Stabilizing DREI
@@ -5,10 +5,8 @@ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
|
||||
See the file 'LICENSE' for copying permission
|
||||
"""
|
||||
|
||||
import base64
|
||||
|
||||
from lib.core.convert import encodeBase64
|
||||
from lib.core.enums import PRIORITY
|
||||
from lib.core.settings import UNICODE_ENCODING
|
||||
|
||||
__priority__ = PRIORITY.LOW
|
||||
|
||||
@@ -23,4 +21,4 @@ def tamper(payload, **kwargs):
|
||||
'MScgQU5EIFNMRUVQKDUpIw=='
|
||||
"""
|
||||
|
||||
return base64.b64encode(payload.encode(UNICODE_ENCODING)) if payload else payload
|
||||
return encodeBase64(payload, binary=False) if payload else payload
|
||||
|
||||
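Review bot: The new return line drops the explicit `.encode(UNICODE_ENCODING)` step, so the text-to-bytes encoding applied before base64 is now whatever `encodeBase64` does internally; if that helper does not default to the same encoding, non-ASCII payloads encode differently than before, and the `'MScgQU5EIFNMRUVQKDUpIw=='` doctest only covers an ASCII payload. Presumably `binary=False` selects a text result (on Python 3 the old `base64.b64encode` returned bytes, which that doctest could not have matched), but nothing in the hunk shows it. A short comment would save the next reader the lookup: `# assumes encodeBase64(..., binary=False) applies UNICODE_ENCODING and returns str — confirm in lib.core.convert`. The tamper function starts outside this hunk.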
@@ -7,8 +7,8 @@ See the file 'LICENSE' for copying permission
|
||||
|
||||
import re
|
||||
|
||||
from lib.core.common import decodeHex
|
||||
from lib.core.common import getOrds
|
||||
from lib.core.convert import decodeHex
|
||||
from lib.core.convert import getOrds
|
||||
from lib.core.enums import PRIORITY
|
||||
|
||||
__priority__ = PRIORITY.NORMAL
|
||||
|
||||
@@ -26,7 +26,7 @@ def tamper(payload, **kwargs):
|
||||
* Lua-Nginx WAFs do not support processing of more than 100 parameters
|
||||
|
||||
>>> random.seed(0); hints={}; payload = tamper("1 AND 2>1", hints=hints); "%s&%s" % (hints[HINT.PREPEND], payload)
|
||||
'0U=&Aq=&Fz=&Ws=&DK=&4F=&rU=&Mp=&48=&Y3=&tT=&3Q=&Dg=&AL=&47=&D1=&qX=&Ia=&Sy=&ZP=&aE=&1p=&u1=&lJ=&o7=&XB=&et=&F5=&gI=&RH=&YH=&7L=&KB=&Kx=&Js=&lL=&OD=&fU=&25=&03=&5H=&yR=&rY=&03=&K6=&JB=&O9=&4X=&fL=&EN=&0p=&Th=&nX=&uY=&gj=&Rc=&J4=&HQ=&bN=&LJ=&yw=&8c=&b7=&lh=&nX=&6b=&Ag=&qn=&Ov=&lF=&cg=&9m=&wT=&Z4=&kP=&7d=&P0=&vp=&LB=&kD=&zJ=&Ft=&wZ=&pI=&aT=&uc=&ro=&7v=&rw=&6N=&MS=&yz=&Oa=&lu=&oN=&x2=&Jz=&yR=&zP=&cB=&qj=&GE=&IU=&2E=&tC=&Y2=&Yl=&9N=&fS=&9y=&Qt=&nS=&aZ=&Gg=&hO=&2r=&8g=&0y=&fr=&CX=&1i=&GO=&v2=&rb=&cQ=&I6=&64=&cU=&RO=&S3=&Nx=&Hm=&Ka=&ju=&WS=&uM=&ck=&8r=&yI=&sD=&oc=&lG=&ey=&uz=&g4=&D0=&8v=&DR=&As=&T3=&5M=&x8=&Ne=&fU=&da=&yG=&BE=&KQ=&Aw=&9q=&WA=&wd=&1R=&3B=&Ph=&ym=&c6=&nj=&mx=&Hj=&98=&jz=&Q2=&E4=&tE=&EP=&mL=&nv=&73=&Yc=&jp=&W0=&KS=&Ye=&f1=&cn=&ca=&0u=&jO=&8F=&3F=&JQ=&XU=&9U=&4m=&HL=&ZD=&Xy=&K0=&XO=&al=&Fp=&e1=&6s=&zY=&dN=&hr=&Zd=&cz=&E1=&SP=&j9=&zL=&xc=&Dj=&cM=&Ng=&Iv=&xW=&E2=&LC=&Nu=&hQ=&MW=&h4=&X4=&2Q=&YG=&Wl=&WB=&UC=&We=&c5=&E3=&6P=&Jn=&fY=&3W=&RA=&sh=&AJ=&56=&zg=&VT=&bB=&Qb=&47=&Se=&ew=&bv=&a8=&Ye=&3m=&mP=&6h=&aw=&bL=&1l=&gv=&7i=&7w=&Ds=&67=&Nl=&9g=&Kj=&36=&Xt=&pU=&sA=&ci=&be=&eA=&IT=&iA=&Nf=&Bw=&6d=&zT=&tm=&sD=&6X=&rI=&QX=&By=&VA=&pC=&6i=&CN=&Dm=&aR=&Ma=&sV=&MH=&jR=&DQ=&Vo=&Vr=&9h=&2c=&pG=&Ky=&gp=&rU=&4K=&cX=&sv=&Gp=&5k=&zr=&GJ=&MG=&zN=&zW=&Ws=&xM=&jR=&xK=&iP=&vD=&zD=&Rt=&Od=&sU=&dM=&bD=&3a=&Ge=&1Q=&UP=&ac=&M9=&2R=&To=&Ur=&gC=&uk=&A3=&AB=&RG=&i4=&BW=&yY=&yn=&m6=&Kd=&yo=&fl=&dN=&kL=&LR=&Fr=&2v=&CN=&F7=&75=&5K=&ER=&nq=&ck=&aO=&iW=&Q8=&y5=&Cv=&g2=&Xu=&Cu=&bc=&wm=&Gl=&mP=&Tt=&1p=&vS=&c5=&eC=&Sc=&Y8=&Ch=&fg=&Vz=&4B=&eA=&UZ=&cl=&Eh=&25=&tA=&Ir=&Hm=&sB=&LH=&qo=&hW=&gT=&pr=&TO=&TF=&1h=&Oh=&Tw=&PR=&On=&Zo=&GP=&oM=&rk=&YI=&uK=&bi=&y8=&Fe=&VW=&WJ=&Rn=&TY=&Vv=&KM=&3g=&ZG=&wC=&an=&OE=&7D=&t0=&qL=&RY=&Wx=&dc=&T7=&vB=&SO=&qP=&sw=&HT=&jb=&Mb=&cn=&Oe=&d8=&A3=&nA=&wk=&u9=&Ux=&zq=>=&QC=&c5=&zy=&ai=&1F=&Tj=&u0=&Yp=&bY=&kW=&Qk=&e5=&LM=&Cj=&Lp=&XT=&b5=&cf=&sj=&ow=&Tz=&qE=&yt=&3I=&8V=&Jq=&QC=&Sz=&Eb=&Tc=&QK=&Wr=&Qm=&Gv=&8m=&Ju=&85=&KS=&Qv=&43=&uU=&aY=&J7=&wM=&uW=&L9=&ai=&ch=&56=&D6=&YW=&Ul=&1
 AND 2>1'
|
||||
'34=&Xe=&90=&Ni=&rW=&lc=&te=&T4=&zO=&NY=&B4=&hM=&X2=&pU=&D8=&hm=&p0=&7y=&18=&RK=&Xi=&5M=&vM=&hO=&bg=&5c=&b8=&dE=&7I=&5I=&90=&R2=&BK=&bY=&p4=&lu=&po=&Vq=&bY=&3c=&ps=&Xu=&lK=&3Q=&7s=&pq=&1E=&rM=&FG=&vG=&Xy=&tQ=&lm=&rO=&pO=&rO=&1M=&vy=&La=&xW=&f8=&du=&94=&vE=&9q=&bE=&lQ=&JS=&NQ=&fE=&RO=&FI=&zm=&5A=&lE=&DK=&x8=&RQ=&Xw=&LY=&5S=&zi=&Js=&la=&3I=&r8=&re=&Xe=&5A=&3w=&vs=&zQ=&1Q=&HW=&Bw=&Xk=&LU=&Lk=&1E=&Nw=&pm=&ns=&zO=&xq=&7k=&v4=&F6=&Pi=&vo=&zY=&vk=&3w=&tU=&nW=&TG=&NM=&9U=&p4=&9A=&T8=&Xu=&xa=&Jk=&nq=&La=&lo=&zW=&xS=&v0=&Z4=&vi=&Pu=&jK=&DE=&72=&fU=&DW=&1g=&RU=&Hi=&li=&R8=&dC=&nI=&9A=&tq=&1w=&7u=&rg=&pa=&7c=&zk=&rO=&xy=&ZA=&1K=&ha=&tE=&RC=&3m=&r2=&Vc=&B6=&9A=&Pk=&Pi=&zy=&lI=&pu=&re=&vS=&zk=&RE=&xS=&Fs=&x8=&Fe=&rk=&Fi=&Tm=&fA=&Zu=&DS=&No=&lm=&lu=&li=&jC=&Do=&Tw=&xo=&zQ=&nO=&ng=&nC=&PS=&fU=&Lc=&Za=&Ta=&1y=&lw=&pA=&ZW=&nw=&pM=&pa=&Rk=&lE=&5c=&T4=&Vs=&7W=&Jm=&xG=&nC=&Js=&xM=&Rg=&zC=&Dq=&VA=&Vy=&9o=&7o=&Fk=&Ta=&Fq=&9y=&vq=&rW=&X4=&1W=&hI=&nA=&hs=&He=&No=&vy=&9C=&ZU=&t6=&1U=&1Q=&Do=&bk=&7G=&nA=&VE=&F0=&BO=&l2=&BO=&7o=&zq=&B4=&fA=&lI=&Xy=&Ji=&lk=&7M=&JG=&Be=&ts=&36=&tW=&fG=&T4=&vM=&hG=&tO=&VO=&9m=&Rm=&LA=&5K=&FY=&HW=&7Q=&t0=&3I=&Du=&Xc=&BS=&N0=&x4=&fq=&jI=&Ze=&TQ=&5i=&T2=&FQ=&VI=&Te=&Hq=&fw=&LI=&Xq=&LC=&B0=&h6=&TY=&HG=&Hw=&dK=&ru=&3k=&JQ=&5g=&9s=&HQ=&vY=&1S=&ta=&bq=&1u=&9i=&DM=&DA=&TG=&vQ=&Nu=&RK=&da=&56=&nm=&vE=&Fg=&jY=&t0=&DG=&9o=&PE=&da=&D4=&VE=&po=&nm=&lW=&X0=&BY=&NK=&pY=&5Q=&jw=&r0=&FM=&lU=&da=&ls=&Lg=&D8=&B8=&FW=&3M=&zy=&ho=&Dc=&HW=&7E=&bM=&Re=&jk=&Xe=&JC=&vs=&Ny=&D4=&fA=&DM=&1o=&9w=&3C=&Rw=&Vc=&Ro=&PK=&rw=&Re=&54=&xK=&VK=&1O=&1U=&vg=&Ls=&xq=&NA=&zU=&di=&BS=&pK=&bW=&Vq=&BC=&l6=&34=&PE=&JG=&TA=&NU=&hi=&T0=&Rs=&fw=&FQ=&NQ=&Dq=&Dm=&1w=&PC=&j2=&r6=&re=&t2=&Ry=&h2=&9m=&nw=&X4=&vI=&rY=&1K=&7m=&7g=&J8=&Pm=&RO=&7A=&fO=&1w=&1g=&7U=&7Y=&hQ=&FC=&vu=&Lw=&5I=&t0=&Na=&vk=&Te=&5S=&ZM=&Xs=&Vg=&tE=&J2=&Ts=&Dm=&Ry=&FC=&7i=&h8=&3y=&zk=&5G=&NC=&Pq=&ds=&zK=&d8=&zU=&1a=&d8=&Js=&nk=&TQ=&tC=&n8=&Hc=&Ru=&H0=&Bo=&XE=&Jm=&xK=&r2=&Fu=&FO=&NO=&7g=&PC=&Bq=&3O=&FQ=&1o=&5G=&zS=&Ps=&j0=&b0=&RM=&DQ=&RQ=&zY=&nk=
&1 AND 2>1'
|
||||
"""
|
||||
|
||||
hints = kwargs.get("hints", {})
|
||||
|
||||
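Review bot: The seeded doctest's expected value is swapped for a different one while nothing in the function under test changes in this hunk, so the example can only pass on interpreters whose `random` yields the new sequence after `random.seed(0)`; presumably this is the Python 2 → 3 difference (Python 3.2 changed the `randrange`/`choice` algorithm), meaning one of the two literals fails under each major version. If both interpreters are still supported the example should be guarded or made independent of the draw order; at minimum a note above the example such as `# expected output is tied to the Python 3 random implementation` makes the dependency explicit. The same applies to every later hunk that only swaps a seeded doctest result (the `InSeRt`, `I/**/NS/**/ERT`, `%23…%0A` and `SELECT%0D…` examples). A 500-entry literal is also hard to review for accidental edits; asserting the number of `&`-separated entries and the `&1 AND 2>1` suffix would be more robust. The tamper function starts outside this hunk.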
@@ -33,7 +33,7 @@ def tamper(payload, **kwargs):
|
||||
>>> import random
|
||||
>>> random.seed(0)
|
||||
>>> tamper('1 AND 2>1--')
|
||||
'1 /*!30874AND 2>1*/--'
|
||||
'1 /*!30963AND 2>1*/--'
|
||||
"""
|
||||
|
||||
retVal = payload
|
||||
|
||||
@@ -10,6 +10,7 @@ import re
|
||||
|
||||
from lib.core.data import kb
|
||||
from lib.core.enums import PRIORITY
|
||||
from lib.core.datatype import OrderedSet
|
||||
|
||||
__priority__ = PRIORITY.NORMAL
|
||||
|
||||
@@ -28,13 +29,13 @@ def tamper(payload, **kwargs):
|
||||
|
||||
>>> random.seed(0)
|
||||
>>> tamper('1 UNION SELECT foobar')
|
||||
'1 UNION SELECT foobar'
|
||||
'1 UNION SELECT foobar'
|
||||
"""
|
||||
|
||||
retVal = payload
|
||||
|
||||
if payload:
|
||||
words = set()
|
||||
words = OrderedSet()
|
||||
|
||||
for match in re.finditer(r"\b[A-Za-z_]+\b", payload):
|
||||
word = match.group()
|
||||
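Review bot: The switch to `OrderedSet()` deserves a why-comment, because a reader will otherwise wonder why a plain `set` was not enough: `words` is iterated to drive `re.sub` with random padding, so iteration order decides which word consumes which random draw, and plain set order for str keys presumably varies per process on Python 3, making the seeded doctest non-reproducible. Suggested line above it: `# OrderedSet keeps first-seen order so the seeded random padding below is reproducible`. The loop that consumes `words` continues outside this hunk.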
@@ -43,7 +44,7 @@ def tamper(payload, **kwargs):
|
||||
words.add(word)
|
||||
|
||||
for word in words:
|
||||
retVal = re.sub(r"(?<=\W)%s(?=[^A-Za-z_(]|\Z)" % word, "%s%s%s" % (' ' * random.randrange(1, 4), word, ' ' * random.randrange(1, 4)), retVal)
|
||||
retVal = re.sub(r"(?<=\W)%s(?=[(])" % word, "%s%s" % (' ' * random.randrange(1, 4), word), retVal)
|
||||
retVal = re.sub(r"(?<=\W)%s(?=[^A-Za-z_(]|\Z)" % word, "%s%s%s" % (' ' * random.randint(1, 4), word, ' ' * random.randint(1, 4)), retVal)
|
||||
retVal = re.sub(r"(?<=\W)%s(?=[(])" % word, "%s%s" % (' ' * random.randint(1, 4), word), retVal)
|
||||
|
||||
return retVal
|
||||
|
||||
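Review bot: Replacing `random.randrange(1, 4)` with `random.randint(1, 4)` widens the padding from 1–3 spaces to 1–4, since `randint` is inclusive at both ends; if the intent was only to stabilize the random sequence, `random.randint(1, 3)` keeps the old range. Note also that the replacement string is built once per `re.sub` call, so every occurrence of `word` in `retVal` receives identical padding; if per-occurrence variation is intended, pass a callable as the replacement, e.g. `lambda m: ' ' * random.randint(1, 4) + m.group() + ' ' * random.randint(1, 4)`. The tamper function starts outside this hunk.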
@@ -36,7 +36,7 @@ def tamper(payload, **kwargs):
|
||||
>>> import random
|
||||
>>> random.seed(0)
|
||||
>>> tamper('INSERT')
|
||||
'INseRt'
|
||||
'InSeRt'
|
||||
"""
|
||||
|
||||
retVal = payload
|
||||
|
||||
@@ -21,7 +21,7 @@ def tamper(payload, **kwargs):
|
||||
>>> import random
|
||||
>>> random.seed(0)
|
||||
>>> tamper('INSERT')
|
||||
'I/**/N/**/SERT'
|
||||
'I/**/NS/**/ERT'
|
||||
"""
|
||||
|
||||
retVal = payload
|
||||
|
||||
@@ -28,7 +28,7 @@ def tamper(payload, **kwargs):
|
||||
|
||||
>>> random.seed(0)
|
||||
>>> tamper('1 AND 9227=9227')
|
||||
'1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'
|
||||
'1--upgPydUzKpMX%0AAND--RcDKhIr%0A9227=9227'
|
||||
"""
|
||||
|
||||
retVal = ""
|
||||
|
||||
@@ -36,7 +36,7 @@ def tamper(payload, **kwargs):
|
||||
|
||||
>>> random.seed(0)
|
||||
>>> tamper('1 AND 9227=9227')
|
||||
'1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227'
|
||||
'1%23upgPydUzKpMX%0AAND%23RcDKhIr%0A9227=9227'
|
||||
"""
|
||||
|
||||
retVal = ""
|
||||
|
||||
@@ -39,7 +39,7 @@ def tamper(payload, **kwargs):
|
||||
|
||||
>>> random.seed(0)
|
||||
>>> tamper('1 AND 9227=9227')
|
||||
'1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227'
|
||||
'1%23RcDKhIr%0AAND%23upgPydUzKpMX%0A%23lgbaxYjWJ%0A9227=9227'
|
||||
"""
|
||||
|
||||
def process(match):
|
||||
|
||||
@@ -34,7 +34,7 @@ def tamper(payload, **kwargs):
|
||||
|
||||
>>> random.seed(0)
|
||||
>>> tamper('SELECT id FROM users')
|
||||
'SELECT%0Eid%0DFROM%07users'
|
||||
'SELECT%0Did%0DFROM%04users'
|
||||
"""
|
||||
|
||||
# ASCII table:
|
||||
|
||||
@@ -33,7 +33,7 @@ def tamper(payload, **kwargs):
|
||||
|
||||
>>> random.seed(0)
|
||||
>>> tamper('SELECT id FROM users')
|
||||
'SELECT%A0id%0BFROM%0Cusers'
|
||||
'SELECT%A0id%0CFROM%0Dusers'
|
||||
"""
|
||||
|
||||
# ASCII table:
|
||||
|
||||
@@ -30,7 +30,7 @@ def tamper(payload, **kwargs):
|
||||
|
||||
>>> random.seed(0)
|
||||
>>> tamper('SELECT id FROM users')
|
||||
'SELECT%0Did%0DFROM%0Ausers'
|
||||
'SELECT%0Did%0CFROM%0Ausers'
|
||||
"""
|
||||
|
||||
# ASCII table:
|
||||
|
||||