sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2025-07-27 08:30:10 +03:00
Code Issues Packages Projects Releases Wiki Activity

new tamper script

Browse Source 
works with time-based queries
This commit is contained in:
antichown 2020-09-16 23:23:09 +03:00 committed by GitHub
parent 192ca02c41
commit 8900993205
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 40 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
tamper/sleepgetlock.py Normal file
View File

@ -0,0 +1,40 @@
#!/usr/bin/env python
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST
def dependencies():
pass
def tamper(payload, **kwargs):
"""
Replaces instances like 'SLEEP(A)' with "get_lock('do9gy',A)"
Requirement:
* MySQL
Tested against:
* MySQL 5.0 and 5.5
Notes:
* Useful to bypass very weak and bespoke web application firewalls
that filter the SLEEP() and BENCHMARK() functions
>>> tamper('SLEEP(2)')
"get_lock('do9gy',2)"
"""
if payload and payload.find("SLEEP") > -1:
while payload.find("SLEEP(") > -1:
index = payload.find("SLEEP(")
depth = 1
num = payload[index+6]
newVal = "get_lock('do9gy',%s)" % (num)
payload = payload[:index] + newVal + payload[index+8:]
return payload