Minor improvement to use Python ConfigParser library when --save if specified.

bdamele · bdamele · commit 9c125a2b577e · 2009-01-03T22:59:22.000Z
Minor update to the user's manual
diff --git a/doc/README.html b/doc/README.html
@@ -215,19 +215,14 @@ <H2><A NAME="ss1.3">1.3</A> <A HREF="#toc1.3">Techniques</A>
 statements support</B>: sqlmap tests if the web application supports
 stacked queries then, in case it does support, it appends to the affected
 parameter in the HTTP request, a semi-colon (<CODE>;</CODE>) followed by the
-SQL statement to be executed. This technique is useful if to run SQL
+SQL statement to be executed. This technique is useful to run SQL
 statements other than <CODE>SELECT</CODE> like, for instance, <EM>data
 definition</EM> or <EM>data manipulation</EM> statements possibly leading
 to file system read and write access and operating system command
-execution depending on the underlying back-end database management system.</LI>
+execution depending on the underlying back-end database management system
+and the session user privileges.</LI>
 </UL>
 </P>
-<P>It is strongly recommended to run at least once sqlmap with the
-<CODE>--union-test</CODE> option to test if the affected parameter is used
-within a <CODE>for</CODE> cycle, or similar, and in case use
-<CODE>--union-use</CODE> option to exploit this vulnerability because it
-saves a lot of time and it does not weight down the web server log file
-with hundreds of HTTP requests.</P>
 
 
 <H2><A NAME="s2">2.</A> <A HREF="#toc2">Features</A></H2>
@@ -2008,6 +2003,13 @@ <H3>Test for UNION query SQL injection</H3>
 In case this vulnerability is exploitable it is strongly recommended to
 use this technique which saves a lot of time.</P>
 
+<P>It is strongly recommended to run at least once sqlmap with the
+<CODE>--union-test</CODE> option to test if the affected parameter is used
+within a <CODE>for</CODE> cycle, or similar, and in case use
+<CODE>--union-use</CODE> option to exploit this vulnerability because it
+saves a lot of time and it does not weight down the web server log file
+with hundreds of HTTP requests.</P>
+
 
 <H3>Use the UNION query SQL injection</H3>
 
diff --git a/doc/README.pdf b/doc/README.pdf
diff --git a/doc/README.sgml b/doc/README.sgml
@@ -172,20 +172,14 @@ This SQL injection technique is an alternative to the first one.
 statements support</bf>: sqlmap tests if the web application supports
 stacked queries then, in case it does support, it appends to the affected
 parameter in the HTTP request, a semi-colon (<tt>;</tt>) followed by the
-SQL statement to be executed. This technique is useful if to run SQL
+SQL statement to be executed. This technique is useful to run SQL
 statements other than <tt>SELECT</tt> like, for instance, <em>data
 definition</em> or <em>data manipulation</em> statements possibly leading
 to file system read and write access and operating system command
-execution depending on the underlying back-end database management system.
+execution depending on the underlying back-end database management system
+and the session user privileges.
 </itemize>
 
-It is strongly recommended to run at least once sqlmap with the
-<tt>--union-test</tt> option to test if the affected parameter is used
-within a <tt>for</tt> cycle, or similar, and in case use
-<tt>--union-use</tt> option to exploit this vulnerability because it
-saves a lot of time and it does not weight down the web server log file
-with hundreds of HTTP requests.
-
 
 <sect>Features
 
@@ -1939,6 +1933,14 @@ affected by an inband SQL injection.
 In case this vulnerability is exploitable it is strongly recommended to
 use this technique which saves a lot of time.
 
+<p>
+It is strongly recommended to run at least once sqlmap with the
+<tt>--union-test</tt> option to test if the affected parameter is used
+within a <tt>for</tt> cycle, or similar, and in case use
+<tt>--union-use</tt> option to exploit this vulnerability because it
+saves a lot of time and it does not weight down the web server log file
+with hundreds of HTTP requests.
+
 
 <sect2>Use the UNION query SQL injection
 
diff --git a/lib/core/option.py b/lib/core/option.py
@@ -34,6 +34,8 @@
 import urllib2
 import urlparse
 
+from ConfigParser import ConfigParser
+
 from lib.core.common import parseTargetUrl
 from lib.core.common import paths
 from lib.core.common import randomRange
@@ -657,6 +659,7 @@ def __saveCmdline():
     debugMsg = "saving command line options on a sqlmap configuration INI file"
     logger.debug(debugMsg)
 
+    config   = ConfigParser()
     userOpts = {}
 
     for family in optDict.keys():
@@ -667,10 +670,8 @@ def __saveCmdline():
             if option in optionData:
                 userOpts[family].append((option, value, optionData[option]))
 
-    confFP = open(paths.SQLMAP_CONFIG, "w")
-
     for family, optionData in userOpts.items():
-        confFP.write("[%s]\n" % family)
+        config.add_section(family)
 
         optionData.sort()
 
@@ -691,12 +692,10 @@ def __saveCmdline():
             if isinstance(value, str):
                 value = value.replace("\n", "\n ")
 
-            confFP.write("%s = %s\n" % (option, value))
-
-        confFP.write("\n")
+            config.set(family, option, value)
 
-    confFP.flush()
-    confFP.close()
+    confFP = open(paths.SQLMAP_CONFIG, "wb")
+    config.write(confFP)
 
     infoMsg = "saved command line options on '%s' configuration file" % paths.SQLMAP_CONFIG
     logger.info(infoMsg)
