hub / github.com/sqlmapproject/sqlmap / concatQuery

Method concatQuery

lib/core/agent.py:676–823  ·  view source on GitHub ↗

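Takes a query string as input and returns the processed query string: nulled, cast and concatenated. Examples: MySQL input: SELECT user, password FROM mysql.user MySQL output: CONCAT('mMvPxc',IFNULL(CAST(user AS CHAR(10000)), ' '),'nXlgnR',IFNULL(CAST(password AS CHAR(10000)), ' '),'YnCzLl') FROM mysql.user. In the method body the outer markers are taken from kb.chars.start and kb.chars.stop, so the literal marker strings in these examples are sample values.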

(self, query, unpack=True)


674 return retVal
675
676 def concatQuery(self, query, unpack=True):
677 """
678 Take in input a query string and return its processed nulled,
679 casted and concatenated query string.
680
681 Examples:
682
683 MySQL input: SELECT user, password FROM mysql.user
684 MySQL output: CONCAT('mMvPxc',IFNULL(CAST(user AS CHAR(10000)), ' '),'nXlgnR',IFNULL(CAST(password AS CHAR(10000)), ' '),'YnCzLl') FROM mysql.user
685
686 PostgreSQL input: SELECT usename, passwd FROM pg_shadow
687 PostgreSQL output: 'HsYIBS'||COALESCE(CAST(usename AS CHARACTER(10000)), ' ')||'KTBfZp'||COALESCE(CAST(passwd AS CHARACTER(10000)), ' ')||'LkhmuP' FROM pg_shadow
688
689 Oracle input: SELECT COLUMN_NAME, DATA_TYPE FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='USERS'
690 Oracle output: 'GdBRAo'||NVL(CAST(COLUMN_NAME AS VARCHAR(4000)), ' ')||'czEHOf'||NVL(CAST(DATA_TYPE AS VARCHAR(4000)), ' ')||'JVlYgS' FROM SYS.ALL_TAB_COLUMNS WHERE TABLE_NAME='USERS'
691
692 Microsoft SQL Server input: SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins
693 Microsoft SQL Server output: 'QQMQJO'+ISNULL(CAST(name AS VARCHAR(8000)), ' ')+'kAtlqH'+ISNULL(CAST(master.dbo.fn_varbintohexstr(password) AS VARCHAR(8000)), ' ')+'lpEqoi' FROM master..sysxlogins
694
695 @param query: query string to be processed
696 @type query: C{str}
697
698 @return: query string nulled, casted and concatenated
699 @rtype: C{str}
700 """
701
702 if unpack:
703 concatenatedQuery = ""
704 query = query.replace(", ", ',')
705 fieldsSelectFrom, fieldsSelect, fieldsNoSelect, fieldsSelectTop, fieldsSelectCase, _, fieldsToCastStr, fieldsExists = self.getFields(query)
706 castedFields = self.nullCastConcatFields(fieldsToCastStr)
707 concatenatedQuery = query.replace(fieldsToCastStr, castedFields, 1)
708 else:
709 return query
710
711 if Backend.isDbms(DBMS.MYSQL):
712 if fieldsExists:
713 concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1)
714 concatenatedQuery += ",'%s')" % kb.chars.stop
715 elif fieldsSelectCase:
716 concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1)
717 concatenatedQuery += ",'%s')" % kb.chars.stop
718 elif fieldsSelectFrom:
719 _ = unArrayizeValue(zeroDepthSearch(concatenatedQuery, " FROM "))
720 concatenatedQuery = "%s,'%s')%s" % (concatenatedQuery[:_].replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1), kb.chars.stop, concatenatedQuery[_:])
721 elif fieldsSelect:
722 concatenatedQuery = concatenatedQuery.replace("SELECT ", "CONCAT('%s'," % kb.chars.start, 1)
723 concatenatedQuery += ",'%s')" % kb.chars.stop
724 elif fieldsNoSelect:
725 concatenatedQuery = "CONCAT('%s',%s,'%s')" % (kb.chars.start, concatenatedQuery, kb.chars.stop)
726
727 elif Backend.getIdentifiedDbms() in (DBMS.PGSQL, DBMS.ORACLE, DBMS.SQLITE, DBMS.DB2, DBMS.FIREBIRD, DBMS.HSQLDB, DBMS.H2, DBMS.MONETDB, DBMS.DERBY, DBMS.VERTICA, DBMS.MCKOI, DBMS.PRESTO, DBMS.ALTIBASE, DBMS.MIMERSQL, DBMS.CRATEDB, DBMS.CUBRID, DBMS.CACHE, DBMS.EXTREMEDB, DBMS.FRONTBASE, DBMS.RAIMA, DBMS.VIRTUOSO):
728 if fieldsExists:
729 concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||" % kb.chars.start, 1)
730 concatenatedQuery += "||'%s'" % kb.chars.stop
731 elif fieldsSelectCase:
732 concatenatedQuery = concatenatedQuery.replace("SELECT ", "'%s'||(SELECT " % kb.chars.start, 1)
733 concatenatedQuery += ")||'%s'" % kb.chars.stop

Callers 2

_unionPositionFunction · 0.80
_oneShotUnionUseFunction · 0.80

Calls 10

getFieldsMethod · 0.95
nullCastConcatFieldsMethod · 0.95
unArrayizeValueFunction · 0.90
zeroDepthSearchFunction · 0.90
singleTimeWarnMessageFunction · 0.90
isDbmsMethod · 0.80
getIdentifiedDbmsMethod · 0.80
replaceMethod · 0.45
escapeMethod · 0.45
getMethod · 0.45

Tested by 1

_unionPositionFunction · 0.64