diff --git a/src/sqlmap-master/tamper/if2case.py b/src/sqlmap-master/tamper/if2case.py index 2e3a01f..125f66d 100644 --- a/src/sqlmap-master/tamper/if2case.py +++ b/src/sqlmap-master/tamper/if2case.py @@ -5,18 +5,19 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY -from lib.core.settings import REPLACEMENT_MARKER +from lib.core.compat import xrange # 用于兼容Python 2和3的range函数 +from lib.core.enums import PRIORITY # 导入优先级枚举 +from lib.core.settings import REPLACEMENT_MARKER # 导入替换标记 -__priority__ = PRIORITY.HIGHEST +__priority__ = PRIORITY.HIGHEST # 设置优先级为最高 def dependencies(): + """此函数用于定义此tamper函数的依赖项。当前实现为空,根据需要可以添加具体的依赖项""" pass def tamper(payload, **kwargs): """ - Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart + 替换IF条件表达式为CASE表达式 Requirement: * MySQL @@ -27,45 +28,43 @@ def tamper(payload, **kwargs): * MySQL 5.0 and 5.5 Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the IF() functions + * 适用于绕过非常弱且定制的web应用程序防火墙,该防火墙过滤了IF()函数 - >>> tamper('IF(1, 2, 3)') - 'CASE WHEN (1) THEN (2) ELSE (3) END' - >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') - 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' - """ - - if payload and payload.find("IF") > -1: - payload = payload.replace("()", REPLACEMENT_MARKER) - while payload.find("IF(") > -1: - index = payload.find("IF(") - depth = 1 - commas, end = [], None - - for i in xrange(index + len("IF("), len(payload)): - if depth == 1 and payload[i] == ',': - commas.append(i) + Examples: + >>> tamper('IF(1, 2, 3)') + 'CASE WHEN (1) THEN (2) ELSE (3) END' - elif depth == 1 and payload[i] == ')': - end = i - break - - elif payload[i] == '(': - depth += 1 - - elif payload[i] == ')': - depth -= 1 + >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') + 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' + """ - if len(commas) == 2 and end: - a = payload[index + len("IF("):commas[0]].strip("()") - b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") - c = payload[commas[1] + 1:end].lstrip().strip("()") - newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) - payload = payload[:index] + newVal + payload[end + 1:] + if payload and payload.find("IF") > -1: # 检查payload是否包含IF + payload = payload.replace("()", REPLACEMENT_MARKER) # 替换空的()为REPLACEMENT_MARKER + while payload.find("IF(") > -1: # 检查payload中是否还包含IF( + index = payload.find("IF(") # 找到IF(的位置 + depth = 1 # 初始化深度计数器 + commas, end = [], None # 初始化逗号列表和结束位置 + + for i in xrange(index + len("IF("), len(payload)): # 遍历IF(后的子串 + if depth == 1 and payload[i] == ',': # 如果深度为1且遇到逗号 + commas.append(i) # 记录逗号位置 + elif depth == 1 and payload[i] == ')': # 如果深度为1且遇到右括号 + end = i # 记录结束位置 + break # 结束循环 + elif payload[i] == '(': # 如果遇到左括号 + depth += 1 # 增加深度 + elif payload[i] == ')': # 如果遇到右括号 + depth -= 1 # 减少深度 + + if len(commas) == 2 and end: # 如果有2个逗号并且有结束位置 + a = payload[index + len("IF("):commas[0]].strip("()") # 提取第一个参数 + b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") # 提取第二个参数 + c = payload[commas[1] + 1:end].lstrip().strip("()") # 提取第三个参数 + newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) # 构造CASE表达式 + payload = payload[:index] + newVal + payload[end + 1:] # 替换IF()为CASE else: - break + break # 如果不符合条件,跳出循环 - payload = payload.replace(REPLACEMENT_MARKER, "()") + payload = payload.replace(REPLACEMENT_MARKER, "()") # 将REPLACEMENT_MARKER替换回(),防止影响其他部分 - return payload + return payload \ No newline at end of file