Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too.

2026-01-22 22:29:05 +00:00 · 2011-07-06 21:04:45 +00:00
parent 0d28c1e9e7
commit 23b4efdcaf
18 changed files with 399 additions and 45 deletions
--- a/tamper/charencode.py
+++ b/tamper/charencode.py
@@ -14,10 +14,29 @@ from lib.core.exception import sqlmapUnsupportedFeatureException

 __priority__ = PRIORITY.LOWEST

+def dependencies():
+    pass
+
 def tamper(payload):
    """
-    Urlencodes all characters in a given payload (not processing already encoded)
-    Example: 'SELECT FIELD FROM%20TABLE' becomes '%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45'
+    Url-encodes all characters in a given payload (not processing already
+    encoded)
+
+    Example:
+        * Input: SELECT FIELD FROM%20TABLE
+        * Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
+
+    Tested against:
+        * Microsoft SQL Server 2005
+        * MySQL 4, 5.0 and 5.5
+        * Oracle 10g
+        * PostgreSQL 8.3, 8.4, 9.0
+
+    Notes:
+        * Useful to bypass very weak web application firewalls that do not
+          url-decode the request before processing it through their ruleset
+        * The web server will anyway pass the url-decoded version behind,
+          hence it should work against any DBMS
    """

    retVal = payload