Skip to content

Commit 89ddc5a

Browse files
committed
Minor patch
1 parent f65dc92 commit 89ddc5a

3 files changed

Lines changed: 14 additions & 9 deletions

File tree

lib/core/settings.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -20,7 +20,7 @@
2020
from thirdparty import six
2121

2222
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
23-
VERSION = "1.10.7.37"
23+
VERSION = "1.10.7.38"
2424
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
2525
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
2626
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

plugins/dbms/oracle/syntax.py

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,6 +16,8 @@ def escape(expression, quote=True):
1616
True
1717
>>> Syntax.escape(u"SELECT 'abcd\xebfgh' FROM foobar") == "SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||NCHR(235)||CHR(102)||CHR(103)||CHR(104) FROM foobar"
1818
True
19+
>>> Syntax.escape("SELECT 'a''b' FROM DUAL") == "SELECT CHR(97)||CHR(39)||CHR(98) FROM DUAL"
20+
True
1921
"""
2022

2123
def escaper(value):

plugins/generic/syntax.py

Lines changed: 11 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -26,18 +26,21 @@ def _escape(expression, quote=True, escaper=None):
2626
retVal = expression
2727

2828
if quote:
29-
for item in re.findall(r"'[^']*'+", expression):
30-
original = item[1:-1]
31-
if original:
29+
# Match a full SQL string literal, honouring the '' (doubled single quote) escape - e.g.
30+
# 'a''b' is ONE literal whose value is a'b, not 'a'' followed by a dangling b'. The old
31+
# r"'[^']*'+" split on the inner '' and left the tail bare, corrupting the encoded payload.
32+
for item in re.findall(r"'(?:[^']|'')*'", expression):
33+
value = item[1:-1].replace("''", "'") # inner content with '' collapsed to the real quote
34+
if value:
3235
if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:
3336
continue
34-
if re.search(r"\[(SLEEPTIME|RAND)", original) is None: # e.g. '[SLEEPTIME]' marker
35-
replacement = escaper(original) if not conf.noEscape else original
37+
if re.search(r"\[(SLEEPTIME|RAND)", value) is None: # e.g. '[SLEEPTIME]' marker
38+
replacement = escaper(value) if not conf.noEscape else value
3639

37-
if replacement != original:
40+
if replacement != value:
3841
retVal = retVal.replace(item, replacement)
39-
elif len(original) != len(getBytes(original)) and "n'%s'" % original not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
40-
retVal = retVal.replace("'%s'" % original, "n'%s'" % original)
42+
elif len(value) != len(getBytes(value)) and "n%s" % item not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
43+
retVal = retVal.replace(item, "n%s" % item)
4144
else:
4245
retVal = escaper(expression)
4346

0 commit comments

Comments
 (0)