Just in case update for an Issue sqlmapproject#2474

Author: stamparm

lib/core/common.py

@@ -26,6 +26,7 @@
 import subprocess
 import sys
 import tempfile
+import threading
 import time
 import urllib
 import urllib2
@@ -139,6 +140,7 @@
 from lib.core.settings import REFLECTED_BORDER_REGEX
 from lib.core.settings import REFLECTED_MAX_REGEX_PARTS
 from lib.core.settings import REFLECTED_REPLACEMENT_REGEX
+from lib.core.settings import REFLECTED_REPLACEMENT_TIMEOUT
 from lib.core.settings import REFLECTED_VALUE_MARKER
 from lib.core.settings import REFLECTIVE_MISS_THRESHOLD
 from lib.core.settings import SENSITIVE_DATA_REGEX
@@ -3429,11 +3431,27 @@ def _(value):
  else:
  regex = r"%s\b" % regex
 
- retVal = re.sub(r"(?i)%s" % regex, REFLECTED_VALUE_MARKER, retVal)
+ _retVal = [retVal]
+ def _thread(regex):
+ _retVal[0] = re.sub(r"(?i)%s" % regex, REFLECTED_VALUE_MARKER, _retVal[0])
 
- if len(parts) > 2:
- regex = REFLECTED_REPLACEMENT_REGEX.join(parts[1:])
- retVal = re.sub(r"(?i)\b%s\b" % regex, REFLECTED_VALUE_MARKER, retVal)
+ if len(parts) > 2:
+ regex = REFLECTED_REPLACEMENT_REGEX.join(parts[1:])
+ _retVal[0] = re.sub(r"(?i)\b%s\b" % regex, REFLECTED_VALUE_MARKER, _retVal[0])
+
+ thread = threading.Thread(target=_thread, args=(regex,))
+ thread.daemon = True
+ thread.start()
+ thread.join(REFLECTED_REPLACEMENT_TIMEOUT)
+
+ if thread.isAlive():
+ kb.reflectiveMechanism = False
+ retVal = content
+ if not suppressWarning:
+ debugMsg = "turning off reflection removal mechanism (because of timeouts)"
+ logger.debug(debugMsg)
+ else:
+ retVal = _retVal[0]
 
  if retVal != content:
  kb.reflectiveCounters[REFLECTIVE_COUNTER.HIT] += 1

lib/core/settings.py

@@ -19,7 +19,7 @@
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.1.4.16"
+VERSION = "1.1.4.18"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
@@ -386,6 +386,9 @@
 # Regular expression used for replacing non-alphanum characters
 REFLECTED_REPLACEMENT_REGEX = r".+"
 
+# Maximum time (in seconds) spent per reflective value(s) replacement
+REFLECTED_REPLACEMENT_TIMEOUT = 3
+
 # Maximum number of alpha-numerical parts in reflected regex (for speed purposes)
 REFLECTED_MAX_REGEX_PARTS = 10
 

txt/checksum.md5

@@ -26,7 +26,7 @@ d79481ab99acd739615e747d4a79d9d0 lib/controller/handler.py
 310efc965c862cfbd7b0da5150a5ad36 lib/controller/__init__.py
 19905ecb4437b94512cf21d5f1720091 lib/core/agent.py
 6cc95a117fbd34ef31b9aa25520f0e31 lib/core/bigarray.py
-f667d34b2869016ac2b97f82c4463599 lib/core/common.py
+8f827c514751b85890da09581c21285c lib/core/common.py
 5065a4242a8cccf72f91e22e1007ae63 lib/core/convert.py
 a8143dab9d3a27490f7d49b6b29ea530 lib/core/data.py
 7936d78b1a7f1f008ff92bf2f88574ba lib/core/datatype.py
@@ -45,7 +45,7 @@ dd19b4d930d418f8aef498941346ab2d lib/core/option.py
 d8e9250f3775119df07e9070eddccd16 lib/core/replication.py
 785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py
 40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py
-f2cace15ba198ea85d8d67981ee739ea lib/core/settings.py
+78ce748dd65ba204321cb74c53ec55e3 lib/core/settings.py
 d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py
 2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py
 afd0636d2e93c23f4f0a5c9b6023ea17 lib/core/target.py