1#!/usr/bin/env python
2
3"""
4Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
5See the file 'LICENSE' for copying permission
6"""
7
8import os
9import re
10
11from lib.core.common import singleTimeWarnMessage
12from lib.core.enums import DBMS
13from lib.core.enums import PRIORITY
14
# Priority declared by this tamper script. PRIORITY comes from lib.core.enums;
# NOTE(review): presumably used to order this script relative to other tamper
# scripts applied to the same payload - confirm against the loader.
__priority__ = PRIORITY.HIGHEST
16
def dependencies():
    """
    Emits, through singleTimeWarnMessage(), a notice that this tamper script
    is unlikely to work against DBMS.PGSQL
    """

    # The script name is this file's base name up to the first dot
    scriptName = os.path.basename(__file__).split(".")[0]
    warnMsg = "tamper script '%s' is unlikely to work against %s" % (scriptName, DBMS.PGSQL)

    singleTimeWarnMessage(warnMsg)
19
def tamper(payload, **kwargs):
    """
    Rewrites every equal sign ('=') in the payload as the ' LIKE ' operator

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5

    Notes:
        * Useful to bypass weak and bespoke web application firewalls that
          filter the equal character ('=')
        * The LIKE operator is SQL standard. Hence, this tamper script
          should work against all (?) databases; dependencies() in this
          file nevertheless warns that it is unlikely to work against
          DBMS.PGSQL
        * The substitution is purely textual: whitespace around '=' is
          absorbed, and an '=' that is part of a compound operator
          (e.g. '>=') or of a quoted string is rewritten as well
        * Defensive takeaway: a filter keyed on the literal '=' character
          does not stop injection, because equivalent operators exist;
          parameterized queries remove the injection point itself
        * Extra keyword arguments are accepted but not used

    >>> tamper('SELECT * FROM users WHERE id=1')
    'SELECT * FROM users WHERE id LIKE 1'
    """

    # Empty or None payloads are handed back untouched
    if not payload:
        return payload

    return re.sub(r"\s*=\s*", " LIKE ", payload)
44