added concept of tamper script priority

2024-11-22 01:26:42 +03:00 · 2010-11-04 10:29:40 +00:00 · 2010-11-04 10:29:40 +00:00 · 18aea251b3
commit 18aea251b3
parent 303359e8b1
13 changed files with 85 additions and 1 deletions
--- a/lib/core/common.py
+++ b/lib/core/common.py
@ -110,7 +110,6 @@ class DynamicContentItem:
        self.lineContentBefore = lineContentBefore
        self.lineContentAfter = lineContentAfter

-
 def paramToDict(place, parameters=None):
    """
    Split the parameters into names and values, check if these parameters
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -31,6 +31,7 @@ from lib.core.common import parseTargetDirect
 from lib.core.common import parseTargetUrl
 from lib.core.common import paths
 from lib.core.common import randomRange
+from lib.core.common import readInput
 from lib.core.common import runningAsAdmin
 from lib.core.common import sanitizeStr
 from lib.core.common import UnicodeRawConfigParser
@ -47,7 +48,9 @@ from lib.core.exception import sqlmapMissingMandatoryOptionException
 from lib.core.exception import sqlmapMissingPrivileges
 from lib.core.exception import sqlmapSyntaxException
 from lib.core.exception import sqlmapUnsupportedDBMSException
+from lib.core.exception import sqlmapUserQuitException
 from lib.core.optiondict import optDict
+from lib.core.priority import PRIORITY
 from lib.core.settings import IS_WIN
 from lib.core.settings import PLATFORM
 from lib.core.settings import PYVERSION
@ -521,6 +524,11 @@ def __setTamperingFunctions():
    """

    if conf.tamper:
+        last_priority = PRIORITY.LOWEST
+        check_priority = True
+        resolve_priorities = False
+        priorities = []
+
        for tfile in conf.tamper.split(','):
            found = False

@ -556,16 +564,41 @@ def __setTamperingFunctions():
            except ImportError, msg:
                raise sqlmapSyntaxException, "can not import tamper script '%s' (%s)" % (filename[:-3], msg)

+            priority = PRIORITY.NORMAL if not hasattr(module, '__priority__') else module.__priority__
+
            for name, function in inspect.getmembers(module, inspect.isfunction):
                if name == "tamper" and function.func_code.co_argcount == 1:
                    kb.tamperFunctions.append(function)
                    found = True

+                    if check_priority and priority < last_priority:
+                        message  = "it seems that you've probably "
+                        message += "mixed order of tamper scripts.\n"
+                        message += "do you want to auto resolve this? [Y/n/q]"
+                        test = readInput(message, default="Y")
+
+                        if not test or test[0] in ("y", "Y"):
+                            resolve_priorities = True
+                        elif test[0] in ("n", "N"):
+                            resolve_priorities = False
+                        elif test[0] in ("q", "Q"):
+                            raise sqlmapUserQuitException
+
+                        check_priority = False
+
+                    priorities.append((priority, function))
+                    last_priority = priority
                    break

            if not found:
                raise sqlmapGenericException, "missing function 'tamper(value)' in tamper script '%s'" % tfile

+        if resolve_priorities and priorities:
+            priorities.sort()
+            kb.tamperFunctions = []
+            for _, function in priorities:
+                kb.tamperFunctions.append(function)
+
 def __setThreads():
    if not isinstance(conf.threads, int) or conf.threads <= 0:
        conf.threads = 1
--- a/lib/core/priority.py
+++ b/lib/core/priority.py
@ -0,0 +1,17 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+class PRIORITY:
+    LOWEST  = -100
+    LOWER   = -50
+    LOW     = -10
+    NORMAL  = 0
+    HIGH    = 10
+    HIGHER  = 50
+    HIGHEST = 100
--- a/tamper/between.py
+++ b/tamper/between.py
@ -7,6 +7,10 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """

+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.HIGHEST
+
 def tamper(value):
    """
    Replaces '>' with 'NOT BETWEEN 0 AND #'
--- a/tamper/charencode.py
+++ b/tamper/charencode.py
@ -10,6 +10,9 @@ See the file 'doc/COPYING' for copying permission
 import string

 from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.LOWEST

 def tamper(value):
    """
--- a/tamper/charunicodeencode.py
+++ b/tamper/charunicodeencode.py
@ -10,6 +10,9 @@ See the file 'doc/COPYING' for copying permission
 import string

 from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.LOWEST

 def tamper(value):
    """
--- a/tamper/ifnull2ifisnull.py
+++ b/tamper/ifnull2ifisnull.py
@ -7,6 +7,10 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """

+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.HIGHEST
+
 def tamper(value):
    """
    Replaces 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
--- a/tamper/randomcase.py
+++ b/tamper/randomcase.py
@ -11,6 +11,9 @@ import re

 from lib.core.common import randomRange
 from lib.core.data import kb
+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.NORMAL

 def tamper(value):
    """
--- a/tamper/randomcomments.py
+++ b/tamper/randomcomments.py
@ -11,6 +11,9 @@ import re

 from lib.core.common import randomRange
 from lib.core.data import kb
+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.LOW

 def tamper(value):
    """
--- a/tamper/space2comment.py
+++ b/tamper/space2comment.py
@ -7,6 +7,10 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """

+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
 def tamper(value):
    """
    Replaces ' ' with '/**/'
--- a/tamper/space2plus.py
+++ b/tamper/space2plus.py
@ -7,6 +7,10 @@ Copyright (c) 2006-2010 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """

+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
 def tamper(value):
    """
    Replaces ' ' with '+'
--- a/tamper/space2randomblank.py
+++ b/tamper/space2randomblank.py
@ -9,6 +9,10 @@ See the file 'doc/COPYING' for copying permission

 import random

+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
 def tamper(value):
    """
    Replaces ' ' with a random blank char from a set ('\r', '\n', '\t')
--- a/tamper/urlencode.py
+++ b/tamper/urlencode.py
@ -9,6 +9,9 @@ See the file 'doc/COPYING' for copying permission

 from lib.core.convert import urlencode
 from lib.core.exception import sqlmapUnsupportedFeatureException
+from lib.core.priority import PRIORITY
+
+__priority__ = PRIORITY.LOWER

 def tamper(value):
    """