sqlmap/tamper/charunicodeencode.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import os
import string

from lib.core.common import singleTimeWarnMessage
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST

def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0])

def tamper(payload, **kwargs):
    """
    Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)

    Requirement:
        * ASP
        * ASP.NET

    Tested against:
        * Microsoft SQL Server 2000
        * Microsoft SQL Server 2005
        * MySQL 5.1.56
        * PostgreSQL 9.0.3

    Notes:
        * Useful to bypass weak web application firewalls that do not unicode URL-decode the request before processing it through their ruleset

    >>> tamper('SELECT FIELD%20FROM TABLE')
    '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
    """

    retVal = payload

    if payload:
        retVal = ""
        i = 0

        while i < len(payload):
            if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
                retVal += "%%u00%s" % payload[i + 1:i + 3]
                i += 3
            else:
                retVal += '%%u%.4X' % ord(payload[i])
                i += 1

    return retVal
Last preparations for DREI 2019-05-08 13:47:52 +03:00			`#!/usr/bin/env python`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00
			`"""`
Bumping copyright year 2024-01-04 01:11:52 +03:00			`Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 15:50:46 +03:00			`See the file 'LICENSE' for copying permission`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`"""`

Updated docstring 2011-07-11 14:39:30 +04:00			`import os`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`import string`

Updated docstring 2011-07-11 14:39:30 +04:00			`from lib.core.common import singleTimeWarnMessage`
Trivial update 2019-06-04 15:44:06 +03:00			`from lib.core.enums import PRIORITY`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00
			`__priority__ = PRIORITY.LOWEST`

Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-07 01:04:45 +04:00			`def dependencies():`
Updated docstring 2011-07-11 14:39:30 +04:00			`singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0])`
Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-07 01:04:45 +04:00
Update for an Issue #12 2012-12-03 17:27:01 +04:00			`def tamper(payload, **kwargs):`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`"""`
Implementation for an Issue #3108 2018-07-31 03:18:33 +03:00			`Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)`
Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-07 01:04:45 +04:00
Updated docstring 2011-07-11 14:39:30 +04:00			`Requirement:`
			`* ASP`
			`* ASP.NET`

Updated docstring 2011-07-11 14:04:19 +04:00			`Tested against:`
			`* Microsoft SQL Server 2000`
			`* Microsoft SQL Server 2005`
Updated docstring 2011-07-11 14:39:30 +04:00			`* MySQL 5.1.56`
			`* PostgreSQL 9.0.3`
Updated docstring 2011-07-11 14:04:19 +04:00
Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-07 01:04:45 +04:00			`Notes:`
First commit related to the #3108 2018-07-31 02:17:11 +03:00			`* Useful to bypass weak web application firewalls that do not unicode URL-decode the request before processing it through their ruleset`
Another update for an Issue #352 and couple of fixes 2013-03-14 00:57:09 +04:00
			`>>> tamper('SELECT FIELD%20FROM TABLE')`
			`'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`"""`

minor cosmetics on tamper scripts 2011-04-04 12:18:26 +04:00			`retVal = payload`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00
minor cosmetics on tamper scripts 2011-04-04 12:18:26 +04:00			`if payload:`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`retVal = ""`
			`i = 0`

minor cosmetics on tamper scripts 2011-04-04 12:18:26 +04:00			`while i < len(payload):`
Some PEP8 related style cleaning 2013-01-10 16:18:44 +04:00			`if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:`
			`retVal += "%%u00%s" % payload[i + 1:i + 3]`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`i += 3`
			`else:`
Minor refactoring 2012-07-24 03:21:32 +04:00			`retVal += '%%u%.4X' % ord(payload[i])`
Converted from DOS format (\n\r to \n only) 2011-02-07 02:25:55 +03:00			`i += 1`

Tamper function(s) refactoring (really no need for returning headers as they are passed by reference) 2012-10-25 12:10:23 +04:00			`return retVal`