fuck yea

lib/core/common.py

@@ -21,6 +21,7 @@ import urlparse
 import ntpath
 import posixpath
 import httplib
+import struct
 
 from ConfigParser import DEFAULTSECT
 from ConfigParser import RawConfigParser
@@ -1518,7 +1519,7 @@ def getUnicode(value, encoding=None):
     if isinstance(value, unicode):
         return value
     elif isinstance(value, basestring):
-        return unicode(value, encoding or conf.dataEncoding, errors='replace')
+        return unicode(value, encoding or conf.dataEncoding)
     else:
         return unicode(value) # encoding ignored for non-basestring instances
 
@@ -2130,3 +2131,12 @@ def openFile(filename, mode='r'):
           mode and ('w' in mode or 'a' in mode or '+' in mode) else "read")
         errMsg += "and that it's not locked by another process."
         raise sqlmapFilePathException, errMsg
+
+def decodeIntToUnicode(value):
+    """
+    Decodes inferenced integer value with usage of current page encoding
+    """
+    try:
+        return struct.pack('>H', value).decode(kb.pageEncoding)
+    except:
+        return '?'

lib/techniques/blind/inference.py

@@ -14,6 +14,7 @@ import traceback
 from lib.core.agent import agent
 from lib.core.common import dataToSessionFile
 from lib.core.common import dataToStdout
+from lib.core.common import decodeIntToUnicode
 from lib.core.common import filterControlChars
 from lib.core.common import getCharset
 from lib.core.common import getIdentifiedDBMS
@@ -168,7 +169,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
             result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 
             if result:
-                return chr(charTbl[0]) if charTbl[0] < 128 else unichr(charTbl[0])
+                return chr(charTbl[0]) if charTbl[0] < 128 else decodeIntToUnicode(charTbl[0])
             else: 
                 return None
 
@@ -182,7 +183,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
             if CHAR_INFERENCE_MARK not in payload:
                 forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
             else:
-                forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(CHAR_INFERENCE_MARK, chr(posValue) if posValue < 128 else unichr(posValue))
+                forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx)).replace(CHAR_INFERENCE_MARK, chr(posValue) if posValue < 128 else decodeIntToUnicode(posValue))
 
             queriesCount[0] += 1
             result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
@@ -225,7 +226,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                     else:
                         retVal = minValue + 1
                         if retVal in originalTbl or (retVal == ord('\n') and CHAR_INFERENCE_MARK in payload):
-                            return chr(retVal) if retVal < 128 else unichr(retVal)
+                            return chr(retVal) if retVal < 128 else decodeIntToUnicode(retVal)
                         else:
                             return None
                 else:
@@ -241,7 +242,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
                         result = Request.queryPage(forgedPayload, timeBasedCompare=timeBasedCompare, raise404=False)
 
                         if result:
-                            return chr(retVal) if retVal < 128 else unichr(retVal)
+                            return chr(retVal) if retVal < 128 else decodeIntToUnicode(retVal)
 
                     return None