Blame: tamper/htmlencode.py - sqlmapproject/sqlmap

Automatic SQL injection and database takeover tool

36950 0 0 Python

Last preparations for DREI 2019-05-08 12:47:52 +02:00			`#!/usr/bin/env python`
Adding new tamper script (on request from @MilanGabor) 2016-09-15 17:58:37 +02:00
			`"""`
Patch for #5897 2025-05-08 23:54:39 +02:00			`Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org)`
Replacing doc/COPYING to LICENSE 2017-10-11 14:50:46 +02:00			`See the file 'LICENSE' for copying permission`
Adding new tamper script (on request from @MilanGabor) 2016-09-15 17:58:37 +02:00			`"""`

			`import re`

			`from lib.core.enums import PRIORITY`

			`__priority__ = PRIORITY.LOW`

			`def dependencies():`
			`pass`

			`def tamper(payload, **kwargs):`
			`"""`
First commit related to the #3108 2018-07-31 01:17:11 +02:00			`HTML encode (using code points) all non-alphanumeric characters (e.g. ' -> ')`
Adding new tamper script (on request from @MilanGabor) 2016-09-15 17:58:37 +02:00
			`>>> tamper("1' AND SLEEP(5)#")`
			`'1' AND SLEEP(5)#'`
Fixes #5203 2022-10-17 12:21:47 +02:00			`>>> tamper("1' AND SLEEP(5)#")`
			`'1' AND SLEEP(5)#'`
Adding new tamper script (on request from @MilanGabor) 2016-09-15 17:58:37 +02:00			`"""`

Fixes #5203 2022-10-17 12:21:47 +02:00			`if payload:`
			`payload = re.sub(r"&#(\d+);", lambda match: chr(int(match.group(1))), payload) # NOTE: https://github.com/sqlmapproject/sqlmap/issues/5203`
			`payload = re.sub(r"[^\w]", lambda match: "&#%d;" % ord(match.group(0)), payload)`

			`return payload`