|
|
|
|
@ -5,19 +5,32 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
|
|
|
|
|
See the file 'doc/COPYING' for copying permission
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
<<<<<<< HEAD
|
|
|
|
|
from lib.core.compat import xrange # 导入兼容库中的xrange函数,用于兼容Python 2和3的range函数
|
|
|
|
|
from lib.core.enums import PRIORITY # 从核心库导入优先级枚举
|
|
|
|
|
from lib.core.settings import REPLACEMENT_MARKER # 从核心设置导入替换标记
|
|
|
|
|
|
|
|
|
|
# 设置优先级为最高
|
|
|
|
|
__priority__ = PRIORITY.HIGHEST
|
|
|
|
|
=======
|
|
|
|
|
from lib.core.compat import xrange # 用于兼容Python 2和3的range函数
|
|
|
|
|
from lib.core.enums import PRIORITY # 导入优先级枚举
|
|
|
|
|
from lib.core.settings import REPLACEMENT_MARKER # 导入替换标记
|
|
|
|
|
|
|
|
|
|
__priority__ = PRIORITY.HIGHEST # 设置优先级为最高
|
|
|
|
|
>>>>>>> b2880b499320c050bf54d2910d89b1f5c9c1109f
|
|
|
|
|
|
|
|
|
|
def dependencies():
|
|
|
|
|
"""此函数用于定义此tamper函数的依赖项。当前实现为空,根据需要可以添加具体的依赖项"""
|
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
def tamper(payload, **kwargs):
|
|
|
|
|
"""
|
|
|
|
|
<<<<<<< HEAD
|
|
|
|
|
这个函数用于篡改(tamper)输入的payload,将'IF(A, B, C)'语句替换为其等效的'CASE WHEN (A) THEN (B) ELSE (C) END'形式。
|
|
|
|
|
=======
|
|
|
|
|
替换IF条件表达式为CASE表达式
|
|
|
|
|
>>>>>>> b2880b499320c050bf54d2910d89b1f5c9c1109f
|
|
|
|
|
|
|
|
|
|
参数:
|
|
|
|
|
payload:要篡改的原始payload。
|
|
|
|
|
@ -26,6 +39,7 @@ def tamper(payload, **kwargs):
|
|
|
|
|
要求:
|
|
|
|
|
* 适用于MySQL、SQLite(可能)和SAP MaxDB(可能)数据库。
|
|
|
|
|
|
|
|
|
|
<<<<<<< HEAD
|
|
|
|
|
测试情况:
|
|
|
|
|
* MySQL 5.0 和 5.5
|
|
|
|
|
|
|
|
|
|
@ -35,10 +49,20 @@ def tamper(payload, **kwargs):
|
|
|
|
|
示例:
|
|
|
|
|
>>> tamper('IF(1, 2, 3)')
|
|
|
|
|
'CASE WHEN (1) THEN (2) ELSE (3) END'
|
|
|
|
|
=======
|
|
|
|
|
Notes:
|
|
|
|
|
* 适用于绕过非常弱且定制的web应用程序防火墙,该防火墙过滤了IF()函数
|
|
|
|
|
|
|
|
|
|
Examples:
|
|
|
|
|
>>> tamper('IF(1, 2, 3)')
|
|
|
|
|
'CASE WHEN (1) THEN (2) ELSE (3) END'
|
|
|
|
|
|
|
|
|
|
>>>>>>> b2880b499320c050bf54d2910d89b1f5c9c1109f
|
|
|
|
|
>>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)')
|
|
|
|
|
'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END'
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
<<<<<<< HEAD
|
|
|
|
|
if payload and payload.find("IF") > -1: # 如果payload不为空且包含'IF'
|
|
|
|
|
payload = payload.replace("()", REPLACEMENT_MARKER) # 替换空括号为替换标记
|
|
|
|
|
while payload.find("IF(") > -1: # 遍历所有'IF'语句
|
|
|
|
|
@ -72,5 +96,35 @@ def tamper(payload, **kwargs):
|
|
|
|
|
break # 如果不符合条件,则终止循环
|
|
|
|
|
|
|
|
|
|
payload = payload.replace(REPLACEMENT_MARKER, "()") # 恢复替换标记为空括号
|
|
|
|
|
=======
|
|
|
|
|
if payload and payload.find("IF") > -1: # 检查payload是否包含IF
|
|
|
|
|
payload = payload.replace("()", REPLACEMENT_MARKER) # 替换空的()为REPLACEMENT_MARKER
|
|
|
|
|
while payload.find("IF(") > -1: # 检查payload中是否还包含IF(
|
|
|
|
|
index = payload.find("IF(") # 找到IF(的位置
|
|
|
|
|
depth = 1 # 初始化深度计数器
|
|
|
|
|
commas, end = [], None # 初始化逗号列表和结束位置
|
|
|
|
|
|
|
|
|
|
for i in xrange(index + len("IF("), len(payload)): # 遍历IF(后的子串
|
|
|
|
|
if depth == 1 and payload[i] == ',': # 如果深度为1且遇到逗号
|
|
|
|
|
commas.append(i) # 记录逗号位置
|
|
|
|
|
elif depth == 1 and payload[i] == ')': # 如果深度为1且遇到右括号
|
|
|
|
|
end = i # 记录结束位置
|
|
|
|
|
break # 结束循环
|
|
|
|
|
elif payload[i] == '(': # 如果遇到左括号
|
|
|
|
|
depth += 1 # 增加深度
|
|
|
|
|
elif payload[i] == ')': # 如果遇到右括号
|
|
|
|
|
depth -= 1 # 减少深度
|
|
|
|
|
|
|
|
|
|
if len(commas) == 2 and end: # 如果有2个逗号并且有结束位置
|
|
|
|
|
a = payload[index + len("IF("):commas[0]].strip("()") # 提取第一个参数
|
|
|
|
|
b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") # 提取第二个参数
|
|
|
|
|
c = payload[commas[1] + 1:end].lstrip().strip("()") # 提取第三个参数
|
|
|
|
|
newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) # 构造CASE表达式
|
|
|
|
|
payload = payload[:index] + newVal + payload[end + 1:] # 替换IF()为CASE
|
|
|
|
|
else:
|
|
|
|
|
break # 如果不符合条件,跳出循环
|
|
|
|
|
|
|
|
|
|
payload = payload.replace(REPLACEMENT_MARKER, "()") # 将REPLACEMENT_MARKER替换回(),防止影响其他部分
|
|
|
|
|
>>>>>>> b2880b499320c050bf54d2910d89b1f5c9c1109f
|
|
|
|
|
|
|
|
|
|
return payload
|
|
|
|
|
return payload
|
