|
| 1 | +#!/usr/bin/env python |
| 2 | + |
| 3 | +""" |
| 4 | +Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/) |
| 5 | +See the file 'doc/COPYING' for copying permission |
| 6 | +""" |
| 7 | + |
| 8 | +from lib.core.enums import PRIORITY |
| 9 | + |
| 10 | +__priority__ = PRIORITY.HIGHEST |
| 11 | + |
| 12 | +def dependencies(): |
| 13 | + pass |
| 14 | + |
| 15 | +def tamper(payload, **kwargs): |
| 16 | + """ |
| 17 | + Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' |
| 18 | +
|
| 19 | + Requirement: |
| 20 | + * MySQL |
| 21 | + * SQLite (possibly) |
| 22 | + * SAP MaxDB (possibly) |
| 23 | +
|
| 24 | + Tested against: |
| 25 | + * MySQL 5.0 and 5.5 |
| 26 | +
|
| 27 | + Notes: |
| 28 | + * Useful to bypass very weak and bespoke web application firewalls |
| 29 | + that filter the IFNULL() and IF() functions |
| 30 | +
|
| 31 | + >>> tamper('IFNULL(1, 2)') |
| 32 | + 'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END' |
| 33 | + """ |
| 34 | + |
| 35 | + if payload and payload.find("IFNULL") > -1: |
| 36 | + while payload.find("IFNULL(") > -1: |
| 37 | + index = payload.find("IFNULL(") |
| 38 | + depth = 1 |
| 39 | + comma, end = None, None |
| 40 | + |
| 41 | + for i in xrange(index + len("IFNULL("), len(payload)): |
| 42 | + if depth == 1 and payload[i] == ',': |
| 43 | + comma = i |
| 44 | + |
| 45 | + elif depth == 1 and payload[i] == ')': |
| 46 | + end = i |
| 47 | + break |
| 48 | + |
| 49 | + elif payload[i] == '(': |
| 50 | + depth += 1 |
| 51 | + |
| 52 | + elif payload[i] == ')': |
| 53 | + depth -= 1 |
| 54 | + |
| 55 | + if comma and end: |
| 56 | + _ = payload[index + len("IFNULL("):comma] |
| 57 | + __ = payload[comma + 1:end].lstrip() |
| 58 | + newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _) |
| 59 | + payload = payload[:index] + newVal + payload[end + 1:] |
| 60 | + else: |
| 61 | + break |
| 62 | + |
| 63 | + return payload |
| 64 | + |
| 65 | + |
0 commit comments