diff --git a/lib/core/settings.py b/lib/core/settings.py
index 6013aa90f..677e06239 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -249,3 +249,6 @@ URI_INJECTION_MARK_CHAR = '*'
 
 # Maximum length used for retrieving data over MySQL error based payload due to "known" problems with longer result strings
 MYSQL_ERROR_TRIM_LENGTH = 100
+
+#
+EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ")
diff --git a/lib/core/unescaper.py b/lib/core/unescaper.py
index a57a37954..d5d21decb 100644
--- a/lib/core/unescaper.py
+++ b/lib/core/unescaper.py
@@ -9,16 +9,20 @@ See the file 'doc/COPYING' for copying permission
 
 from lib.core.common import Backend
 from lib.core.datatype import advancedDict
+from lib.core.settings import EXCLUDE_UNESCAPE
 
 class Unescaper(advancedDict):
     def unescape(self, expression, quote=True, dbms=None):
+        if expression is None:
+            return expression
+
+        for exclude in EXCLUDE_UNESCAPE:
+            if exclude in expression:
+                return expression
+
         identifiedDbms = Backend.getIdentifiedDbms()
 
-        if not expression:
-            return expression
-        elif "WAITFOR DELAY " in expression:
-            return expression
-        elif dbms is not None:
+        if dbms is not None:
             return self[dbms](expression, quote=quote)
         elif identifiedDbms is not None:
             return self[identifiedDbms](expression, quote=quote)
diff --git a/lib/techniques/inband/union/use.py b/lib/techniques/inband/union/use.py
index 6f8245114..b00fae4ce 100644
--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
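Review bot: The comment line added above `EXCLUDE_UNESCAPE` is empty, so the constant's purpose is not documented where a maintainer will look for it. Judging from the unescaper change in this commit, it gates the unescaping step by plain substring match, so something like `# Substrings whose presence in an expression makes Unescaper.unescape() return it untouched (payload fragments whose literal quoting must survive)` would do. The comment should also say that the match is case-sensitive and includes the surrounding spaces, so new entries must be spelled exactly as the payload templates emit them.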
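Review bot: The new guard `if expression is None` is narrower than the `if not expression` it replaces, so an empty string now falls through to `self[dbms]("", quote=quote)` instead of being returned as-is; unless that change is intended, keep `if not expression: return expression`. The `EXCLUDE_UNESCAPE` loop is a case-sensitive substring test over the whole expression, so any expression containing one of those fragments anywhere presumably skips DBMS-specific quote rewriting entirely — acceptable for sqlmap's own payload templates, but worth a comment such as `# Payloads that must keep their literal quoting are never unescaped`. The `else` branch of `unescape` lies past the end of the hunk.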
@@ -32,13 +32,12 @@ from lib.utils.resume import resume
 
 reqCount = 0
 
-def __oneShotUnionUse(expression, unpack=True, unescape=True):
+def __oneShotUnionUse(expression, unpack=True):
     global reqCount
 
     # Prepare expression with delimiters
-    if unescape:
-        expression = agent.concatQuery(expression, unpack)
-        expression = unescaper.unescape(expression)
+    expression = agent.concatQuery(expression, unpack)
+    expression = unescaper.unescape(expression)
 
     if conf.limitStart or conf.limitStop:
         where = PAYLOAD.WHERE.NEGATIVE
@@ -102,7 +101,7 @@ def configUnion(char=None, columns=None):
     elif isinstance(columns, basestring):
         __configUnionCols(columns)
 
-def unionUse(expression, unescape=True, unpack=True, dump=False):
+def unionUse(expression, unpack=True, dump=False):
     """
     This function tests for an inband SQL injection on the target url
     then call its subsidiary function to effectively perform an
@@ -204,7 +203,7 @@ def unionUse(expression, unescape=True, unpack=True, dump=False):
             count = parseUnionPage(count, countedExpression)
 
             if not count or not count.isdigit():
-                output = __oneShotUnionUse(countedExpression, unpack=unpack)
+                output = __oneShotUnionUse(countedExpression, unpack)
 
                 if output:
                     count = parseUnionPage(output, countedExpression)
@@ -239,7 +238,7 @@ def unionUse(expression, unescape=True, unpack=True, dump=False):
                     output = resume(limitedExpr, None)
 
                     if not output:
-                        output = __oneShotUnionUse(limitedExpr, unescape=unescape, unpack=unpack)
+                        output = __oneShotUnionUse(limitedExpr, unpack)
 
                     if output:
                         value += output
@@ -251,7 +250,7 @@ def unionUse(expression, unescape=True, unpack=True, dump=False):
             logger.warn(warnMsg)
 
     if not value:
-        value = __oneShotUnionUse(expression, unescape=unescape, unpack=unpack)
+        value = __oneShotUnionUse(expression, unpack)
 
     duration = calculateDeltaSeconds(start)
 
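Review bot: Removing the `unescape` parameter from `__oneShotUnionUse` turns the former opt-out into an unconditional `agent.concatQuery` + `unescaper.unescape` pass, and any caller outside this file that still passes `unescape=` will now fail with a TypeError at call time rather than at import; the rest of the tree should be grepped for that keyword before merging. If the opt-out is gone for good, extend the `# Prepare expression with delimiters` comment to say that the fragments which must not be unescaped are now listed in `EXCLUDE_UNESCAPE` instead of being chosen by the caller. The body of `__oneShotUnionUse` continues past the end of the hunk.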
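Review bot: `unionUse` is the module's public entry point, and dropping `unescape` from its signature is a backward-incompatible change for any external caller that passes it by keyword; if such callers exist or cannot be ruled out, a transitional `def unionUse(expression, unpack=True, dump=False, unescape=None):` that logs a deprecation warning when the value is not None would keep them working. The docstring begins inside the hunk and continues beyond it, so it could not be checked here for any mention of the removed parameter.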
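Review bot: `__oneShotUnionUse(countedExpression, unpack)` passes `unpack` positionally where the old call used the keyword; since the remaining parameters of `__oneShotUnionUse` both have defaults, `output = __oneShotUnionUse(countedExpression, unpack=unpack)` reads more clearly and survives a later reordering of the signature. The same applies to the two later call sites changed in this file. `unionUse` starts and ends outside this hunk.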