2019-03-21 16:00:09 +03:00
|
|
|
#!/usr/bin/env python2
|
2016-12-02 00:28:07 +03:00
|
|
|
|
|
|
|
"""
|
2019-01-05 23:38:52 +03:00
|
|
|
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
2017-10-11 15:50:46 +03:00
|
|
|
See the file 'LICENSE' for copying permission
|
2016-12-02 00:28:07 +03:00
|
|
|
"""
|
|
|
|
|
2018-02-10 13:06:31 +03:00
|
|
|
import os
|
2017-02-16 18:56:54 +03:00
|
|
|
import re
|
|
|
|
|
2018-02-08 18:49:16 +03:00
|
|
|
from lib.core.common import singleTimeWarnMessage
|
2016-12-02 00:28:07 +03:00
|
|
|
from lib.core.common import zeroDepthSearch
|
2019-03-28 18:04:38 +03:00
|
|
|
from lib.core.compat import xrange
|
2018-02-08 18:49:16 +03:00
|
|
|
from lib.core.enums import DBMS
|
2016-12-02 00:28:07 +03:00
|
|
|
from lib.core.enums import PRIORITY
|
|
|
|
|
|
|
|
__priority__ = PRIORITY.HIGHEST
|
|
|
|
|
|
|
|
def dependencies():
|
2018-02-08 18:49:16 +03:00
|
|
|
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))
|
2016-12-02 00:28:07 +03:00
|
|
|
|
|
|
|
def tamper(payload, **kwargs):
|
|
|
|
"""
|
2018-07-31 03:18:33 +03:00
|
|
|
Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart
|
2016-12-02 00:28:07 +03:00
|
|
|
|
|
|
|
Tested against:
|
|
|
|
* Microsoft SQL Server 2012
|
|
|
|
|
|
|
|
Requirements:
|
|
|
|
* Microsoft SQL Server 2012+
|
|
|
|
|
|
|
|
Notes:
|
|
|
|
* Useful in case ('+') character is filtered
|
|
|
|
|
|
|
|
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
|
|
|
|
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
|
2017-02-17 12:26:25 +03:00
|
|
|
|
|
|
|
>>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL')
|
|
|
|
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
|
2016-12-02 00:28:07 +03:00
|
|
|
"""
|
|
|
|
|
|
|
|
retVal = payload
|
|
|
|
|
|
|
|
if payload:
|
2018-11-30 13:29:17 +03:00
|
|
|
prefix, suffix = '+' * len(re.search(r"\A(\+*)", payload).group(0)), '+' * len(re.search(r"(\+*)\Z", payload).group(0))
|
|
|
|
retVal = retVal.strip('+')
|
|
|
|
|
2016-12-02 00:28:07 +03:00
|
|
|
while True:
|
|
|
|
indexes = zeroDepthSearch(retVal, '+')
|
2017-02-16 18:56:54 +03:00
|
|
|
|
2016-12-02 00:28:07 +03:00
|
|
|
if indexes:
|
|
|
|
first, last = 0, 0
|
|
|
|
for i in xrange(1, len(indexes)):
|
|
|
|
if ' ' in retVal[indexes[0]:indexes[i]]:
|
|
|
|
break
|
|
|
|
else:
|
|
|
|
last = i
|
|
|
|
|
|
|
|
start = retVal[:indexes[first]].rfind(' ') + 1
|
|
|
|
end = (retVal[indexes[last] + 1:].find(' ') + indexes[last] + 1) if ' ' in retVal[indexes[last] + 1:] else len(retVal) - 1
|
|
|
|
|
|
|
|
chars = [char for char in retVal]
|
|
|
|
for index in indexes[first:last + 1]:
|
|
|
|
chars[index] = ','
|
|
|
|
|
|
|
|
retVal = "%sCONCAT(%s)%s" % (retVal[:start], ''.join(chars)[start:end], retVal[end:])
|
|
|
|
else:
|
2018-02-08 18:49:16 +03:00
|
|
|
match = re.search(r"\((CHAR\(\d+.+\bCHAR\(\d+\))\)", retVal)
|
2017-02-16 18:56:54 +03:00
|
|
|
if match:
|
|
|
|
part = match.group(0)
|
|
|
|
indexes = set(zeroDepthSearch(match.group(1), '+'))
|
|
|
|
if not indexes:
|
|
|
|
break
|
|
|
|
chars = [char for char in part]
|
|
|
|
for i in xrange(1, len(chars)):
|
|
|
|
if i - 1 in indexes:
|
|
|
|
chars[i] = ','
|
|
|
|
replacement = "CONCAT%s" % "".join(chars)
|
|
|
|
retVal = retVal.replace(part, replacement)
|
|
|
|
else:
|
|
|
|
break
|
2016-12-02 00:28:07 +03:00
|
|
|
|
2018-11-30 13:29:17 +03:00
|
|
|
retVal = "%s%s%s" % (prefix, retVal, suffix)
|
|
|
|
|
2016-12-02 00:28:07 +03:00
|
|
|
return retVal
|