コード例 #1
0
    def unescape(expression, quote=True):
        if isDBMSVersionAtLeast('2.1'):
            if quote:
                while True:
                    index = expression.find("'")
                    if index == -1:
                        break

                    firstIndex = index + 1
                    index = expression[firstIndex:].find("'")

                    if index == -1:
                        raise SqlmapSyntaxException("Unenclosed ' in '%s'" %
                                                    expression)

                    lastIndex = firstIndex + index
                    old = "'%s'" % expression[firstIndex:lastIndex]
                    unescaped = ""

                    for i in xrange(firstIndex, lastIndex):
                        unescaped += "ASCII_CHAR(%d)" % (ord(expression[i]))
                        if i < lastIndex - 1:
                            unescaped += "||"

                    expression = expression.replace(old, unescaped)
            else:
                unescaped = "".join("ASCII_CHAR(%d)||" % ord(c)
                                    for c in expression)
                if unescaped[-1] == "||":
                    unescaped = unescaped[:-1]

                expression = unescaped

        return expression
コード例 #2
0
ファイル: syntax.py プロジェクト: Marquand/Script
    def unescape(expression, quote=True):
        if isDBMSVersionAtLeast('2.1'):
            if quote:
                while True:
                    index = expression.find("'")
                    if index == -1:
                        break

                    firstIndex = index + 1
                    index = expression[firstIndex:].find("'")

                    if index == -1:
                        raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression

                    lastIndex = firstIndex + index
                    old = "'%s'" % expression[firstIndex:lastIndex]
                    unescaped = ""

                    for i in range(firstIndex, lastIndex):
                        unescaped += "ASCII_CHAR(%d)" % (ord(expression[i]))
                        if i < lastIndex - 1:
                            unescaped += "||"

                    expression = expression.replace(old, unescaped)
            else:
                unescaped = "".join("ASCII_CHAR(%d)||" % ord(c) for c in expression)
                if unescaped[-1] == "||":
                    unescaped = unescaped[:-1]

                expression = unescaped

        return expression
コード例 #3
0
    def escape(expression, quote=True):
        """
        >>> from lib.core.common import Backend
        >>> Backend.setVersion('12.10')
        ['12.10']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
        """
        def escaper(value):
            return "||".join("CHR(%d)" % ord(_) for _ in value)

        retVal = expression

        if isDBMSVersionAtLeast("11.70"):
            excluded = {}
            for _ in re.findall(r"DBINFO\([^)]+\)", expression):
                excluded[_] = randomStr()
                expression = expression.replace(_, excluded[_])

            retVal = Syntax._escape(expression, quote, escaper)

            for _ in excluded.items():
                retVal = retVal.replace(_[1], _[0])

        return retVal
コード例 #4
0
ファイル: syntax.py プロジェクト: zhiwenuil/sqlmap
    def unescape(expression, quote=True):
        if isDBMSVersionAtLeast('3'):
            if quote:
                expression = expression.replace("'", "''")
                while True:
                    index = expression.find("''")
                    if index == -1:
                        break

                    firstIndex = index + 2
                    index = expression[firstIndex:].find("''")

                    if index == -1:
                        raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression.replace("''", "'")

                    lastIndex = firstIndex + index
                    old = "''%s''" % expression[firstIndex:lastIndex]
                    unescaped = ""

                    for i in xrange(firstIndex, lastIndex):
                        unescaped += "X'%x'" % ord(expression[i])
                        if i < lastIndex - 1:
                            unescaped += "||"

                    #unescaped += ")"
                    expression = expression.replace(old, unescaped)
                expression = expression.replace("''", "'")
            else:
                expression = "||".join("X'%x" % ord(c) for c in expression)

        return expression
コード例 #5
0
ファイル: syntax.py プロジェクト: rahulunair/sqlmap
    def escape(expression, quote=True):
        """
        >>> from lib.core.common import Backend
        >>> Backend.setVersion('12.10')
        ['12.10']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        'SELECT CHR(97)||CHR(98)||CHR(99)||CHR(100)||CHR(101)||CHR(102)||CHR(103)||CHR(104) FROM foobar'
        """

        def escaper(value):
            return "||".join("CHR(%d)" % ord(_) for _ in value)

        retVal = expression

        if isDBMSVersionAtLeast("11.70"):
            excluded = {}
            for _ in re.findall(r"DBINFO\([^)]+\)", expression):
                excluded[_] = randomStr()
                expression = expression.replace(_, excluded[_])

            retVal = Syntax._escape(expression, quote, escaper)

            for _ in excluded.items():
                retVal = retVal.replace(_[1], _[0])

        return retVal
コード例 #6
0
ファイル: syntax.py プロジェクト: kaibo9314/Script
    def unescape(expression, quote=True):
        if isDBMSVersionAtLeast('3'):
            if quote:
                expression = expression.replace("'", "''")
                while True:
                    index = expression.find("''")
                    if index == -1:
                        break

                    firstIndex = index + 2
                    index = expression[firstIndex:].find("''")

                    if index == -1:
                        raise sqlmapSyntaxException, "Unenclosed ' in '%s'" % expression.replace(
                            "''", "'")

                    lastIndex = firstIndex + index
                    old = "''%s''" % expression[firstIndex:lastIndex]
                    unescaped = ""

                    for i in range(firstIndex, lastIndex):
                        unescaped += "X'%x'" % ord(expression[i])
                        if i < lastIndex - 1:
                            unescaped += "||"

                    #unescaped += ")"
                    expression = expression.replace(old, unescaped)
                expression = expression.replace("''", "'")
            else:
                expression = "||".join("X'%x" % ord(c) for c in expression)

        return expression
コード例 #7
0
ファイル: syntax.py プロジェクト: Mybrc91/sqlmap
    def escape(expression, quote=True):
        def escaper(value):
            return "CAST(X'%s' AS TEXT)" % binascii.hexlify(value)

        retVal = expression

        if isDBMSVersionAtLeast("3"):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #8
0
ファイル: syntax.py プロジェクト: chiehwen/sqlmap
    def escape(expression, quote=True):
        def escaper(value):
            return "||".join("ASCII_CHAR(%d)" % ord(_) for _ in value)

        retVal = expression

        if isDBMSVersionAtLeast('2.1'):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #9
0
ファイル: syntax.py プロジェクト: bussiere/sqlmap
    def escape(expression, quote=True):
        def escaper(value):
            return "X'%s'" % binascii.hexlify(value)

        retVal = expression

        if isDBMSVersionAtLeast('3'):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #10
0
ファイル: syntax.py プロジェクト: CodericSandbox/sqlmap
    def escape(expression, quote=True):
        def escaper(value):
            # Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
            return "CAST(X'%s' AS TEXT)" % binascii.hexlify(value.encode(UNICODE_ENCODING) if isinstance(value, unicode) else value)

        retVal = expression

        if isDBMSVersionAtLeast('3'):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #11
0
ファイル: agent.py プロジェクト: vasubesimple/w3af
    def nullAndCastField(self, field):
        """
        Take in input a field string and return its processed nulled and
        casted field string.

        Examples:

        MySQL input:  VERSION()
        MySQL output: IFNULL(CAST(VERSION() AS CHAR(10000)), ' ')
        MySQL scope:  VERSION()

        PostgreSQL input:  VERSION()
        PostgreSQL output: COALESCE(CAST(VERSION() AS CHARACTER(10000)), ' ')
        PostgreSQL scope:  VERSION()

        Oracle input:  banner
        Oracle output: NVL(CAST(banner AS VARCHAR(4000)), ' ')
        Oracle scope:  SELECT banner FROM v$version WHERE ROWNUM=1

        Microsoft SQL Server input:  @@VERSION
        Microsoft SQL Server output: ISNULL(CAST(@@VERSION AS VARCHAR(8000)), ' ')
        Microsoft SQL Server scope:  @@VERSION

        @param field: field string to be processed
        @type field: C{str}

        @return: field string nulled and casted
        @rtype: C{str}
        """

        nulledCastedField = field

        if field:
            rootQuery = queries[Backend.getIdentifiedDbms()]

            if field.startswith("(CASE") or field.startswith(
                    "(IIF") or conf.noCast:
                nulledCastedField = field
            else:
                if not (Backend.isDbms(DBMS.SQLITE)
                        and not isDBMSVersionAtLeast('3')):
                    nulledCastedField = rootQuery.cast.query % field
                if Backend.getIdentifiedDbms() in (DBMS.ACCESS, ):
                    nulledCastedField = rootQuery.isnull.query % (
                        nulledCastedField, nulledCastedField)
                else:
                    nulledCastedField = rootQuery.isnull.query % nulledCastedField

            kb.binaryField = conf.binaryFields and field in conf.binaryFields.split(
                ',')
            if conf.hexConvert or kb.binaryField:
                nulledCastedField = self.hexConvertField(nulledCastedField)

        return nulledCastedField
コード例 #12
0
ファイル: syntax.py プロジェクト: charl1/sqlmap
    def escape(expression, quote=True):
        unescaped = expression

        if isDBMSVersionAtLeast('3'):
            if quote:
                for item in re.findall(r"'[^']+'", expression, re.S):
                    unescaped = unescaped.replace(item, "X'%s'" % binascii.hexlify(item.strip("'")))
            else:
                unescaped = "X'%s'" % binascii.hexlify(expression)

        return unescaped
    def unescape(expression, quote=True):
        unescaped = expression

        if isDBMSVersionAtLeast('3'):
            if quote:
                for item in re.findall(r"'[^']+'", expression, re.S):
                    unescaped = unescaped.replace(item, "X'%s'" % binascii.hexlify(item.strip("'")))
            else:
                unescaped = "X'%s'" % binascii.hexlify(expression)

        return unescaped
コード例 #14
0
ファイル: agent.py プロジェクト: KibodWapon/sqlmap_research
    def nullAndCastField(self, field):
        """
        Take in input a field string and return its processed nulled and
        casted field string.

        Examples:

        MySQL input:  VERSION()
        MySQL output: IFNULL(CAST(VERSION() AS CHAR(10000)), ' ')
        MySQL scope:  VERSION()

        PostgreSQL input:  VERSION()
        PostgreSQL output: COALESCE(CAST(VERSION() AS CHARACTER(10000)), ' ')
        PostgreSQL scope:  VERSION()

        Oracle input:  banner
        Oracle output: NVL(CAST(banner AS VARCHAR(4000)), ' ')
        Oracle scope:  SELECT banner FROM v$version WHERE ROWNUM=1

        Microsoft SQL Server input:  @@VERSION
        Microsoft SQL Server output: ISNULL(CAST(@@VERSION AS VARCHAR(8000)), ' ')
        Microsoft SQL Server scope:  @@VERSION

        @param field: field string to be processed
        @type field: C{str}

        @return: field string nulled and casted
        @rtype: C{str}
        """

        nulledCastedField = field

        if field:
            rootQuery = queries[Backend.getIdentifiedDbms()]

            if field.startswith("(CASE") or field.startswith("(IIF") or conf.noCast:
                nulledCastedField = field
            else:
                if not (Backend.isDbms(DBMS.SQLITE) and not isDBMSVersionAtLeast('3')):
                    nulledCastedField = rootQuery.cast.query % field
                if Backend.getIdentifiedDbms() in (DBMS.ACCESS,):
                    nulledCastedField = rootQuery.isnull.query % (nulledCastedField, nulledCastedField)
                else:
                    if rootQuery.isnull.query.count('%')==2:
                        nulledCastedField = rootQuery.isnull.query % (nulledCastedField,nulledCastedField)

                    else:
                        nulledCastedField = rootQuery.isnull.query % nulledCastedField

            kb.binaryField = conf.binaryFields and field in conf.binaryFields.split(',')
            if conf.hexConvert or kb.binaryField:
                nulledCastedField = self.hexConvertField(nulledCastedField)

        return nulledCastedField
コード例 #15
0
ファイル: agent.py プロジェクト: naivesoft/sqlmap
    def cleanupPayload(self, payload, origValue=None):
        if payload is None:
            return

        replacements = (
            ("[DELIMITER_START]", kb.chars.start),
            ("[DELIMITER_STOP]", kb.chars.stop),
            ("[AT_REPLACE]", kb.chars.at),
            ("[SPACE_REPLACE]", kb.chars.space),
            ("[DOLLAR_REPLACE]", kb.chars.dollar),
            ("[HASH_REPLACE]", kb.chars.hash_),
            ("[GENERIC_SQL_COMMENT]", GENERIC_SQL_COMMENT)
        )
        payload = reduce(lambda x, y: x.replace(y[0], y[1]), replacements, payload)

        for _ in set(re.findall(r"(?i)\[RANDNUM(?:\d+)?\]", payload)):
            payload = payload.replace(_, str(randomInt()))

        for _ in set(re.findall(r"(?i)\[RANDSTR(?:\d+)?\]", payload)):
            payload = payload.replace(_, randomStr())

        if origValue is not None:
            origValue = getUnicode(origValue)
            if "[ORIGVALUE]" in payload:
                payload = getUnicode(payload).replace("[ORIGVALUE]", origValue if origValue.isdigit() else unescaper.escape("'%s'" % origValue))
            if "[ORIGINAL]" in payload:
                payload = getUnicode(payload).replace("[ORIGINAL]", origValue)

        if INFERENCE_MARKER in payload:
            if Backend.getIdentifiedDbms() is not None:
                inference = queries[Backend.getIdentifiedDbms()].inference

                if "dbms_version" in inference:
                    if isDBMSVersionAtLeast(inference.dbms_version):
                        inferenceQuery = inference.query
                    else:
                        inferenceQuery = inference.query2
                else:
                    inferenceQuery = inference.query

                payload = payload.replace(INFERENCE_MARKER, inferenceQuery)
            elif not kb.testMode:
                errMsg = "invalid usage of inference payload without "
                errMsg += "knowledge of underlying DBMS"
                raise SqlmapNoneDataException(errMsg)

        return payload
コード例 #16
0
ファイル: agent.py プロジェクト: cosmosSay/sqlmap
    def cleanupPayload(self, payload, origValue=None):
        if payload is None:
            return

        replacements = (
            ("[DELIMITER_START]", kb.chars.start),
            ("[DELIMITER_STOP]", kb.chars.stop),
            ("[AT_REPLACE]", kb.chars.at),
            ("[SPACE_REPLACE]", kb.chars.space),
            ("[DOLLAR_REPLACE]", kb.chars.dollar),
            ("[HASH_REPLACE]", kb.chars.hash_),
            ("[GENERIC_SQL_COMMENT]", GENERIC_SQL_COMMENT)
        )
        payload = reduce(lambda x, y: x.replace(y[0], y[1]), replacements, payload)

        for _ in set(re.findall(r"(?i)\[RANDNUM(?:\d+)?\]", payload)):
            payload = payload.replace(_, str(randomInt()))

        for _ in set(re.findall(r"(?i)\[RANDSTR(?:\d+)?\]", payload)):
            payload = payload.replace(_, randomStr())

        if origValue is not None:
            origValue = getUnicode(origValue)
            if "[ORIGVALUE]" in payload:
                payload = getUnicode(payload).replace("[ORIGVALUE]", origValue if origValue.isdigit() else unescaper.escape("'%s'" % origValue))
            if "[ORIGINAL]" in payload:
                payload = getUnicode(payload).replace("[ORIGINAL]", origValue)

        if INFERENCE_MARKER in payload:
            if Backend.getIdentifiedDbms() is not None:
                inference = queries[Backend.getIdentifiedDbms()].inference

                if "dbms_version" in inference:
                    if isDBMSVersionAtLeast(inference.dbms_version):
                        inferenceQuery = inference.query
                    else:
                        inferenceQuery = inference.query2
                else:
                    inferenceQuery = inference.query

                payload = payload.replace(INFERENCE_MARKER, inferenceQuery)
            elif not kb.testMode:
                errMsg = "invalid usage of inference payload without "
                errMsg += "knowledge of underlying DBMS"
                raise SqlmapNoneDataException(errMsg)

        return payload
コード例 #17
0
ファイル: agent.py プロジェクト: zhiwenuil/sqlmap
    def cleanupPayload(self, payload, origValue=None):
        if payload is None:
            return

        randInt = randomInt()
        randInt1 = randomInt()
        randStr = randomStr()
        randStr1 = randomStr()

        payload = payload.replace("[RANDNUM]", str(randInt))
        payload = payload.replace("[RANDNUM1]", str(randInt1))
        payload = payload.replace("[RANDSTR]", randStr)
        payload = payload.replace("[RANDSTR1]", randStr1)
        payload = payload.replace("[DELIMITER_START]", kb.chars.start)
        payload = payload.replace("[DELIMITER_STOP]", kb.chars.stop)
        payload = payload.replace("[AT_REPLACE]", kb.chars.at)
        payload = payload.replace("[SPACE_REPLACE]", kb.chars.space)
        payload = payload.replace("[DOLLAR_REPLACE]", kb.chars.dollar)
        payload = payload.replace("[SLEEPTIME]", str(conf.timeSec))

        if origValue is not None:
            payload = payload.replace("[ORIGVALUE]", origValue)

        if "[INFERENCE]" in payload:
            if Backend.getIdentifiedDbms() is not None:
                inference = queries[Backend.getIdentifiedDbms()].inference

                if "dbms_version" in inference:
                    if isDBMSVersionAtLeast(inference.dbms_version):
                        inferenceQuery = inference.query
                    else:
                        inferenceQuery = inference.query2
                else:
                    inferenceQuery = inference.query

                payload = payload.replace("[INFERENCE]", inferenceQuery)
            else:
                errMsg = "invalid usage of inference payload without "
                errMsg += "knowledge of underlying DBMS"
                raise sqlmapNoneDataException, errMsg

        return payload
コード例 #18
0
ファイル: agent.py プロジェクト: franx47/sqlmap
    def cleanupPayload(self, payload, origValue=None):
        if payload is None:
            return

        _ = (
            ("[DELIMITER_START]", kb.chars.start),
            ("[DELIMITER_STOP]", kb.chars.stop),
            ("[AT_REPLACE]", kb.chars.at),
            ("[SPACE_REPLACE]", kb.chars.space),
            ("[DOLLAR_REPLACE]", kb.chars.dollar),
            ("[HASH_REPLACE]", kb.chars.hash_),
        )
        payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)

        for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):
            payload = payload.replace(_, str(randomInt()))

        for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)):
            payload = payload.replace(_, randomStr())

        if origValue is not None:
            payload = payload.replace("[ORIGVALUE]", origValue if origValue.isdigit() else "'%s'" % origValue)

        if "[INFERENCE]" in payload:
            if Backend.getIdentifiedDbms() is not None:
                inference = queries[Backend.getIdentifiedDbms()].inference

                if "dbms_version" in inference:
                    if isDBMSVersionAtLeast(inference.dbms_version):
                        inferenceQuery = inference.query
                    else:
                        inferenceQuery = inference.query2
                else:
                    inferenceQuery = inference.query

                payload = payload.replace("[INFERENCE]", inferenceQuery)
            else:
                errMsg = "invalid usage of inference payload without "
                errMsg += "knowledge of underlying DBMS"
                raise sqlmapNoneDataException, errMsg

        return payload
コード例 #19
0
ファイル: syntax.py プロジェクト: webvul/webfuzzer
    def escape(expression, quote=True):
        """
        >>> Backend.setVersion('2.0')
        ['2.0']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT 'abcdefgh' FROM foobar"
        >>> Backend.setVersion('2.1')
        ['2.1']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        'SELECT ASCII_CHAR(97)||ASCII_CHAR(98)||ASCII_CHAR(99)||ASCII_CHAR(100)||ASCII_CHAR(101)||ASCII_CHAR(102)||ASCII_CHAR(103)||ASCII_CHAR(104) FROM foobar'
        """
        def escaper(value):
            return "||".join("ASCII_CHAR(%d)" % ord(_) for _ in value)

        retVal = expression

        if isDBMSVersionAtLeast("2.1"):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #20
0
    def cleanupPayload(self, payload, origValue=None):
        if payload is None:
            return

        _ = (
                ("[DELIMITER_START]", kb.chars.start), ("[DELIMITER_STOP]", kb.chars.stop),\
                ("[AT_REPLACE]", kb.chars.at), ("[SPACE_REPLACE]", kb.chars.space), ("[DOLLAR_REPLACE]", kb.chars.dollar),\
                ("[HASH_REPLACE]", kb.chars.hash_)
            )
        payload = reduce(lambda x, y: x.replace(y[0], y[1]), _, payload)

        for _ in set(re.findall(r"\[RANDNUM(?:\d+)?\]", payload, re.I)):
            payload = payload.replace(_, str(randomInt()))

        for _ in set(re.findall(r"\[RANDSTR(?:\d+)?\]", payload, re.I)):
            payload = payload.replace(_, randomStr())

        if origValue is not None:
            payload = payload.replace(
                "[ORIGVALUE]",
                origValue if origValue.isdigit() else "'%s'" % origValue)

        if "[INFERENCE]" in payload:
            if Backend.getIdentifiedDbms() is not None:
                inference = queries[Backend.getIdentifiedDbms()].inference

                if "dbms_version" in inference:
                    if isDBMSVersionAtLeast(inference.dbms_version):
                        inferenceQuery = inference.query
                    else:
                        inferenceQuery = inference.query2
                else:
                    inferenceQuery = inference.query

                payload = payload.replace("[INFERENCE]", inferenceQuery)
            else:
                errMsg = "invalid usage of inference payload without "
                errMsg += "knowledge of underlying DBMS"
                raise SqlmapNoneDataException, errMsg

        return payload
コード例 #21
0
ファイル: syntax.py プロジェクト: Ettack/csqlmap
    def escape(expression, quote=True):
        """
        >>> Backend.setVersion('2.0')
        ['2.0']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT 'abcdefgh' FROM foobar"
        >>> Backend.setVersion('2.1')
        ['2.1']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        'SELECT ASCII_CHAR(97)||ASCII_CHAR(98)||ASCII_CHAR(99)||ASCII_CHAR(100)||ASCII_CHAR(101)||ASCII_CHAR(102)||ASCII_CHAR(103)||ASCII_CHAR(104) FROM foobar'
        """

        def escaper(value):
            return "||".join("ASCII_CHAR(%d)" % ord(_) for _ in value)

        retVal = expression

        if isDBMSVersionAtLeast("2.1"):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #22
0
    def escape(expression, quote=True):
        """
        >>> from lib.core.common import Backend
        >>> Backend.setVersion('2.0')
        ['2.0']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT 'abcdefgh' FROM foobar"
        True
        >>> Backend.setVersion('2.1')
        ['2.1']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar") == "SELECT ASCII_CHAR(97)||ASCII_CHAR(98)||ASCII_CHAR(99)||ASCII_CHAR(100)||ASCII_CHAR(101)||ASCII_CHAR(102)||ASCII_CHAR(103)||ASCII_CHAR(104) FROM foobar"
        True
        """
        def escaper(value):
            return "||".join("ASCII_CHAR(%d)" % _ for _ in getOrds(value))

        retVal = expression

        if isDBMSVersionAtLeast("2.1"):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #23
0
ファイル: syntax.py プロジェクト: 0x0mar/sqlmap
    def escape(expression, quote=True):
        """
        >>> Backend.setVersion('2')
        ['2']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT 'abcdefgh' FROM foobar"
        >>> Backend.setVersion('3')
        ['3']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
        """

        def escaper(value):
            # Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
            return "CAST(X'%s' AS TEXT)" % binascii.hexlify(value.encode(UNICODE_ENCODING) if isinstance(value, unicode) else value)

        retVal = expression

        if isDBMSVersionAtLeast('3'):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #24
0
ファイル: syntax.py プロジェクト: copperfieldd/sqlmap-1
    def escape(expression, quote=True):
        """
        >>> from lib.core.common import Backend
        >>> Backend.setVersion('2')
        ['2']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT 'abcdefgh' FROM foobar"
        >>> Backend.setVersion('3')
        ['3']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
        """
        def escaper(value):
            # Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
            return "CAST(X'%s' AS TEXT)" % binascii.hexlify(getBytes(value))

        retVal = expression

        if isDBMSVersionAtLeast('3'):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #25
0
ファイル: syntax.py プロジェクト: rahulunair/sqlmap
    def escape(expression, quote=True):
        """
        >>> from lib.core.common import Backend
        >>> Backend.setVersion('2')
        ['2']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT 'abcdefgh' FROM foobar"
        >>> Backend.setVersion('3')
        ['3']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
        """

        def escaper(value):
            # Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
            return "CAST(X'%s' AS TEXT)" % binascii.hexlify(getBytes(value))

        retVal = expression

        if isDBMSVersionAtLeast('3'):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal
コード例 #26
0
ファイル: syntax.py プロジェクト: weisst/w3af
    def escape(expression, quote=True):
        """
        >>> Backend.setVersion('2')
        ['2']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT 'abcdefgh' FROM foobar"
        >>> Backend.setVersion('3')
        ['3']
        >>> Syntax.escape("SELECT 'abcdefgh' FROM foobar")
        "SELECT CAST(X'6162636465666768' AS TEXT) FROM foobar"
        """
        def escaper(value):
            # Reference: http://stackoverflow.com/questions/3444335/how-do-i-quote-a-utf-8-string-literal-in-sqlite3
            return "CAST(X'%s' AS TEXT)" % binascii.hexlify(
                value.encode(UNICODE_ENCODING) if isinstance(value, unicode
                                                             ) else value)

        retVal = expression

        if isDBMSVersionAtLeast('3'):
            retVal = Syntax._escape(expression, quote, escaper)

        return retVal