Merge branch 'master' of github.com:sqlmapproject/sqlmap

bdamele · bdamele · commit 6bacbdb03159 · 2013-02-15T17:12:09.000Z
diff --git a/lib/core/common.py b/lib/core/common.py
@@ -829,6 +829,10 @@ def readInput(message, default=None, checkBatch=True):
     elif message[-1] == ']':
         message += " "
 
+    if kb.prependFlag:
+        message = "\n%s" % message
+        kb.prependFlag = False
+
     if conf.answers:
         for item in conf.answers.split(','):
             question = item.split('=')[0].strip()
@@ -2814,7 +2818,7 @@ def safeSQLIdentificatorNaming(name, isTable=False):
         if retVal.upper() in kb.keywords or not re.match(r"\A[A-Za-z0-9_@%s\$]+\Z" % ("." if _ else ""), retVal):  # MsSQL is the only DBMS where we automatically prepend schema to table name (dot is normal)
             if Backend.getIdentifiedDbms() in (DBMS.MYSQL, DBMS.ACCESS):
                 retVal = "`%s`" % retVal.strip("`")
-            elif Backend.getIdentifiedDbms() in (DBMS.ORACLE, DBMS.PGSQL, DBMS.DB2):
+            elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.DB2):
                 retVal = "\"%s\"" % retVal.strip("\"")
             elif Backend.getIdentifiedDbms() in (DBMS.MSSQL,):
                 retVal = "[%s]" % retVal.strip("[]")
diff --git a/lib/core/dump.py b/lib/core/dump.py
@@ -579,9 +579,9 @@ def dbColumns(self, dbColumnsDict, colConsider, dbs):
 
         for column in dbColumnsDict.keys():
             if colConsider == "1":
-                colConsiderStr = "s like '" + column + "' were"
+                colConsiderStr = "s like '%s' were" % unsafeSQLIdentificatorNaming(column)
             else:
-                colConsiderStr = " '%s' was" % column
+                colConsiderStr = " '%s' was" % unsafeSQLIdentificatorNaming(column)
 
             msg = "Column%s found in the " % colConsiderStr
             msg += "following databases:"
diff --git a/plugins/generic/databases.py b/plugins/generic/databases.py
@@ -247,7 +247,7 @@ def getTables(self, bruteForce=None):
                 return tableExists(paths.COMMON_TABLES)
 
         infoMsg = "fetching tables for database"
-        infoMsg += "%s: '%s'" % ("s" if len(dbs) > 1 else "", ", ".join(db if isinstance(db, basestring) else db[0] for db in sorted(dbs)))
+        infoMsg += "%s: '%s'" % ("s" if len(dbs) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(unArrayizeValue(db)) for db in sorted(dbs)))
         logger.info(infoMsg)
 
         rootQuery = queries[Backend.getIdentifiedDbms()].tables
@@ -261,7 +261,7 @@ def getTables(self, bruteForce=None):
                     query += " WHERE %s" % condition
 
                     if conf.excludeSysDbs:
-                        infoMsg = "skipping system database%s '%s'" % ("s" if len(self.excludeDbsList) > 1 else "", ", ".join(db for db in self.excludeDbsList))
+                        infoMsg = "skipping system database%s '%s'" % ("s" if len(self.excludeDbsList) > 1 else "", ", ".join(unsafeSQLIdentificatorNaming(db) for db in self.excludeDbsList))
                         logger.info(infoMsg)
                         query += " IN (%s)" % ",".join("'%s'" % unsafeSQLIdentificatorNaming(db) for db in sorted(dbs) if db not in self.excludeDbsList)
                     else:
@@ -290,7 +290,7 @@ def getTables(self, bruteForce=None):
         if not kb.data.cachedTables and isInferenceAvailable() and not conf.direct:
             for db in dbs:
                 if conf.excludeSysDbs and db in self.excludeDbsList:
-                    infoMsg = "skipping system database '%s'" % db
+                    infoMsg = "skipping system database '%s'" % unsafeSQLIdentificatorNaming(db)
                     logger.info(infoMsg)
 
                     continue
@@ -569,7 +569,7 @@ def getColumns(self, onlyColNames=False, colTuple=None, bruteForce=None):
                    and conf.db in kb.data.cachedColumns and tbl in \
                    kb.data.cachedColumns[conf.db]:
                     infoMsg = "fetched tables' columns on "
-                    infoMsg += "database '%s'" % conf.db
+                    infoMsg += "database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
                     logger.info(infoMsg)
 
                     return {conf.db: kb.data.cachedColumns[conf.db]}
@@ -692,7 +692,7 @@ def getColumns(self, onlyColNames=False, colTuple=None, bruteForce=None):
 
         if not kb.data.cachedColumns:
             warnMsg = "unable to retrieve column names for "
-            warnMsg += ("table '%s' " % tblList[0]) if len(tblList) == 1 else "any table "
+            warnMsg += ("table '%s' " % unsafeSQLIdentificatorNaming(unArrayizeValue(tblList))) if len(tblList) == 1 else "any table "
             warnMsg += "in database '%s'" % unsafeSQLIdentificatorNaming(conf.db)
             logger.warn(warnMsg)
 
diff --git a/plugins/generic/entries.py b/plugins/generic/entries.py
@@ -363,7 +363,7 @@ def dumpAll(self):
 
                         self.dumpTable()
                     except SqlmapNoneDataException:
-                        infoMsg = "skipping table '%s'" % table
+                        infoMsg = "skipping table '%s'" % unsafeSQLIdentificatorNaming(table)
                         logger.info(infoMsg)
 
     def dumpFoundColumn(self, dbs, foundCols, colConsider):
@@ -378,7 +378,7 @@ def dumpFoundColumn(self, dbs, foundCols, colConsider):
 
         for db, tblData in dbs.items():
             if tblData:
-                message += "[%s]\n" % db
+                message += "[%s]\n" % unsafeSQLIdentificatorNaming(db)
 
         message += "[q]uit"
         test = readInput(message, default="a")
@@ -396,7 +396,7 @@ def dumpFoundColumn(self, dbs, foundCols, colConsider):
 
             conf.db = db
             dumpFromTbls = []
-            message = "which table(s) of database '%s'?\n" % db
+            message = "which table(s) of database '%s'?\n" % unsafeSQLIdentificatorNaming(db)
             message += "[a]ll (default)\n"
 
             for tbl in tblData:
@@ -441,7 +441,7 @@ def dumpFoundTables(self, tables):
 
         for db, tablesList in tables.items():
             if tablesList:
-                message += "[%s]\n" % db
+                message += "[%s]\n" % unsafeSQLIdentificatorNaming(db)
 
         message += "[q]uit"
         test = readInput(message, default="a")
@@ -459,11 +459,11 @@ def dumpFoundTables(self, tables):
 
             conf.db = db
             dumpFromTbls = []
-            message = "which table(s) of database '%s'?\n" % db
+            message = "which table(s) of database '%s'?\n" % unsafeSQLIdentificatorNaming(db)
             message += "[a]ll (default)\n"
 
             for tbl in tablesList:
-                message += "[%s]\n" % tbl
+                message += "[%s]\n" % unsafeSQLIdentificatorNaming(tbl)
 
             message += "[s]kip\n"
             message += "[q]uit"
diff --git a/plugins/generic/search.py b/plugins/generic/search.py
@@ -508,7 +508,6 @@ def searchColumn(self):
                     colQuery = colQuery % unsafeSQLIdentificatorNaming(column)
 
                     for db in dbData:
-                        db = safeSQLIdentificatorNaming(db)
                         conf.db = origDb
                         conf.tbl = origTbl
 
@@ -519,7 +518,7 @@ def searchColumn(self):
                         logger.info(infoMsg)
 
                         query = rootQuery.blind.count2
-                        query = query % db
+                        query = query % unsafeSQLIdentificatorNaming(db)
                         query += " AND %s" % colQuery
                         query += whereTblsQuery
 
@@ -545,7 +544,7 @@ def searchColumn(self):
                             else:
                                 query += " AND %s" % (colQuery + whereTblsQuery)
 
-                            query = safeStringFormat(query, db)
+                            query = safeStringFormat(query, unsafeSQLIdentificatorNaming(db))
                             query = agent.limitQuery(index, query)
 
                             tbl = unArrayizeValue(inject.getValue(query, union=False, error=False))
