Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
sqlmapproject
GitHub Repository: sqlmapproject/sqlmap
 Path: blob/master/tamper/chardoubleencode.py
2983 views
1
#!/usr/bin/env python

2


3
"""

4
Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org)

5
See the file 'LICENSE' for copying permission

6
"""

7


8
import string

9


10
from lib.core.enums import PRIORITY

11


12
__priority__ = PRIORITY.LOW

13


14
def dependencies():

15
    pass

16


17
def tamper(payload, **kwargs):

18
    """

19
    Double URL-encodes each character in the payload (ignores already encoded ones) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)

20


21
    Notes:

22
        * Useful to bypass some weak web application firewalls that do not double URL-decode the request before processing it through their ruleset

23


24
    >>> tamper('SELECT FIELD FROM%20TABLE')

25
    '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'

26
    """

27


28
    retVal = payload

29


30
    if payload:

31
        retVal = ""

32
        i = 0

33


34
        while i < len(payload):

35
            if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:

36
                retVal += '%%25%s' % payload[i + 1:i + 3]

37
                i += 3

38
            else:

39
                retVal += '%%25%.2X' % ord(payload[i])

40
                i += 1

41


42
    return retVal

43


44