@ -5,10 +5,11 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file ' doc/COPYING ' for copying permission See the file ' doc/COPYING ' for copying permission
""" """
from lib . core . compat import xrange from lib . core . compat import xrange # 导入兼容库中的xrange函数,
from lib . core . enums import PRIORITY from lib . core . enums import PRIORITY # 从核心库导入优先级枚举
from lib . core . settings import REPLACEMENT_MARKER from lib . core . settings import REPLACEMENT_MARKER # 从核心设置导入替换标记
# 设置优先级为最高
__priority__ = PRIORITY . HIGHEST __priority__ = PRIORITY . HIGHEST
def dependencies ( ) : def dependencies ( ) :
@ -16,56 +17,60 @@ def dependencies():
def tamper ( payload , * * kwargs ) : def tamper ( payload , * * kwargs ) :
"""
"""
Replaces instances like ' IF(A, B, C) ' with ' CASE WHEN (A) THEN (B) ELSE (C) END ' counterpart
这个函数用于篡改( tamper ) 输入的payload , 将 ' IF(A, B, C) ' 语句替换为其等效的 ' CASE WHEN (A) THEN (B) ELSE (C) END ' 形式 。
Requirement :
参数 :
* MySQL
payload : 要篡改的原始payload 。
* SQLite ( possibly )
* * kwargs : 其他可选参数 ( 在本函数中未使用 ) 。
* SAP MaxDB ( possibly )
Tested against :
要求:
* MySQL 5.0 and 5.5
* 适用于MySQL、 SQLite ( 可能 ) 和SAP MaxDB ( 可能 ) 数据库 。
Notes :
测试情况 :
* Useful to bypass very weak and bespoke web application firewalls
* MySQL 5.0 和 5.5
that filter the IF ( ) functions
注意 :
* 这个篡改方法对于绕过那些过滤IF ( ) 函数的非常弱的定制Web应用防火墙很有用 。
示例 :
>> > tamper ( ' IF(1, 2, 3) ' )
>> > tamper ( ' IF(1, 2, 3) ' )
' CASE WHEN (1) THEN (2) ELSE (3) END '
' CASE WHEN (1) THEN (2) ELSE (3) END '
>> > tamper ( ' SELECT IF((1=1), (SELECT " foo " ), NULL) ' )
>> > tamper ( ' SELECT IF((1=1), (SELECT " foo " ), NULL) ' )
' SELECT CASE WHEN (1=1) THEN (SELECT " foo " ) ELSE (NULL) END '
' SELECT CASE WHEN (1=1) THEN (SELECT " foo " ) ELSE (NULL) END '
"""
"""
if payload and payload . find ( " IF " ) > - 1 :
if payload and payload . find ( " IF " ) > - 1 : # 如果payload不为空且包含'IF'
payload = payload . replace ( " () " , REPLACEMENT_MARKER )
payload = payload . replace ( " () " , REPLACEMENT_MARKER ) # 替换空括号为替换标记
while payload . find ( " IF( " ) > - 1 :
while payload . find ( " IF( " ) > - 1 : # 遍历所有'IF'语句
index = payload . find ( " IF( " )
index = payload . find ( " IF( " ) # 找到'IF'的位置
depth = 1
depth = 1 # 初始化括号深度
commas , end = [ ] , None
commas , end = [ ] , None # 初始化逗号位置列表和结束位置
# 遍历payload以找到'IF'语句的结束位置
for i in xrange ( index + len ( " IF( " ) , len ( payload ) ) :
for i in xrange ( index + len ( " IF( " ) , len ( payload ) ) :
if depth == 1 and payload [ i ] == ' , ' :
if depth == 1 and payload [ i ] == ' , ' :
commas . append ( i )
commas . append ( i ) # 记录逗号位置
elif depth == 1 and payload [ i ] == ' ) ' :
elif depth == 1 and payload [ i ] == ' ) ' :
end = i
end = i # 记录结束位置
break
break
elif payload [ i ] == ' ( ' :
elif payload [ i ] == ' ( ' :
depth + = 1
depth + = 1 # 增加括号深度
elif payload [ i ] == ' ) ' :
elif payload [ i ] == ' ) ' :
depth - = 1
depth - = 1
# 如果找到两个逗号且有结束位置,则进行替换
if len ( commas ) == 2 and end :
if len ( commas ) == 2 and end :
a = payload [ index + len ( " IF( " ) : commas [ 0 ] ] . strip ( " () " )
a = payload [ index + len ( " IF( " ) : commas [ 0 ] ] . strip ( " () " ) # 提取条件A
b = payload [ commas [ 0 ] + 1 : commas [ 1 ] ] . lstrip ( ) . strip ( " () " )
b = payload [ commas [ 0 ] + 1 : commas [ 1 ] ] . lstrip ( ) . strip ( " () " ) # 提取结果B
c = payload [ commas [ 1 ] + 1 : end ] . lstrip ( ) . strip ( " () " )
c = payload [ commas [ 1 ] + 1 : end ] . lstrip ( ) . strip ( " () " ) # 提取结果C
newVal = " CASE WHEN ( %s ) THEN ( %s ) ELSE ( %s ) END " % ( a , b , c )
newVal = " CASE WHEN ( %s ) THEN ( %s ) ELSE ( %s ) END " % ( a , b , c ) # 构造新的CASE语句
payload = payload [ : index ] + newVal + payload [ end + 1 : ]
payload = payload [ : index ] + newVal + payload [ end + 1 : ] # 替换原IF语句
else :
else :
break
break # 如果不符合条件,则终止循环
payload = payload . replace ( REPLACEMENT_MARKER , " () " )
payload = payload . replace ( REPLACEMENT_MARKER , " () " ) # 恢复替换标记为空括号
return payload
return payload
