From 98e449e38c2c014b0793e48840e72fd4068c1853 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Fri, 17 Feb 2017 10:26:25 +0100 Subject: [PATCH] Adding plus2fnconcat tamper script (Issue #2396) --- lib/core/settings.py | 2 +- tamper/plus2concat.py | 3 ++ tamper/plus2fnconcat.py | 89 +++++++++++++++++++++++++++++++++++++++++ txt/checksum.md5 | 5 ++- 4 files changed, 96 insertions(+), 3 deletions(-) create mode 100644 tamper/plus2fnconcat.py diff --git a/lib/core/settings.py b/lib/core/settings.py index d55ebe7ae..8f7353563 100755 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME from lib.core.enums import OS # sqlmap version (...) -VERSION = "1.1.2.9" +VERSION = "1.1.2.10" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/tamper/plus2concat.py b/tamper/plus2concat.py index 343391ffa..77f6c104c 100644 --- a/tamper/plus2concat.py +++ b/tamper/plus2concat.py @@ -30,6 +30,9 @@ def tamper(payload, **kwargs): >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL') 'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL' + + >>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL') + 'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL' """ retVal = payload diff --git a/tamper/plus2fnconcat.py b/tamper/plus2fnconcat.py new file mode 100644 index 000000000..a7b4fe9a8 --- /dev/null +++ b/tamper/plus2fnconcat.py 
@@ -0,0 +1,89 @@ +#!/usr/bin/env python + +""" +Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/) +See the file 'doc/COPYING' for copying permission +""" + +import re + +from lib.core.common import zeroDepthSearch +from lib.core.enums import PRIORITY + +__priority__ = PRIORITY.HIGHEST + +def dependencies(): + pass + +def tamper(payload, **kwargs): + """ + Replaces plus ('+') character with ODBC function {fn CONCAT()} + + Tested against: + * Microsoft SQL Server 2008 + + Requirements: + * Microsoft SQL Server 2008+ + + Notes: + * Useful in case ('+') character is filtered + * https://msdn.microsoft.com/en-us/library/bb630290.aspx + + >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL') + 'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL' + + >>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL') + 'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL' + """ + + retVal = payload + + if payload: + while True: + indexes = zeroDepthSearch(retVal, '+') + + if indexes: + first, last = 0, 0 + for i in xrange(1, len(indexes)): + if ' ' in retVal[indexes[0]:indexes[i]]: + break + else: + last = i + + start = retVal[:indexes[first]].rfind(' ') + 1 + end = (retVal[indexes[last] + 1:].find(' ') + indexes[last] + 1) if ' ' in retVal[indexes[last] + 1:] else len(retVal) - 1 + + count = 0 + chars = [char for char in retVal] + for index in indexes[first:last + 1]: + if count == 0: + chars[index] = ',' + else: + chars[index] = '\x01' + count += 1 + + retVal = "%s%s%s)}%s" % (retVal[:start], "{fn CONCAT(" * count, ''.join(chars)[start:end].replace('\x01', ")},"), retVal[end:]) + else: + match = re.search(r"\((CHAR\(\d+.+CHAR\(\d+\))\)", retVal) + if match: + part = match.group(0) + indexes = set(zeroDepthSearch(match.group(1), '+')) + if not indexes: + break + + count = 0 + chars = [char for char in part] + for i in xrange(1, len(chars)): + if i - 1 in indexes: + if count == 0: + chars[i] = ',' + else: + 
chars[i] = '\x01' + count += 1 + + replacement = "%s%s}" % (("{fn CONCAT(" * count)[:-1], "".join(chars).replace('\x01', ")},")) + retVal = retVal.replace(part, replacement) + else: + break + + return retVal diff --git a/txt/checksum.md5 b/txt/checksum.md5 index fc74e9ff3..58ea87763 100644 --- a/txt/checksum.md5 +++ b/txt/checksum.md5 @@ -45,7 +45,7 @@ e544108e2238d756c94a240e8a1ce061 lib/core/optiondict.py d8e9250f3775119df07e9070eddccd16 lib/core/replication.py 785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py 40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py -f108158ecd5c238a5f94f6f80d5f4c1a lib/core/settings.py +001e41795dfa7fe8c8cea3dfba9f7d60 lib/core/settings.py d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py 2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py afd0636d2e93c23f4f0a5c9b6023ea17 lib/core/target.py @@ -252,7 +252,8 @@ a3a0e76922b4f40f422a0daca4e71af3 tamper/htmlencode.py 54e1793f30c755202ee1acaacfac45fb tamper/nonrecursivereplacement.py 00ba60e5869055aaa7ba0cd23b5ed1f4 tamper/overlongutf8.py 3cadacb0f39de03e0f8612c656104e03 tamper/percentage.py -dfaa889d125c34c7b2b468012d2b5279 tamper/plus2concat.py +3e09fc9f1a6f3fee03f9213aaee97191 tamper/plus2concat.py +7a18480b27d62eb574cf0150a57e81b1 tamper/plus2fnconcat.py 24753ed4e8ceab6f1a1fc13ee621943b tamper/randomcase.py 4d5fdfe77668fa44967e1d44f8a50ce7 tamper/randomcomments.py 22561b429f41fc0bdd23e36b9a8de9e5 tamper/securesphere.py
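Review bot: In tamper/plus2fnconcat.py, the first branch of `tamper()` falls back to `len(retVal) - 1` for `end` when no space follows the last '+', so a concatenation that runs to the end of the payload leaves its final character outside the wrapped expression. Assuming `zeroDepthSearch` returns the offsets of the top-level '+' characters, an input of `'CHAR(113)+CHAR(114)'` would come out as `{fn CONCAT(CHAR(113),CHAR(114)})`, with the closing `)}` placed before the last `)` instead of after it. The fallback should be the full length, i.e. `... if ' ' in retVal[indexes[last] + 1:] else len(retVal)`. Both doctests end in ` FROM DUAL`, so this path is never exercised; a third doctest with the expression as the last token of the string would pin the behaviour.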