sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Added Unicode-escape tamper script

Browse Source
This commit is contained in:
europa 2017-10-04 12:22:31 +02:00 committed by GitHub
parent f1c102a020
commit 3fbe2f645a
1 changed files with 42 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
tamper/charunicodeescape.py Normal file
View File

@ -0,0 +1,42 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import os
import string
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
__priority__ = PRIORITY.LOWEST
def tamper(payload, **kwargs):
"""
Unicode-escapes non-encoded characters in a given payload (not
processing already encoded)
Notes:
* Useful to bypass weak filtering and/or WAFs in JSON contexes
>>> tamper('SELECT FIELD%20FROM TABLE')
'\u0053\u0045\u004C\u0045\u0043\u0054\u0020\u0046\u0049\u0045\u004C\u0044\u0020\u0046\u0052\u004F\u004D\u0020\u0054\u0041\u0042\u004C\u0045'
"""
retVal = payload
if payload:
retVal = ""
i = 0
while i < len(payload):
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += "\\u00%s" % payload[i + 1:i + 3]
i += 3
else:
retVal += '\\u%.4X' % ord(payload[i])
i += 1
return retVal