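--- a/PATH_NOT_ON_PAGE
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,42 @@
+#!/usr/bin/env python
+
+"""
+Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+import string
+
+from lib .core .enums import PRIORITY
+from lib .core .common import singleTimeWarnMessage
+
+__priority__ = PRIORITY .LOWEST
+
+def tamper (payload , ** kwargs ):
+"""
+Unicode-escapes non-encoded characters in a given payload (not
+processing already encoded)
+
+Notes:
+* Useful to bypass weak filtering and/or WAFs in JSON contexes
+
+>>> tamper('SELECT FIELD%20FROM TABLE')
+'\u0053 \u0045 \u004C \u0045 \u0043 \u0054 \u0020 \u0046 \u0049 \u0045 \u004C \u0044 \u0020 \u0046 \u0052 \u004F \u004D \u0020 \u0054 \u0041 \u0042 \u004C \u0045 '
+"""
+
+retVal = payload
+
+if payload :
+retVal = ""
+i = 0
+
+while i < len (payload ):
+if payload [i ] == '%' and (i < len (payload ) - 2 ) and payload [i + 1 :i + 2 ] in string .hexdigits and payload [i + 2 :i + 3 ] in string .hexdigits :
+retVal += "\\ u00%s" % payload [i + 1 :i + 3 ]
+i += 3
+else :
+retVal += '\\ u%.4X' % ord (payload [i ])
+i += 1
+
+return retVal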
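Review bot: `os` and `singleTimeWarnMessage` are imported at file lines 8 and 12 but never referenced anywhere in the new file; `tamper` only uses `string` and the module only uses `PRIORITY`, so both unused imports should be dropped unless a `dependencies()` hook that calls `singleTimeWarnMessage` is still to come. The docstring's doctest writes its expected output with literal `\u00XX` sequences inside a non-raw triple-quoted string; under Python 2 byte-string semantics those stay literal, but under Python 3 the interpreter decodes them to plain characters and the example no longer matches what `tamper` returns, so a raw docstring (`r"""`) keeps the doctest valid in either case. The hex-digit test `payload[i + 1:i + 2] in string.hexdigits` is only correct because of the preceding `i < len(payload) - 2` guard (an empty slice is also "in" any string); a comment such as `# both one-char slices are non-empty thanks to the length check` would make that dependency explicit for future edits.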