tamper(payload, **kwargs): replaces each keyword character with a random case value (e.g. SELECT -> SEleCt).
```python
import re

from lib.core.common import randomRange  # sqlmap helper: random integer in [start, stop]
from lib.core.data import kb             # sqlmap knowledge base; kb.keywords holds the SQL keyword set

pass  # tail of the function cut off above this excerpt

def tamper(payload, **kwargs):
    """
    Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
        * SQLite 3

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that have poorly written permissive regular expressions
        * This tamper script should work against all (?) databases

    >>> import random
    >>> random.seed(0)
    >>> tamper('INSERT')
    'InSeRt'
    >>> tamper('f()')
    'f()'
    >>> tamper('function()')
    'FuNcTiOn()'
    >>> tamper('SELECT id FROM `user`')
    'SeLeCt id FrOm `user`'
    """

    retVal = payload

    if payload:
        # Candidate words: runs of two or more letters/underscores
        for match in re.finditer(r"\b[A-Za-z_]{2,}\b", retVal):
            word = match.group()

            # Only rewrite SQL keywords that are not quoted or bracketed identifiers
            # (e.g. `user`, [user]); anything used as a function name is rewritten too
            if (word.upper() in kb.keywords and re.search(r"(?i)[`\"'\[]%s[`\"'\]]" % word, retVal) is None) or ("%s(" % word) in payload:
                # Re-roll until the result is genuinely mixed case (neither all
                # upper nor all lower), so every selected word really changes.
                # A word made only of underscores has no case to flip and would
                # never satisfy this condition.
                while True:
                    _ = ""

                    for i in xrange(len(word)):  # xrange: this is the Python 2 version of the script
                        _ += word[i].upper() if randomRange(0, 1) else word[i].lower()

                    if len(_) > 1 and _ not in (_.lower(), _.upper()):
                        break

                # str.replace rewrites every occurrence of the word, not only this match
                retVal = retVal.replace(word, _)

    return retVal
```
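The docstring's point is that this script only defeats filters whose keyword patterns are case-sensitive. The following is an added example, not part of sqlmap or of the file above, showing the weak rule beside two hardened forms (a case-insensitive flag, and canonicalizing the input before matching) and a third check that keys on the artifact the tamper's own loop guarantees: a keyword that is neither all-upper nor all-lower. The `KEYWORDS` tuple, the `SAMPLE_INPUTS` list and all function names are assumptions made for this example; the mixed-case inputs are the outputs shown in the docstring's doctests.

```python
import re

# Request values as a WAF or log parser would see them. Constructed for this
# example; the mixed-case forms are the doctest outputs from the tamper docstring.
SAMPLE_INPUTS = [
    "SELECT id FROM `user`",   # plain upper-case keywords
    "SeLeCt id FrOm `user`",   # random-case form from the docstring
    "InSeRt",                  # random-case form from the docstring
    "FuNcTiOn()",              # mixed-case function name, not a keyword
    "hello world",             # benign text
]

# Assumed keyword list for this example; sqlmap's kb.keywords is far larger.
KEYWORDS = ("SELECT", "INSERT", "UPDATE", "DELETE", "UNION", "FROM", "WHERE")

_ALTERNATION = r"\b(" + "|".join(KEYWORDS) + r")\b"

# Weak rule: exact-case alternation, the kind of pattern randomcase is built to slip past.
WEAK_RULE = re.compile(_ALTERNATION)

# Hardened rule: identical alternation, but case-insensitive.
HARDENED_RULE = re.compile(_ALTERNATION, re.IGNORECASE)


def weak_match(value):
    """Keyword matched by the case-sensitive rule, or None."""
    m = WEAK_RULE.search(value)
    return m.group(1) if m else None


def hardened_match(value):
    """Keyword matched by the case-insensitive rule, normalized to upper case, or None."""
    m = HARDENED_RULE.search(value)
    return m.group(1).upper() if m else None


def normalize(value):
    """Canonicalize before matching. Upper-casing has the same effect as
    re.IGNORECASE and is the fix when the signature engine has no case flag."""
    return value.upper()


def normalized_weak_match(value):
    """The unchanged weak rule applied to the canonicalized value."""
    return weak_match(normalize(value))


def mixed_case_keywords(value):
    """Keywords whose casing is neither all-upper nor all-lower. The tamper's loop
    rejects any output equal to word.lower() or word.upper(), so every keyword it
    touches ends up in this state; legitimate SQL almost never does."""
    hits = []
    for m in re.finditer(r"\b[A-Za-z_]{2,}\b", value):
        w = m.group()
        if w.upper() in KEYWORDS and w not in (w.upper(), w.lower()):
            hits.append(w)
    return hits


def compare(values=SAMPLE_INPUTS):
    """Run every check on each input; returns (input, weak, hardened, normalized, mixed)."""
    return [
        (v, weak_match(v), hardened_match(v), normalized_weak_match(v), mixed_case_keywords(v))
        for v in values
    ]


if __name__ == "__main__":
    for value, weak, hard, norm, mixed in compare():
        print("%-26r weak=%-7s hardened=%-7s normalized=%-7s mixed=%s"
              % (value, weak, hard, norm, mixed))
```

Running the block shows the weak rule matching only the plain-case input, while both hardened forms match every random-case variant; the mixed-case check is a useful secondary signal but will also flag ordinary Title-case keywords such as `Select`, so treat it as a scoring input rather than a blocking rule.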