Sqlmap breaks when the parameter names being tested are invalid Python variable names, i.e. they start with numbers.
```shell
sqlmap -u https://sequel-9cba4c8e.challenges.bsidessf.net/sequels --cookie="1337_AUTH=eyJ1c2VybmFtZSI6Imd1ZXN0IiwicGFzc3dvcmQiOiJndWVzdCJ9" --eval "import base64;1337_AUTH=base64.b64encode(1337_AUTH)"
```
The output:
```
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.3#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V          |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 16:27:03 /2019-03-04/

[16:27:04] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] n
[16:27:04] [WARNING] provided parameter '1337_AUTH' appears to be 'base64' encoded
[16:27:04] [INFO] testing connection to the target URL
[16:27:04] [CRITICAL] an error occurred while evaluating provided code ('invalid syntax')

[*] ending @ 16:27:04 /2019-03-04/
```
This question/request is related to 1062.

When the parameter name used in --eval starts with a number (which is invalid as a Python variable name), sqlmap states that there is an invalid syntax.

A solution would be to also evaluate parameters whose names start with numbers and escape them, like the case of reserved words.
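An added illustration of the aliasing approach the report proposes (example code, not sqlmap's own implementation): names that are not valid Python identifiers, or that are reserved words, are bound under a hex-encoded alias, the `--eval` code is rewritten to use that alias, and results are mapped back to the original names. The `EVAL_` prefix and the Python 3 adaptation of the issue's `b64encode` call (`.encode()`/`.decode()`) are assumptions of this example.

```python
import keyword
import re

# Assumed prefix for aliases; it starts with a letter, so the alias is always a valid identifier.
PREFIX = "EVAL_"
IDENT_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def safe_name(name: str) -> str:
    """Return `name` unchanged if it is a usable identifier, else a hex-encoded alias."""
    if IDENT_RE.match(name) and not keyword.iskeyword(name):
        return name
    return PREFIX + name.encode("utf-8").hex()


def rewrite_code(code: str, params: dict) -> str:
    """Replace whole-token occurrences of each unsafe parameter name with its alias."""
    for name in params:
        alias = safe_name(name)
        if alias != name:
            # Lookarounds ensure '1337_AUTH' is not matched inside a longer token.
            pattern = r"(?<![A-Za-z0-9_])%s(?![A-Za-z0-9_])" % re.escape(name)
            code = re.sub(pattern, alias, code)
    return code


def run_eval(code: str, params: dict) -> dict:
    """Execute operator-supplied --eval code with parameters bound under safe names.

    Same trust model as sqlmap's --eval: the code comes from the local command line,
    never from the target. Returns the (possibly updated) values keyed by original names.
    """
    aliases = {name: safe_name(name) for name in params}
    namespace = {aliases[name]: value for name, value in params.items()}
    exec(rewrite_code(code, params), namespace)
    return {name: namespace[alias] for name, alias in aliases.items()}


def encode_issue_cookie() -> dict:
    """Constructed sample: the decoded cookie from the issue, re-encoded via --eval code."""
    cookie = {"1337_AUTH": '{"username":"guest","password":"guest"}'}
    code = "import base64;1337_AUTH=base64.b64encode(1337_AUTH.encode()).decode()"
    return run_eval(code, cookie)


if __name__ == "__main__":
    print(encode_issue_cookie())
```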