ptnqoxywl
/
sqlmap
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'main'
${ noResults }
sqlmap/src/sqlmap-master/tamper/charunicodeencode.py

71 lines
2.6 KiB
Raw Permalink Blame History Escape

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

#!/usr/bin/env python
"""
Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import os
import string
from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数
from lib.core.enums import PRIORITY # 从核心库导入优先级枚举
__priority__ = PRIORITY.LOWEST # 设置优先级为最低
def dependencies():
"""
这个函数用于在运行时检查依赖关系,并给出警告信息。
功能:
- 显示一条单次警告消息指出当前的tamper脚本仅适用于ASP或ASP.NET Web应用程序。
"""
singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0])
def tamper(payload, **kwargs):
"""
这个函数用于篡改tamper输入的payload通过Unicode-URL编码所有字符不处理已经编码的字符
参数:
payload要篡改的原始payload。
**kwargs其他可选参数在本函数中未使用
功能:
- 将输入的payload中的字符转换为Unicode-URL编码格式例如'SELECT'转换为'%u0053%u0045%u004C%u0045%u0043%u0054')。
要求:
* 仅适用于ASP和ASP.NET环境。
测试情况:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
注意:
* 这个篡改方法对于绕过那些在处理请求前不进行Unicode URL解码的弱Web应用防火墙很有用。
示例:
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
"""
retVal = payload # 初始化返回值为输入的payload
if payload: # 如果payload不为空
retVal = "" # 初始化返回值字符串
i = 0 # 初始化索引
# 遍历payload中的每个字符
while i < len(payload):
# 如果当前字符是%且后面两个字符是十六进制数字已编码的字符则进行Unicode-URL编码
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += "%%u00%s" % payload[i + 1:i + 3]
i += 3
else:
# 对未编码的字符进行Unicode-URL编码并添加到返回值
retVal += '%%u%.4X' % ord(payload[i])
i += 1
return retVal
Reference in new issue View Git Blame Copy Permalink