PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-10 09:49:06 +00:00
Code Issues Projects Releases Wiki Activity

introduced safe string formatting

Browse Source
This commit is contained in:
Miroslav Stampar
2010-01-15 16:06:59 +00:00
parent dcf0b2a3c1
commit 5f171340f5
5 changed files with 31 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
lib/techniques/blind/inference.py
View File

@@ -31,6 +31,7 @@ from lib.core.common import dataToSessionFile
from lib.core.common import dataToStdout
from lib.core.common import getCharset
from lib.core.common import replaceNewlineTabs
from lib.core.common import safeStringFormat
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
@@ -117,7 +118,7 @@ def bisection(payload, expression, length=None, charsetType=None, firstChar=None
queriesCount[0] += 1
position = (len(asciiTbl) / 2)
posValue = asciiTbl[position]
forgedPayload = payload % (expressionUnescaped, idx, posValue)
forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
result = Request.queryPage(forgedPayload)
if result:

5
lib/techniques/inband/union/test.py
View File

@@ -24,6 +24,7 @@ Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
from lib.core.agent import agent
from lib.core.common import randomStr
from lib.core.common import safeStringFormat
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger
@@ -121,7 +122,7 @@ def __forgeUserFriendlyValue(payload):
value = ""
if kb.injPlace == "GET":
value = "%s?%s" % (conf.url, payload)
value = safeStringFormat("%s?%s", (conf.url, payload))
elif kb.injPlace == "POST":
value = "URL:\t'%s'" % conf.url
value += "\nPOST:\t'%s'\n" % payload
@@ -202,7 +203,7 @@ def unionTest():
technique = "NULL bruteforcing"
infoMsg = "testing inband sql injection on parameter "
infoMsg += "'%s' with %s technique" % (kb.injParameter, technique)
infoMsg += safeStringFormat("'%s' with %s technique", (kb.injParameter, technique))
logger.info(infoMsg)
value = ""

1
lib/techniques/inband/union/use.py
View File

@@ -27,6 +27,7 @@ import time
from lib.core.agent import agent
from lib.core.common import parseUnionPage
from lib.core.common import safeStringFormat
from lib.core.data import conf
from lib.core.data import kb
from lib.core.data import logger