Minor update of #3527

tamper/substring2leftright.py

@@ -24,23 +24,23 @@ def tamper(payload, **kwargs):
     Note:
         * Useful to bypass weak web application firewalls that filter SUBSTRING (but not LEFT and RIGHT)
 
-    >>> tamper('SUBSTRING((X FROM 1 FOR 1))')
-    'LEFT(X,1)'
-    >>> tamper('SUBSTRING((X FROM 5 FOR 1))')
-    'LEFT(RIGHT(X,-4),1)'
+    >>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 1 FOR 1)')
+    'LEFT((SELECT usename FROM pg_user)::text,1)'
+    >>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 3 FOR 1)')
+    'LEFT(RIGHT((SELECT usename FROM pg_user)::text,-2),1)'
     """
 
     retVal = payload
 
     if payload:
-        match = re.search(r"SUBSTRING\(\((.*)\sFROM\s(\d+)\sFOR\s1\)\)", payload)
+        match = re.search(r"SUBSTRING\((.+?)\s+FROM[^)]+(\d+)[^)]+FOR[^)]+1\)", payload)
 
         if match:
             pos = int(match.group(2))
             if pos == 1:
-                _ = "LEFT((%s,1))" % (match.group(1))
+                _ = "LEFT(%s,1)" % (match.group(1))
             else:
-                _ = "LEFT(RIGHT((%s,%d),1))" % (match.group(1), 1-pos)
+                _ = "LEFT(RIGHT(%s,%d),1)" % (match.group(1), 1 - pos)
 
             retVal = retVal.replace(match.group(0), _)