mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-28 20:43:49 +03:00
safe decoding values going into --replicate (as we should have a "replicate" and sqlite3 supports all chars)
This commit is contained in:
parent
30bfefd638
commit
eafab03d99
|
@ -22,6 +22,7 @@ import urllib
|
|||
|
||||
from lib.core.data import conf
|
||||
from lib.core.data import logger
|
||||
from lib.core.settings import HEX_ENCODED_CHAR_REGEX
|
||||
from lib.core.settings import UNICODE_ENCODING
|
||||
from lib.core.settings import URLENCODE_CHAR_LIMIT
|
||||
from lib.core.settings import URLENCODE_FAILSAFE_CHARS
|
||||
|
@ -145,11 +146,39 @@ def safecharencode(value):
|
|||
"""
|
||||
|
||||
retVal = value
|
||||
|
||||
if isinstance(value, basestring):
|
||||
retVal = reduce(lambda x, y: x + (y if (y in string.printable or ord(y) > 255) else '\%02x' % ord(y)), value, unicode())
|
||||
for char in "\t\n\r\x0b\x0c":
|
||||
retVal = retVal.replace(char, repr(char).strip('\''))
|
||||
|
||||
elif isinstance(value, list):
|
||||
for i in xrange(len(value)):
|
||||
retVal[i] = safecharencode(value[i])
|
||||
|
||||
return retVal
|
||||
|
||||
def safechardecode(value):
|
||||
"""
|
||||
Reverse function to safecharencode
|
||||
"""
|
||||
|
||||
retVal = value
|
||||
if isinstance(value, basestring):
|
||||
for char in "\t\n\r\x0b\x0c":
|
||||
retVal = retVal.replace(repr(char).strip('\''), char)
|
||||
|
||||
regex = re.compile(HEX_ENCODED_CHAR_REGEX)
|
||||
|
||||
while True:
|
||||
match = regex.search(retVal)
|
||||
if match:
|
||||
retVal = retVal.replace(match.group("result"), unhexlify(value.lstrip('\\')))
|
||||
else:
|
||||
break
|
||||
|
||||
elif isinstance(value, list):
|
||||
for i in xrange(len(value)):
|
||||
retVal[i] = safechardecode(value[i])
|
||||
|
||||
return retVal
|
||||
|
|
|
@ -7,6 +7,7 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
|
|||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
from lib.core.convert import safechardecode
|
||||
from lib.core.exception import sqlmapMissingDependence
|
||||
from lib.core.exception import sqlmapValueException
|
||||
|
||||
|
@ -63,8 +64,9 @@ class Replication:
|
|||
"""
|
||||
This function is used for inserting row(s) into current table.
|
||||
"""
|
||||
|
||||
if len(values) == len(self.columns):
|
||||
self.parent.cursor.execute('INSERT INTO %s VALUES (%s)' % (self.name, ','.join(['?']*len(values))), values)
|
||||
self.parent.cursor.execute('INSERT INTO %s VALUES (%s)' % (self.name, ','.join(['?']*len(values))), safechardecode(values))
|
||||
else:
|
||||
errMsg = "wrong number of columns used in replicating insert"
|
||||
raise sqlmapValueException, errMsg
|
||||
|
|
|
@ -304,3 +304,6 @@ MAX_INT = sys.maxint
|
|||
|
||||
# Parameters to be ignored in detection phase (upper case)
|
||||
IGNORE_PARAMETERS = ("__VIEWSTATE", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION", "ASPSESSIONID", "ASP.NET_SESSIONID", "JSESSIONID", "CFID", "CFTOKEN")
|
||||
|
||||
# Regex used for recognition of hex encoded characters
|
||||
HEX_ENCODED_CHAR_REGEX = r"(?P<result>\\[0-9A-Fa-f]{2})"
|
||||
|
|
Loading…
Reference in New Issue
Block a user