#!/usr/bin/env python
"""
|
|
|
|
|
Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
|
|
|
|
|
See the file 'LICENSE' for copying permission
|
|
|
|
|
"""
import os
import string
from lib.core.common import singleTimeWarnMessage  # one-time warning helper from the core library
from lib.core.enums import PRIORITY  # tamper-script priority enum from the core library
__priority__ = PRIORITY.LOWEST  # priority of this tamper script: lowest
def dependencies():
    """
    Warn once, at load time, that this tamper script is meant for ASP/ASP.NET targets only.

    The warning names this script by its file name without extension.
    """
    scriptName = os.path.basename(__file__).split(".")[0]
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % scriptName)
def tamper(payload, **kwargs):
    """
    Unicode-URL-encode every character of the payload, leaving already
    percent-encoded bytes as they are (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054).

    Args:
        payload: the payload string to transform; a falsy value (None, "")
            is returned unchanged.
        **kwargs: extra tamper arguments, unused by this script.

    Returns:
        The transformed payload, where each plain character becomes
        %uXXXX and each existing %XX sequence becomes %u00XX.

    Requirement:
        * ASP or ASP.NET web application

    Tested against:
        * Microsoft SQL Server 2000
        * Microsoft SQL Server 2005
        * MySQL 5.1.56
        * PostgreSQL 9.0.3

    Notes:
        * Relevant only when the web application firewall in front of the
          target does not Unicode-URL-decode the request before inspecting it.

    >>> tamper('SELECT FIELD%20FROM TABLE')
    '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
    """
    if not payload:
        return payload

    hexdigits = string.hexdigits
    chunks = []
    pos = 0
    end = len(payload)

    while pos < end:
        char = payload[pos]
        # An existing %XX escape is widened to %u00XX (its hex digits are kept
        # verbatim, including case) instead of being encoded a second time.
        # The bound check guarantees that pos + 2 is still inside the payload.
        if char == '%' and pos < end - 2 and payload[pos + 1] in hexdigits and payload[pos + 2] in hexdigits:
            chunks.append("%%u00%s" % payload[pos + 1:pos + 3])
            pos += 3
        else:
            # NOTE(review): code points above U+FFFF yield more than four hex
            # digits here (not a well-formed %uXXXX unit); kept as-is for parity.
            chunks.append('%%u%.4X' % ord(char))
            pos += 1

    return "".join(chunks)