
Commit 04986be

committed
update regarding safe character output together with a small fix for newlines
1 parent 5dfb55e commit 04986be

5 files changed

Lines changed: 16 additions & 14 deletions


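--- a/lib/core/convert.py
+++ b/lib/core/convert.py
@@ -134,20 +134,22 @@ def htmlescape(value):
 def htmlunescape(value):
 return value.replace('&amp;', '&').replace('&lt;', '<').replace('&gt;', '>').replace('&quot;', '"').replace('&#39;', "'").replace('&nbsp;', ' ')
 
-def safehexencode(value):
+def safecharencode(value):
 """
-Returns safe hex representation of a given basestring value
+Returns safe representation of a given basestring value
 
->>> safehexencode(u'test123')
+>>> safecharencode(u'test123')
 u'test123'
->>> safehexencode(u'test\x01\x02\xff')
+>>> safecharencode(u'test\x01\x02\xff')
 u'test\\01\\02\\03\\ff'
 """
 
 retVal = value
 if isinstance(value, basestring):
 retVal = reduce(lambda x, y: x + (y if (y in string.printable or ord(y) > 255) else '\%02x' % ord(y)), value, unicode())
+for char in "\t\n\r\x0b\x0c":
+retVal = retVal.replace(char, repr(char).strip('\''))
 elif isinstance(value, list):
 for i in xrange(len(value)):
-retVal[i] = safehexencode(value[i])
+retVal[i] = safecharencode(value[i])
 return retVal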
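Review bot: The escaping in `safecharencode` is ambiguous because a backslash in `value` is itself printable and passes through the `reduce` unchanged, so retrieved data holding the two characters `\` and `n` prints exactly like an escaped newline, and a literal `\01` like an escaped 0x01 byte. If the output is meant to show the operator what the target really returned, double the backslash before encoding, for example by feeding `value.replace('\\', '\\\\')` to the `reduce`; whether any caller depends on the current form is not visible here. The doctest also looks stale: the input `u'test\x01\x02\xff'` has no 0x03 byte yet the expected output contains `\\03`, and there is no example for the new `"\t\n\r\x0b\x0c"` handling, so add one such as `>>> safecharencode(u'a\nb')` with its escaped result. Characters with `ord(y) > 255` are still emitted as-is, which deserves a comment saying that this is deliberate.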

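--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -27,7 +27,7 @@
 from lib.core.common import readInput
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
-from lib.core.convert import safehexencode
+from lib.core.convert import safecharencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -388,7 +388,7 @@ def __goInband(expression, expected=None, sort=True, resumeValue=True, unpack=Tr
 
 return data
 
-def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeHexEncode=True):
+def getValue(expression, blind=True, inband=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, sort=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True):
 """
 Called each time sqlmap inject a SQL query on the SQL injection
 affected parameter. It can call a function to retrieve the output
@@ -494,8 +494,8 @@ def getValue(expression, blind=True, inband=True, error=True, time=True, fromUse
 elif value == [None]:
 value = None
 
-if safeHexEncode:
-value = safehexencode(value)
+if safeCharEncode:
+value = safecharencode(value)
 
 return value
 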

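--- a/lib/techniques/brute/use.py
+++ b/lib/techniques/brute/use.py
@@ -87,7 +87,7 @@ def tableExistsThread():
 
 if conf.verbose in (1, 2):
 clearConsoleLine(True)
-infoMsg = "\r[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), table)
+infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), table)
 dataToStdout(infoMsg, True)
 
 if conf.verbose in (1, 2):
@@ -205,7 +205,7 @@ def columnExistsThread():
 
 if conf.verbose in (1, 2):
 clearConsoleLine(True)
-infoMsg = "\r[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), column)
+infoMsg = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), column)
 dataToStdout(infoMsg, True)
 
 if conf.verbose in (1, 2):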

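--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -24,7 +24,7 @@
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
 from lib.core.convert import htmlunescape
-from lib.core.convert import safehexencode
+from lib.core.convert import safecharencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -136,7 +136,7 @@ def __errorFields(expression, expressionFields, expressionFieldsList, expected=N
 output = __oneShotErrorUse(expressionReplaced, field)
 
 if output is not None:
-dataToStdout("[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), safehexencode(replaceNewlineTabs(output, stdout=True))))
+dataToStdout("[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), safecharencode(replaceNewlineTabs(output, stdout=True))))
 
 if isinstance(num, int):
 expression = origExpr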

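--- a/lib/techniques/inband/union/use.py
+++ b/lib/techniques/inband/union/use.py
@@ -253,7 +253,7 @@ def unionUse(expression, unpack=True, dump=False):
 
 if conf.verbose == 1:
 items = output.replace(kb.misc.start, "").replace(kb.misc.stop, "").split(kb.misc.delimiter)
-status = "[%s] [INFO] retrieved: %s\n" % (time.strftime("%X"), ",".join(map(lambda x: "\"%s\"" % x, items)))
+status = "[%s] [INFO] retrieved: %s\r\n" % (time.strftime("%X"), ",".join(map(lambda x: "\"%s\"" % x, items)))
 if len(status) > width:
 status = "%s..." % status[:width - 3]
 dataToStdout(status, True)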
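Review bot: The `items` joined into `status` come from `output` and reach `dataToStdout` without passing through `safecharencode`, so control bytes in data returned by the target are written to the operator's terminal as-is on this path, while the error-based path in this same commit wraps its output. Encoding each item would make the two consistent: `",".join(map(lambda x: "\"%s\"" % safecharencode(x), items))`, together with `from lib.core.convert import safecharencode` at the top of the file. Whether `output` was already encoded earlier, or `dataToStdout` filters on its own, is not visible in the hunk, so this needs checking against the rest of `unionUse`, which starts and ends outside the hunk. Also, when `status` is longer than `width`, the truncation to `status[:width - 3]` drops the trailing `\r\n`.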
