sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-08-04 04:10:10 +03:00
Code Issues Packages Projects Releases Wiki Activity

Remove appending of --+

Browse Source 
For some reason this tamper script automatically adds --+ in some cases. Unless I'm mistaken, normally this is something that should be handled by the different payloads (payloads.xml). I have found cases where using this script failed because it would add --+ even though the payload was trying to use #, and the application in question was blacklisting on --. Removing these lines allowed the script to work and payloads using either -- or # should work as normal.

Is there some particular reason for wanting to auto-add --+ within this tamper script?
This commit is contained in:
securitygeneration 2014-06-07 11:58:27 +01:00
parent 54be398e83
commit 022506580a
1 changed files with 2 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
tamper/unmagicquotes.py
View File

@ -20,7 +20,8 @@ def tamper(payload, **kwargs):
generic comment at the end (to make it work) generic comment at the end (to make it work)
Notes: Notes:
* Useful for bypassing magic_quotes/addslashes feature * Useful for bypassing mysql_real_escape_string/magic_quotes/addslashes feature
* Particularly for servers using GBK encoding
Reference: Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
@ -43,8 +44,4 @@ def tamper(payload, **kwargs):
retVal += payload[i] retVal += payload[i]
continue continue
if found:
retVal = re.sub("\s*(AND|OR)[\s(]+'[^']+'\s*(=|LIKE)\s*'.*", "", retVal)
retVal += "-- "
return retVal return retVal