sqlmap/tamper/ifnull2casewhenisnull.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGHEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart

    Requirement:
        * MySQL
        * SQLite (possibly)
        * SAP MaxDB (possibly)

    Tested against:
        * MySQL 5.0 and 5.5

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that filter the IFNULL() functions

    >>> tamper('IFNULL(1, 2)')
    'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END'
    """

    if payload and payload.find("IFNULL") > -1:
        while payload.find("IFNULL(") > -1:
            index = payload.find("IFNULL(")
            depth = 1
            comma, end = None, None

            for i in xrange(index + len("IFNULL("), len(payload)):
                if depth == 1 and payload[i] == ',':
                    comma = i

                elif depth == 1 and payload[i] == ')':
                    end = i
                    break

                elif payload[i] == '(':
                    depth += 1

                elif payload[i] == ')':
                    depth -= 1

            if comma and end:
                _ = payload[index + len("IFNULL("):comma]
                __ = payload[comma + 1:end].lstrip()
                newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _)
                payload = payload[:index] + newVal + payload[end + 1:]
            else:
                break

    return payload
Add new tamper script witch can Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END', it could be usefull for bypass some weak WAFs that filter the 'IFNULL' and 'IF' functions (#2791) 2017-11-22 15:27:49 +03:00			`#!/usr/bin/env python`

			`"""`
update_copyright_year() 2019-01-05 23:38:52 +03:00			`Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)`
Add new tamper script witch can Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END', it could be usefull for bypass some weak WAFs that filter the 'IFNULL' and 'IF' functions (#2791) 2017-11-22 15:27:49 +03:00			`See the file 'doc/COPYING' for copying permission`
			`"""`

			`from lib.core.enums import PRIORITY`

			`__priority__ = PRIORITY.HIGHEST`

			`def dependencies():`
			`pass`

			`def tamper(payload, **kwargs):`
			`"""`
Implementation for an Issue #3108 2018-07-31 03:18:33 +03:00			`Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart`
Add new tamper script witch can Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END', it could be usefull for bypass some weak WAFs that filter the 'IFNULL' and 'IF' functions (#2791) 2017-11-22 15:27:49 +03:00
			`Requirement:`
			`* MySQL`
			`* SQLite (possibly)`
			`* SAP MaxDB (possibly)`

			`Tested against:`
			`* MySQL 5.0 and 5.5`

			`Notes:`
			`* Useful to bypass very weak and bespoke web application firewalls`
Minor update regarding #2791 2017-11-22 15:29:39 +03:00			`that filter the IFNULL() functions`
Add new tamper script witch can Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END', it could be usefull for bypass some weak WAFs that filter the 'IFNULL' and 'IF' functions (#2791) 2017-11-22 15:27:49 +03:00
			`>>> tamper('IFNULL(1, 2)')`
			`'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END'`
			`"""`

			`if payload and payload.find("IFNULL") > -1:`
			`while payload.find("IFNULL(") > -1:`
			`index = payload.find("IFNULL(")`
			`depth = 1`
			`comma, end = None, None`

			`for i in xrange(index + len("IFNULL("), len(payload)):`
			`if depth == 1 and payload[i] == ',':`
			`comma = i`

			`elif depth == 1 and payload[i] == ')':`
			`end = i`
			`break`

			`elif payload[i] == '(':`
			`depth += 1`

			`elif payload[i] == ')':`
			`depth -= 1`

			`if comma and end:`
			`_ = payload[index + len("IFNULL("):comma]`
			`__ = payload[comma + 1:end].lstrip()`
			`newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _)`
			`payload = payload[:index] + newVal + payload[end + 1:]`
			`else:`
			`break`

			`return payload`