1
#!/usr/bin/env python
2

3
"""
4
Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org)
5
See the file 'LICENSE' for copying permission
6
"""
7

8
import string
9

10
from lib.core.enums import PRIORITY
11

12
__priority__ = PRIORITY.LOWEST
13

14
def dependencies():
15
    pass
16

17
def tamper(payload, **kwargs):
18
    """
19
    URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)
20

21
    Tested against:
22
        * Microsoft SQL Server 2005
23
        * MySQL 4, 5.0 and 5.5
24
        * Oracle 10g
25
        * PostgreSQL 8.3, 8.4, 9.0
26

27
    Notes:
28
        * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
29
        * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS
30

31
    >>> tamper('SELECT FIELD FROM%20TABLE')
32
    '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
33
    """
34

35
    retVal = payload
36

37
    if payload:
38
        retVal = ""
39
        i = 0
40

41
        while i < len(payload):
42
            if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
43
                retVal += payload[i:i + 3]
44
                i += 3
45
            else:
46
                retVal += '%%%.2X' % ord(payload[i])
47
                i += 1
48

49
    return retVal
50

51