From 694b5bb5c028c7e7d38b1c94f8788036b54dd737 Mon Sep 17 00:00:00 2001
From: Miroslav Stampar <miroslav.stampar@gmail.com>
Date: Wed, 30 May 2018 15:48:16 +0200
Subject: [PATCH] New tamper script (per user request)

---
 lib/core/settings.py |  2 +-
 tamper/0x2char.py    | 42 ++++++++++++++++++++++++++++++++++++++++++
 txt/checksum.md5     |  3 ++-
 3 files changed, 45 insertions(+), 2 deletions(-)
 create mode 100644 tamper/0x2char.py

diff --git a/lib/core/settings.py b/lib/core/settings.py
index 65c3e8f97..624222b07 100644
--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
 from lib.core.enums import OS
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.2.5.23"
+VERSION = "1.2.5.24"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/tamper/0x2char.py b/tamper/0x2char.py
new file mode 100644
index 000000000..f08a434e5
--- /dev/null
+++ b/tamper/0x2char.py
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
+See the file 'LICENSE' for copying permission
+"""
+
+import re
+
+from lib.core.data import kb
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.NORMAL
+
+def dependencies():
+    pass
+
+def tamper(payload, **kwargs):
+    """
+    Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),...) counterpart
+
+    Tested against:
+        * MySQL 4, 5.0 and 5.5
+
+    Notes:
+        * Useful in cases when web application does the upper casing
+
+    >>> tamper('SELECT 0xdeadbeef')
+    'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))'
+    """
+
+    retVal = payload
+
+    if payload:
+        for match in re.finditer(r"\b0x([0-9a-f]+)\b", retVal):
+            if len(match.group(1)) > 2:
+                result = "CONCAT(%s)" % ','.join("CHAR(%d)" % ord(_) for _ in match.group(1).decode("hex"))
+            else:
+                result = "CHAR(%d)" % ord(match.group(1).decode("hex"))
+            retVal = retVal.replace(match.group(0), result)
+
+    return retVal
diff --git a/txt/checksum.md5 b/txt/checksum.md5
index 24ec8962f..aa08dc707 100644
--- a/txt/checksum.md5
+++ b/txt/checksum.md5
@@ -47,7 +47,7 @@ c9a56e58984420a5abb7a3f7aadc196d  lib/core/optiondict.py
 0c3eef46bdbf87e29a3f95f90240d192  lib/core/replication.py
 a7db43859b61569b601b97f187dd31c5  lib/core/revision.py
 fcb74fcc9577523524659ec49e2e964b  lib/core/session.py
-dbf72e4b82773ade88cc34a53f80abcb  lib/core/settings.py
+dcdc0a7179010067fdbf8ad1fa9ab09e  lib/core/settings.py
 0dfc2ed40adf72e302291f6ecd4406f6  lib/core/shell.py
 a7edc9250d13af36ac0108f259859c19  lib/core/subprocessng.py
 6306284edcccc185b2df085438572b0d  lib/core/target.py
@@ -226,6 +226,7 @@ ec2ba8c757ac96425dcd2b97970edd3a  shell/stagers/stager.asp_
 2f9e459a4cf6a58680978cdce5ff7971  shell/stagers/stager.php_
 4eaeef94314956e4517e5310a28d579a  sqlmapapi.py
 5c8583dd47f92935ceb41210a10eeebf  sqlmap.py
+b2c2cc55ba4e31bea94494dcafe5d8cc  tamper/0x2char.py
 4c3b8a7daa4bff52e01d4168be0eedbe  tamper/apostrophemask.py
 4115a55b8aba464723d645b7d3156b6e  tamper/apostrophenullencode.py
 d7e9a979eff4d7315d804a181e66fc93  tamper/appendnullbyte.py