added --tamper option

This commit is contained in:
Miroslav Stampar 2010-10-12 22:45:25 +00:00
parent 9a08f7feb8
commit 34580f56fc
6 changed files with 107 additions and 42 deletions

View File

@ -542,6 +542,45 @@ def __setDBMS():
errMsg += "fingerprint it for you." errMsg += "fingerprint it for you."
raise sqlmapUnsupportedDBMSException, errMsg raise sqlmapUnsupportedDBMSException, errMsg
def __setTamperingFunctions():
"""
Loads tampering functions from given module path(s).
"""
if conf.tamper:
kb.tamperFunctions = []
import inspect
import sys
for file in conf.tamper.split(';'):
if not file:
continue
elif not os.path.exists(file):
errMsg = "missing tampering module file '%s'" % file
raise sqlmapFilePathException, errMsg
elif os.path.splitext(file)[1] != '.py':
errMsg = "tampering module file should have an extension '.py'"
raise sqlmapSyntaxException, errMsg
dirname, filename = os.path.split(file)
dirname = os.path.abspath(dirname)
if not os.path.exists(os.path.join(dirname, '__init__.py')):
errMsg = "make sure that there is an empty file '__init__.py' "
errMsg += "inside of tampering module directory '%s'" % dirname
raise sqlmapGenericException, errMsg
if dirname not in sys.path:
sys.path.insert(0, dirname)
try:
module = __import__(filename[:-3])
except ImportError, msg:
raise sqlmapSyntaxException, "can't import module file '%s' (%s)" % (file, msg)
found = False
for name, function in inspect.getmembers(module, inspect.isfunction):
if name=="tamper" and function.func_code.co_argcount == 2:
kb.tamperFunctions.append(function)
found = True
break
if not found:
raise sqlmapGenericException, "missing function 'tamper(place, value)' in tampering module '%s'" % filename
def __setThreads(): def __setThreads():
if not isinstance(conf.threads, int) or conf.threads <= 0: if not isinstance(conf.threads, int) or conf.threads <= 0:
conf.threads = 1 conf.threads = 1
@ -1032,6 +1071,7 @@ def __setKnowledgeBaseAttributes():
kb.queryCounter = 0 kb.queryCounter = 0
kb.resumedQueries = {} kb.resumedQueries = {}
kb.stackedTest = None kb.stackedTest = None
kb.tamperFunctions = None
kb.targetUrls = set() kb.targetUrls = set()
kb.testedParams = set() kb.testedParams = set()
kb.timeTest = None kb.timeTest = None
@ -1185,6 +1225,7 @@ def init(inputOptions=advancedDict()):
__basicOptionValidation() __basicOptionValidation()
__setRequestFromFile() __setRequestFromFile()
__setMultipleTargets() __setMultipleTargets()
__setTamperingFunctions()
parseTargetUrl() parseTargetUrl()
parseTargetDirect() parseTargetDirect()

View File

@ -204,6 +204,9 @@ def cmdLineParser():
action="store_true", default=False, action="store_true", default=False,
help="Use operator BETWEEN instead of default '>'") help="Use operator BETWEEN instead of default '>'")
injection.add_option("--tamper", dest="tamper",
help="Use given module(s) for tampering injection data")
# Techniques options # Techniques options
techniques = OptionGroup(parser, "Techniques", "These options can " techniques = OptionGroup(parser, "Techniques", "These options can "
"be used to test for specific SQL injection " "be used to test for specific SQL injection "

View File

@ -306,6 +306,10 @@ class Connect:
if not place: if not place:
place = kb.injPlace place = kb.injPlace
if kb.tamperFunctions:
for function in kb.tamperFunctions:
value = function(place, value)
if "GET" in conf.parameters: if "GET" in conf.parameters:
get = conf.parameters["GET"] if place != "GET" or not value else value get = conf.parameters["GET"] if place != "GET" or not value else value

0
tamper/__init__.py Normal file
View File

6
tamper/dummy.py Normal file
View File

@ -0,0 +1,6 @@
def tamper(place, value):
print "Hi, World!"
print value
if place=="GET" and value:
value=value.upper()
return value

11
tamper/ifnull2ifisnull.py Normal file
View File

@ -0,0 +1,11 @@
import re
#not finished (watch for number of parenthesis)
#IFNULL(A,B) -> IF(ISNULL(A),B,A)
def tamper(place, value):
if value:
if value.find("IFNULL") > -1:
import pdb
pdb.set_trace()
value = re.sub(r"IFNULL(\(|%28)(?P<A>.+?)(,|%2C)(?P<B>.+?)(\)|%29)", lambda match: "IF%%28ISNULL%%28%s%%29%%2C%s%%2C%s%%29" % ("A="+match.group("A"), "B="+match.group("B"), "A="+match.group("A")), value)
return value