Called each time sqlmap injects a SQL query into the parameter affected by SQL injection.
(expression, blind=True, union=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True)
| 359 | @lockedmethod |
| 360 | @stackedmethod |
| 361 | def getValue(expression, blind=True, union=True, error=True, time=True, fromUser=False, expected=None, batch=False, unpack=True, resumeValue=True, charsetType=None, firstChar=None, lastChar=None, dump=False, suppressOutput=None, expectingNone=False, safeCharEncode=True): |
| 362 | """ |
| 363 | Called each time sqlmap inject a SQL query on the SQL injection |
| 364 | affected parameter. |
| 365 | """ |
| 366 | |
| 367 | if conf.hexConvert and expected != EXPECTED.BOOL and Backend.getIdentifiedDbms(): |
| 368 | if not hasattr(queries[Backend.getIdentifiedDbms()], "hex"): |
| 369 | warnMsg = "switch '--hex' is currently not supported on DBMS %s" % Backend.getIdentifiedDbms() |
| 370 | singleTimeWarnMessage(warnMsg) |
| 371 | conf.hexConvert = False |
| 372 | else: |
| 373 | charsetType = CHARSET_TYPE.HEXADECIMAL |
| 374 | |
| 375 | kb.safeCharEncode = safeCharEncode |
| 376 | kb.resumeValues = resumeValue |
| 377 | |
| 378 | for keyword in GET_VALUE_UPPERCASE_KEYWORDS: |
| 379 | expression = re.sub(r"(?i)(\A|\(|\)|\s)%s(\Z|\(|\)|\s)" % keyword, r"\g<1>%s\g<2>" % keyword, expression) |
| 380 | |
| 381 | if suppressOutput is not None: |
| 382 | pushValue(getCurrentThreadData().disableStdOut) |
| 383 | getCurrentThreadData().disableStdOut = suppressOutput |
| 384 | |
| 385 | try: |
| 386 | pushValue(conf.db) |
| 387 | pushValue(conf.tbl) |
| 388 | |
| 389 | if expected == EXPECTED.BOOL: |
| 390 | forgeCaseExpression = booleanExpression = expression |
| 391 | |
| 392 | if expression.startswith("SELECT "): |
| 393 | booleanExpression = "(%s)=%s" % (booleanExpression, "'1'" if "'1'" in booleanExpression else "1") |
| 394 | else: |
| 395 | forgeCaseExpression = agent.forgeCaseStatement(expression) |
| 396 | |
| 397 | if conf.direct: |
| 398 | value = direct(forgeCaseExpression if expected == EXPECTED.BOOL else expression) |
| 399 | |
| 400 | elif any(isTechniqueAvailable(_) for _ in getPublicTypeMembers(PAYLOAD.TECHNIQUE, onlyValues=True)): |
| 401 | query = cleanQuery(expression) |
| 402 | query = expandAsteriskForColumns(query) |
| 403 | value = None |
| 404 | found = False |
| 405 | count = 0 |
| 406 | |
| 407 | if query and not re.search(r"COUNT.*FROM.*\(.*DISTINCT", query, re.I): |
| 408 | query = query.replace("DISTINCT ", "") |
| 409 | |
| 410 | if not conf.forceDns: |
| 411 | if union and isTechniqueAvailable(PAYLOAD.TECHNIQUE.UNION): |
| 412 | setTechnique(PAYLOAD.TECHNIQUE.UNION) |
| 413 | kb.forcePartialUnion = kb.injection.data[PAYLOAD.TECHNIQUE.UNION].vector[8] |
| 414 | fallback = not expected and kb.injection.data[PAYLOAD.TECHNIQUE.UNION].where == PAYLOAD.WHERE.ORIGINAL and not kb.forcePartialUnion |
| 415 | |
| 416 | if expected == EXPECTED.BOOL: |
| 417 | # Note: some DBMSes (e.g. Altibase) don't support implicit conversion of boolean check result during concatenation with prefix and suffix (e.g. 'qjjvq'||(1=1)||'qbbbq') |
| 418 |