diff --git a/tamper/randomsession.py b/tamper/randomsession.py new file mode 100644 index 000000000..e66642b78 --- /dev/null +++ b/tamper/randomsession.py @@ -0,0 +1,30 @@ +#!/usr/bin/env python + +""" +Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/) +See the file 'LICENSE' for copying permission +author: 3H34N +""" +import string +import random +from lib.core.enums import PRIORITY +__priority__ = PRIORITY.NORMAL + +def dependencies(): + pass + +def randomsession(): + length = 32 + chars = string.ascii_letters.lower() + string.digits + password = ''.join(random.choice(chars) for i in range(length)) + return "PHPSESSID="+password + +def tamper(payload, **kwargs): + """ + Append a random session HTTP header 'PHPSESSID' to bypass + WAF (usually application based) protection + """ + + headers = kwargs.get("headers", {}) + headers["Cookie"] = randomsession() + return payload