
Commit 5a38ac7

important update regarding (Bug #209) - probably more will be needed
1 parent a921fe0 commit 5a38ac7

21 files changed

Lines changed: 132 additions & 132 deletions

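--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -24,7 +24,6 @@
 from lib.core.common import showStaticWords
 from lib.core.common import wasLastRequestError
 from lib.core.common import DynamicContentItem
-from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger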

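--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -11,6 +11,7 @@
 
 from xml.etree import ElementTree as ET
 
+from lib.core.common import getCompiledRegex
 from lib.core.common import getInjectionCase
 from lib.core.common import randomInt
 from lib.core.common import randomStr
@@ -20,6 +21,7 @@
 from lib.core.data import queries
 from lib.core.datatype import advancedDict
 from lib.core.exception import sqlmapNoneDataException
+from lib.core.settings import PAYLOAD_DELIMITER
 
 class Agent:
 """
@@ -54,18 +56,17 @@ def payload(self, place=None, parameter=None, value=None, newValue=None, negativ
 falseValue = ""
 negValue = ""
 retValue = ""
-newValue = urlencode(newValue) if place != "URI" else newValue
 
 if negative or kb.unionNegative:
 negValue = "-"
 elif falseCond or kb.unionFalseCond:
 randInt = randomInt()
-falseValue = urlencode(" AND %d=%d" % (randInt, randInt + 1))
+falseValue = " AND %d=%d" % (randInt, randInt + 1)
 
 # After identifing the injectable parameter
 if kb.injPlace == "User-Agent":
 retValue = kb.injParameter.replace(kb.injParameter,
-"%s%s" % (negValue, kb.injParameter + falseValue + newValue))
+self.addPayloadDelimiters("%s%s" % (negValue, kb.injParameter + falseValue + newValue)))
 elif kb.injParameter:
 paramString = conf.parameters[kb.injPlace]
 paramDict = conf.paramDict[kb.injPlace]
@@ -76,21 +77,21 @@ def payload(self, place=None, parameter=None, value=None, newValue=None, negativ
 iterator = root.getiterator(kb.injParameter)
 
 for child in iterator:
-child.text = "%s%s" % (negValue, value + falseValue + newValue)
+child.text = self.addPayloadDelimiters(negValue + value + falseValue + newValue)
 
 retValue = ET.tostring(root)
 elif kb.injPlace == "URI":
 retValue = paramString.replace("*",
-"%s%s" % (negValue, falseValue + newValue))
+self.addPayloadDelimiters("%s%s" % (negValue, falseValue + newValue)))
 else:
 retValue = paramString.replace("%s=%s" % (kb.injParameter, value),
-"%s=%s%s" % (kb.injParameter, negValue, value + falseValue + newValue))
+"%s=%s" % (kb.injParameter, self.addPayloadDelimiters(negValue + value + falseValue + newValue)))
 
 # Before identifing the injectable parameter
 elif parameter == "User-Agent":
-retValue = value.replace(value, newValue)
+retValue = value.replace(value, self.addPayloadDelimiters(newValue))
 elif place == "URI":
-retValue = value.replace("*", "%s" % newValue.replace(value, str()))
+retValue = value.replace("*", self.addPayloadDelimiters("%s" % newValue.replace(value, str())))
 else:
 paramString = conf.parameters[place]
 
@@ -99,12 +100,12 @@ def payload(self, place=None, parameter=None, value=None, newValue=None, negativ
 iterator = root.getiterator(parameter)
 
 for child in iterator:
-child.text = newValue
+child.text = self.addPayloadDelimiters(newValue)
 
 retValue = ET.tostring(root)
 else:
 retValue = paramString.replace("%s=%s" % (parameter, value),
-"%s=%s" % (parameter, newValue))
+"%s=%s" % (parameter, self.addPayloadDelimiters(newValue)))
 
 return retValue
 
@@ -604,5 +605,60 @@ def forgeCaseStatement(self, expression):
 
 return queries[kb.dbms].case.query % expression
 
+def addPayloadDelimiters(self, inpStr):
+"""
+Adds payload delimiters around the input string
+"""
+retVal = inpStr
+
+if inpStr:
+retVal = "%s%s%s" % (PAYLOAD_DELIMITER, inpStr, PAYLOAD_DELIMITER)
+
+return retVal
+
+def removePayloadDelimiters(self, inpStr, urlencode_=True):
+"""
+Removes payload delimiters from inside the input string
+"""
+retVal = inpStr
+
+if inpStr:
+if urlencode_:
+regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
+
+for match in regObj.finditer(inpStr):
+retVal = retVal.replace(match.group("result"), urlencode(match.group("result")[1:-1]))
+else:
+retVal = retVal.replace(PAYLOAD_DELIMITER, '')
+
+return retVal
+
+def extractPayload(self, inpStr):
+"""
+Extracts payload from inside of the input string
+"""
+retVal = None
+
+if inpStr:
+regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
+match = regObj.search(inpStr)
+
+if match:
+retVal = match.group("result")[1:-1]
+
+return retVal
+
+def replacePayload(self, inpStr, payload):
+"""
+Replaces payload inside the input string with a given payload
+"""
+retVal = inpStr
+
+if inpStr:
+regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
+retVal = regObj.sub("%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr)
+
+return retVal
+
 # SQL agent
 agent = Agent()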
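Review bot: `replacePayload` hands the tampered payload to `regObj.sub()` as the replacement string, so any backslash in it is read as a template escape — a `\1`-style sequence is substituted and an unknown escape raises — which matters for payloads that legitimately contain backslashes; use a callable instead, `retVal = regObj.sub(lambda m: "%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr)`. The same pattern is built in `removePayloadDelimiters` and `extractPayload` by formatting `PAYLOAD_DELIMITER` into the regex unescaped, and its `.*?` does not cross newlines, so a payload that contains a newline would not be found and the delimiters would survive into the request on the `urlencode_=True` path; an inline `(?s)` flag, `"(?s)(?P<result>%s.*?%s)"`, covers the newline case, and escaping the delimiter (`re.escape`, if `re` is in scope in this file) removes the dependence on it never being a metacharacter. The `[1:-1]` slices in `removePayloadDelimiters` and `extractPayload` also hard-code a one-character delimiter, which should be stated next to the constant or derived from `len(PAYLOAD_DELIMITER)`. The `payload` method touched by the earlier hunks starts outside them.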

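--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1532,7 +1532,7 @@ def runningAsAdmin():
 isAdmin = True
 else:
 errMsg = "sqlmap is not able to check if you are running it "
-errMsg += "as an administrator accout on this platform. "
+errMsg += "as an administrator account on this platform. "
 errMsg += "sqlmap will assume that you are an administrator "
 errMsg += "which is mandatory for the requested takeover attack "
 errMsg += "to work properly"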

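--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -556,14 +556,14 @@ def __setTamperingFunctions():
 raise sqlmapSyntaxException, "can not import tamper script '%s' (%s)" % (filename[:-3], msg)
 
 for name, function in inspect.getmembers(module, inspect.isfunction):
-if name == "tamper" and function.func_code.co_argcount == 2:
+if name == "tamper" and function.func_code.co_argcount == 1:
 kb.tamperFunctions.append(function)
 found = True
 
 break
 
 if not found:
-raise sqlmapGenericException, "missing function 'tamper(place, value)' in tamper script '%s'" % tfile
+raise sqlmapGenericException, "missing function 'tamper(value)' in tamper script '%s'" % tfile
 
 def __setThreads():
 if not isinstance(conf.threads, int) or conf.threads <= 0: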

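--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -46,6 +46,8 @@
 ERROR_START_CHAR = ":s:"
 ERROR_END_CHAR = ":e:"
 
+PAYLOAD_DELIMITER = "\x00"
+
 # System variables
 IS_WIN = subprocess.mswindows
 # The name of the operating system dependent module imported. The following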
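Review bot: `PAYLOAD_DELIMITER` is added without a comment although the helpers this commit adds to lib/core/agent.py depend on its exact shape: they slice the match with `[1:-1]` and format the constant unescaped into a regex, so it must remain a single character that is not a regex metacharacter. A comment such as `# Single character wrapped around the injected payload (see Agent.addPayloadDelimiters); the extract/replace helpers slice it off with [1:-1] and put it into a regex unescaped, so keep it one non-metacharacter` would record that constraint where the next editor will see it.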

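--- a/lib/parse/banner.py
+++ b/lib/parse/banner.py
@@ -92,7 +92,7 @@ def bannerParser(banner):
 """
 
 xmlfile = None
-
+
 if kb.dbms == "Microsoft SQL Server":
 xmlfile = paths.MSSQL_XML
 elif kb.dbms == "MySQL":
@@ -104,7 +104,7 @@ def bannerParser(banner):
 
 if not xmlfile:
 return
-
+
 checkFile(xmlfile)
 
 if kb.dbms == "Microsoft SQL Server":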

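--- a/lib/request/basic.py
+++ b/lib/request/basic.py
@@ -35,9 +35,6 @@ def forgeHeaders(cookie, ua):
 
 for header, value in conf.httpHeaders:
 if cookie and header == "Cookie":
-if conf.cookieUrlencode:
-cookie = urlEncodeCookieValues(cookie)
-
 headers[header] = cookie
 elif ua and header == "User-Agent":
 headers[header] = ua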

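--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -16,6 +16,7 @@
 import traceback
 
 from lib.contrib import multipartpost
+from lib.core.agent import agent
 from lib.core.common import readInput
 from lib.core.common import getUnicode
 from lib.core.convert import urlencode
@@ -107,7 +108,6 @@ def getPage(**kwargs):
 get = conf.parameters["GET"]
 
 if get:
-get = urlencode(get)
 url = "%s?%s" % (url, get)
 requestMsg += "?%s" % get
 
@@ -149,7 +149,7 @@ def getPage(**kwargs):
 cookieStr += "%s; " % cookie[8:index]
 
 conn = urllib2.urlopen(req)
-
+
 if not req.has_header("Accept-Encoding"):
 requestHeaders += "Accept-Encoding: identity\n"
 
@@ -307,8 +307,22 @@ def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent
 place = kb.injPlace
 
 if kb.tamperFunctions:
-for function in kb.tamperFunctions:
-value = function(place, value)
+payload = agent.extractPayload(value)
+if payload:
+for function in kb.tamperFunctions:
+payload = function(payload)
+value = agent.replacePayload(value, payload)
+
+if place == "GET":
+value = agent.removePayloadDelimiters(value, True)
+elif place == "POST":
+value = agent.removePayloadDelimiters(value, False)
+elif place == "Cookie":
+value = agent.removePayloadDelimiters(value, conf.cookieUrlencode)
+elif place == "User-Agent":
+value = agent.removePayloadDelimiters(value, True)
+elif place == "URI":
+value = agent.removePayloadDelimiters(value, False)
 
 if conf.checkPayload:
 checkPayload(value)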
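Review bot: The `place` chain in `queryPage` has no fallback branch, so for any `place` outside GET/POST/Cookie/User-Agent/URI the value keeps the `PAYLOAD_DELIMITER` bytes that `agent.payload()` wrapped around it and they are sent in the request as-is; add `else: value = agent.removePayloadDelimiters(value, False)` (or raise on an unexpected place) so the delimiters can never reach the wire. Indentation is not visible on this page, so whether that chain sits inside `if kb.tamperFunctions:` cannot be told from here; if it does, the delimiters would also survive whenever no tamper script is loaded, and the chain should be unconditional. `queryPage` starts and ends outside the hunk.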

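--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -22,7 +22,6 @@
 from lib.core.common import randomInt
 from lib.core.common import readInput
 from lib.core.common import safeStringFormat
-from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger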

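--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -22,7 +22,6 @@
 from lib.core.common import readInput
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
-from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -122,7 +121,7 @@ def tryHint(idx):
 
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, posValue))
 queriesCount[0] += 1
-result = Request.queryPage(urlencode(forgedPayload))
+result = Request.queryPage(forgedPayload)
 
 if result:
 return hintValue[idx-1]
@@ -153,7 +152,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 if len(charTbl) == 1:
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, charTbl[0]))
 queriesCount[0] += 1
-result = Request.queryPage(urlencode(forgedPayload))
+result = Request.queryPage(forgedPayload)
 
 if result:
 return chr(charTbl[0]) if charTbl[0] < 128 else unichr(charTbl[0])
@@ -174,7 +173,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
 
 queriesCount[0] += 1
-result = Request.queryPage(urlencode(forgedPayload))
+result = Request.queryPage(forgedPayload)
 
 if kb.dbms in ("SQLite", "Microsoft Access", "SAP MaxDB"):
 posValue = popValue()
@@ -226,7 +225,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 for retVal in (originalTbl[originalTbl.index(minValue)], originalTbl[originalTbl.index(minValue) + 1]):
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, retVal))
 queriesCount[0] += 1
-result = Request.queryPage(urlencode(forgedPayload))
+result = Request.queryPage(forgedPayload)
 
 if result:
 return chr(retVal) if retVal < 128 else unichr(retVal)
@@ -444,7 +443,7 @@ def downloadThread():
 query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
 query = agent.postfixQuery(query)
 queriesCount[0] += 1
-result = Request.queryPage(urlencode(agent.payload(newValue=query)))
+result = Request.queryPage(agent.payload(newValue=query))
 
 # Did we have luck?
 if result:
@@ -468,7 +467,7 @@ def downloadThread():
 query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
 query = agent.postfixQuery(query)
 queriesCount[0] += 1
-result = Request.queryPage(urlencode(agent.payload(newValue=query)))
+result = Request.queryPage(agent.payload(newValue=query))
 
 # Did we have luck?
 if result: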
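Review bot: The `urlencode()` wrappers are dropped here, but `tryHint` and `getChar` still call `payload.replace('%3E', '%3D')` on the template before formatting it, and that replacement only does anything if the template is already percent-encoded; with encoding now applied later by `agent.removePayloadDelimiters()` in lib/request/connect.py, the replace may have become a no-op, in which case the equality probes would go out with `>` instead of `=` and return wrong characters. Where `payload` is built is outside these hunks, so this needs checking against the caller; if the template is no longer encoded at this point, the three call sites should use `payload.replace('>', '=')`. `tryHint`, `getChar` and `downloadThread` all start outside their hunks.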
