
Inconsistent encoding of % character in certain cases #4444

@hippich

Describe the bug
When using --sql-shell and using the % character, in some scenarios it will be transcoded into %25, while in others it is not. Here is an example:

select name from table where value like '%some%begin%'

This will result in the LIKE value being converted into the following (notice that the middle % is not escaped):

%25some%begin%25

This happens in the following line:

value = re.sub(r"%(?![0-9a-fA-F]{2})", "%25", value)

Basically, that line attempts to escape any % characters present in the value, unless that character is already escaped. It checks it against a hex regex, which, unfortunately, can fail in some cases like the one above. Not sure what the proper fix would be, but I hope the above provides enough details for it. The workaround is to manually replace all unescaped %'s with %25.

To Reproduce

  1. Run --sql-shell.
  2. Run a query which includes % followed by two letters representing any hex code.
  3. Observe in the HTTP log that % followed by [0-9a-fA-F]{2} is left unescaped.

Expected behavior
The % should be escaped.

Running environment:

  • sqlmap version: 1.4.11.15#dev
  • Installation method: git
  • Operating system: Ubuntu 18.04
  • Python version: 3.6.9

Target details:

  • DBMS: Oracle
  • SQLi techniques found by sqlmap: boolean blind
  • WAF/IPS: none
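To make the failure mode concrete, here is an added example (not sqlmap's code) that runs the regex quoted in the issue over the reported LIKE value and contrasts it with a per-value heuristic that I am assuming as one possible alternative: treat a value as already percent-encoded only if every % in it starts a valid %XX triplet, otherwise escape every %. The sample values are constructed from the issue.

```python
import re

# Constructed from the issue: the middle '%' is followed by "be", two valid hex
# digits, so a per-character lookahead mistakes it for an already-encoded byte.
ISSUE_VALUE = "'%some%begin%'"
ALREADY_ENCODED = "%41%42%43"  # constructed: a value that really is percent-encoded


def escape_percent_lookahead(value: str) -> str:
    """The behaviour reported in the issue: escape '%' unless two hex digits follow."""
    return re.sub(r"%(?![0-9a-fA-F]{2})", "%25", value)


# A value counts as already percent-encoded only if *every* '%' in it starts a
# valid %XX triplet; one bare '%' anywhere means the whole value is raw text.
_FULLY_ENCODED = re.compile(r"^(?:[^%]|%[0-9a-fA-F]{2})*$")


def escape_percent_whole_value(value: str) -> str:
    """Alternative heuristic (an assumption here, not sqlmap's fix): decide per
    value rather than per character, so a raw value never ends up with some of
    its '%' signs escaped and others passed through."""
    if _FULLY_ENCODED.match(value):
        return value
    return value.replace("%", "%25")


def count_bare_percent(encoded: str) -> int:
    """How many '%' in the encoded output are not the escape sequence '%25'.
    For a raw LIKE pattern this should be zero after encoding."""
    return len(re.findall(r"%(?!25)", encoded))


if __name__ == "__main__":
    for fn in (escape_percent_lookahead, escape_percent_whole_value):
        out = fn(ISSUE_VALUE)
        print(f"{fn.__name__:28} {out!r:24} bare % left: {count_bare_percent(out)}")
```

Both functions are heuristics: a raw value made entirely of %XX-shaped text (for example the bare string `%be`) is indistinguishable from an encoded one, so the per-value check cannot remove the ambiguity, only narrow it to values with no other characters.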
