First commit related to the #3108

2026-01-09 08:09:01 +00:00 · 2018-07-31 01:17:11 +02:00
parent cef416559a
commit f0e4c20004
32 changed files with 72 additions and 85 deletions
--- a/tamper/apostrophemask.py
+++ b/tamper/apostrophemask.py
@@ -14,7 +14,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces apostrophe character with its UTF-8 full width counterpart
+    Replaces apostrophe character (') with its UTF-8 full width counterpart

    References:
        * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
--- a/tamper/apostrophenullencode.py
+++ b/tamper/apostrophenullencode.py
@@ -14,7 +14,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces apostrophe character with its illegal double unicode counterpart
+    Replaces apostrophe character (') with its illegal double unicode counterpart

    >>> tamper("1 AND '1'='1")
    '1 AND %00%271%00%27=%00%271'
--- a/tamper/appendnullbyte.py
+++ b/tamper/appendnullbyte.py
@@ -18,7 +18,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Appends encoded NULL byte character at the end of payload
+    Appends encoded NULL byte character (%00) at the end of payload

    Requirement:
        * Microsoft Access
--- a/tamper/between.py
+++ b/tamper/between.py
@@ -16,8 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
-    Replaces equals operator ('=') with 'BETWEEN # AND #'
+    Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'

    Tested against:
        * Microsoft SQL Server 2005
--- a/tamper/chardoubleencode.py
+++ b/tamper/chardoubleencode.py
@@ -16,13 +16,10 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Double url-encodes all characters in a given payload (not processing
-    already encoded)
+    Double URL-encodes all characters in a given payload (not processing already encoded)

    Notes:
-        * Useful to bypass some weak web application firewalls that do not
-          double url-decode the request before processing it through their
-          ruleset
+        * Useful to bypass some weak web application firewalls that do not double URL-decode the request before processing it through their ruleset

    >>> tamper('SELECT FIELD FROM%20TABLE')
    '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
--- a/tamper/charencode.py
+++ b/tamper/charencode.py
@@ -16,8 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Url-encodes all characters in a given payload (not processing already
-    encoded)
+    URL-encodes all characters in a given payload (not processing already encoded)

    Tested against:
        * Microsoft SQL Server 2005
@@ -26,10 +25,8 @@ def tamper(payload, **kwargs):
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
-        * Useful to bypass very weak web application firewalls that do not
-          url-decode the request before processing it through their ruleset
-        * The web server will anyway pass the url-decoded version behind,
-          hence it should work against any DBMS
+        * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
+        * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS

    >>> tamper('SELECT FIELD FROM%20TABLE')
    '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
--- a/tamper/charunicodeencode.py
+++ b/tamper/charunicodeencode.py
@@ -18,8 +18,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Unicode-url-encodes non-encoded characters in a given payload (not
-    processing already encoded)
+    Unicode-URL-encodes all characters in a given payload (not processing already encoded)

    Requirement:
        * ASP
@@ -32,9 +31,7 @@ def tamper(payload, **kwargs):
        * PostgreSQL 9.0.3

    Notes:
-        * Useful to bypass weak web application firewalls that do not
-          unicode url-decode the request before processing it through their
-          ruleset
+        * Useful to bypass weak web application firewalls that do not unicode URL-decode the request before processing it through their ruleset

    >>> tamper('SELECT FIELD%20FROM TABLE')
    '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
--- a/tamper/charunicodeescape.py
+++ b/tamper/charunicodeescape.py
@@ -13,8 +13,7 @@ __priority__ = PRIORITY.NORMAL

 def tamper(payload, **kwargs):
    """
-    Unicode-escapes non-encoded characters in a given payload (not
-    processing already encoded)
+    Unicode-escapes non-encoded characters in a given payload (not processing already encoded)

    Notes:
        * Useful to bypass weak filtering and/or WAFs in JSON contexes
--- a/tamper/commalesslimit.py
+++ b/tamper/commalesslimit.py
@@ -19,7 +19,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'
+    Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart

    Requirement:
        * MySQL
--- a/tamper/commalessmid.py
+++ b/tamper/commalessmid.py
@@ -19,7 +19,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'
+    Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart

    Requirement:
        * MySQL
--- a/tamper/commentbeforeparentheses.py
+++ b/tamper/commentbeforeparentheses.py
@@ -16,7 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Prepends (inline) comment before parentheses
+    Prepends (inline) comment before parentheses (e.g. ( -> /**/()

    Tested against:
        * Microsoft SQL Server
--- a/tamper/concat2concatws.py
+++ b/tamper/concat2concatws.py
@@ -18,7 +18,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'
+    Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart

    Requirement:
        * MySQL
--- a/tamper/equaltolike.py
+++ b/tamper/equaltolike.py
@@ -19,7 +19,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces all occurrences of operator equal ('=') with operator 'LIKE'
+    Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart

    Tested against:
        * Microsoft SQL Server 2005
--- a/tamper/escapequotes.py
+++ b/tamper/escapequotes.py
@@ -14,7 +14,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Slash escape quotes (' and ")
+    Slash escape single and double quotes (e.g. ' -> \')

    >>> tamper('1" AND SLEEP(5)#')
    '1\\\\" AND SLEEP(5)#'
--- a/tamper/halfversionedmorekeywords.py
+++ b/tamper/halfversionedmorekeywords.py
@@ -21,7 +21,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Adds versioned MySQL comment before each keyword
+    Adds (MySQL) versioned comment before each keyword

    Requirement:
        * MySQL < 5.1
--- a/tamper/htmlencode.py
+++ b/tamper/htmlencode.py
@@ -16,7 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    HTML encode (using code points) all non-alphanumeric characters
+    HTML encode (using code points) all non-alphanumeric characters (e.g. ' -> &#39;)

    >>> tamper("1' AND SLEEP(5)#")
    '1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;'
--- a/tamper/informationschemacomment.py
+++ b/tamper/informationschemacomment.py
@@ -13,7 +13,7 @@ __priority__ = PRIORITY.NORMAL

 def tamper(payload, **kwargs):
    """
-    Add a comment to the end of all occurrences of (blacklisted) "information_schema" identifier
+    Add a comment to the end of all occurrences of (MySQL) "information_schema" identifier

    >>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
    'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'
--- a/tamper/modsecurityversioned.py
+++ b/tamper/modsecurityversioned.py
@@ -19,7 +19,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Embraces complete query with versioned comment
+    Embraces complete query with (MySQL) versioned comment

    Requirement:
        * MySQL
--- a/tamper/modsecurityzeroversioned.py
+++ b/tamper/modsecurityzeroversioned.py
@@ -18,7 +18,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Embraces complete query with zero-versioned comment
+    Embraces complete query with (MySQL) zero-versioned comment

    Requirement:
        * MySQL
--- a/tamper/multiplespaces.py
+++ b/tamper/multiplespaces.py
@@ -18,7 +18,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Adds multiple spaces around SQL keywords
+    Adds multiple spaces (' ') around SQL keywords

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
--- a/tamper/nonrecursivereplacement.py
+++ b/tamper/nonrecursivereplacement.py
@@ -15,8 +15,7 @@ __priority__ = PRIORITY.NORMAL

 def tamper(payload, **kwargs):
    """
-    Replaces predefined SQL keywords with representations
-    suitable for replacement (e.g. .replace("SELECT", "")) filters
+    Replaces predefined SQL keywords with representations suitable for replacement filters (e.g. SELECT -> SELSELECTECT)

    Notes:
        * Useful to bypass very weak custom filters
--- a/tamper/overlongutf8.py
+++ b/tamper/overlongutf8.py
@@ -18,8 +18,9 @@ def tamper(payload, **kwargs):
    """
    Converts all (non-alphanum) characters in a given payload (not processing already encoded)

-    Reference: https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/
-    Reference: https://www.thecodingforums.com/threads/newbie-question-about-character-encoding-what-does-0xc0-0x8a-have-in-common-with-0xe0-0x80-0x8a.170201/
+    Reference:
+        * https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/
+        * https://www.thecodingforums.com/threads/newbie-question-about-character-encoding-what-does-0xc0-0x8a-have-in-common-with-0xe0-0x80-0x8a.170201/

    >>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
    'SELECT%C0%A0FIELD%C0%A0FROM%C0%A0TABLE%C0%A0WHERE%C0%A02%C0%BE1'
--- a/tamper/overlongutf8more.py
+++ b/tamper/overlongutf8more.py
@@ -18,8 +18,9 @@ def tamper(payload, **kwargs):
    """
    Converts all characters in a given payload (not processing already encoded)

-    Reference: https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/
-    Reference: https://www.thecodingforums.com/threads/newbie-question-about-character-encoding-what-does-0xc0-0x8a-have-in-common-with-0xe0-0x80-0x8a.170201/
+    Reference:
+        * https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/
+        * https://www.thecodingforums.com/threads/newbie-question-about-character-encoding-what-does-0xc0-0x8a-have-in-common-with-0xe0-0x80-0x8a.170201/

    >>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
    '%C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94%C0%A0%C1%86%C1%89%C1%85%C1%8C%C1%84%C0%A0%C1%86%C1%92%C1%8F%C1%8D%C0%A0%C1%94%C1%81%C1%82%C1%8C%C1%85%C0%A0%C1%97%C1%88%C1%85%C1%92%C1%85%C0%A0%C0%B2%C0%BE%C0%B1'
--- a/tamper/plus2concat.py
+++ b/tamper/plus2concat.py
@@ -20,7 +20,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces plus ('+') character with function CONCAT()
+    Replaces plus operator ('+') with (MsSQL) function CONCAT()

    Tested against:
        * Microsoft SQL Server 2012
--- a/tamper/plus2fnconcat.py
+++ b/tamper/plus2fnconcat.py
@@ -20,7 +20,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces plus ('+') character with ODBC function {fn CONCAT()}
+    Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()}

    Tested against:
        * Microsoft SQL Server 2008
--- a/tamper/randomcomments.py
+++ b/tamper/randomcomments.py
@@ -15,7 +15,7 @@ __priority__ = PRIORITY.LOW

 def tamper(payload, **kwargs):
    """
-    Add random comments to SQL keywords
+    Add random inline comments inside SQL keywords

    >>> import random
    >>> random.seed(0)
--- a/tamper/securesphere.py
+++ b/tamper/securesphere.py
@@ -14,11 +14,10 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Appends special crafted string
+    Appends special crafted string for bypassing Imperva SecureSphere WAF

-    Notes:
-        * Useful for bypassing Imperva SecureSphere WAF
-        * Reference: http://seclists.org/fulldisclosure/2011/May/163
+    Reference:
+        * http://seclists.org/fulldisclosure/2011/May/163

    >>> tamper('1 AND 1=1')
    "1 AND 1=1 and '0having'='0having'"
--- a/tamper/sp_password.py
+++ b/tamper/sp_password.py
@@ -11,7 +11,7 @@ __priority__ = PRIORITY.HIGH

 def tamper(payload, **kwargs):
    """
-    Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
+    Appends (MsSQL) function 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs

    Requirement:
        * MSSQL
--- a/tamper/space2plus.py
+++ b/tamper/space2plus.py
@@ -17,8 +17,7 @@ def tamper(payload, **kwargs):
    Replaces space character (' ') with plus ('+')

    Notes:
-        * Is this any useful? The plus get's url-encoded by sqlmap engine
-          invalidating the query afterwards
+        * Is this any useful? The plus get's url-encoded by sqlmap engine invalidating the query afterwards
        * This tamper script works against all databases

    >>> tamper('SELECT id FROM users')
--- a/tamper/unmagicquotes.py
+++ b/tamper/unmagicquotes.py
@@ -16,8 +16,7 @@ def dependencies():

 def tamper(payload, **kwargs):
    """
-    Replaces quote character (') with a multi-byte combo %bf%27 together with
-    generic comment at the end (to make it work)
+    Replaces quote character (') with a multi-byte combo %BF%27 together with generic comment at the end (to make it work)

    Notes:
        * Useful for bypassing magic_quotes/addslashes feature