Update for an Issue #835

This commit is contained in:
Miroslav Stampar 2014-09-20 14:48:36 +02:00
parent 78965b8145
commit 46480d777a
4 changed files with 33 additions and 41 deletions

View File

@ -226,6 +226,9 @@ Daniel Huckmann, <sanitybit@gmail.com>
Daliev Ilya, <daliser@yandex.ru> Daliev Ilya, <daliser@yandex.ru>
* for reporting a bug * for reporting a bug
Mehmet İnce, <mehmet@mehmetince.net>
* for contributing a tamper script xforwardedfor.py
Jovon Itwaru, <jovon.itwaru@gmail.com> Jovon Itwaru, <jovon.itwaru@gmail.com>
* for reporting a minor bug * for reporting a minor bug

View File

@ -1,40 +0,0 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.enums import PRIORITY
from random import randrange
__priority__ = PRIORITY.NORMAL
def dependencies():
pass
def generateIP():
blockOne = randrange(0, 255, 1)
blockTwo = randrange(0, 255, 1)
blockThree = randrange(0, 255, 1)
blockFour = randrange(0, 255, 1)
if blockOne == 10:
return generateIP()
elif blockOne == 172:
return generateIP()
elif blockOne == 192:
return generateIP()
else:
return str(blockOne) + '.' + str(blockTwo) + '.' + str(blockThree) + '.' + str(blockFour)
def tamper(payload, **kwargs):
"""
Append a HTTP Request Parameter to bypass
WAF (usually application based ) Ban
protection bypass.
Mehmet INCE
"""
headers = kwargs.get("headers", {})
headers["X-Forwarded-For"] = generateIP()
return payload

View File

@ -14,7 +14,7 @@ def dependencies():
def tamper(payload, **kwargs): def tamper(payload, **kwargs):
""" """
Append a HTTP Request Parameter to bypass Append a HTTP header 'X-originating-IP' to bypass
WAF Protection of Varnish Firewall WAF Protection of Varnish Firewall
Notes: Notes:

29
tamper/xforwardedfor.py Normal file
View File

@ -0,0 +1,29 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.enums import PRIORITY
from random import sample
__priority__ = PRIORITY.NORMAL
def dependencies():
pass
def randomIP():
numbers = []
while not numbers or numbers[0] in (10, 172, 192):
numbers = sample(xrange(1, 255), 4)
return '.'.join(str(_) for _ in numbers)
def tamper(payload, **kwargs):
"""
Append a fake HTTP header 'X-Forwarded-For' to bypass
WAF (usually application based) protection
"""
headers = kwargs.get("headers", {})
headers["X-Forwarded-For"] = randomIP()
return payload