sqlmap/tamper/charencode.py

import re
import string

from lib.core.exception import sqlmapUnsupportedFeatureException

"""
value -> urlencode of nonencoded chars in value (e.g., SELECT%20FIELD%20FROM%20TABLE -> %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45)
"""
def tamper(place, value):
    retVal = value
    if value:
        if place != "URI":
            retVal = ""
            i = 0
            while i < len(value):
                if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits:
                    retVal += value[i:i+3]
                    i += 3
                else:
                    retVal += '%%%X' % ord(value[i])
                    i += 1
        else:
            raise sqlmapUnsupportedFeatureException, "can't use tampering module '%s' with 'URI' type injections" % __name__
    return retVal
update of tampering modules 2010-10-13 23:51:10 +04:00			`import re`
			`import string`

			`from lib.core.exception import sqlmapUnsupportedFeatureException`

			`"""`
minor update 2010-10-14 10:20:32 +04:00			`value -> urlencode of nonencoded chars in value (e.g., SELECT%20FIELD%20FROM%20TABLE -> %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45)`
update of tampering modules 2010-10-13 23:51:10 +04:00			`"""`
			`def tamper(place, value):`
			`retVal = value`
			`if value:`
			`if place != "URI":`
			`retVal = ""`
			`i = 0`
			`while i < len(value):`
			`if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits:`
			`retVal += value[i:i+3]`
			`i += 3`
			`else:`
			`retVal += '%%%X' % ord(value[i])`
			`i += 1`
			`else:`
update 2010-10-14 00:59:06 +04:00			`raise sqlmapUnsupportedFeatureException, "can't use tampering module '%s' with 'URI' type injections" % __name__`
update of tampering modules 2010-10-13 23:51:10 +04:00			`return retVal`