sqlmap 0.8-rc3: Merge from Miroslav Stampar's branch fixing a bug when verbosity > 2 and another major bug with URL-encoding/decoding of POST data and cookies, adding the --drop-set-cookie option, implementing support for automatically decoding gzip and deflate HTTP responses, adding support for Google dork result pages (--gpage), and a minor code cleanup.

Bernardo Damele
2010-01-02 02:02:12 +00:00
parent d55175a340
commit ce022a3b6e
62 changed files with 567 additions and 1026 deletions


@@ -22,8 +22,6 @@ with sqlmap; if not, write to the Free Software Foundation, Inc., 51
Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
"""
import re
from lib.core.common import randomInt
@@ -45,7 +43,6 @@ class Agent:
temp.start = randomStr(6)
temp.stop = randomStr(6)
def payload(self, place=None, parameter=None, value=None, newValue=None, negative=False, falseCond=False):
"""
This method replaces the affected parameter with the SQL
@@ -56,9 +53,9 @@ class Agent:
negValue = ""
retValue = ""
if negative == True or conf.paramNegative == True:
if negative or conf.paramNegative:
negValue = "-"
elif falseCond == True or conf.paramFalseCond == True:
elif falseCond or conf.paramFalseCond:
randInt = randomInt()
falseValue = " AND %d=%d" % (randInt, randInt + 1)
@@ -83,7 +80,6 @@ class Agent:
return retValue
def fullPayload(self, query):
query = self.prefixQuery(query)
query = self.postfixQuery(query)
@@ -91,7 +87,6 @@ class Agent:
return payload
def prefixQuery(self, string):
"""
This method defines how the input string has to be escaped
@@ -120,7 +115,6 @@ class Agent:
return query
def postfixQuery(self, string, comment=None):
"""
This method appends the DBMS comment to the
@@ -136,7 +130,7 @@ class Agent:
if conf.postfix:
string += " %s" % conf.postfix
else:
if kb.parenthesis != None:
if kb.parenthesis is not None:
string += " AND %s" % ("(" * kb.parenthesis)
else:
raise sqlmapNoneDataException, "unable to get the number of parenthesis"
@@ -156,7 +150,6 @@ class Agent:
return string
def nullAndCastField(self, field):
"""
Take in input a field string and return its processed nulled and
@@ -195,7 +188,6 @@ class Agent:
return nulledCastedField
def nullCastConcatFields(self, fields):
"""
Take in input a sequence of fields string and return its processed
@@ -242,7 +234,6 @@ class Agent:
return nulledCastedConcatFields
def getFields(self, query):
"""
Take in input a query string and return its fields (columns) and
@@ -285,7 +276,6 @@ class Agent:
return fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsSelectTop, fieldsSelectCase, fieldsToCastList, fieldsToCastStr
def simpleConcatQuery(self, query1, query2):
concatenatedQuery = ""
@@ -300,7 +290,6 @@ class Agent:
return concatenatedQuery
def concatQuery(self, query, unpack=True):
"""
Take in input a query string and return its processed nulled,
@@ -327,7 +316,7 @@ class Agent:
@rtype: C{str}
"""
if unpack == True:
if unpack:
concatenatedQuery = ""
query = query.replace(", ", ",")
@@ -386,7 +375,6 @@ class Agent:
return concatenatedQuery
def forgeInbandQuery(self, query, exprPosition=None, nullChar="NULL"):
"""
Take in input an query (pseudo query) string and return its
@@ -465,7 +453,6 @@ class Agent:
return inbandQuery
def limitQuery(self, num, query, field):
"""
Take in input a query string and return its limited query string.
@@ -529,7 +516,7 @@ class Agent:
topNum = re.search("TOP\s+([\d]+)\s+", limitedQuery, re.I).group(1)
limitedQuery = limitedQuery.replace("TOP %s " % topNum, "")
if forgeNotIn == True:
if forgeNotIn:
limitedQuery = limitedQuery.replace("SELECT ", (limitStr % 1), 1)
if " WHERE " in limitedQuery:
limitedQuery = "%s AND %s " % (limitedQuery, field)
@@ -540,7 +527,6 @@ class Agent:
return limitedQuery
def forgeCaseStatement(self, expression):
"""
Take in input a query string and return its CASE statement query
@@ -560,6 +546,5 @@ class Agent:
return queries[kb.dbms].case % expression
# SQL agent
agent = Agent()
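Review bot: Replacing `if negative == True or conf.paramNegative == True:` with `if negative or conf.paramNegative:` in the `@@ -56,9 +53,9 @@` hunk is not strictly equivalent: the old test was true only for True (or 1), while the new one accepts any truthy value such as a non-empty string. If conf.paramNegative, conf.paramFalseCond, unpack (`@@ -327,7 +316,7 @@`) and forgeNotIn (`@@ -529,7 +516,7 @@`) are always plain booleans this is harmless, but that cannot be confirmed from the hunks, so a short comment at the first site would record the assumption: `# negative/paramNegative are plain bools; a truthiness test is intended`. Separately, the unchanged `re.search("TOP\s+([\d]+)\s+", limitedQuery, re.I).group(1)` line just above the new `if forgeNotIn:` test raises AttributeError when no TOP clause matches; presumably a guard outside the hunk guarantees a match, but a raw string literal and an explicit None check would make that robust. The enclosing `payload` and `limitQuery` methods begin and end outside these hunks.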