Patch for an Issue reported privately via email

2025-12-27 01:49:04 +00:00 · 2017-07-05 12:15:14 +02:00
parent ba369b73d3
commit a4ebd5418f
3 changed files with 8 additions and 4 deletions
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS

 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.1.7.5"
+VERSION = "1.1.7.6"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -345,6 +345,10 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
    kb.safeCharEncode = safeCharEncode
    kb.resumeValues = resumeValue

+    # Note: following keywords are expected to be in uppercase
+    for keyword in ("SELECT", "FROM", "WHERE"):
+        expression = re.sub("(?i)(\A|\(|\)|\s)%s(\Z|\(|\)|\s)" % keyword, r"\g<1>%s\g<2>" % keyword, expression)
+
    if suppressOutput is not None:
        pushValue(getCurrentThreadData().disableStdOut)
        getCurrentThreadData().disableStdOut = suppressOutput
@@ -356,7 +360,7 @@ def getValue(expression, blind=True, union=True, error=True, time=True, fromUser
        if expected == EXPECTED.BOOL:
            forgeCaseExpression = booleanExpression = expression

-            if expression.upper().startswith("SELECT "):
+            if expression.startswith("SELECT "):
                booleanExpression = "(%s)=%s" % (booleanExpression, "'1'" if "'1'" in booleanExpression else "1")
            else:
                forgeCaseExpression = agent.forgeCaseStatement(expression)