Added two tamper scripts contributed by Roberto Salgado

2025-02-23 15:10:50 +03:00 · 2011-07-07 18:45:07 +00:00 · 2011-07-07 18:45:07 +00:00 · 736327c893
commit 736327c893
parent 067354b97f
3 changed files with 125 additions and 23 deletions
--- a/doc/THANKS
+++ b/doc/THANKS
@ -39,7 +39,8 @@ Daniele Bellucci <daniele.bellucci@gmail.com>

 Sebastian Bittig <s.bittig@r-tec.net> and the rest of the team at
 r-tec IT Systeme GmbH
-    for providing with the DB2 fingerprint and enumeration support patch
+    for contributing the DB2 support initial patch: fingerprint and
+    enumeration

 Anthony Boynes <aboynes@gmail.com>
    for reporting several bugs
@ -54,7 +55,7 @@ Gianluca Brindisi <g@brindi.si>
    for reporting a couple of bugs

 Jack Butler <fattredd@hotmail.com>
-    for providing me with the sqlmap site favicon
+    for contributing the sqlmap site favicon

 Ulisses Castro <uss.thebug@gmail.com>
    for reporting a bug
@ -70,7 +71,7 @@ Cesar Cerrudo <cesar@argeniss.com>
    http://www.argeniss.com/research/TokenKidnapping.pdf

 Karl Chen <quarl@cs.berkeley.edu>
-    for providing with the multithreading patch for the inference
+    for contributing the initial multi-threading patch for the inference
    algorithm

 Y P Chien <ypchien@cox.net>
@ -113,9 +114,9 @@ Adam Faheem <faheem.adam@is.co.za>
    for reporting a few bugs

 James Fisher <www@sittinglittleduck.com>
-    for providing me with two very good feature requests
+    for contributing two very good feature requests
    for his great tool too brute force directories and files names on
-    web/application servers, Dir Buster, http://tinyurl.com/dirbuster
+    web/application servers, DirBuster, http://tinyurl.com/dirbuster

 Jim Forster <jimforster@goldenwest.com>
    for reporting a bug
@ -161,7 +162,7 @@ Nico Golde <nico@ngolde.de>

 Oliver Gruskovnjak <oliver.gruskovnjak@gmail.com>
    for reporting a bug
-    for providing me with a minor patch
+    for contributing a minor patch

 Davide Guerri <d.guerri@caspur.it>
    for suggesting an enhancement
@ -227,7 +228,7 @@ Sven Klemm <sven@c3d2.de>
    for reporting two minor bugs with PostgreSQL

 Anant Kochhar <anant.kochhar@secureyes.net>
-    for providing me with feedback on the user's manual
+    for providing with feedback on the user's manual

 Alexander Kornbrust <ak@red-database-security.com>
    for reporting a couple of bugs
@ -239,10 +240,10 @@ Nicolas Krassas <krasn@deventum.com>
    for reporting a couple of bugs

 Oliver Kuckertz <oliver.kuckertz@mologie.de>
-    for providing a minor patch
+    for contributing a minor patch

 Alex Landa <landa.alex86@gmail.com>
-    for providing a patch adding support for XML output
+    for contributing a patch adding beta support for XML output

 Guido Landi <lists@keamera.org>
    for reporting a couple of bugs
@ -262,7 +263,7 @@ John J. Lee <jjl@pobox.com> & others
    forms when --forms switch is specified

 Nico Leidecker <nico@leidecker.info>
-    for providing me with feedback on a few features
+    for providing with feedback on a few features
    for reporting a couple of bugs
    for his great tool icmpsh included in sqlmap tree to get a command
    prompt via an out-of-band tunnel over ICMP,
@ -289,8 +290,7 @@ Michael Majchrowicz <mmajchrowicz@gmail.com>
    for suggesting a lot of ideas and features

 Ferruh Mavituna <ferruh@mavituna.com>
-    for providing me with ideas on the implementation of a couple of
-    new features
+    for sharing ideas on the implementation of a couple of features

 David McNab <david@conscious.co.nz>
    for his XMLObject module that allows XML files to be operated on 
@ -300,11 +300,11 @@ Spencer J. McIntyre <smcintyre@securestate.com>
    for reporting a minor bug

 Ahmad Maulana <matdhule@gmail.com>
-    for providing one tamper scripts, halfversionedmorekeywords.py
+    for contributing one tamper scripts, halfversionedmorekeywords.py

 Enrico Milanese <enricomilanese@gmail.com>
-    for reporting a bugs when using (-a) a single line User-Agent file
-    for providing me with some ideas for the PHP backdoor
+    for reporting a minor bug
+    for sharing some ideas for the PHP backdoor

 Devon Mitchell <devon.mitchell1988@yahoo.com>
    for reporting a minor bug
@ -342,7 +342,7 @@ Shaohua Pan <pan@knownsec.com>
    for suggesting a few features

 Antonio Parata <s4tan@ictsc.it>
-    for providing me with some ideas for the PHP backdoor
+    for sharing some ideas for the PHP backdoor

 Adrian Pastor <ap@gnucitizen.org>
    for donating to sqlmap development
@ -358,7 +358,7 @@ Mark Pilgrim <mark@diveintomark.org>

 Steve Pinkham <steve.pinkham@gmail.com>
    for suggesting a feature
-    for providing a new sql injection vector (MSSQL time based)
+    for contributing a new SQL injection vector (MSSQL time-based blind)
    for donating to sqlmap development

 Adam Pridgen <adam.pridgen@gmail.com>
@ -402,6 +402,9 @@ Richard Safran <allapplyhere@yahoo.com>
 Tomoyuki Sakurai <cherry@trombik.org>
    for submitting to the FreeBSD project the sqlmap 0.5 port

+Roberto Salgado <lightos@gmail.com>
+    for contributing two tamper scripts
+
 Pedro Jacques Santos Santiago <pedro__jacques@hotmail.com>
    for reporting considerable amount of bugs

@ -415,7 +418,7 @@ Jorge Santos <jorge_a_santos@hotmail.com>
    for reporting a minor bug

 Sven Schluter <sschlueter@netzwerk.cc>
-    for providing with a patch for waiting a number of seconds between
+    for contributing a patch for waiting a number of seconds between
    each HTTP request

 Ryan Sears <rdsears@mtu.edu>
@ -433,8 +436,7 @@ Brian Shura <bshura@appsecconsulting.com>
    for reporting a bug

 Sumit Siddharth <sid@notsosecure.com>
-    for providing me with ideas on the implementation of a couple of
-    features
+    for sharing ideas on the implementation of a couple of features

 Andre Silva <andreoaz@gmail.com>
    for reporting a bug
@ -458,7 +460,7 @@ Jason Swan <jasoneswan@gmail.com>
    for suggesting a couple of improvements

 Chilik Tamir <phenoman@gmail.com>
-    for providing a patch for initial support SOAP requests
+    for contributing a patch for initial support SOAP requests

 Alessandro Tanasi <alessandro@tanasi.it>
    for extensively beta-testing sqlmap
@ -466,7 +468,7 @@ Alessandro Tanasi <alessandro@tanasi.it>
    for reviewing the documentation

 Andres Tarasco <atarasco@gmail.com>
-    for providing me with good feedback
+    for contributing good feedback

 Tom Thumb <k1971@live.co.uk>
    for reporting a major bug
@ -505,7 +507,7 @@ Carlos Gabriel Vergara <carlosgabrielvergara@gmail.com>
    for suggesting couple of good features

 Anthony Zboralski <anthony.zboralski@bellua.com>
-    for providing me with detailed feedback
+    for providing with detailed feedback
    for reporting a few minor bugs
    for donating to sqlmap development

--- a/tamper/chardoubleencode.py
+++ b/tamper/chardoubleencode.py
@ -0,0 +1,48 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import string
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def dependencies():
+    pass
+
+def tamper(payload):
+    """
+    Double url-encodes all characters in a given payload (not processing
+    already encoded)
+
+    Example:
+        * Input: SELECT FIELD FROM%20TABLE
+        * Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545
+
+    Notes:
+        * Useful to bypass some weak web application firewalls that do not
+          double url-decode the request before processing it through their
+          ruleset
+    """
+
+    retVal = payload
+
+    if payload:
+        retVal = ""
+        i = 0
+
+        while i < len(payload):
+            if payload[i] == '%' and (i < len(payload) - 2) and payload[i+1] in string.hexdigits and payload[i+2] in string.hexdigits:
+                retVal += payload[i:i+3]
+                i += 3
+            else:
+                retVal += '%%25%X' % ord(payload[i])
+                i += 1
+
+    return retVal
--- a/tamper/space2pound.py
+++ b/tamper/space2pound.py
@ -0,0 +1,52 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+import random
+import string
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def dependencies():
+    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__)[:-3], DBMS.MYSQL))
+
+def tamper(payload):
+    """
+    Replaces space character (' ') with a pound character ('#') followed by
+    a random string and a new line ('\n')
+
+    Example:
+        * Input: 1 AND 9227=9227
+        * Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
+
+    Requirement:
+        * MySQL
+
+    Tested against:
+        * MySQL 5.0
+
+    Notes:
+        * Useful to bypass several web application firewalls
+    """
+
+    retVal = ""
+
+    if payload:
+        for i in xrange(len(payload)):
+            if payload[i].isspace():
+                randomStr = ''.join(random.choice(string.ascii_uppercase + string.lowercase) for x in range(random.randint(6, 12)))
+                retVal += "%%23%s%%0A" % randomStr
+            else:
+                retVal += payload[i]
+
+    return retVal