sqlmap 0.6-rc5: major bug fix to make --sql-shell and --sql-query work properly also with mixed case statements (i.e oRDeR bY). Thanks Konrads Smelkovs to notifying.

bdamele · bdamele · commit 605409019130 · 2009-01-28T14:53:11.000Z
diff --git a/doc/THANKS b/doc/THANKS
@@ -126,6 +126,9 @@ Sumit Siddharth <sid@notsosecure.com>
 M Simkin <mlsimkin@cox.net>
     for suggesting a feature
 
+Konrads Smelkovs <konrads@smelkovs.com>
+    for reporting two bugs in --sql-shell and --sql-query
+
 Jason Swan <jasoneswan@gmail.com>
     for reporting a bug when enumerating columns on Microsoft SQL Server
     for suggesting a couple of improvements
diff --git a/lib/core/common.py b/lib/core/common.py
@@ -498,7 +498,11 @@ def cleanQuery(query):
 
     for sqlStatements in SQL_STATEMENTS.values():
         for sqlStatement in sqlStatements:
-            upperQuery = upperQuery.replace(sqlStatement, sqlStatement.upper())
+            sqlStatementEsc = sqlStatement.replace("(", "\\(")
+            queryMatch = re.search("(%s)" % sqlStatementEsc, query, re.I)
+
+            if queryMatch:
+                upperQuery = upperQuery.replace(queryMatch.group(1), sqlStatement.upper())
 
     return upperQuery
 
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -30,7 +30,7 @@
 
 
 # sqlmap version and site
-VERSION            = "0.6.4-rc4"
+VERSION            = "0.6.4-rc5"
 VERSION_STRING     = "sqlmap/%s" % VERSION
 SITE               = "http://sqlmap.sourceforge.net"
 
