Added generic JSON WAF bypass

doc/THANKS.md

@@ -789,6 +789,9 @@ x, <deep_freeze(at)mail.ru>
 zhouhx, <zhouhx(at)knownsec.com>
 * for contributing a minor patch
 
+Noam Moshe Claroty Team82
+* for contributing WAF scripts json_waf_bypass_postgres.py, json_waf_bypass_sqlite.py, json_waf_bypass_mysql.py
+
 # Organizations
 
 Black Hat team, <info(at)blackhat.com>

tamper/json_waf_bypass_mysql.py

@@ -95,13 +95,8 @@ def generate_random_payload():
 
 def tamper(payload, **kwargs):
     """
-    This SQLMap tamper script was written by Noam Moshe of Claroty Team82. To read more about this novel
-    WAF bypass, read our blog:
-        https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
         
-    Bypasses generic WAFs using JSON SQL Syntax. For more details, see our talk in BH EU 2022
-    https://www.blackhat.com/eu-22/briefings/schedule/#js-on-security-off-abusing-json-based-sql-queries-28774
-
+    Bypasses generic WAFs using JSON SQL Syntax.
     For more details about JSON in MySQL - https://dev.mysql.com/doc/refman/5.7/en/json-function-reference.html
 
     Tested against:
@@ -111,6 +106,9 @@ def tamper(payload, **kwargs):
         python3 sqlmap.py <TARGET> --tamper json_waf_bypass_mysql.py
 
     Notes:
+        * References: 
+            * https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf 
+            * https://www.blackhat.com/eu-22/briefings/schedule/#js-on-security-off-abusing-json-based-sql-queries-28774
         * Usefull for bypassing any JSON-unaware WAFs with minor-to-no adjusments
         * JSON techniques were tested againts the following WAF vendors:
             * Amazon AWS ELB

tamper/json_waf_bypass_postgres.py

@@ -140,12 +140,8 @@ def generate_random_payload():
 
 def tamper(payload, **kwargs):
     """
-    This SQLMap tamper script was written by Noam Moshe of Claroty Team82. To read more about this novel
-    WAF bypass, read our blog:
-        https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
-        
-    Bypasses generic WAFs using JSON SQL Syntax. For more details, see our talk in BH EU 2022
-    https://www.blackhat.com/eu-22/briefings/schedule/#js-on-security-off-abusing-json-based-sql-queries-28774
+    
+    Bypasses generic WAFs using JSON SQL Syntax.
 
     For more details about JSON in PostgreSQL - https://www.postgresql.org/docs/9.3/functions-json.html
 
@@ -156,6 +152,10 @@ def tamper(payload, **kwargs):
         python3 sqlmap.py <TARGET> --tamper json_waf_bypass_postgres.py
 
     Notes:
+
+        * References: 
+            * https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf 
+            * https://www.blackhat.com/eu-22/briefings/schedule/#js-on-security-off-abusing-json-based-sql-queries-28774
         * Usefull for bypassing any JSON-unaware WAFs with minor-to-no adjusments
         * JSON techniques were tested againts the following WAF vendors:
             * Amazon AWS ELB

tamper/json_waf_bypass_sqlite.py

@@ -112,12 +112,8 @@ def generate_random_payload():
 
 def tamper(payload, **kwargs):
 	"""
-    This SQLMap tamper script was written by Noam Moshe of Claroty Team82. To read more about this novel
-    WAF bypass, read our blog:
-        https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf
         
-    Bypasses generic WAFs using JSON SQL Syntax. For more details, see our talk in BH EU 2022
-    https://www.blackhat.com/eu-22/briefings/schedule/#js-on-security-off-abusing-json-based-sql-queries-28774
+    Bypasses generic WAFs using JSON SQL Syntax. 
 
     For more details about JSON in SQLite - https://www.sqlite.org/json1.html
 
@@ -128,6 +124,10 @@ def tamper(payload, **kwargs):
         python3 sqlmap.py <TARGET> --tamper json_waf_bypass_sqlite.py
 
     Notes:
+
+    	* References: 
+            * https://claroty.com/team82/research/js-on-security-off-abusing-json-based-sql-to-bypass-waf 
+            * https://www.blackhat.com/eu-22/briefings/schedule/#js-on-security-off-abusing-json-based-sql-queries-28774
         * Usefull for bypassing any JSON-unaware WAFs with minor-to-no adjusments
         * JSON techniques were tested againts the following WAF vendors:
             * Amazon AWS ELB