sqlmap/tamper/if2case.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY
from lib.core.settings import REPLACEMENT_MARKER

__priority__ = PRIORITY.HIGHEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart

    Requirement:
        * MySQL
        * SQLite (possibly)
        * SAP MaxDB (possibly)

    Tested against:
        * MySQL 5.0 and 5.5

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that filter the IF() functions

    >>> tamper('IF(1, 2, 3)')
    'CASE WHEN (1) THEN (2) ELSE (3) END'
    >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)')
    'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END'
    """

    if payload and payload.find("IF") > -1:
        payload = payload.replace("()", REPLACEMENT_MARKER)
        while payload.find("IF(") > -1:
            index = payload.find("IF(")
            depth = 1
            commas, end = [], None

            for i in xrange(index + len("IF("), len(payload)):
                if depth == 1 and payload[i] == ',':
                    commas.append(i)

                elif depth == 1 and payload[i] == ')':
                    end = i
                    break

                elif payload[i] == '(':
                    depth += 1

                elif payload[i] == ')':
                    depth -= 1

            if len(commas) == 2 and end:
                a = payload[index + len("IF("):commas[0]].strip("()")
                b = payload[commas[0] + 1:commas[1]].lstrip().strip("()")
                c = payload[commas[1] + 1:end].lstrip().strip("()")
                newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c)
                payload = payload[:index] + newVal + payload[end + 1:]
            else:
                break

        payload = payload.replace(REPLACEMENT_MARKER, "()")

    return payload
Implements tamper script if2case (#5301) 2023-02-01 15:53:19 +03:00			`#!/usr/bin/env python`

			`"""`
Bumping copyright year 2024-01-04 01:11:52 +03:00			`Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)`
Implements tamper script if2case (#5301) 2023-02-01 15:53:19 +03:00			`See the file 'doc/COPYING' for copying permission`
			`"""`

			`from lib.core.compat import xrange`
			`from lib.core.enums import PRIORITY`
Fixes #5549 2023-10-20 16:24:41 +03:00			`from lib.core.settings import REPLACEMENT_MARKER`
Implements tamper script if2case (#5301) 2023-02-01 15:53:19 +03:00
			`__priority__ = PRIORITY.HIGHEST`

			`def dependencies():`
			`pass`

			`def tamper(payload, **kwargs):`
			`"""`
			`Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart`

			`Requirement:`
			`* MySQL`
			`* SQLite (possibly)`
			`* SAP MaxDB (possibly)`

			`Tested against:`
			`* MySQL 5.0 and 5.5`

			`Notes:`
			`* Useful to bypass very weak and bespoke web application firewalls`
			`that filter the IF() functions`

			`>>> tamper('IF(1, 2, 3)')`
			`'CASE WHEN (1) THEN (2) ELSE (3) END'`
			`>>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)')`
			`'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END'`
			`"""`

			`if payload and payload.find("IF") > -1:`
Fixes #5549 2023-10-20 16:24:41 +03:00			`payload = payload.replace("()", REPLACEMENT_MARKER)`
Implements tamper script if2case (#5301) 2023-02-01 15:53:19 +03:00			`while payload.find("IF(") > -1:`
			`index = payload.find("IF(")`
			`depth = 1`
			`commas, end = [], None`

			`for i in xrange(index + len("IF("), len(payload)):`
			`if depth == 1 and payload[i] == ',':`
			`commas.append(i)`

			`elif depth == 1 and payload[i] == ')':`
			`end = i`
			`break`

			`elif payload[i] == '(':`
			`depth += 1`

			`elif payload[i] == ')':`
			`depth -= 1`

			`if len(commas) == 2 and end:`
			`a = payload[index + len("IF("):commas[0]].strip("()")`
			`b = payload[commas[0] + 1:commas[1]].lstrip().strip("()")`
			`c = payload[commas[1] + 1:end].lstrip().strip("()")`
			`newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c)`
			`payload = payload[:index] + newVal + payload[end + 1:]`
			`else:`
			`break`

Fixes #5549 2023-10-20 16:24:41 +03:00			`payload = payload.replace(REPLACEMENT_MARKER, "()")`

Implements tamper script if2case (#5301) 2023-02-01 15:53:19 +03:00			`return payload`