Implementation for an Issue #3108

2026-01-01 12:29:04 +00:00 · 2018-07-31 02:18:33 +02:00
parent f0e4c20004
commit 1f9bf587b5
42 changed files with 113 additions and 99 deletions
--- a/tamper/apostrophemask.py
+++ b/tamper/apostrophemask.py
@@ -14,7 +14,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces apostrophe character (') with its UTF-8 full width counterpart
+    Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87)

    References:
        * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
--- a/tamper/apostrophenullencode.py
+++ b/tamper/apostrophenullencode.py
@@ -14,7 +14,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces apostrophe character (') with its illegal double unicode counterpart
+    Replaces apostrophe character (') with its illegal double unicode counterpart (e.g. ' -> %00%27)

    >>> tamper("1 AND '1'='1")
    '1 AND %00%271%00%27=%00%271'
--- a/tamper/appendnullbyte.py
+++ b/tamper/appendnullbyte.py
@@ -18,7 +18,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Appends encoded NULL byte character (%00) at the end of payload
+    Appends (Access) NULL byte character (%00) at the end of payload

    Requirement:
        * Microsoft Access
--- a/tamper/base64encode.py
+++ b/tamper/base64encode.py
@@ -17,7 +17,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Base64 all characters in a given payload
+    Base64-encodes all characters in a given payload

    >>> tamper("1' AND SLEEP(5)#")
    'MScgQU5EIFNMRUVQKDUpIw=='
--- a/tamper/bluecoat.py
+++ b/tamper/bluecoat.py
@@ -17,8 +17,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces space character after SQL statement with a valid random blank character.
-    Afterwards replace character '=' with operator LIKE
+    Replaces space character after SQL statement with a valid random blank character. Afterwards replace character '=' with operator LIKE

    Requirement:
        * Blue Coat SGOS with WAF activated as documented in
--- a/tamper/chardoubleencode.py
+++ b/tamper/chardoubleencode.py
@@ -16,7 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Double URL-encodes all characters in a given payload (not processing already encoded)
+    Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)

    Notes:
        * Useful to bypass some weak web application firewalls that do not double URL-decode the request before processing it through their ruleset
--- a/tamper/charencode.py
+++ b/tamper/charencode.py
@@ -16,7 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    URL-encodes all characters in a given payload (not processing already encoded)
+    URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)

    Tested against:
        * Microsoft SQL Server 2005
--- a/tamper/charunicodeencode.py
+++ b/tamper/charunicodeencode.py
@@ -18,7 +18,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Unicode-URL-encodes all characters in a given payload (not processing already encoded)
+    Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)

    Requirement:
        * ASP
--- a/tamper/charunicodeescape.py
+++ b/tamper/charunicodeescape.py
@@ -13,7 +13,7 @@ __priority__ = PRIORITY.NORMAL

 def tamper(payload, **kwargs):
    """
-    Unicode-escapes non-encoded characters in a given payload (not processing already encoded)
+    Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)

    Notes:
        * Useful to bypass weak filtering and/or WAFs in JSON contexes
--- a/tamper/ifnull2casewhenisnull.py
+++ b/tamper/ifnull2casewhenisnull.py
@@ -14,7 +14,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END'
+    Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart

    Requirement:
        * MySQL
--- a/tamper/ifnull2ifisnull.py
+++ b/tamper/ifnull2ifisnull.py
@@ -14,7 +14,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
+    Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' counterpart

    Requirement:
        * MySQL
--- a/tamper/informationschemacomment.py
+++ b/tamper/informationschemacomment.py
@@ -13,7 +13,7 @@ __priority__ = PRIORITY.NORMAL

 def tamper(payload, **kwargs):
    """
-    Add a comment to the end of all occurrences of (MySQL) "information_schema" identifier
+    Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier

    >>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
    'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'
--- a/tamper/lowercase.py
+++ b/tamper/lowercase.py
@@ -17,7 +17,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces each keyword character with lower case value
+    Replaces each keyword character with lower case value (e.g. SELECT -> select)

    Tested against:
        * Microsoft SQL Server 2005
--- a/tamper/overlongutf8.py
+++ b/tamper/overlongutf8.py
@@ -16,7 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Converts all (non-alphanum) characters in a given payload (not processing already encoded)
+    Converts all (non-alphanum) characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. ' -> %C0%A7)

    Reference:
        * https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/
--- a/tamper/overlongutf8more.py
+++ b/tamper/overlongutf8more.py
@@ -16,7 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Converts all characters in a given payload (not processing already encoded)
+    Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94)

    Reference:
        * https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/
--- a/tamper/percentage.py
+++ b/tamper/percentage.py
@@ -18,7 +18,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Adds a percentage sign ('%') infront of each character
+    Adds a percentage sign ('%') infront of each character (e.g. SELECT -> %S%E%L%E%C%T)

    Requirement:
        * ASP
--- a/tamper/plus2concat.py
+++ b/tamper/plus2concat.py
@@ -20,7 +20,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces plus operator ('+') with (MsSQL) function CONCAT()
+    Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart

    Tested against:
        * Microsoft SQL Server 2012
--- a/tamper/plus2fnconcat.py
+++ b/tamper/plus2fnconcat.py
@@ -20,7 +20,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()}
+    Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()} counterpart

    Tested against:
        * Microsoft SQL Server 2008
--- a/tamper/randomcase.py
+++ b/tamper/randomcase.py
@@ -18,7 +18,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces each keyword character with random case value
+    Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)

    Tested against:
        * Microsoft SQL Server 2005
--- a/tamper/randomcomments.py
+++ b/tamper/randomcomments.py
@@ -15,7 +15,7 @@ __priority__ = PRIORITY.LOW

 def tamper(payload, **kwargs):
    """
-    Add random inline comments inside SQL keywords
+    Add random inline comments inside SQL keywords (e.g. SELECT -> S/**/E/**/LECT)

    >>> import random
    >>> random.seed(0)
--- a/tamper/space2dash.py
+++ b/tamper/space2dash.py
@@ -14,8 +14,7 @@ __priority__ = PRIORITY.LOW

 def tamper(payload, **kwargs):
    """
-    Replaces space character (' ') with a dash comment ('--') followed by
-    a random string and a new line ('\n')
+    Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')

    Requirement:
        * MSSQL
--- a/tamper/space2hash.py
+++ b/tamper/space2hash.py
@@ -20,8 +20,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces space character (' ') with a pound character ('#') followed by
-    a random string and a new line ('\n')
+    Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

    Requirement:
        * MySQL
--- a/tamper/space2morecomment.py
+++ b/tamper/space2morecomment.py
@@ -14,7 +14,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces space character (' ') with comments '/**_**/'
+    Replaces (MySQL) instances of space character (' ') with comments '/**_**/'

    Tested against:
        * MySQL 5.0 and 5.5
--- a/tamper/space2morehash.py
+++ b/tamper/space2morehash.py
@@ -23,8 +23,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces space character (' ') with a pound character ('#') followed by
-    a random string and a new line ('\n')
+    Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

    Requirement:
        * MySQL >= 5.1.13
--- a/tamper/space2mssqlblank.py
+++ b/tamper/space2mssqlblank.py
@@ -19,8 +19,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces space character (' ') with a random blank character from a
-    valid set of alternate characters
+    Replaces (MsSQL) instances of space character (' ') with a random blank character from a valid set of alternate characters

    Requirement:
        * Microsoft SQL Server
--- a/tamper/space2mssqlhash.py
+++ b/tamper/space2mssqlhash.py
@@ -11,8 +11,7 @@ __priority__ = PRIORITY.LOW

 def tamper(payload, **kwargs):
    """
-    Replaces space character (' ') with a pound character ('#') followed by
-    a new line ('\n')
+    Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')

    Requirement:
        * MSSQL
--- a/tamper/space2mysqlblank.py
+++ b/tamper/space2mysqlblank.py
@@ -19,8 +19,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces space character (' ') with a random blank character from a
-    valid set of alternate characters
+    Replaces (MySQL) instances of space character (' ') with a random blank character from a valid set of alternate characters

    Requirement:
        * MySQL
--- a/tamper/space2mysqldash.py
+++ b/tamper/space2mysqldash.py
@@ -18,15 +18,12 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces space character (' ') with a dash comment ('--') followed by
-    a new line ('\n')
+    Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')

    Requirement:
        * MySQL
        * MSSQL

-    Tested against:
-
    Notes:
        * Useful to bypass several web application firewalls.

--- a/tamper/space2randomblank.py
+++ b/tamper/space2randomblank.py
@@ -16,8 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces space character (' ') with a random blank character from a
-    valid set of alternate characters
+    Replaces space character (' ') with a random blank character from a valid set of alternate characters

    Tested against:
        * Microsoft SQL Server 2005
--- a/tamper/unionalltounion.py
+++ b/tamper/unionalltounion.py
@@ -14,7 +14,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces UNION ALL SELECT with UNION SELECT
+    Replaces instances of UNION ALL SELECT with UNION SELECT counterpart

    >>> tamper('-1 UNION ALL SELECT')
    '-1 UNION SELECT'
--- a/tamper/uppercase.py
+++ b/tamper/uppercase.py
@@ -17,7 +17,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces each keyword character with upper case value
+    Replaces each keyword character with upper case value (e.g. select -> SELECT)

    Tested against:
        * Microsoft SQL Server 2005
--- a/tamper/varnish.py
+++ b/tamper/varnish.py
@@ -14,12 +14,12 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Append a HTTP header 'X-originating-IP' to bypass
-    WAF Protection of Varnish Firewall
+    Appends a HTTP header 'X-originating-IP' to bypass Varnish Firewall
+
+    Reference:
+        * http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366

    Notes:
-        Reference: http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366
-
        Examples:
        >> X-forwarded-for: TARGET_CACHESERVER_IP (184.189.250.X)
        >> X-remote-IP: TARGET_PROXY_IP (184.189.250.X)
--- a/tamper/versionedkeywords.py
+++ b/tamper/versionedkeywords.py
@@ -20,7 +20,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Encloses each non-function keyword with versioned MySQL comment
+    Encloses each non-function keyword with (MySQL) versioned comment

    Requirement:
        * MySQL
--- a/tamper/versionedmorekeywords.py
+++ b/tamper/versionedmorekeywords.py
@@ -21,7 +21,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Encloses each keyword with versioned MySQL comment
+    Encloses each keyword with (MySQL) versioned comment

    Requirement:
        * MySQL >= 5.1.13
--- a/tamper/xforwardedfor.py
+++ b/tamper/xforwardedfor.py
@@ -20,8 +20,7 @@ def randomIP():

 def tamper(payload, **kwargs):
    """
-    Append a fake HTTP header 'X-Forwarded-For' to bypass
-    WAF (usually application based) protection
+    Append a fake HTTP header 'X-Forwarded-For'
    """

    headers = kwargs.get("headers", {})