|
|
#!/usr/bin/env python
|
|
|
|
|
|
"""
|
|
|
Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
|
|
|
See the file 'doc/COPYING' for copying permission
|
|
|
"""
|
|
|
|
|
|
from lib.core.compat import xrange # 导入兼容库中的xrange函数,用于兼容Python 2和3的range函数
|
|
|
from lib.core.enums import PRIORITY # 从核心库导入优先级枚举
|
|
|
|
|
|
# 设置优先级为最高
|
|
|
__priority__ = PRIORITY.HIGHEST
|
|
|
|
|
|
def dependencies():
|
|
|
pass
|
|
|
|
|
|
def tamper(payload, **kwargs):
|
|
|
"""
|
|
|
Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart
|
|
|
|
|
|
Requirement:
|
|
|
* MySQL
|
|
|
* SQLite (possibly)
|
|
|
* SAP MaxDB (possibly)
|
|
|
|
|
|
Tested against:
|
|
|
* MySQL 5.0 and 5.5
|
|
|
|
|
|
Notes:
|
|
|
* Useful to bypass very weak and bespoke web application firewalls
|
|
|
that filter the IFNULL() functions
|
|
|
|
|
|
>>> tamper('IFNULL(1, 2)')
|
|
|
'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END'
|
|
|
"""
|
|
|
|
|
|
if payload and payload.find("IFNULL") > -1: # 如果payload不为空且包含'IFNULL'
|
|
|
while payload.find("IFNULL(") > -1: # 遍历所有'IFNULL'语句
|
|
|
index = payload.find("IFNULL(") # 找到'IFNULL'的位置
|
|
|
depth = 1 # 初始化括号深度
|
|
|
comma, end = None, None # 初始化逗号位置和结束位置
|
|
|
|
|
|
# 遍历payload以找到'IFNULL'语句的结束位置
|
|
|
for i in xrange(index + len("IFNULL("), len(payload)):
|
|
|
if depth == 1 and payload[i] == ',':
|
|
|
comma = i # 记录逗号位置
|
|
|
|
|
|
elif depth == 1 and payload[i] == ')':
|
|
|
end = i # 记录结束位置
|
|
|
break
|
|
|
|
|
|
elif payload[i] == '(':
|
|
|
depth += 1 # 增加括号深度
|
|
|
|
|
|
|
|
|
elif payload[i] == ')':
|
|
|
depth -= 1 # 减少括号深度
|
|
|
|
|
|
# 如果找到逗号和结束位置,则进行替换
|
|
|
if comma and end:
|
|
|
_ = payload[index + len("IFNULL("):comma] # 提取参数A
|
|
|
__ = payload[comma + 1:end].lstrip() # 提取参数B
|
|
|
newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _) # 构造新的CASE语句
|
|
|
payload = payload[:index] + newVal + payload[end + 1:] # 替换原IFNULL语句
|
|
|
else:
|
|
|
break # 如果不符合条件,则终止循环
|
|
|
|
|
|
return payload
|
