Fixes #5203

2025-12-06 12:41:30 +00:00 · 2022-10-17 12:21:47 +02:00
parent 5c55602296
commit 02dcf2a926
2 changed files with 8 additions and 2 deletions
--- a/tamper/htmlencode.py
+++ b/tamper/htmlencode.py
@@ -20,6 +20,12 @@ def tamper(payload, **kwargs):

    >>> tamper("1' AND SLEEP(5)#")
    '1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;'
+    >>> tamper("1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;")
+    '1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;'
    """

-    return re.sub(r"[^\w]", lambda match: "&#%d;" % ord(match.group(0)), payload) if payload else payload
+    if payload:
+        payload = re.sub(r"&#(\d+);", lambda match: chr(int(match.group(1))), payload)      # NOTE: https://github.com/sqlmapproject/sqlmap/issues/5203
+        payload = re.sub(r"[^\w]", lambda match: "&#%d;" % ord(match.group(0)), payload)
+
+    return payload