sqlmapproject/sqlmap
1
1
Fork 0
mirror of https://github.com/sqlmapproject/sqlmap.git synced 2024-11-22 09:36:35 +03:00
Code Issues Packages Projects Releases Wiki Activity

Adding plus2fnconcat tamper script (Issue #2396)

Browse Source
This commit is contained in:
Miroslav Stampar 2017-02-17 10:26:25 +01:00
parent 9acf122ba6
commit 98e449e38c
4 changed files with 96 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
lib/core/settings.py
View File

@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
from lib.core.enums import OS from lib.core.enums import OS
# sqlmap version (<major>.<minor>.<month>.<monthly commit>) # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
VERSION = "1.1.2.9" VERSION = "1.1.2.10"
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)

3
tamper/plus2concat.py
View File

@ -30,6 +30,9 @@ def tamper(payload, **kwargs):
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL') >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL' 'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
>>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL')
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
""" """
retVal = payload retVal = payload

89
tamper/plus2fnconcat.py Normal file
View File

@ -0,0 +1,89 @@
#!/usr/bin/env python
"""
Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
import re
from lib.core.common import zeroDepthSearch
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST
def dependencies():
pass
def tamper(payload, **kwargs):
"""
Replaces plus ('+') character with ODBC function {fn CONCAT()}
Tested against:
* Microsoft SQL Server 2008
Requirements:
* Microsoft SQL Server 2008+
Notes:
* Useful in case ('+') character is filtered
* https://msdn.microsoft.com/en-us/library/bb630290.aspx
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'
>>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL')
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'
"""
retVal = payload
if payload:
while True:
indexes = zeroDepthSearch(retVal, '+')
if indexes:
first, last = 0, 0
for i in xrange(1, len(indexes)):
if ' ' in retVal[indexes[0]:indexes[i]]:
break
else:
last = i
start = retVal[:indexes[first]].rfind(' ') + 1
end = (retVal[indexes[last] + 1:].find(' ') + indexes[last] + 1) if ' ' in retVal[indexes[last] + 1:] else len(retVal) - 1
count = 0
chars = [char for char in retVal]
for index in indexes[first:last + 1]:
if count == 0:
chars[index] = ','
else:
chars[index] = '\x01'
count += 1
retVal = "%s%s%s)}%s" % (retVal[:start], "{fn CONCAT(" * count, ''.join(chars)[start:end].replace('\x01', ")},"), retVal[end:])
else:
match = re.search(r"\((CHAR\(\d+.+CHAR\(\d+\))\)", retVal)
if match:
part = match.group(0)
indexes = set(zeroDepthSearch(match.group(1), '+'))
if not indexes:
break
count = 0
chars = [char for char in part]
for i in xrange(1, len(chars)):
if i - 1 in indexes:
if count == 0:
chars[i] = ','
else:
chars[i] = '\x01'
count += 1
replacement = "%s%s}" % (("{fn CONCAT(" * count)[:-1], "".join(chars).replace('\x01', ")},"))
retVal = retVal.replace(part, replacement)
else:
break
return retVal

5
txt/checksum.md5
View File

@ -45,7 +45,7 @@ e544108e2238d756c94a240e8a1ce061 lib/core/optiondict.py
d8e9250f3775119df07e9070eddccd16 lib/core/replication.py d8e9250f3775119df07e9070eddccd16 lib/core/replication.py
785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py 785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py
40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py 40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py
f108158ecd5c238a5f94f6f80d5f4c1a lib/core/settings.py 001e41795dfa7fe8c8cea3dfba9f7d60 lib/core/settings.py
d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py
2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py 2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py
afd0636d2e93c23f4f0a5c9b6023ea17 lib/core/target.py afd0636d2e93c23f4f0a5c9b6023ea17 lib/core/target.py
@ -252,7 +252,8 @@ a3a0e76922b4f40f422a0daca4e71af3 tamper/htmlencode.py
54e1793f30c755202ee1acaacfac45fb tamper/nonrecursivereplacement.py 54e1793f30c755202ee1acaacfac45fb tamper/nonrecursivereplacement.py
00ba60e5869055aaa7ba0cd23b5ed1f4 tamper/overlongutf8.py 00ba60e5869055aaa7ba0cd23b5ed1f4 tamper/overlongutf8.py
3cadacb0f39de03e0f8612c656104e03 tamper/percentage.py 3cadacb0f39de03e0f8612c656104e03 tamper/percentage.py
dfaa889d125c34c7b2b468012d2b5279 tamper/plus2concat.py 3e09fc9f1a6f3fee03f9213aaee97191 tamper/plus2concat.py
7a18480b27d62eb574cf0150a57e81b1 tamper/plus2fnconcat.py
24753ed4e8ceab6f1a1fc13ee621943b tamper/randomcase.py 24753ed4e8ceab6f1a1fc13ee621943b tamper/randomcase.py
4d5fdfe77668fa44967e1d44f8a50ce7 tamper/randomcomments.py 4d5fdfe77668fa44967e1d44f8a50ce7 tamper/randomcomments.py
22561b429f41fc0bdd23e36b9a8de9e5 tamper/securesphere.py 22561b429f41fc0bdd23e36b9a8de9e5 tamper/securesphere.py