PenTest/sqlmap
1
0
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-12-08 05:31:32 +00:00
Code Issues Projects Releases Wiki Activity

Unescaping is renamed to escaping

Browse Source
This commit is contained in:
Miroslav Stampar
2013-01-18 15:40:37 +01:00
parent c717de9c9d
commit 601eb1e49a
37 changed files with 51 additions and 287 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
plugins/dbms/access/__init__.py
View File

@@ -30,4 +30,4 @@ class AccessMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Tak
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.ACCESS] = Syntax.unescape
unescaper[DBMS.ACCESS] = Syntax.escape

25
plugins/dbms/access/syntax.py
View File

@@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
def escape(expression, quote=True):
if quote:
while True:
index = expression.find("'")
@@ -45,26 +45,3 @@ class Syntax(GenericSyntax):
return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("CHR(").rstrip(")")
oldUpper = oldUpper.split("&")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped).replace("'&'", "")
return expression

2
plugins/dbms/db2/__init__.py
View File

@@ -31,4 +31,4 @@ class DB2Map(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Takeov
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.DB2] = Syntax.unescape
unescaper[DBMS.DB2] = Syntax.escape

28
plugins/dbms/db2/syntax.py
View File

@@ -14,7 +14,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
def escape(expression, quote=True):
if expression == u"'''":
return "CHR(%d)" % (ord("'"))
@@ -44,29 +44,3 @@ class Syntax(GenericSyntax):
expression = "||".join("CHR(%d)" % ord(c) for c in expression)
return expression
@staticmethod
def escape(expression):
logMsg = "escaping %s" % expression
logger.info(logMsg)
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("CHR(").rstrip(")")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
return expression

2
plugins/dbms/firebird/__init__.py
View File

@@ -30,4 +30,4 @@ class FirebirdMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, T
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.FIREBIRD] = Syntax.unescape
unescaper[DBMS.FIREBIRD] = Syntax.escape

25
plugins/dbms/firebird/syntax.py
View File

@@ -14,7 +14,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
def escape(expression, quote=True):
if isDBMSVersionAtLeast('2.1'):
if quote:
while True:
@@ -47,26 +47,3 @@ class Syntax(GenericSyntax):
return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("ASCII_CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("ASCII_CHAR(").rstrip(")")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped).replace("'||'", "")
return expression

2
plugins/dbms/maxdb/__init__.py
View File

@@ -30,4 +30,4 @@ class MaxDBMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Take
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.MAXDB] = Syntax.unescape
unescaper[DBMS.MAXDB] = Syntax.escape

4
plugins/dbms/maxdb/syntax.py
View File

@@ -11,10 +11,6 @@ class Syntax(GenericSyntax):
def __init__(self):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
return expression
@staticmethod
def escape(expression):
return expression

2
plugins/dbms/mssqlserver/__init__.py
View File

@@ -31,4 +31,4 @@ class MSSQLServerMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.MSSQL] = Syntax.unescape
unescaper[DBMS.MSSQL] = Syntax.escape

26
plugins/dbms/mssqlserver/syntax.py
View File

@@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
def escape(expression, quote=True):
if quote:
while True:
index = expression.find("'")
@@ -36,27 +36,3 @@ class Syntax(GenericSyntax):
expression = "+".join("CHAR(%d)" % ord(c) for c in expression)
return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHAR(", "").replace(")", "")
escaped = "'%s'" % chr(int(oldUpper))
expression = expression.replace(old, escaped)
expression = expression.replace("'+'", "")
return expression

2
plugins/dbms/mysql/__init__.py
View File

@@ -36,4 +36,4 @@ class MySQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Take
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.MYSQL] = Syntax.unescape
unescaper[DBMS.MYSQL] = Syntax.escape

30
plugins/dbms/mysql/syntax.py
View File

@@ -17,7 +17,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
def escape(expression, quote=True):
if quote:
unescaped = expression
for item in re.findall(r"'[^']+'", expression, re.S):
@@ -29,31 +29,3 @@ class Syntax(GenericSyntax):
unescaped = "0x%s" % binascii.hexlify(expression)
return unescaped
@staticmethod
def escape(expression):
while True:
index = expression.find("CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find(")")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.lstrip("CHAR(").rstrip(")")
oldUpper = oldUpper.split(",")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
original = expression
for item in re.findall(r"0x[0-9a-fA-F]+", original, re.S):
expression = expression.replace(item, "'%s'" % binascii.unhexlify(item[2:]))
return expression

2
plugins/dbms/oracle/__init__.py
View File

@@ -30,4 +30,4 @@ class OracleMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Tak
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.ORACLE] = Syntax.unescape
unescaper[DBMS.ORACLE] = Syntax.escape

26
plugins/dbms/oracle/syntax.py
View File

@@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
def escape(expression, quote=True):
if quote:
while True:
index = expression.find("'")
@@ -35,27 +35,3 @@ class Syntax(GenericSyntax):
expression = "||".join("CHR(%d)" % ord(c) for c in expression)
return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find("))")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHR(", "").replace(")", "")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
return expression

2
plugins/dbms/postgresql/__init__.py
View File

@@ -37,4 +37,4 @@ class PostgreSQLMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous,
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.PGSQL] = Syntax.unescape
unescaper[DBMS.PGSQL] = Syntax.escape

26
plugins/dbms/postgresql/syntax.py
View File

@@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
def escape(expression, quote=True):
"""
Note: PostgreSQL has a general problem with concenation operator (||) precedence (hence the parentheses enclosing)
e.g. SELECT 1 WHERE 'a'!='a'||'b' will trigger error ("argument of WHERE must be type boolean, not type text")
@@ -40,27 +40,3 @@ class Syntax(GenericSyntax):
expression = "(%s)" % "||".join("CHR(%d)" % ord(c) for c in expression)
return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find("))")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHR(", "").replace(")", "")
oldUpper = oldUpper.split("||")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
return expression

2
plugins/dbms/sqlite/__init__.py
View File

@@ -30,4 +30,4 @@ class SQLiteMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Tak
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.SQLITE] = Syntax.unescape
unescaper[DBMS.SQLITE] = Syntax.escape

29
plugins/dbms/sqlite/syntax.py
View File

@@ -17,7 +17,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
def escape(expression, quote=True):
unescaped = expression
if isDBMSVersionAtLeast('3'):
@@ -28,30 +28,3 @@ class Syntax(GenericSyntax):
unescaped = "X'%s'" % binascii.hexlify(expression)
return unescaped
@staticmethod
def escape(expression):
# Example on SQLite 3, not supported on SQLite 2:
# select X'48'||X'656c6c6f20576f726c6400'; -- Hello World
while True:
index = expression.find("X'")
if index == -1:
break
firstIndex = index
index = expression[firstIndex + 2:].find("'")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ' in '%s'" % expression)
lastIndex = firstIndex + index + 3
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("X'", "").replace("'", "")
for i in xrange(len(oldUpper) / 2):
char = oldUpper[i * 2:i * 2 + 2]
escaped = "'%s'" % chr(int(char, 16))
expression = expression.replace(old, escaped)
return expression

2
plugins/dbms/sybase/__init__.py
View File

@@ -30,4 +30,4 @@ class SybaseMap(Syntax, Fingerprint, Enumeration, Filesystem, Miscellaneous, Tak
Miscellaneous.__init__(self)
Takeover.__init__(self)
unescaper[DBMS.SYBASE] = Syntax.unescape
unescaper[DBMS.SYBASE] = Syntax.escape

26
plugins/dbms/sybase/syntax.py
View File

@@ -13,7 +13,7 @@ class Syntax(GenericSyntax):
GenericSyntax.__init__(self)
@staticmethod
def unescape(expression, quote=True):
def escape(expression, quote=True):
if quote:
while True:
index = expression.find("'")
@@ -35,27 +35,3 @@ class Syntax(GenericSyntax):
expression = "+".join("CHAR(%d)" % ord(c) for c in expression)
return expression
@staticmethod
def escape(expression):
while True:
index = expression.find("CHAR(")
if index == -1:
break
firstIndex = index
index = expression[firstIndex:].find("))")
if index == -1:
raise SqlmapSyntaxException("Unenclosed ) in '%s'" % expression)
lastIndex = firstIndex + index + 1
old = expression[firstIndex:lastIndex]
oldUpper = old.upper()
oldUpper = oldUpper.replace("CHAR(", "").replace(")", "")
oldUpper = oldUpper.split("+")
escaped = "'%s'" % "".join(chr(int(char)) for char in oldUpper)
expression = expression.replace(old, escaped)
return expression