Unescaping is renamed to escaping

This commit is contained in:
Miroslav Stampar
2013-01-18 15:40:37 +01:00
parent c717de9c9d
commit 601eb1e49a
37 changed files with 51 additions and 287 deletions


@@ -157,7 +157,7 @@ class Agent(object):
return self.payloadDirect(expression)
expression = self.cleanupPayload(expression)
expression = unescaper.unescape(expression)
expression = unescaper.escape(expression)
query = None
if where is None and kb.technique and kb.technique in kb.injection.data:
@@ -917,7 +917,7 @@ class Agent(object):
else:
lengthExpr = lengthQuery % expression
return unescaper.unescape(lengthExpr)
return unescaper.escape(lengthExpr)
def forgeCaseStatement(self, expression):
"""


@@ -54,7 +54,7 @@ from lib.core.convert import unicodeencode
from lib.core.convert import utf8encode
from lib.core.decorators import cachedmethod
from lib.core.dicts import DBMS_DICT
from lib.core.dicts import DEPRECATED_HINTS
from lib.core.dicts import DEPRECATED_OPTIONS
from lib.core.dicts import SQL_STATEMENTS
from lib.core.enums import ADJUST_TIME_DELAY
from lib.core.enums import CHARSET_TYPE
@@ -84,7 +84,6 @@ from lib.core.settings import DBMS_DIRECTORY_DICT
from lib.core.settings import DEFAULT_COOKIE_DELIMITER
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
from lib.core.settings import DEFAULT_MSSQL_SCHEMA
from lib.core.settings import DEPRECATED_OPTIONS
from lib.core.settings import DESCRIPTION
from lib.core.settings import DUMMY_SQL_INJECTION_CHARS
from lib.core.settings import DUMMY_USER_INJECTION
@@ -3055,8 +3054,8 @@ def checkDeprecatedOptions(args):
for _ in args:
if _ in DEPRECATED_OPTIONS:
errMsg = "switch/option '%s' is deprecated" % _
if _ in DEPRECATED_HINTS:
errMsg += " (hint: %s)" % DEPRECATED_HINTS[_]
if DEPRECATED_OPTIONS[_]:
errMsg += " (hint: %s)" % DEPRECATED_OPTIONS[_]
raise SqlmapSyntaxException(errMsg)
def evaluateCode(code, variables=None):


@@ -202,9 +202,10 @@ POST_HINT_CONTENT_TYPES = {
POST_HINT.XML: "application/xml",
}
DEPRECATED_HINTS = {
DEPRECATED_OPTIONS = {
"--replicate": "use '--dump-format=SQLITE' instead",
}
"--no-unescape": "use '--no-escape' instead",
}
DUMP_DATA_PREPROCESS = {
DBMS.ORACLE: {"XMLTYPE": "(%s).getStringVal()"}, # Reference: https://www.tibcommunity.com/docs/DOC-3643
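Review bot: The merged DEPRECATED_OPTIONS dict now carries two meanings at once — membership marks a switch as deprecated and a truthy value supplies the hint shown to the user (the checkDeprecatedOptions hunk tests `if DEPRECATED_OPTIONS[_]:`) — but nothing at the definition says so, and a future entry that has no replacement would need an explicit empty value to keep that caller quiet. A one-line comment above the literal would make the contract visible: `# Deprecated switches/options mapped to a replacement hint; use an empty string when there is no replacement`. The dict literal closes inside the hunk, but the surrounding module continues outside it.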


@@ -65,7 +65,7 @@ optDict = {
"invalidBignum": "boolean",
"invalidLogical": "boolean",
"noCast": "boolean",
"noUnescape": "boolean",
"noEscape": "boolean",
"prefix": "string",
"suffix": "string",
"skip": "string",


@@ -278,7 +278,7 @@ MYSQL_ERROR_CHUNK_LENGTH = 50
# Maximum length used for retrieving data over MSSQL error based payload due to trimming problems with longer result strings
MSSQL_ERROR_CHUNK_LENGTH = 100
# Do not unescape the injected statement if it contains any of the following SQL words
# Do not escape the injected statement if it contains any of the following SQL keywords
EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", "'%s'" % CHAR_INFERENCE_MARK)
# Mark used for replacement of reflected values
@@ -308,9 +308,6 @@ HASH_MOD_ITEM_DISPLAY = 11
# Maximum integer value
MAX_INT = sys.maxint
# List of deprecated options
DEPRECATED_OPTIONS = ("--replicate",)
# Parameters to be ignored in detection phase (upper case)
IGNORE_PARAMETERS = ("__VIEWSTATE", "__VIEWSTATEENCRYPTED", "__EVENTARGUMENT", "__EVENTTARGET", "__EVENTVALIDATION", "ASPSESSIONID", "ASP.NET_SESSIONID", "JSESSIONID", "CFID", "CFTOKEN")
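Review bot: The comment on the EXCLUDE_UNESCAPE line now says "escape" while the constant keeps its old name, so the rename is only half applied here; the last section of this commit shows the same pattern, where the method becomes `escape` but the `Unescaper` class and the `from lib.core.settings import EXCLUDE_UNESCAPE` line keep the old naming. Either finish the rename in the same commit (e.g. `EXCLUDE_ESCAPE = (...)` with the import site updated) or leave a note such as `# NOTE: name kept as-is; the list controls what is *not* escaped` so a reader does not assume the comment is wrong. Dropping the old DEPRECATED_OPTIONS tuple from this file is consistent with the dict now defined alongside the other lookup tables, provided no other module still imports it from here.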


@@ -11,8 +11,8 @@ from lib.core.datatype import AttribDict
from lib.core.settings import EXCLUDE_UNESCAPE
class Unescaper(AttribDict):
def unescape(self, expression, quote=True, dbms=None):
if conf.noUnescape:
def escape(self, expression, quote=True, dbms=None):
if conf.noEscape:
return expression
if expression is None:
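Review bot: The renamed `escape` method still has no docstring, and the early return on `conf.noEscape` (the switch introduced as `noEscape` in the option dictionary) is the only place that opt-out is visible to a reader of the class. A short docstring stating that the method returns `expression` untouched when `conf.noEscape` is set, what it presumably does for a `None` expression (that branch's body is outside the hunk), and what the `quote` and `dbms` parameters select would help callers that reach this through Agent; the method body continues past the end of the hunk.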