sqlmap/tamper/charunicodeencode.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import os
import string

from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage

__priority__ = PRIORITY.LOWEST

def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0])

def tamper(payload, **kwargs):
    """
    Unicode-url-encodes non-encoded characters in a given payload (not
    processing already encoded)

    Example:
        * Input: SELECT FIELD%20FROM TABLE
        * Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'

    Requirement:
        * ASP
        * ASP.NET

    Tested against:
        * Microsoft SQL Server 2000
        * Microsoft SQL Server 2005
        * MySQL 5.1.56
        * PostgreSQL 9.0.3

    Notes:
        * Useful to bypass weak web application firewalls that do not
          unicode url-decode the request before processing it through their
          ruleset
    """

    retVal = payload

    if payload:
        retVal = ""
        i = 0

        while i < len(payload):
            if payload[i] == '%' and (i < len(payload) - 2) and payload[i+1:i+2] in string.hexdigits and payload[i+2:i+3] in string.hexdigits:
                retVal += "%%u00%s" % payload[i+1:i+3]
                i += 3
            else:
                retVal += '%%u%.4X' % ord(payload[i])
                i += 1

    return retVal
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`#!/usr/bin/env python`

			`"""`
modified homepage address 2012-07-12 21:38:03 +04:00			`Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`See the file 'doc/COPYING' for copying permission`
			`"""`

Updated docstring 2011-07-11 14:39:30 +04:00			`import os`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`import string`

			`from lib.core.enums import PRIORITY`
Updated docstring 2011-07-11 14:39:30 +04:00			`from lib.core.common import singleTimeWarnMessage`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00
			`__priority__ = PRIORITY.LOWEST`

Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-07 01:04:45 +04:00			`def dependencies():`
Updated docstring 2011-07-11 14:39:30 +04:00			`singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0])`
Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-07 01:04:45 +04:00
Update for an Issue #12 2012-12-03 17:27:01 +04:00			`def tamper(payload, **kwargs):`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`"""`
Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-07 01:04:45 +04:00			`Unicode-url-encodes non-encoded characters in a given payload (not`
			`processing already encoded)`

			`Example:`
			`* Input: SELECT FIELD%20FROM TABLE`
			`* Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'`

Updated docstring 2011-07-11 14:39:30 +04:00			`Requirement:`
			`* ASP`
			`* ASP.NET`

Updated docstring 2011-07-11 14:04:19 +04:00			`Tested against:`
			`* Microsoft SQL Server 2000`
			`* Microsoft SQL Server 2005`
Updated docstring 2011-07-11 14:39:30 +04:00			`* MySQL 5.1.56`
			`* PostgreSQL 9.0.3`
Updated docstring 2011-07-11 14:04:19 +04:00
Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-07 01:04:45 +04:00			`Notes:`
Updated docstring 2011-07-11 14:04:19 +04:00			`* Useful to bypass weak web application firewalls that do not`
			`unicode url-decode the request before processing it through their`
			`ruleset`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`"""`

minor cosmetics on tamper scripts 2011-04-04 12:18:26 +04:00			`retVal = payload`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00
minor cosmetics on tamper scripts 2011-04-04 12:18:26 +04:00			`if payload:`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`retVal = ""`
			`i = 0`

minor cosmetics on tamper scripts 2011-04-04 12:18:26 +04:00			`while i < len(payload):`
minor update (changing form of payload[i+1] with payload[i+1:i+2] which is much safer for not crashing the script with invalid char index) 2011-07-11 13:22:29 +04:00			`if payload[i] == '%' and (i < len(payload) - 2) and payload[i+1:i+2] in string.hexdigits and payload[i+2:i+3] in string.hexdigits:`
minor cosmetics on tamper scripts 2011-04-04 12:18:26 +04:00			`retVal += "%%u00%s" % payload[i+1:i+3]`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`i += 3`
			`else:`
Minor refactoring 2012-07-24 03:21:32 +04:00			`retVal += '%%u%.4X' % ord(payload[i])`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`i += 1`

Tamper function(s) refactoring (really no need for returning headers as they are passed by reference) 2012-10-25 12:10:23 +04:00			`return retVal`