FS#56287 - [sqlmap] wrapper script breaks relative paths in argv

Attached to Project: Community Packages
Opened by Pedro F. (psf) - Friday, 10 November 2017, 02:07 GMT
Last edited by Jelle van der Waa (jelly) - Sunday, 03 September 2023, 09:37 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Levente Polyak (anthraxx)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description: sqlmap using sh wrapper changes directory losing context.


Additional info:
package version(s): 1.1.11#stable


Steps to reproduce:
# sqlmap -r request.req


To fix:
Just remove the `cd` lines from the wrapper and call
the program using its full path. Example: python2 /opt/${pkgname}/sqlmapi.py "\$@"
That should be enough to avoid losing the context.


Output of the issue:
http://ix.io/C82/sh


If more info is needed, I'll be glad to provide.

Closed by  Jelle van der Waa (jelly)
Sunday, 03 September 2023, 09:37 GMT
Reason for closing:  No response
Comment by Eli Schwartz (eschwartz) - Friday, 10 November 2017, 05:00 GMT
  • Field changed: Summary ([sqlmap] PLEASE ENTER SUMMARY → [sqlmap] wrapper script breaks relative paths in argv)
  • Field changed: Status (Unconfirmed → Assigned)
  • Field changed: Severity (Very Low → Low)
  • Task assigned to Levente Polyak (anthraxx)
But as your own tests indicate, you *need* to cd in order to ensure the current working directory is in the pythonpath.

@anthraxx, maybe a better fix would be to create a python wrapper which uses sys.path.insert() -- also why is it installed to /opt instead of say /usr/share or path munging and placing it in /usr/lib/python2.7 or something?

Maybe upstream would accept a rework that allowed their software to actually be installed in a halfway reasonable manner, and fixed PEP 394 in the process?
Comment by Pedro F. (psf) - Friday, 10 November 2017, 11:59 GMT
@eschwartz

In my humble opinion, just removing the `cd` on PKGBUILD, therefore creating a sh wrapper that won't change the directory, is enough. I think creating a python wrapper is a little bit too much maybe? What would be the benefits of that?

Now about changing it upstream, sounds like a good idea. Even though that should take some time to be accepted, I believe. That's why the idea of only removing the `cd` as a faster fix.

Thanks and good day.

PS: thanks for changing the summary, my bad.
Comment by Eli Schwartz (eschwartz) - Friday, 10 November 2017, 14:44 GMT
"you *need* to cd in order to ensure the current working directory is in the pythonpath"

I suggest you try running `python2 /opt/sqlmap/sqlmap.py -r /root/ctf/hackthebox/boxes/10.10.10.31/login.req -p user` from outside of /opt/sqlmap, you will see exactly why the cd was necessary. /opt/sqlmap/lib *must* be able to be imported.

This would be easy to fix if all the lib files were modified to actually perform relative imports, rather than assuming that no one will ever run sqlmap outside of a local git clone.
Comment by Pedro F. (psf) - Friday, 10 November 2017, 15:05 GMT
@eschwartz

Good afternoon.
Just did, seems to be working just fine. But then again, I'm no authority nor a Python expert; I'm just trying to help. :)
I tried to take a look at the code and this function seems pretty interesting: https://github.com/sqlmapproject/sqlmap/blob/master/sqlmap.py#L75.

Cheers.

Logs: http://ix.io/C8G/+

PS: I didn't have the original request file to reproduce the same command as before, but you can see from the changes in the wrapper that it won't change directory.
Comment by Ivy Foster (escondida) - Friday, 11 October 2019, 00:20 GMT
psf, do you still experience this issue?
Comment by Pedro F. (psf) - Sunday, 13 October 2019, 10:50 GMT
escondida, yes. With exactly the same output from before (my links).
Comment by Alexandre ZANNI (noraj) - Wednesday, 15 July 2020, 17:49 GMT
Comment by Eli Schwartz (eschwartz) - Wednesday, 15 July 2020, 18:06 GMT
Again, I don't see how this could work sensibly without a proper entry point. E.g. using setup.py, which the upstream project doesn't have.

Hacking around with the $PWD because upstream doesn't support anything other than cd'ing into a git clone, isn't very feasible. But that's the only way to do it right now.
Comment by Eduard Toloza (edu4rdshl) - Wednesday, 15 July 2020, 21:30 GMT
@eschwartz, sqlmap is able to detect where their own modules are (https://github.com/sqlmapproject/sqlmap/blob/fc4dec72917d4bc4133b14a87c266453ba2630c3/sqlmap.py#L93-L104), so in this case the cd is unnecessary.

You're right that they don't provide relative imports for their modules but they have done that workaround/hack to prevent errors when launching sqlmap.py outside of the clone dir. This patch (https://paste.rs/w1S) will fix the issue.
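
Added example, not part of the original thread and not sqlmap's or the package's code: a constructed stand-in tool (hypothetical `tool.py` with a sibling `lib` package) is run the way each wrapper style would run it. The `cd` variant loses the user's relative path, while the full-path variant still imports `lib` because Python puts the script's directory first on `sys.path`. The wrappers are modelled with `subprocess` and the current interpreter, an assumption made so the example runs anywhere.

```python
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for a tool installed under /opt/<pkgname>: a script
# that imports a sibling "lib" package and reads the file named in argv[1].
TOOL = '''\
import sys
from lib.core import describe   # resolved via sys.path[0], the script's own dir
print(describe(open(sys.argv[1]).read()))
'''
CORE = "def describe(text):\n    return 'read %d bytes' % len(text)\n"


def build_layout(root: Path):
    """Create a fake install dir and a separate user working dir."""
    install, work = root / "opt" / "tool", root / "home" / "user"
    (install / "lib").mkdir(parents=True)
    work.mkdir(parents=True)
    (install / "tool.py").write_text(TOOL)
    (install / "lib" / "__init__.py").write_text("")
    (install / "lib" / "core.py").write_text(CORE)
    (work / "request.req").write_text("GET / HTTP/1.1\n")  # constructed sample
    return install, work


def run_like_wrapper(install: Path, work: Path, cd_first: bool):
    """Model the two wrapper styles; the user always types a relative path."""
    if cd_first:   # wrapper does: cd /opt/tool && python tool.py "$@"
        cmd, cwd = [sys.executable, "tool.py", "request.req"], install
    else:          # wrapper does: python /opt/tool/tool.py "$@"
        cmd, cwd = [sys.executable, str(install / "tool.py"), "request.req"], work
    return subprocess.run(cmd, cwd=cwd, capture_output=True, text=True)


def compare():
    """Run both variants against the same layout and return their results."""
    with tempfile.TemporaryDirectory() as tmp:
        install, work = build_layout(Path(tmp))
        with_cd = run_like_wrapper(install, work, cd_first=True)
        no_cd = run_like_wrapper(install, work, cd_first=False)
        return with_cd, no_cd


if __name__ == "__main__":
    with_cd, no_cd = compare()
    print("cd wrapper   :", with_cd.returncode, with_cd.stderr.strip().splitlines()[-1])
    print("full-path run:", no_cd.returncode, no_cd.stdout.strip())
```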
Comment by Buggy McBugFace (bugbot) - Tuesday, 08 August 2023, 19:11 GMT
This is an automated comment as this bug is open for more than 2 years. Please reply if you still experience this bug otherwise this issue will be closed after 1 month.
