mirror of
https://github.com/sqlmapproject/sqlmap.git
synced 2024-11-25 11:03:47 +03:00
Adding plus2fnconcat tamper script (Issue #2396)
This commit is contained in:
parent
9acf122ba6
commit
98e449e38c
|
@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME
|
|||
from lib.core.enums import OS
|
||||
|
||||
# sqlmap version (<major>.<minor>.<month>.<monthly commit>)
|
||||
VERSION = "1.1.2.9"
|
||||
VERSION = "1.1.2.10"
|
||||
TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
|
||||
TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
|
||||
VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
|
||||
|
|
|
@ -30,6 +30,9 @@ def tamper(payload, **kwargs):
|
|||
|
||||
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
|
||||
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
|
||||
|
||||
>>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL')
|
||||
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
|
||||
"""
|
||||
|
||||
retVal = payload
|
||||
|
|
89
tamper/plus2fnconcat.py
Normal file
89
tamper/plus2fnconcat.py
Normal file
|
@ -0,0 +1,89 @@
|
|||
#!/usr/bin/env python
|
||||
|
||||
"""
|
||||
Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'doc/COPYING' for copying permission
|
||||
"""
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.common import zeroDepthSearch
|
||||
from lib.core.enums import PRIORITY
|
||||
|
||||
__priority__ = PRIORITY.HIGHEST
|
||||
|
||||
def dependencies():
|
||||
pass
|
||||
|
||||
def tamper(payload, **kwargs):
|
||||
"""
|
||||
Replaces plus ('+') character with ODBC function {fn CONCAT()}
|
||||
|
||||
Tested against:
|
||||
* Microsoft SQL Server 2008
|
||||
|
||||
Requirements:
|
||||
* Microsoft SQL Server 2008+
|
||||
|
||||
Notes:
|
||||
* Useful in case ('+') character is filtered
|
||||
* https://msdn.microsoft.com/en-us/library/bb630290.aspx
|
||||
|
||||
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
|
||||
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'
|
||||
|
||||
>>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL')
|
||||
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'
|
||||
"""
|
||||
|
||||
retVal = payload
|
||||
|
||||
if payload:
|
||||
while True:
|
||||
indexes = zeroDepthSearch(retVal, '+')
|
||||
|
||||
if indexes:
|
||||
first, last = 0, 0
|
||||
for i in xrange(1, len(indexes)):
|
||||
if ' ' in retVal[indexes[0]:indexes[i]]:
|
||||
break
|
||||
else:
|
||||
last = i
|
||||
|
||||
start = retVal[:indexes[first]].rfind(' ') + 1
|
||||
end = (retVal[indexes[last] + 1:].find(' ') + indexes[last] + 1) if ' ' in retVal[indexes[last] + 1:] else len(retVal) - 1
|
||||
|
||||
count = 0
|
||||
chars = [char for char in retVal]
|
||||
for index in indexes[first:last + 1]:
|
||||
if count == 0:
|
||||
chars[index] = ','
|
||||
else:
|
||||
chars[index] = '\x01'
|
||||
count += 1
|
||||
|
||||
retVal = "%s%s%s)}%s" % (retVal[:start], "{fn CONCAT(" * count, ''.join(chars)[start:end].replace('\x01', ")},"), retVal[end:])
|
||||
else:
|
||||
match = re.search(r"\((CHAR\(\d+.+CHAR\(\d+\))\)", retVal)
|
||||
if match:
|
||||
part = match.group(0)
|
||||
indexes = set(zeroDepthSearch(match.group(1), '+'))
|
||||
if not indexes:
|
||||
break
|
||||
|
||||
count = 0
|
||||
chars = [char for char in part]
|
||||
for i in xrange(1, len(chars)):
|
||||
if i - 1 in indexes:
|
||||
if count == 0:
|
||||
chars[i] = ','
|
||||
else:
|
||||
chars[i] = '\x01'
|
||||
count += 1
|
||||
|
||||
replacement = "%s%s}" % (("{fn CONCAT(" * count)[:-1], "".join(chars).replace('\x01', ")},"))
|
||||
retVal = retVal.replace(part, replacement)
|
||||
else:
|
||||
break
|
||||
|
||||
return retVal
|
|
@ -45,7 +45,7 @@ e544108e2238d756c94a240e8a1ce061 lib/core/optiondict.py
|
|||
d8e9250f3775119df07e9070eddccd16 lib/core/replication.py
|
||||
785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py
|
||||
40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py
|
||||
f108158ecd5c238a5f94f6f80d5f4c1a lib/core/settings.py
|
||||
001e41795dfa7fe8c8cea3dfba9f7d60 lib/core/settings.py
|
||||
d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py
|
||||
2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py
|
||||
afd0636d2e93c23f4f0a5c9b6023ea17 lib/core/target.py
|
||||
|
@ -252,7 +252,8 @@ a3a0e76922b4f40f422a0daca4e71af3 tamper/htmlencode.py
|
|||
54e1793f30c755202ee1acaacfac45fb tamper/nonrecursivereplacement.py
|
||||
00ba60e5869055aaa7ba0cd23b5ed1f4 tamper/overlongutf8.py
|
||||
3cadacb0f39de03e0f8612c656104e03 tamper/percentage.py
|
||||
dfaa889d125c34c7b2b468012d2b5279 tamper/plus2concat.py
|
||||
3e09fc9f1a6f3fee03f9213aaee97191 tamper/plus2concat.py
|
||||
7a18480b27d62eb574cf0150a57e81b1 tamper/plus2fnconcat.py
|
||||
24753ed4e8ceab6f1a1fc13ee621943b tamper/randomcase.py
|
||||
4d5fdfe77668fa44967e1d44f8a50ce7 tamper/randomcomments.py
|
||||
22561b429f41fc0bdd23e36b9a8de9e5 tamper/securesphere.py
|
||||
|
|
Loading…
Reference in New Issue
Block a user