From b07cbb648db8b72aec14e8ed530e49e7b7095d44 Mon Sep 17 00:00:00 2001 From: flsf Date: Fri, 19 Dec 2014 10:05:31 +0800 Subject: [PATCH 1/2] fix --smoke-test error(tamper/unmagicquotes.py) --- tamper/unmagicquotes.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tamper/unmagicquotes.py b/tamper/unmagicquotes.py index d56136f7f..8f92f5d3a 100644 --- a/tamper/unmagicquotes.py +++ b/tamper/unmagicquotes.py @@ -26,7 +26,9 @@ def tamper(payload, **kwargs): * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string >>> tamper("1' AND 1=1") - '1%bf%27 AND 1=1-- ' + '1%bf%27 AND 1=1' + >>> tamper("1' AND '1'='1") + '1%bf%27-- ' """ retVal = payload From 11922225d02612faeb188d9befe4fea263d4e2a6 Mon Sep 17 00:00:00 2001 From: flsf Date: Fri, 19 Dec 2014 10:14:25 +0800 Subject: [PATCH 2/2] fix --smoke-test error(safeStringFormat) --- lib/core/common.py | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/lib/core/common.py b/lib/core/common.py index 457d1b048..234c4bb20 100755 --- a/lib/core/common.py +++ b/lib/core/common.py @@ -1564,8 +1564,12 @@ def safeStringFormat(format_, params): """ Avoids problems with inappropriate string format strings - >>> safeStringFormat('foobar%d%s', ('1', 2)) + >>> safeStringFormat('foobar%s%s', ('1', 2)) u'foobar12' + >>> safeStringFormat('foobar %d%s', ('1', 2)) + u'foobar 12' + >>> safeStringFormat('foobar=%d%s', ('1', 2)) + u'foobar=12' """ if format_.count(PAYLOAD_DELIMITER) == 2: