Added new tamper script, tamper/space2mssqlblank.py from RS

2024-11-22 09:36:35 +03:00 · 2011-07-11 09:49:58 +00:00 · 2011-07-11 09:49:58 +00:00 · c9e6fc7695
commit c9e6fc7695
parent e47f873fa4
2 changed files with 96 additions and 5 deletions
--- a/tamper/space2mssqlblank.py
+++ b/tamper/space2mssqlblank.py
@ -0,0 +1,91 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+import random
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def dependencies():
+    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))
+
+def tamper(payload):
+    """
+    Replaces space character (' ') with a random blank character from a
+    valid set of alternate characters
+
+    Example:
+        * Input: SELECT id FROM users
+        * Output: SELECT%08id%02FROM%0Fusers
+
+    Requirement:
+        * Microsoft SQL Server
+
+    Tested against:
+        * Microsoft SQL Server 2000
+        * Microsoft SQL Server 2005
+
+    Notes:
+        * Useful to bypass several web application firewalls
+    """
+
+    # ASCII table:
+    #   SOH     01      start of heading
+    #   STX     02      start of text
+    #   ETX     03      end of text
+    #   EOT     04      end of transmission
+    #   ENQ     05      enquiry     
+    #   ACK     06      acknowledge              
+    #   BEL     07      bell
+    #   BS      08      backspace
+    #   TAB     09      horizontal tab
+    #   LF      0A      new line
+    #   VT      0B      vertical TAB     
+    #   FF      0C      new page   
+    #   CR      0D      carriage return                
+    #   SO      0E      shift out 
+    #   SI      0F      shift in
+    blanks = ['%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A']
+    retVal = payload
+
+    if payload:
+        retVal = ""
+        quote, doublequote, firstspace, end = False, False, False, False
+
+        for i in xrange(len(payload)):
+            if not firstspace:
+                if payload[i].isspace():
+                    firstspace = True
+                    retVal += random.choice(blanks)
+                    continue
+
+            elif payload[i] == '\'':
+                quote = not quote
+
+            elif payload[i] == '"':
+                doublequote = not doublequote
+
+            elif payload[i] == '#' or payload[i:i+3] == '-- ':
+                end = True
+
+            elif payload[i] == " " and not doublequote and not quote:
+                if end:
+                    retVal += random.choice(blanks[:-1])
+                else:
+                    retVal += random.choice(blanks)
+
+                continue        
+                
+            retVal += payload[i]
+
+    return retVal
--- a/tamper/space2randomblank.py
+++ b/tamper/space2randomblank.py
@ -36,10 +36,10 @@ def tamper(payload):
    """

    # ASCII table:
-    #   \t      09      horizontal TAB
-    #   \n      0A      new line
-    #   -       0C      new page
-    #   \r      0D      carriage return
+    #   TAB     09      horizontal TAB
+    #   LF      0A      new line
+    #   FF      0C      new page
+    #   CR      0D      carriage return
    blanks = ['%09', '%0A', '%0C', '%0D']
    retVal = payload

@ -60,7 +60,7 @@ def tamper(payload):
            elif payload[i] == '"':
                doublequote = not doublequote

-            elif payload[i]==" " and not doublequote and not quote:
+            elif payload[i] == " " and not doublequote and not quote:
                retVal += random.choice(blanks)
                continue