diff --git a/lib/core/settings.py b/lib/core/settings.py index b5be58feb..1f5fd3341 100755 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME from lib.core.enums import OS # sqlmap version (...) -VERSION = "1.1.4.18" +VERSION = "1.1.4.19" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/tamper/commentbeforeparentheses.py b/tamper/commentbeforeparentheses.py new file mode 100644 index 000000000..59185002a --- /dev/null +++ b/tamper/commentbeforeparentheses.py @@ -0,0 +1,40 @@ +#!/usr/bin/env python + +""" +Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/) +See the file 'doc/COPYING' for copying permission +""" + +import re + +from lib.core.enums import PRIORITY + +__priority__ = PRIORITY.LOW + +def dependencies(): + pass + +def tamper(payload, **kwargs): + """ + Prepends (inline) comment before parentheses + + Tested against: + * Microsoft SQL Server + * MySQL + * Oracle + * PostgreSQL + + Notes: + * Useful to bypass web application firewalls that block usage + of function calls + + >>> tamper('SELECT ABS(1)') + 'SELECT ABS/**/(1)' + """ + + retVal = payload + + if payload: + retVal = re.sub(r"\b(\w+)\(", "\g<1>/**/(", retVal) + + return retVal diff --git a/txt/checksum.md5 b/txt/checksum.md5 index 407b84f38..4eaf7bfd5 100644 --- a/txt/checksum.md5 +++ b/txt/checksum.md5 @@ -45,7 +45,7 @@ dd19b4d930d418f8aef498941346ab2d lib/core/option.py d8e9250f3775119df07e9070eddccd16 lib/core/replication.py 785f86e3f963fa3798f84286a4e83ff2 lib/core/revision.py 40c80b28b3a5819b737a5a17d4565ae9 lib/core/session.py -78ce748dd65ba204321cb74c53ec55e3 lib/core/settings.py +a69ceaa3f1d3c59bc4678777218ae334 lib/core/settings.py d91291997d2bd2f6028aaf371bf1d3b6 lib/core/shell.py 2ad85c130cc5f2b3701ea85c2f6bbf20 lib/core/subprocessng.py afd0636d2e93c23f4f0a5c9b6023ea17 lib/core/target.py @@ -236,6 +236,7 @@ e6e3ae32bc3c3d5acb4b93289e3fe698 tamper/bluecoat.py 893e7d907bcd370394b70a30d502be2b tamper/charunicodeencode.py 596883203fbdd81ee760e4a00071bf39 tamper/commalesslimit.py f341a48112354a50347546fa73f4f531 tamper/commalessmid.py +1a368a32530c04a11a531cd21d587682 tamper/commentbeforeparentheses.py 28c21fd9c9801d398698c646bb894260 tamper/concat2concatws.py d496b8abd40ea1a86c771d9d20174f61 tamper/equaltolike.py fb3c31b72675f6ef27fa420a4e974a55 tamper/escapequotes.py