
Commit bc79eec

committed
removed queriesfile.py, implemented XMLObject approach (still shell.py and udf.py TODO)
1 parent be443c6 commit bc79eec

16 files changed

Lines changed: 169 additions & 401 deletions


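--- a/extra/xmlobject/xmlobject.py
+++ b/extra/xmlobject/xmlobject.py
@@ -142,6 +142,7 @@ def __init__(self, **kw):
 fobj = kw.get("file", None)
 raw = kw.get("raw", None)
 root = kw.get("root", None)
+textfilter = kw.get("textfilter", None)
 
 if path:
 self.path = path
@@ -176,6 +177,11 @@ def __init__(self, **kw):
 raise IncorrectRootTag("Gave root='%s', input has root='%s'" % (
 root, rootnode.nodeName))
 
+if textfilter:
+self.textfilter = textfilter
+else:
+self.textfilter = lambda x: x
+
 # need this for recursion in XMLNode
 self._childrenByName = {}
 self._children = []
@@ -278,7 +284,7 @@ def __init__(self, parent, node):
 self._value = None
 if isinstance(node, xml.dom.minidom.Text):
 self._type = "text"
-self._value = node.nodeValue
+self._value = self._root.textfilter(node.nodeValue)
 elif isinstance(node, xml.dom.minidom.Element):
 self._type = "node"
 elif isinstance(node, xml.dom.minidom.Comment):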
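Review bot: The filter is applied only where `XMLNode.__init__` wraps an `xml.dom.minidom.Text` node (new line 287), so if the `.query` values read by the callers in this commit are backed by XML attributes rather than text nodes, the `textfilter` supplied by the loader never touches them. How attributes are exposed is outside this hunk, so this needs confirming; if they should be filtered too, route attribute reads through `self._root.textfilter` as well. The truthiness test at new line 180 also accepts a non-callable truthy value, which then fails only at the first text node; `if callable(textfilter):` with an explicit error otherwise would fail at construction. The new keyword should get a line in the constructor documentation, for example `textfilter - optional callable applied to each text node value`. Both `__init__` bodies continue outside the hunks.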

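--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -220,8 +220,8 @@ def nullAndCastField(self, field):
 if field.startswith("(CASE"):
 nulledCastedField = field
 else:
-nulledCastedField = queries[kb.dbms].cast % field
-nulledCastedField = queries[kb.dbms].isnull % nulledCastedField
+nulledCastedField = queries[kb.dbms].cast.query % field
+nulledCastedField = queries[kb.dbms].isnull.query % nulledCastedField
 
 return nulledCastedField
 
@@ -260,7 +260,7 @@ def nullCastConcatFields(self, fields):
 
 fields = fields.replace(", ", ",")
 fieldsSplitted = fields.split(",")
-dbmsDelimiter = queries[kb.dbms].delimiter
+dbmsDelimiter = queries[kb.dbms].delimiter.query
 nulledCastedFields = []
 
 for field in fieldsSplitted:
@@ -516,18 +516,18 @@ def limitQuery(self, num, query, field=None):
 """
 
 limitedQuery = query
-limitStr = queries[kb.dbms].limit
+limitStr = queries[kb.dbms].limit.query
 fromIndex = limitedQuery.index(" FROM ")
 untilFrom = limitedQuery[:fromIndex]
 fromFrom = limitedQuery[fromIndex+1:]
 orderBy = False
 
 if kb.dbms in ( "MySQL", "PostgreSQL", "SQLite" ):
-limitStr = queries[kb.dbms].limit % (num, 1)
+limitStr = queries[kb.dbms].limit.query % (num, 1)
 limitedQuery += " %s" % limitStr
 
 elif kb.dbms == "Firebird":
-limitStr = queries[kb.dbms].limit % (num+1, num+1)
+limitStr = queries[kb.dbms].limit.query % (num+1, num+1)
 limitedQuery += " %s" % limitStr
 
 elif kb.dbms == "Oracle":
@@ -556,7 +556,7 @@ def limitQuery(self, num, query, field=None):
 limitedQuery = limitedQuery.replace("DISTINCT %s" % notDistinct, notDistinct)
 
 if limitedQuery.startswith("SELECT TOP ") or limitedQuery.startswith("TOP "):
-topNums = re.search(queries[kb.dbms].limitregexp, limitedQuery, re.I)
+topNums = re.search(queries[kb.dbms].limitregexp.query, limitedQuery, re.I)
 
 if topNums:
 topNums = topNums.groups()
@@ -602,7 +602,7 @@ def forgeCaseStatement(self, expression):
 @rtype: C{str}
 """
 
-return queries[kb.dbms].case % expression
+return queries[kb.dbms].case.query % expression
 
 # SQL agent
 agent = Agent()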
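Review bot: The unconditional `limitStr = queries[kb.dbms].limit.query` at new line 519 of `limitQuery` now dereferences two levels before the DBMS branch is chosen, so a DBMS entry without a `limit` node would presumably fail there even on a branch that never formats `limitStr`. How XMLNode reports a missing child is not visible on this page, so this needs confirming. The MySQL/PostgreSQL/SQLite and Firebird branches re-read the template themselves, so the initial read could move into the branches that actually need it. The same chained lookup is repeated in `nullAndCastField`, `nullCastConcatFields` and `forgeCaseStatement`; a small accessor that raises an error naming the DBMS and the missing key would make a malformed queries file easier to diagnose. `limitQuery` continues outside both of its hunks.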

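--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -909,14 +909,14 @@ def getDelayQuery(andCond=False):
 banVer = kb.bannerFp["dbmsVersion"]
 
 if (kb.dbms == "MySQL" and banVer >= "5.0.12") or (kb.dbms == "PostgreSQL" and banVer >= "8.2"):
-query = queries[kb.dbms].timedelay % conf.timeSec
+query = queries[kb.dbms].timedelay.query % conf.timeSec
 
 else:
-query = queries[kb.dbms].timedelay2 % conf.timeSec
+query = queries[kb.dbms].timedelay.query2 % conf.timeSec
 elif kb.dbms == "Firebird":
-query = queries[kb.dbms].timedelay
+query = queries[kb.dbms].timedelay.query
 else:
-query = queries[kb.dbms].timedelay % conf.timeSec
+query = queries[kb.dbms].timedelay.query % conf.timeSec
 
 if andCond:
 if kb.dbms in ( "MySQL", "SQLite" ):
@@ -1078,6 +1078,8 @@ def safeStringFormat(formatStr, params):
 if count < len(params):
 retVal = retVal[:index] + getUnicode(params[count]) + retVal[index+2:]
 else:
+import pdb
+pdb.set_trace()
 raise sqlmapNoneDataException, "wrong number of parameters during string formatting"
 count += 1
 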
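Review bot: The added `import pdb` and `pdb.set_trace()` in `safeStringFormat` (new lines 1081-1082) look like a leftover debugging breakpoint. On a parameter-count mismatch the process now stops in an interactive debugger before reaching the `raise`, which stalls unattended or piped runs and exposes an interactive Python prompt on the controlling terminal. Both lines should be removed so the `else` branch goes straight to `raise sqlmapNoneDataException, "wrong number of parameters during string formatting"`. If the mismatch needs diagnosing, put `formatStr` and the parameter count in the exception message instead. Separately, `getDelayQuery` now reads `timedelay.query2` where it read `timedelay2`, which only works if the XML defines a `query2` value for every DBMS that reaches that branch, and that cannot be confirmed from this page.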

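--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -37,6 +37,7 @@
 from lib.core.data import kb
 from lib.core.data import logger
 from lib.core.data import paths
+from lib.core.data import queries
 from lib.core.datatype import advancedDict
 from lib.core.exception import sqlmapFilePathException
 from lib.core.exception import sqlmapGenericException
@@ -55,7 +56,6 @@
 from lib.core.settings import VERSION_STRING
 from lib.core.update import update
 from lib.parse.configfile import configFileParser
-from lib.parse.queriesfile import queriesParser
 from lib.request.proxy import ProxyHTTPSHandler
 from lib.request.certhandler import HTTPSCertAuthHandler
 from lib.request.redirecthandler import SmartRedirectHandler
@@ -195,6 +195,13 @@ def __feedTargetsDict(reqFile, addedTargetUrls):
 kb.targetUrls.add((url, method, data, cookie))
 addedTargetUrls.add(url)
 
+def __loadQueries():
+"""
+Loads queries from 'xml/queries.xml' file.
+"""
+for node in xmlobject.XMLFile(path=paths.QUERIES_XML, textfilter=sanitizeStr).root.dbms:
+queries[node.value] = node
+
 def __setMultipleTargets():
 """
 Define a configuration parameter if we are running in multiple target
@@ -1258,4 +1265,4 @@ def init(inputOptions=advancedDict()):
 __setMetasploit()
 
 update()
-queriesParser()
+__loadQueries()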
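Review bot: `__loadQueries()` uses `xmlobject` and `sanitizeStr`, but the import hunks shown for this file add only `from lib.core.data import queries`. Unless both names are already imported in a part of the file outside these hunks, the call at the end of `init()` raises NameError. The loader also has no handling for a missing or malformed file at `paths.QUERIES_XML`, so a broken install would surface as a raw exception from the XML layer. Checking the path first and raising the already-imported `sqlmapFilePathException` with the path in the message would give a clearer failure. `queries[node.value] = node` also silently keeps the last entry when two `dbms` nodes share a value; a duplicate check, or a comment stating that the last one wins, would make that intent explicit.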

lib/parse/queriesfile.py

Lines changed: 0 additions & 240 deletions
This file was deleted.
