Minor update of #3527

2024-11-21 17:16:35 +03:00 · 2019-03-11 11:38:16 +01:00 · 2019-03-11 11:38:16 +01:00 · f4338952ac
commit f4338952ac
parent a3fe4be6c5
3 changed files with 10 additions and 9 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.3.3.14"
+VERSION = "1.3.3.15"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
--- a/tamper/substring2leftright.py
+++ b/tamper/substring2leftright.py
@ -24,23 +24,23 @@ def tamper(payload, **kwargs):
    Note:
        * Useful to bypass weak web application firewalls that filter SUBSTRING (but not LEFT and RIGHT)

-    >>> tamper('SUBSTRING((X FROM 1 FOR 1))')
-    'LEFT(X,1)'
-    >>> tamper('SUBSTRING((X FROM 5 FOR 1))')
-    'LEFT(RIGHT(X,-4),1)'
+    >>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 1 FOR 1)')
+    'LEFT((SELECT usename FROM pg_user)::text,1)'
+    >>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 3 FOR 1)')
+    'LEFT(RIGHT((SELECT usename FROM pg_user)::text,-2),1)'
    """

    retVal = payload

    if payload:
-        match = re.search(r"SUBSTRING\(\((.*)\sFROM\s(\d+)\sFOR\s1\)\)", payload)
+        match = re.search(r"SUBSTRING\((.+?)\s+FROM[^)]+(\d+)[^)]+FOR[^)]+1\)", payload)

        if match:
            pos = int(match.group(2))
            if pos == 1:
-                _ = "LEFT((%s,1))" % (match.group(1))
+                _ = "LEFT(%s,1)" % (match.group(1))
            else:
-                _ = "LEFT(RIGHT((%s,%d),1))" % (match.group(1), 1-pos)
+                _ = "LEFT(RIGHT(%s,%d),1)" % (match.group(1), 1 - pos)

            retVal = retVal.replace(match.group(0), _)

--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@ -50,7 +50,7 @@ d5ef43fe3cdd6c2602d7db45651f9ceb  lib/core/readlineng.py
 7d8a22c582ad201f65b73225e4456170  lib/core/replication.py
 3179d34f371e0295dd4604568fb30bcd  lib/core/revision.py
 d6269c55789f78cf707e09a0f5b45443  lib/core/session.py
-e0e8419f3e68202e2cb336544c83c6cc  lib/core/settings.py
+70d40f6779a871d6cd824aa8827426a8  lib/core/settings.py
 4483b4a5b601d8f1c4281071dff21ecc  lib/core/shell.py
 10fd19b0716ed261e6d04f311f6f527c  lib/core/subprocessng.py
 0a5b0a97a36c19022665f66858fd7450  lib/core/target.py
@ -286,6 +286,7 @@ a308787c9dad835cb21498defcd218e6  tamper/space2mysqlblank.py
 dc99c639a9bdef91a4225d884c29bb40  tamper/space2plus.py
 190bc9adca68e4a628298b78e8e455e8  tamper/space2randomblank.py
 eec5c82c86f5108f9e08fb4207a8a9b1  tamper/sp_password.py
+abfdf3a9f02d0755b3c9db768bd87f9a  tamper/substring2leftright.py
 64b9486995d38c99786f7ceefa22fbce  tamper/symboliclogical.py
 08f2ce540ee1f73b6a211bffde18e697  tamper/unionalltounion.py
 628f74fc6049dd1450c832cabb28e0da  tamper/unmagicquotes.py