From 0bc5069042b251bb288d7a8d8b37e71ccf0cd155 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Fri, 19 Jul 2019 12:17:07 +0200
Subject: [PATCH] Implements #3834

---
 lib/core/common.py | 11 +++++++++--
 lib/core/option.py | 14 ++++++++++++--
 lib/core/settings.py | 2 +-
 lib/request/connect.py | 4 +++-
 4 files changed, 25 insertions(+), 6 deletions(-)

diff --git a/lib/core/common.py b/lib/core/common.py
index f4aa3d5ae..e012a35bf 100644
--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -4868,6 +4868,8 @@ def zeroDepthSearch(expression, value):
 
     >>> _ = "SELECT (SELECT id FROM users WHERE 2>1) AS result FROM DUAL"; _[zeroDepthSearch(_, "FROM")[0]:]
     'FROM DUAL'
+    >>> _ = "a(b; c),d;e"; _[zeroDepthSearch(_, "[;, ]")[0]:]
+    ',d;e'
     """
 
     retVal = []
@@ -4878,8 +4880,13 @@ def zeroDepthSearch(expression, value):
             depth += 1
         elif expression[index] == ')':
             depth -= 1
-        elif depth == 0 and expression[index:index + len(value)] == value:
-            retVal.append(index)
+        elif depth == 0:
+            found = False
+            if value.startswith('[') and value.endswith(']'):
+                if re.search(value, expression[index:index + 1]):
+                    retVal.append(index)
+            elif expression[index:index + len(value)] == value:
+                retVal.append(index)
 
     return retVal
 
diff --git a/lib/core/option.py b/lib/core/option.py
index 815664837..7fc708e28 100644
--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -1583,8 +1583,17 @@ def _cleanupOptions():
         conf.user = conf.user.replace(" ", "")
 
     if conf.rParam:
-        conf.rParam = conf.rParam.replace(" ", "")
-        conf.rParam = re.split(PARAMETER_SPLITTING_REGEX, conf.rParam)
+        if all(_ in conf.rParam for _ in ('=', ',')):
+            original = conf.rParam
+            conf.rParam = []
+            for part in original.split(';'):
+                if '=' in part:
+                    left, right = part.split('=', 1)
+                    conf.rParam.append(left)
+                    kb.randomPool[left] = filterNone(_.strip() for _ in right.split(','))
+        else:
+            conf.rParam = conf.rParam.replace(" ", "")
+            conf.rParam = re.split(PARAMETER_SPLITTING_REGEX, conf.rParam)
     else:
         conf.rParam = []
 
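Review bot: `found = False` in the new `elif depth == 0:` branch of zeroDepthSearch is assigned and never read, so it should be dropped. The check `value.startswith('[') and value.endswith(']')` silently switches `value` from a literal substring to a regex character class matched one character at a time via `re.search(value, expression[index:index + 1])`, so any caller passing a literal that happens to start with `[` and end with `]` now gets regex semantics; the docstring extended in the previous hunk should say that a bracketed `value` is treated as a single-character regex class rather than only showing it in the doctest. Since `value` does not change inside the loop, the class could be compiled once before it, e.g. `pattern = re.compile(value) if value.startswith('[') and value.endswith(']') else None`, and the loop would then use `pattern.match(expression[index])`. The `def` line and the `for` loop header of zeroDepthSearch lie outside the hunk.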
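Review bot: In the new pooled-values branch of _cleanupOptions a `part` without `=` is silently dropped (the `for part in original.split(';')` loop has no other branch), and `left` is appended to `conf.rParam` unstripped, so a value like `a=1,2; b=3` registers ` b` with a leading space, which can never equal a request parameter name; the old `.replace(" ", "")` now only runs on the `else` path. The guard `all(_ in conf.rParam for _ in ('=', ','))` also requires both characters, so a single-value pool such as `a=1` falls through to the regex split and presumably survives as the parameter name `a=1`. Using `conf.rParam.append(left.strip())` plus a warning for parts lacking `=`, and rejecting an empty `kb.randomPool[left]` here (e.g. from `a=,`) instead of leaving it for the consumer to hit, would close these gaps. The rest of _cleanupOptions lies outside the hunk, and whether `filterNone` and `kb` are imported in option.py cannot be confirmed from the diff.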
@@ -1946,6 +1955,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
     kb.processUserMarks = None
     kb.proxyAuthHeader = None
     kb.queryCounter = 0
+    kb.randomPool = {}
     kb.redirectChoice = None
     kb.reflectiveMechanism = True
     kb.reflectiveCounters = {REFLECTIVE_COUNTER.MISS: 0, REFLECTIVE_COUNTER.HIT: 0}
diff --git a/lib/core/settings.py b/lib/core/settings.py
index e56cfc89f..5236846d9 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@ from lib.core.enums import OS
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (...)
-VERSION = "1.3.7.36"
+VERSION = "1.3.7.37"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/lib/request/connect.py b/lib/request/connect.py
index 70a2a4e97..7048b1624 100644
--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission
 
 import binascii
 import logging
+import random
 import re
 import socket
 import string
@@ -1102,7 +1103,8 @@ class Connect(object):
                     match = re.search(r"(\A|\b)%s=(?P[^&;]*)" % re.escape(randomParameter), paramString)
                     if match:
                         origValue = match.group("value")
-                        retVal = re.sub(r"(\A|\b)%s=[^&;]*" % re.escape(randomParameter), "%s=%s" % (randomParameter, randomizeParameterValue(origValue)), paramString)
+                        newValue = randomizeParameterValue(origValue) if randomParameter not in kb.randomPool else random.sample(kb.randomPool[randomParameter], 1)[0]
+                        retVal = re.sub(r"(\A|\b)%s=[^&;]*" % re.escape(randomParameter), "%s=%s" % (randomParameter, newValue), paramString)
                     return retVal
 
                 for randomParameter in conf.rParam:
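Review bot: `random.sample(kb.randomPool[randomParameter], 1)[0]` on the new `newValue` line is the long way of writing `random.choice(kb.randomPool[randomParameter])`, and either form raises `ValueError` when the pool is empty, which nothing in this diff prevents once _cleanupOptions has stored a pool whose value list filtered down to nothing. A guard such as `pool = kb.randomPool.get(randomParameter)` followed by `newValue = random.choice(pool) if pool else randomizeParameterValue(origValue)` keeps the existing fallback and removes the crash. The `def` line of the enclosing helper lies outside the hunk, and the `(?P[^&;]*)` on the context `match =` line looks like the extraction dropped the `<value>` group name rather than a defect in the code.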