Update for an Issue #835

2025-12-09 22:21:30 +00:00 · 2014-09-20 14:48:36 +02:00
parent 78965b8145
commit 46480d777a
4 changed files with 33 additions and 41 deletions
--- a/tamper/xforwardedfor.py
+++ b/tamper/xforwardedfor.py
@@ -0,0 +1,29 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2014 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+from lib.core.enums import PRIORITY
+from random import sample
+__priority__ = PRIORITY.NORMAL
+
+def dependencies():
+    pass
+
+def randomIP():
+    numbers = []
+    while not numbers or numbers[0] in (10, 172, 192):
+        numbers = sample(xrange(1, 255), 4)
+    return '.'.join(str(_) for _ in numbers)
+
+def tamper(payload, **kwargs):
+    """
+    Append a fake HTTP header 'X-Forwarded-For' to bypass
+    WAF (usually application based) protection
+    """
+
+    headers = kwargs.get("headers", {})
+    headers["X-Forwarded-For"] = randomIP()
+    return payload