From 45852431754c95be3c6fc03b8de990bb13deaef6 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar
Date: Wed, 1 Feb 2023 13:53:19 +0100
Subject: [PATCH] Implements tamper script if2case (#5301)
---
 lib/core/settings.py | 2 +-
 tamper/if2case.py | 67 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 68 insertions(+), 1 deletion(-)
 create mode 100644 tamper/if2case.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
index 93a8da31e..54160a195 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -20,7 +20,7 @@ from thirdparty import six
 from thirdparty.six import unichr as _unichr
 
 # sqlmap version (...)
-VERSION = "1.7.1.12"
+VERSION = "1.7.2.0"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/tamper/if2case.py b/tamper/if2case.py
new file mode 100644
index 000000000..9e82459fa
--- /dev/null
+++ b/tamper/if2case.py
@@ -0,0 +1,67 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.compat import xrange
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.HIGHEST
+
+def dependencies():
+ pass
+
+def tamper(payload, **kwargs):
+ """
+ Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart
+
+ Requirement:
+ * MySQL
+ * SQLite (possibly)
+ * SAP MaxDB (possibly)
+
+ Tested against:
+ * MySQL 5.0 and 5.5
+
+ Notes:
+ * Useful to bypass very weak and bespoke web application firewalls
+ that filter the IF() functions
+
+ >>> tamper('IF(1, 2, 3)')
+ 'CASE WHEN (1) THEN (2) ELSE (3) END'
+ >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)')
+ 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END'
+ """
+
+ if payload and payload.find("IF") > -1:
+ while payload.find("IF(") > -1:
+ index = payload.find("IF(")
+ depth = 1
+ commas, end = [], None
+
+ for i in xrange(index + len("IF("), len(payload)):
+ if depth == 1 and payload[i] == ',':
+ commas.append(i)
+
+ elif depth == 1 and payload[i] == ')':
+ end = i
+ break
+
+ elif payload[i] == '(':
+ depth += 1
+
+ elif payload[i] == ')':
+ depth -= 1
+
+ if len(commas) == 2 and end:
+ a = payload[index + len("IF("):commas[0]].strip("()")
+ b = payload[commas[0] + 1:commas[1]].lstrip().strip("()")
+ c = payload[commas[1] + 1:end].lstrip().strip("()")
+ newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c)
+ payload = payload[:index] + newVal + payload[end + 1:]
+ else:
+ break
+
+ return payload
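Review bot: The `.strip("()")` on the three IF() arguments (the `a`, `b`, `c` assignments inside the `if len(commas) == 2 and end:` branch) removes leading and trailing parentheses without regard to balance, so an argument that ends with a call such as `SLEEP(5)` becomes `SLEEP(5` and the rewritten payload reads `THEN (SLEEP(5)` with an unclosed parenthesis; a condition like `ISNULL(x)` breaks the same way. Only a pair of parentheses that encloses the whole argument should be dropped, which keeps both doctests passing; the helper below does that and the three assignments become `a = _unwrap(payload[index + len("IF("):commas[0]])` and likewise for `b` and `c`. A smaller point is that `payload.find("IF(")` has no identifier-boundary check, so a token such as `IIF(` would be rewritten from its second character; presumably checking that `payload[index - 1]` is neither alphanumeric nor `_` would avoid that. Neither the depth scan nor the helper accounts for parentheses inside quoted string literals, which is a limitation worth stating in the docstring's Notes.
```python
def _unwrap(value):
    # Drop enclosing parentheses only when one pair wraps the whole argument,
    # so 'SLEEP(5)' or 'ASCII(x)>1' keep their own parentheses intact
    value = value.strip()
    while value.startswith('(') and value.endswith(')'):
        depth = 0
        for i, char in enumerate(value):
            if char == '(':
                depth += 1
            elif char == ')':
                depth -= 1
                if depth == 0 and i != len(value) - 1:
                    return value
        value = value[1:-1].strip()
    return value

# … unchanged: dependencies(), tamper() docstring and the depth scan …
            if len(commas) == 2 and end:
                a = _unwrap(payload[index + len("IF("):commas[0]])
                b = _unwrap(payload[commas[0] + 1:commas[1]])
                c = _unwrap(payload[commas[1] + 1:end])
```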