ptnqoxywl
/
sqlmap
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

syntax批注

Browse Source
pull/18/head
Warmlight 2 months ago
parent b7c07b97f7
commit 713615fdc3
1 changed files with 48 additions and 23 deletions
Show Stats Download Patch File Download Diff File

71
src/sqlmap-master/plugins/generic/syntax.py
Unescape View File

@ -5,46 +5,71 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
import re # 导入re模块用于正则表达式操作
from lib.core.common import Backend
from lib.core.convert import getBytes
from lib.core.data import conf
from lib.core.enums import DBMS
from lib.core.exception import SqlmapUndefinedMethod
from lib.core.common import Backend # 导入Backend类用于获取后端数据库信息
from lib.core.convert import getBytes # 导入getBytes函数用于将字符串转换为字节
from lib.core.data import conf # 导入conf对象存储全局配置信息
from lib.core.enums import DBMS # 导入DBMS枚举类定义数据库类型
from lib.core.exception import SqlmapUndefinedMethod # 导入SqlmapUndefinedMethod异常类表示未定义的方法
class Syntax(object):
"""
This class defines generic syntax functionalities for plugins.
这个类定义了插件的通用语法功能
"""
def __init__(self):
pass
pass # 初始化方法,此处为空
@staticmethod
def _escape(expression, quote=True, escaper=None):
retVal = expression
"""
Internal method to escape a given expression.
内部方法用于转义给定的表达式
if quote:
for item in re.findall(r"'[^']*'+", expression):
original = item[1:-1]
if original:
if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:
continue
if re.search(r"\[(SLEEPTIME|RAND)", original) is None: # e.g. '[SLEEPTIME]' marker
replacement = escaper(original) if not conf.noEscape else original
Args:
expression (str): The expression to escape. 要转义的表达式
quote (bool, optional): Whether to handle quoting. 是否处理引号默认为True
escaper (function, optional): The function to use for escaping. 用于转义的函数默认为None
Returns:
str: 转义后的表达式
"""
retVal = expression # 初始化返回值
if replacement != original:
retVal = retVal.replace(item, replacement)
if quote: # 如果需要处理引号
for item in re.findall(r"'[^']*'+", expression): # 查找所有单引号包裹的内容
original = item[1:-1] # 获取引号内的原始内容
if original: # 如果原始内容不为空
if Backend.isDbms(DBMS.SQLITE) and "X%s" % item in expression:
continue # 如果是SQLite数据库且表达式中包含X'...'的格式,则跳过
if re.search(r"$$(SLEEPTIME|RAND)", original) is None: # 检查原始内容是否包含[SLEEPTIME]或[RAND]标记,例如'[SLEEPTIME]'
replacement = escaper(original) if not conf.noEscape else original # 如果配置中没有设置noEscape则使用转义函数进行转义否则不转义
if replacement != original: # 如果转义后的内容与原始内容不同
retVal = retVal.replace(item, replacement) # 则替换表达式中的原始内容为转义后的内容
elif len(original) != len(getBytes(original)) and "n'%s'" % original not in retVal and Backend.getDbms() in (DBMS.MYSQL, DBMS.PGSQL, DBMS.ORACLE, DBMS.MSSQL):
retVal = retVal.replace("'%s'" % original, "n'%s'" % original)
else:
retVal = escaper(expression)
# 如果原始内容的字节长度与字符串长度不同且不是n'...'格式且数据库为MySQLPostgreSQLOracleMSSQL中的一种
retVal = retVal.replace("'%s'" % original, "n'%s'" % original) # 则将表达式中的原始内容替换为n'...'格式以支持Unicode字符
else: # 如果不需要处理引号
retVal = escaper(expression) # 使用转义函数进行转义
return retVal
return retVal # 返回转义后的表达式
@staticmethod
def escape(expression, quote=True):
"""
Generic method to escape a given expression.
通用方法用于转义给定的表达式
Args:
expression (str): The expression to escape. 要转义的表达式
quote (bool, optional): Whether to handle quoting. 是否处理引号默认为True
Raises:
SqlmapUndefinedMethod: 如果没有在具体数据库插件中定义escape方法则抛出此异常
"""
errMsg = "'escape' method must be defined "
errMsg += "inside the specific DBMS plugin"
raise SqlmapUndefinedMethod(errMsg)
raise SqlmapUndefinedMethod(errMsg) # 抛出异常表示未在具体DBMS插件中定义此方法
Write Preview
Loading…
Cancel
Save