
important update regarding (Bug #209) - probably more will be needed

commit 5a38ac7ea94f73a1e1c0323f2fb4c1c0b4b6296c 1 parent a921fe0
Miroslav Stampar stamparm authored
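--- a/lib/controller/checks.py
+++ b/lib/controller/checks.py
@@ -24,7 +24,6 @@
 from lib.core.common import showStaticWords
 from lib.core.common import wasLastRequestError
 from lib.core.common import DynamicContentItem
-from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger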
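--- a/lib/core/agent.py
+++ b/lib/core/agent.py
@@ -11,6 +11,7 @@
 
 from xml.etree import ElementTree as ET
 
+from lib.core.common import getCompiledRegex
 from lib.core.common import getInjectionCase
 from lib.core.common import randomInt
 from lib.core.common import randomStr
@@ -20,6 +21,7 @@
 from lib.core.data import queries
 from lib.core.datatype import advancedDict
 from lib.core.exception import sqlmapNoneDataException
+from lib.core.settings import PAYLOAD_DELIMITER
 
 class Agent:
 """
@@ -54,18 +56,17 @@ def payload(self, place=None, parameter=None, value=None, newValue=None, negativ
 falseValue = ""
 negValue = ""
 retValue = ""
- newValue = urlencode(newValue) if place != "URI" else newValue
 
 if negative or kb.unionNegative:
 negValue = "-"
 elif falseCond or kb.unionFalseCond:
 randInt = randomInt()
- falseValue = urlencode(" AND %d=%d" % (randInt, randInt + 1))
+ falseValue = " AND %d=%d" % (randInt, randInt + 1)
 
 # After identifing the injectable parameter
 if kb.injPlace == "User-Agent":
 retValue = kb.injParameter.replace(kb.injParameter,
- "%s%s" % (negValue, kb.injParameter + falseValue + newValue))
+ self.addPayloadDelimiters("%s%s" % (negValue, kb.injParameter + falseValue + newValue)))
 elif kb.injParameter:
 paramString = conf.parameters[kb.injPlace]
 paramDict = conf.paramDict[kb.injPlace]
@@ -76,21 +77,21 @@ def payload(self, place=None, parameter=None, value=None, newValue=None, negativ
 iterator = root.getiterator(kb.injParameter)
 
 for child in iterator:
- child.text = "%s%s" % (negValue, value + falseValue + newValue)
+ child.text = self.addPayloadDelimiters(negValue + value + falseValue + newValue)
 
 retValue = ET.tostring(root)
 elif kb.injPlace == "URI":
 retValue = paramString.replace("*",
- "%s%s" % (negValue, falseValue + newValue))
+ self.addPayloadDelimiters("%s%s" % (negValue, falseValue + newValue)))
 else:
 retValue = paramString.replace("%s=%s" % (kb.injParameter, value),
- "%s=%s%s" % (kb.injParameter, negValue, value + falseValue + newValue))
+ "%s=%s" % (kb.injParameter, self.addPayloadDelimiters(negValue + value + falseValue + newValue)))
 
 # Before identifing the injectable parameter
 elif parameter == "User-Agent":
- retValue = value.replace(value, newValue)
+ retValue = value.replace(value, self.addPayloadDelimiters(newValue))
 elif place == "URI":
- retValue = value.replace("*", "%s" % newValue.replace(value, str()))
+ retValue = value.replace("*", self.addPayloadDelimiters("%s" % newValue.replace(value, str())))
 else:
 paramString = conf.parameters[place]
 
@@ -99,12 +100,12 @@ def payload(self, place=None, parameter=None, value=None, newValue=None, negativ
 iterator = root.getiterator(parameter)
 
 for child in iterator:
- child.text = newValue
+ child.text = self.addPayloadDelimiters(newValue)
 
 retValue = ET.tostring(root)
 else:
 retValue = paramString.replace("%s=%s" % (parameter, value),
- "%s=%s" % (parameter, newValue))
+ "%s=%s" % (parameter, self.addPayloadDelimiters(newValue)))
 
 return retValue
 
@@ -604,5 +605,60 @@ def forgeCaseStatement(self, expression):
 
 return queries[kb.dbms].case.query % expression
 
+ def addPayloadDelimiters(self, inpStr):
+ """
+ Adds payload delimiters around the input string
+ """
+ retVal = inpStr
+
+ if inpStr:
+ retVal = "%s%s%s" % (PAYLOAD_DELIMITER, inpStr, PAYLOAD_DELIMITER)
+
+ return retVal
+
+ def removePayloadDelimiters(self, inpStr, urlencode_=True):
+ """
+ Removes payload delimiters from inside the input string
+ """
+ retVal = inpStr
+
+ if inpStr:
+ if urlencode_:
+ regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
+
+ for match in regObj.finditer(inpStr):
+ retVal = retVal.replace(match.group("result"), urlencode(match.group("result")[1:-1]))
+ else:
+ retVal = retVal.replace(PAYLOAD_DELIMITER, '')
+
+ return retVal
+
+ def extractPayload(self, inpStr):
+ """
+ Extracts payload from inside of the input string
+ """
+ retVal = None
+
+ if inpStr:
+ regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
+ match = regObj.search(inpStr)
+
+ if match:
+ retVal = match.group("result")[1:-1]
+
+ return retVal
+
+ def replacePayload(self, inpStr, payload):
+ """
+ Replaces payload inside the input string with a given payload
+ """
+ retVal = inpStr
+
+ if inpStr:
+ regObj = getCompiledRegex("(?P<result>%s.*?%s)" % (PAYLOAD_DELIMITER, PAYLOAD_DELIMITER))
+ retVal = regObj.sub("%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr)
+
+ return retVal
+
 # SQL agent
 agent = Agent()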
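Review bot: `replacePayload` hands the tampered payload to `regObj.sub` as a replacement template, so a backslash sequence in it (`\1`, `\g<x>`, `\n`) is expanded or raises instead of being inserted literally; a callable avoids that: `retVal = regObj.sub(lambda _: "%s%s%s" % (PAYLOAD_DELIMITER, payload, PAYLOAD_DELIMITER), inpStr)`. The pattern shared by the three helpers, `%s.*?%s`, is built without `re.escape`, and unless `getCompiledRegex` (not shown on this page) adds DOTALL, `.` stops at a newline, so a payload containing `\n` would not be matched and `removePayloadDelimiters` would leave the `\x00` markers in the outgoing value. The `[1:-1]` slices also assume a one-character delimiter; slicing by `len(PAYLOAD_DELIMITER)` keeps them right if the setting changes.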
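--- a/lib/core/common.py
+++ b/lib/core/common.py
@@ -1532,7 +1532,7 @@ def runningAsAdmin():
 isAdmin = True
 else:
 errMsg = "sqlmap is not able to check if you are running it "
- errMsg += "as an administrator accout on this platform. "
+ errMsg += "as an administrator account on this platform. "
 errMsg += "sqlmap will assume that you are an administrator "
 errMsg += "which is mandatory for the requested takeover attack "
 errMsg += "to work properly"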
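--- a/lib/core/option.py
+++ b/lib/core/option.py
@@ -556,14 +556,14 @@ def __setTamperingFunctions():
 raise sqlmapSyntaxException, "can not import tamper script '%s' (%s)" % (filename[:-3], msg)
 
 for name, function in inspect.getmembers(module, inspect.isfunction):
- if name == "tamper" and function.func_code.co_argcount == 2:
+ if name == "tamper" and function.func_code.co_argcount == 1:
 kb.tamperFunctions.append(function)
 found = True
 
 break
 
 if not found:
- raise sqlmapGenericException, "missing function 'tamper(place, value)' in tamper script '%s'" % tfile
+ raise sqlmapGenericException, "missing function 'tamper(value)' in tamper script '%s'" % tfile
 
 def __setThreads():
 if not isinstance(conf.threads, int) or conf.threads <= 0: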
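Review bot: A `tamper` function that exists but has the wrong number of arguments falls through to the same "missing function 'tamper(value)'" error as a script with no `tamper` at all, because the name test and `function.func_code.co_argcount == 1` share one condition. Anyone with a script written for the previous two-argument form gets a message that points at the wrong problem. A separate branch for the arity case would make the interface change visible, e.g. `raise sqlmapGenericException, "function 'tamper' in tamper script '%s' must take exactly one argument (value)" % tfile`. `__setTamperingFunctions` starts above the hunk, so the surrounding loading code is only partly visible.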
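--- a/lib/core/settings.py
+++ b/lib/core/settings.py
@@ -46,6 +46,8 @@
 ERROR_START_CHAR = ":s:"
 ERROR_END_CHAR = ":e:"
 
+PAYLOAD_DELIMITER = "\x00"
+
 # System variables
 IS_WIN = subprocess.mswindows
 # The name of the operating system dependent module imported. The following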
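Review bot: `PAYLOAD_DELIMITER = "\x00"` is added without a comment, so nothing at the definition says what the marker is for or that it must never reach the wire. A line such as `# Marker placed around the injected payload by agent.addPayloadDelimiters(); removed again in Request.queryPage() before sending` would document the contract. It is also worth noting there that lib/core/agent.py interpolates the value into a regex unescaped and slices it off with `[1:-1]`, so the code as written assumes a single, regex-neutral character.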
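--- a/lib/parse/banner.py
+++ b/lib/parse/banner.py
@@ -92,7 +92,7 @@ def bannerParser(banner):
 """
 
 xmlfile = None
-
+
 if kb.dbms == "Microsoft SQL Server":
 xmlfile = paths.MSSQL_XML
 elif kb.dbms == "MySQL":
@@ -104,7 +104,7 @@ def bannerParser(banner):
 
 if not xmlfile:
 return
-
+
 checkFile(xmlfile)
 
 if kb.dbms == "Microsoft SQL Server":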
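--- a/lib/request/basic.py
+++ b/lib/request/basic.py
@@ -35,9 +35,6 @@ def forgeHeaders(cookie, ua):
 
 for header, value in conf.httpHeaders:
 if cookie and header == "Cookie":
- if conf.cookieUrlencode:
- cookie = urlEncodeCookieValues(cookie)
-
 headers[header] = cookie
 elif ua and header == "User-Agent":
 headers[header] = ua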
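--- a/lib/request/connect.py
+++ b/lib/request/connect.py
@@ -16,6 +16,7 @@
 import traceback
 
 from lib.contrib import multipartpost
+from lib.core.agent import agent
 from lib.core.common import readInput
 from lib.core.common import getUnicode
 from lib.core.convert import urlencode
@@ -107,7 +108,6 @@ def getPage(**kwargs):
 get = conf.parameters["GET"]
 
 if get:
- get = urlencode(get)
 url = "%s?%s" % (url, get)
 requestMsg += "?%s" % get
 
@@ -149,7 +149,7 @@ def getPage(**kwargs):
 cookieStr += "%s; " % cookie[8:index]
 
 conn = urllib2.urlopen(req)
-
+
 if not req.has_header("Accept-Encoding"):
 requestHeaders += "Accept-Encoding: identity\n"
 
@@ -307,8 +307,22 @@ def queryPage(value=None, place=None, content=False, getSeqMatcher=False, silent
 place = kb.injPlace
 
 if kb.tamperFunctions:
- for function in kb.tamperFunctions:
- value = function(place, value)
+ payload = agent.extractPayload(value)
+ if payload:
+ for function in kb.tamperFunctions:
+ payload = function(payload)
+ value = agent.replacePayload(value, payload)
+
+ if place == "GET":
+ value = agent.removePayloadDelimiters(value, True)
+ elif place == "POST":
+ value = agent.removePayloadDelimiters(value, False)
+ elif place == "Cookie":
+ value = agent.removePayloadDelimiters(value, conf.cookieUrlencode)
+ elif place == "User-Agent":
+ value = agent.removePayloadDelimiters(value, True)
+ elif place == "URI":
+ value = agent.removePayloadDelimiters(value, False)
 
 if conf.checkPayload:
 checkPayload(value)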
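Review bot: The `if place == "GET": … elif place == "URI":` chain added to `queryPage` has no `else`, so for any `place` outside these five values the `\x00` delimiters inserted by `agent.payload()` stay in `value` and are passed on to `checkPayload(value)` and into the request. Adding `else: value = agent.removePayloadDelimiters(value, False)` closes that gap. Indentation is lost on this page, so it is not clear whether the chain sits inside `if kb.tamperFunctions:`; if it does, the delimiters are also never stripped when no tamper script is loaded. `queryPage` starts above the hunk and continues below it.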
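--- a/lib/request/inject.py
+++ b/lib/request/inject.py
@@ -22,7 +22,6 @@
 from lib.core.common import randomInt
 from lib.core.common import readInput
 from lib.core.common import safeStringFormat
-from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger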
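--- a/lib/techniques/blind/inference.py
+++ b/lib/techniques/blind/inference.py
@@ -22,7 +22,6 @@
 from lib.core.common import readInput
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
-from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -122,7 +121,7 @@ def tryHint(idx):
 
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, posValue))
 queriesCount[0] += 1
- result = Request.queryPage(urlencode(forgedPayload))
+ result = Request.queryPage(forgedPayload)
 
 if result:
 return hintValue[idx-1]
@@ -153,7 +152,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 if len(charTbl) == 1:
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, charTbl[0]))
 queriesCount[0] += 1
- result = Request.queryPage(urlencode(forgedPayload))
+ result = Request.queryPage(forgedPayload)
 
 if result:
 return chr(charTbl[0]) if charTbl[0] < 128 else unichr(charTbl[0])
@@ -174,7 +173,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 forgedPayload = safeStringFormat(payload, (expressionUnescaped, idx, posValue))
 
 queriesCount[0] += 1
- result = Request.queryPage(urlencode(forgedPayload))
+ result = Request.queryPage(forgedPayload)
 
 if kb.dbms in ("SQLite", "Microsoft Access", "SAP MaxDB"):
 posValue = popValue()
@@ -226,7 +225,7 @@ def getChar(idx, charTbl=asciiTbl, continuousOrder=True, expand=charsetType is N
 for retVal in (originalTbl[originalTbl.index(minValue)], originalTbl[originalTbl.index(minValue) + 1]):
 forgedPayload = safeStringFormat(payload.replace('%3E', '%3D'), (expressionUnescaped, idx, retVal))
 queriesCount[0] += 1
- result = Request.queryPage(urlencode(forgedPayload))
+ result = Request.queryPage(forgedPayload)
 
 if result:
 return chr(retVal) if retVal < 128 else unichr(retVal)
@@ -444,7 +443,7 @@ def downloadThread():
 query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (expressionUnescaped, testValue)))
 query = agent.postfixQuery(query)
 queriesCount[0] += 1
- result = Request.queryPage(urlencode(agent.payload(newValue=query)))
+ result = Request.queryPage(agent.payload(newValue=query))
 
 # Did we have luck?
 if result:
@@ -468,7 +467,7 @@ def downloadThread():
 query = agent.prefixQuery(safeStringFormat("AND (%s) = %s", (subquery, testValue)))
 query = agent.postfixQuery(query)
 queriesCount[0] += 1
- result = Request.queryPage(urlencode(agent.payload(newValue=query)))
+ result = Request.queryPage(agent.payload(newValue=query))
 
 # Did we have luck?
 if result: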
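Review bot: The unchanged lines in `tryHint` and in two branches of `getChar` still build the equality probe with `payload.replace('%3E', '%3D')`, which only works if `>` is already URL-encoded inside `payload`. If `payload` is produced by `agent.payload()` — its origin is outside these hunks — this commit stops encoding at that point and defers it to `removePayloadDelimiters`, so the replace would match nothing and the intended `=` comparison would go out as `>` without any error. The substitution should act on the unencoded operator or on an explicit marker in the query template. Both functions begin and end outside the hunks shown.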
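--- a/lib/techniques/error/use.py
+++ b/lib/techniques/error/use.py
@@ -15,7 +15,6 @@
 from lib.core.common import randomInt
 from lib.core.common import replaceNewlineTabs
 from lib.core.common import safeStringFormat
-from lib.core.convert import urlencode
 from lib.core.data import conf
 from lib.core.data import kb
 from lib.core.data import logger
@@ -68,7 +67,7 @@ def errorUse(expression):
 logger.debug(debugMsg)
 
 payload = agent.payload(newValue=forgedQuery)
- result = Request.queryPage(urlencode(payload), content=True)
+ result = Request.queryPage(payload, content=True)
 match = re.search('%s(?P<result>.*?)%s' % (ERROR_START_CHAR, ERROR_END_CHAR), result[0], re.DOTALL | re.IGNORECASE)
 
 if match: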
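--- a/tamper/between.py
+++ b/tamper/between.py
@@ -7,10 +7,7 @@
 See the file 'doc/COPYING' for copying permission
 """
 
-from lib.core.convert import urldecode
-from lib.core.convert import urlencode
-
-def tamper(place, value):
+def tamper(value):
 """
 Replaces '>' with 'NOT BETWEEN 0 AND #'
 Example: 'A > B' becomes 'A NOT BETWEEN 0 AND B'
@@ -19,14 +16,12 @@ def tamper(place, value):
 retVal = value
 
 if value:
- if place != "URI":
- value = urldecode(value)
-
 retVal = ""
 quote, doublequote, firstspace = False, False, False
 
 for i in xrange(len(value)):
 if not firstspace:
+
 if value[i].isspace():
 firstspace = True
 retVal += " "
@@ -47,8 +42,5 @@ def tamper(place, value):
 
 retVal += value[i]
 
- if place != "URI":
- retVal = urlencode(retVal)
-
 return retVal
 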
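--- a/tamper/charencode.py
+++ b/tamper/charencode.py
@@ -11,7 +11,7 @@
 
 from lib.core.exception import sqlmapUnsupportedFeatureException
 
-def tamper(place, value):
+def tamper(value):
 """
 Replaces value with urlencode of non-encoded chars in value
 Example: 'SELECT%20FIELD%20FROM%20TABLE' becomes '%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45'
@@ -20,18 +20,15 @@ def tamper(place, value):
 retVal = value
 
 if value:
- if place != "URI":
- retVal = ""
- i = 0
-
- while i < len(value):
- if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits:
- retVal += value[i:i+3]
- i += 3
- else:
- retVal += '%%%X' % ord(value[i])
- i += 1
- else:
- raise sqlmapUnsupportedFeatureException, "can't use tamper script '%s' with 'URI' type injections" % __name__
+ retVal = ""
+ i = 0
+
+ while i < len(value):
+ if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits:
+ retVal += value[i:i+3]
+ i += 3
+ else:
+ retVal += '%%%X' % ord(value[i])
+ i += 1
 
 return retVal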
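Review bot: With the `place` branch removed, `sqlmapUnsupportedFeatureException` is still imported on the context line but no longer used in this file; the same leftover import is visible in tamper/charunicodeencode.py and tamper/doubleencode.py. These three scripts return percent-encoded text, while `queryPage` now URL-encodes the tampered payload afterwards for GET and User-Agent via `removePayloadDelimiters(value, True)`; whether `%53` survives or turns into `%2553` depends on how `urlencode` treats `%`, which this page does not show, so that interaction needs a check. The docstring example still starts from an already encoded input (`SELECT%20FIELD%20FROM%20TABLE`) although, after the changes in lib/core/agent.py, the script appears to receive the payload before any encoding.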
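--- a/tamper/charunicodeencode.py
+++ b/tamper/charunicodeencode.py
@@ -11,7 +11,7 @@
 
 from lib.core.exception import sqlmapUnsupportedFeatureException
 
-def tamper(place, value):
+def tamper(value):
 """
 Replaces value with unicode-urlencode of non-encoded chars in value
 Example: 'SELECT%20FIELD%20FROM%20TABLE' becomes '%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'
@@ -20,18 +20,15 @@ def tamper(place, value):
 retVal = value
 
 if value:
- if place != "URI":
- retVal = ""
- i = 0
-
- while i < len(value):
- if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits:
- retVal += "%%u00%s" % value[i+1:i+3]
- i += 3
- else:
- retVal += '%%u00%X' % ord(value[i])
- i += 1
- else:
- raise sqlmapUnsupportedFeatureException, "can't use tamper script '%s' with 'URI' type injections" % __name__
+ retVal = ""
+ i = 0
+
+ while i < len(value):
+ if value[i] == '%' and (i < len(value) - 2) and value[i+1] in string.hexdigits and value[i+2] in string.hexdigits:
+ retVal += "%%u00%s" % value[i+1:i+3]
+ i += 3
+ else:
+ retVal += '%%u00%X' % ord(value[i])
+ i += 1
 
 return retVal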
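--- a/tamper/doubleencode.py
+++ b/tamper/doubleencode.py
@@ -10,16 +10,13 @@
 from lib.core.convert import urlencode
 from lib.core.exception import sqlmapUnsupportedFeatureException
 
-def tamper(place, value):
+def tamper(value):
 """
 Replaces value with urlencode(value)
 Example: 'SELECT%20FIELD%20FROM%20TABLE' becomes 'SELECT%25%20FIELD%25%20FROM%25%20TABLE'
 """
 
 if value:
- if place != "URI":
- value = urlencode(value, convall=True)
- else:
- raise sqlmapUnsupportedFeatureException, "can't use tamper script '%s' with 'URI' type injections" % __name__
+ value = urlencode(value, convall=True)
 
 return value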
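--- a/tamper/ifnull2ifisnull.py
+++ b/tamper/ifnull2ifisnull.py
@@ -7,18 +7,13 @@
 See the file 'doc/COPYING' for copying permission
 """
 
-from lib.core.convert import urldecode
-from lib.core.convert import urlencode
-
-def tamper(place, value):
+def tamper(value):
 """
 Replaces 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
 Example: 'IFNULL(1, 2)' becomes 'IF(ISNULL(1), 2, 1)'
 """
 
 if value and value.find("IFNULL") > -1:
- if place != "URI":
- value = urldecode(value)
 
 while value.find("IFNULL(") > -1:
 index = value.find("IFNULL(")
@@ -28,11 +23,14 @@ def tamper(place, value):
 for i in xrange(index + len("IFNULL("), len(value)):
 if deepness == 1 and value[i] == ',':
 comma = i
+
 elif deepness == 1 and value[i] == ')':
 end = i
 break
+
 elif value[i] == '(':
 deepness += 1
+
 elif value[i] == ')':
 deepness -= 1
 
@@ -44,7 +42,4 @@ def tamper(place, value):
 else:
 break
 
- if place != "URI":
- value = urlencode(value)
-
 return value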
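--- a/tamper/randomcase.py
+++ b/tamper/randomcase.py
@@ -10,8 +10,6 @@
 import re
 
 from lib.core.common import randomRange
-from lib.core.convert import urldecode
-from lib.core.convert import urlencode
 from lib.core.data import kb
 
 def tamper(place, value):
@@ -23,9 +21,6 @@ def tamper(place, value):
 retVal = value
 
 if value:
- if place != "URI":
- retVal = urldecode(retVal)
-
 for match in re.finditer(r"[A-Za-z_]+", retVal):
 word = match.group()
 
@@ -37,7 +32,4 @@ def tamper(place, value):
 
 retVal = retVal.replace(word, newWord)
 
- if place != "URI":
- retVal = urlencode(retVal)
-
 return retVal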
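Review bot: `def tamper(place, value):` is left untouched on the context line of the first hunk, while the urldecode/urlencode calls that were the only visible users of `place` are removed, so this script keeps the old two-argument signature. lib/core/option.py in this commit now accepts only `co_argcount == 1` and `queryPage` calls `function(payload)`, so the script would be rejected when it is loaded. The header should become `def tamper(value):` like the other tamper scripts changed here.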
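--- a/tamper/randomcomments.py
+++ b/tamper/randomcomments.py
@@ -10,11 +10,9 @@
 import re
 
 from lib.core.common import randomRange
-from lib.core.convert import urldecode
-from lib.core.convert import urlencode
 from lib.core.data import kb
 
-def tamper(place, value):
+def tamper(value):
 """
 Add random comments to value
 Example: 'INSERT' becomes 'IN/**/S/**/ERT'
@@ -23,9 +21,6 @@ def tamper(place, value):
 retVal = value
 
 if value:
- if place != "URI":
- retVal = urldecode(retVal)
-
 for match in re.finditer(r"[A-Za-z_]+", retVal):
 word = match.group()
 
@@ -41,7 +36,4 @@ def tamper(place, value):
 newWord += word[-1]
 retVal = retVal.replace(word, newWord)
 
- if place != "URI":
- retVal = urlencode(retVal)
-
 return retVal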
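--- a/tamper/space2comment.py
+++ b/tamper/space2comment.py
@@ -7,10 +7,7 @@
 See the file 'doc/COPYING' for copying permission
 """
 
-from lib.core.convert import urldecode
-from lib.core.convert import urlencode
-
-def tamper(place, value):
+def tamper(value):
 """
 Replaces ' ' with '/**/'
 Example: 'SELECT id FROM users' becomes 'SELECT/**/id/**/FROM users'
@@ -19,9 +16,6 @@ def tamper(place, value):
 retVal = value
 
 if value:
- if place != "URI":
- value = urldecode(value)
-
 retVal = ""
 quote, doublequote, firstspace = False, False, False
 
@@ -44,8 +38,5 @@ def tamper(place, value):
 
 retVal += value[i]
 
- if place != "URI":
- retVal = urlencode(retVal)
-
 return retVal
 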
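--- a/tamper/space2plus.py
+++ b/tamper/space2plus.py
@@ -7,10 +7,7 @@
 See the file 'doc/COPYING' for copying permission
 """
 
-from lib.core.convert import urldecode
-from lib.core.convert import urlencode
-
-def tamper(place, value):
+def tamper(value):
 """
 Replaces ' ' with '/**/'
 Example: 'SELECT id FROM users' becomes 'SELECT+id+FROM+users'
@@ -19,9 +16,6 @@ def tamper(place, value):
 retVal = value
 
 if value:
- if place != "URI":
- value = urldecode(value)
-
 retVal = ""
 quote, doublequote, firstspace = False, False, False
 
@@ -44,8 +38,5 @@ def tamper(place, value):
 
 retVal += value[i]
 
- if place != "URI":
- retVal = urlencode(retVal)
-
 return retVal
 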
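Review bot: The docstring kept on the context lines says "Replaces ' ' with '/**/'", but its own example (`SELECT+id+FROM+users`) and the file name describe a replacement with `+`; it looks copied from space2comment.py and should read `Replaces ' ' with '+'`. The trailing `urlencode(retVal)` is removed here and encoding now happens later in `removePayloadDelimiters`, so it is worth confirming that the `+` this script inserts is not re-encoded to `%2B` for GET requests. That depends on `urlencode`, which this page does not show.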
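--- a/tamper/space2randomblank.py
+++ b/tamper/space2randomblank.py
@@ -9,10 +9,7 @@
 
 import random
 
-from lib.core.convert import urldecode
-from lib.core.convert import urlencode
-
-def tamper(place, value):
+def tamper(value):
 """
 Replaces ' ' with a random blank char from a set ('\r', '\n', '\t')
 Example: 'SELECT id FROM users' becomes 'SELECT\rid\tFROM\nusers'
@@ -22,9 +19,6 @@ def tamper(place, value):
 retVal = value
 
 if value:
- if place != "URI":
- value = urldecode(value)
-
 retVal = ""
 quote, doublequote, firstspace = False, False, False
 
@@ -47,8 +41,5 @@ def tamper(place, value):
 
 retVal += value[i]
 
- if place != "URI":
- retVal = urlencode(retVal)
-
 return retVal
 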
