Adding escapequotes.py (utility tamper script)

Author: stamparm

lib/request/connect.py

@@ -80,6 +80,7 @@ class WebSocketException(Exception):
 from lib.core.exception import SqlmapTokenException
 from lib.core.exception import SqlmapValueException
 from lib.core.settings import ASTERISK_MARKER
+from lib.core.settings import BOUNDARY_BACKSLASH_MARKER
 from lib.core.settings import CUSTOM_INJECTION_MARK_CHAR
 from lib.core.settings import DEFAULT_CONTENT_TYPE
 from lib.core.settings import DEFAULT_COOKIE_DELIMITER
@@ -765,7 +766,7 @@ def queryPage(value=None, place=None, content=False, getRatioValue=False, silent
 
                 value = agent.replacePayload(value, payload)
 
-            logger.log(CUSTOM_LOGGING.PAYLOAD, safecharencode(payload))
+            logger.log(CUSTOM_LOGGING.PAYLOAD, safecharencode(payload.replace('\\', BOUNDARY_BACKSLASH_MARKER)).replace(BOUNDARY_BACKSLASH_MARKER, '\\'))
 
             if place == PLACE.CUSTOM_POST and kb.postHint:
                 if kb.postHint in (POST_HINT.SOAP, POST_HINT.XML):

tamper/escapequotes.py

@@ -0,0 +1,26 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import base64
+
+from lib.core.enums import PRIORITY
+from lib.core.settings import UNICODE_ENCODING
+
+__priority__ = PRIORITY.LOWEST
+
+def dependencies():
+    pass
+
+def tamper(payload, **kwargs):
+    """
+    Slash escape quotes (' and ")
+
+    >>> tamper("1' AND SLEEP(5)#")
+    '1\' AND SLEEP(5)#'
+    """
+
+    return payload.replace("'", "\\'").replace('"', '\\"')