=None):
""" """
Return 8-bit string representation of the supplied unicode value: Returns 8-bit string representation of the supplied unicode value
>>> unicodeencode(u'test') >>> unicodeencode(u'foobar')
'test' 'foobar'
""" """
retVal = value retVal = value
@ -57,16 +99,33 @@ def unicodeencode(value, encoding=None):
return retVal return retVal
def utf8encode(value): def utf8encode(value):
"""
Returns 8-bit string representation of the supplied UTF-8 value
>>> utf8encode(u'foobar')
'foobar'
"""
return unicodeencode(value, "utf-8") return unicodeencode(value, "utf-8")
def utf8decode(value): def utf8decode(value):
"""
Returns UTF-8 representation of the supplied 8-bit string representation
>>> utf8decode('foobar')
u'foobar'
"""
return value.decode("utf-8") return value.decode("utf-8")
def htmlescape(value):
codes = (('&', '&amp;'), ('<', '&lt;'), ('>', '&gt;'), ('"', '&quot;'), ("'", '&#39;'), (' ', '&nbsp;'))
return reduce(lambda x, y: x.replace(y[0], y[1]), codes, value)
def htmlunescape(value): def htmlunescape(value):
"""
Returns (basic conversion) HTML unescaped value
>>> htmlunescape('a&lt;b')
'a<b'
"""
retVal = value retVal = value
if value and isinstance(value, basestring): if value and isinstance(value, basestring):
codes = (('&lt;', '<'), ('&gt;', '>'), ('&quot;', '"'), ('&nbsp;', ' '), ('&amp;', '&')) codes = (('&lt;', '<'), ('&gt;', '>'), ('&quot;', '"'), ('&nbsp;', ' '), ('&amp;', '&'))
@ -103,7 +162,21 @@ def stdoutencode(data):
return retVal return retVal
def jsonize(data): def jsonize(data):
"""
Returns JSON serialized data
>>> jsonize({'foo':'bar'})
'{\\n "foo": "bar"\\n}'
"""
return json.dumps(data, sort_keys=False, indent=4) return json.dumps(data, sort_keys=False, indent=4)
def dejsonize(data): def dejsonize(data):
"""
Returns JSON deserialized data
>>> dejsonize('{\\n "foo": "bar"\\n}')
{u'foo': u'bar'}
"""
return json.loads(data) return json.loads(data)

5
plugins/dbms/db2/syntax.py
View File

@ -13,6 +13,11 @@ class Syntax(GenericSyntax):
@staticmethod @staticmethod
def escape(expression, quote=True): def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
"""
def escaper(value): def escaper(value):
return "||".join("CHR(%d)" % ord(_) for _ in value) return "||".join("CHR(%d)" % ord(_) for _ in value)

12
plugins/dbms/firebird/syntax.py
View File

@ -5,6 +5,7 @@ Copyright (c) 2006-2013 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission See the file 'doc/COPYING' for copying permission
""" """
from lib.core.common import Backend
from lib.core.common import isDBMSVersionAtLeast from lib.core.common import isDBMSVersionAtLeast
from plugins.generic.syntax import Syntax as GenericSyntax from plugins.generic.syntax import Syntax as GenericSyntax
@ -14,6 +15,17 @@ class Syntax(GenericSyntax):
@staticmethod @staticmethod
def escape(expression, quote=True): def escape(expression, quote=True):
"""
>>> Backend.setVersion('2.0')
['2.0']
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
"SELECT 'abcdefgh' FROM foobar"
>>> Backend.setVersion('2.1')
['2.1']
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT ASCII_CHAR(97)||ASCII_CHAR(98)||ASCII_CHAR(99)||ASCII_CHAR(100)||ASCII_CHAR(101)||ASCII_CHAR(102)||ASCII_CHAR(103)||ASCII_CHAR(104) FROM foobar'
"""
def escaper(value): def escaper(value):
return "||".join("ASCII_CHAR(%d)" % ord(_) for _ in value) return "||".join("ASCII_CHAR(%d)" % ord(_) for _ in value)

5
plugins/dbms/maxdb/syntax.py
View File

@ -13,4 +13,9 @@ class Syntax(GenericSyntax):
@staticmethod @staticmethod
def escape(expression, quote=True): def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
"SELECT 'abcdefgh' FROM foobar"
"""
return expression return expression

5
plugins/dbms/mssqlserver/syntax.py
View File

@ -13,6 +13,11 @@ class Syntax(GenericSyntax):
@staticmethod @staticmethod
def escape(expression, quote=True): def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar'
"""
def escaper(value): def escaper(value):
return "+".join("%s(%d)" % ("CHAR" if ord(value[i]) < 256 else "NCHAR", ord(value[i])) for i in xrange(len(value))) return "+".join("%s(%d)" % ("CHAR" if ord(value[i]) < 256 else "NCHAR", ord(value[i])) for i in xrange(len(value)))

5
plugins/dbms/mysql/syntax.py
View File

@ -16,6 +16,11 @@ class Syntax(GenericSyntax):
@staticmethod @staticmethod
def escape(expression, quote=True): def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT 0x6162636465666768 FROM foobar'
"""
def escaper(value): def escaper(value):
retVal = None retVal = None
try: try:

5
plugins/dbms/oracle/syntax.py
View File

@ -13,6 +13,11 @@ class Syntax(GenericSyntax):
@staticmethod @staticmethod
def escape(expression, quote=True): def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
"""
def escaper(value): def escaper(value):
return "||".join("%s(%d)" % ("CHR" if ord(value[i]) < 256 else "NCHR", ord(value[i])) for i in xrange(len(value))) return "||".join("%s(%d)" % ("CHR" if ord(value[i]) < 256 else "NCHR", ord(value[i])) for i in xrange(len(value)))

3
plugins/dbms/postgresql/syntax.py
View File

@ -16,6 +16,9 @@ class Syntax(GenericSyntax):
""" """
Note: PostgreSQL has a general problem with concenation operator (||) precedence (hence the parentheses enclosing) Note: PostgreSQL has a general problem with concenation operator (||) precedence (hence the parentheses enclosing)
e.g. SELECT 1 WHERE 'a'!='a'||'b' will trigger error ("argument of WHERE must be type boolean, not type text") e.g. SELECT 1 WHERE 'a'!='a'||'b' will trigger error ("argument of WHERE must be type boolean, not type text")
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT (CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104)) FROM foobar'
""" """
def escaper(value): def escaper(value):

12
plugins/dbms/sqlite/syntax.py
View File

@ -7,6 +7,7 @@ See the file 'doc/COPYING' for copying permission
import binascii import binascii
from lib.core.common import Backend
from lib.core.common import isDBMSVersionAtLeast from lib.core.common import isDBMSVersionAtLeast
from lib.core.settings import UNICODE_ENCODING from lib.core.settings import UNICODE_ENCODING
from plugins.generic.syntax import Syntax as GenericSyntax from plugins.generic.syntax import Syntax as GenericSyntax
@ -17,6 +18,17 @@ class Syntax(GenericSyntax):
@staticmethod @staticmethod
def escape(expression, quote=True): def escape(expression, quote=True):
"""
>>> Backend.setVersion('2')
['2']
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
"SELECT 'abcdefgh' FROM foobar"
>>> Backend.setVersion('3')
['3']
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
"SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
"""
def escaper(value): def escaper(value):
# Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3 # Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
return "CAST(X'%s' AS TEXT)" % binascii.hexlify(value.encode(UNICODE_ENCODING) if isinstance(value, unicode) else value) return "CAST(X'%s' AS TEXT)" % binascii.hexlify(value.encode(UNICODE_ENCODING) if isinstance(value, unicode) else value)

5
plugins/dbms/sybase/syntax.py
View File

@ -13,6 +13,11 @@ class Syntax(GenericSyntax):
@staticmethod @staticmethod
def escape(expression, quote=True): def escape(expression, quote=True):
"""
>>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
'SELECT CHAR(97)+CHAR(98)+CHAR(99)+CHAR(100)+CHAR(101)+CHAR(102)+CHAR(103)+CHAR(104) FROM foobar'
"""
def escaper(value): def escaper(value):
return "+".join("%s(%d)" % ("CHAR" if ord(value[i]) < 256 else "TO_UNICHAR", ord(value[i])) for i in xrange(len(value))) return "+".join("%s(%d)" % ("CHAR" if ord(value[i]) < 256 else "TO_UNICHAR", ord(value[i])) for i in xrange(len(value)))