
Commit 78ba337

committed
Patch for known NCHAR/UNION-query SQLi problems
1 parent c6557e2 commit 78ba337

4 files changed

Lines changed: 13 additions & 1 deletion


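--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -499,6 +499,9 @@ def nullAndCastField(self, field):
 if suffix:
 nulledCastedField += suffix
 
+if not kb.nchar:
+nulledCastedField = re.sub(r"( AS )N(CHAR|VARCHAR)", r"\g<1>\g<2>", nulledCastedField)
+
 return nulledCastedField
 
 def nullCastConcatFields(self, fields):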
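Review bot: The new `if not kb.nchar:` branch gives no hint of who clears the flag or why, so a reader of nullAndCastField cannot tell when the plain CHAR/VARCHAR fallback is taken; a comment above the branch such as `# kb.nchar is cleared by the UNION technique once NCHAR casting proved incompatible with the original columns; strip the N prefix from the cast` would make the coupling explicit. The substitution runs over the whole assembled string, including the suffix appended just above, which is presumably intended but worth stating. The pattern `( AS )N(CHAR|VARCHAR)` is case-sensitive, which only holds if this code always emits the cast in upper case — confirm. nullAndCastField starts outside the hunk.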

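--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -2071,6 +2071,7 @@ def _setKnowledgeBaseAttributes(flushAll=True):
 kb.mergeCookies = None
 kb.multipleCtrlC = False
 kb.negativeLogic = False
+kb.nchar = True
 kb.nullConnection = None
 kb.oldMsf = None
 kb.orderByColumns = None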

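--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.4.11.17"
+VERSION = "1.4.12.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)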

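--- a/lib/techniques/union/use.py
+++ b/lib/techniques/union/use.py
@@ -157,12 +157,20 @@ def _(regex):
 warnMsg += "(probably due to its length and/or content): "
 warnMsg += safecharencode(trimmed)
 logger.warn(warnMsg)
+
 elif re.search(r"ORDER BY [^ ]+\Z", expression):
 debugMsg = "retrying failed SQL query without the ORDER BY clause"
 singleTimeDebugMessage(debugMsg)
 
 expression = re.sub(r"\s*ORDER BY [^ ]+\Z", "", expression)
 retVal = _oneShotUnionUse(expression, unpack, limited)
+
+
+elif kb.nchar and re.search(r" AS N(CHAR|VARCHAR)", agent.nullAndCastField(expression)):
+debugMsg = "turning off NATIONAL CHARACTER casting" # NOTE: in some cases there are "known" incompatibilities between original columns and NCHAR (e.g. http://testphp.vulnweb.com/artists.php?artist=1)
+singleTimeDebugMessage(debugMsg)
+
+kb.nchar = False
+retVal = _oneShotUnionUse(expression, unpack, limited)
 else:
 vector = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector
 kb.unionDuplicates = vector[7]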
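Review bot: `kb.nchar = False` in the new `elif` is a one-way, process-wide switch: after a single failed query trips the NCHAR check, every later nullAndCastField call for the rest of the run emits plain CHAR casts, and nothing restores the flag if the retry on the next line fails as well. If the retry outcome can be told from `retVal` the way the surrounding branches do it (not visible in this hunk), consider restoring the flag on failure, or at least state the session-wide effect in a comment such as `# sticky for the whole session: once NCHAR casting is found incompatible it is never re-enabled`. The condition also builds a full cast string via `agent.nullAndCastField(expression)` only to grep it, and its pattern ` AS N(CHAR|VARCHAR)` duplicates the substitution pattern in lib/core/agent.py, so the two can drift; one shared constant would keep them aligned. The trailing `# NOTE:` makes that line very long and would read better as a comment line above the `elif`. The enclosing function starts and ends outside the hunk.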
