
Commit fa1cfa2

committed
Improvement to BlueCoat's tamper script
1 parent 13bf338 commit fa1cfa2

1 file changed

Lines changed: 12 additions & 3 deletions


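--- a/tamper/bluecoat.py
+++ b/tamper/bluecoat.py
@@ -7,6 +7,7 @@
 
 import re
 
+from lib.core.data import kb
 from lib.core.enums import PRIORITY
 
 __priority__ = PRIORITY.NORMAL
@@ -29,14 +30,22 @@ def tamper(payload, **kwargs):
 Notes:
 * Useful to bypass Blue Coat's recommended WAF rule configuration
 
->>> tamper('SELECT id FROM users where id = 1')
-'SELECT%09id FROM users where id LIKE 1'
+>>> tamper('SELECT id FROM users WHERE id = 1')
+'SELECT%09id FROM%09users WHERE%09id LIKE 1'
 """
 
+def process(match):
+word = match.group('word')
+if word.upper() in kb.keywords:
+return match.group().replace(word, "%s%%09" % word)
+else:
+return match.group()
+
 retVal = payload
 
 if payload:
-retVal = re.sub(r"(?i)(SELECT|UPDATE|INSERT|DELETE)\s+", r"\g<1>%09", payload)
+retVal = re.sub(r"\b(?P<word>[A-Z_]+)(?=[^\w(]|\Z)", lambda match: process(match), retVal)
 retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)
+retVal = retVal.replace("%09 ", "%09")
 
 return retVal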
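Review bot: `process()` reads `kb.keywords`, so `tamper()` now depends on global state that nothing in this diff shows being initialised; if that collection is empty or unset when the doctest runs, the expected `'SELECT%09id FROM%09users WHERE%09id LIKE 1'` will not be produced, and a comment such as `# relies on kb.keywords being loaded before tamper() is called` above `process()` would record the requirement. `word.upper()` is a no-op, because the pattern `[A-Z_]+` only matches upper-case words while the removed pattern carried `(?i)`; whether lower-case input is deliberately left untouched is not stated and the docstring should say so. The wrapper `lambda match: process(match)` can be passed as plain `process`, and since the lookahead is zero-width `match.group()` equals `word`, so the keyword branch reduces to `return "%s%%09" % word`. The start of `tamper()` lies above the second hunk, so its signature and the top of the docstring are not visible here.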
