Fixing shitty concat2concatws tamper script

stamparm · stamparm · commit d373eeaea583 · 2026-06-04T19:40:58.000+02:00
diff --git a/data/txt/sha256sums.txt b/data/txt/sha256sums.txt
@@ -188,7 +188,7 @@ c65ce3cd38ee85c443c6619cfea84920390bad171f2999b95149485c0d1bc4a2  lib/core/patch
 48797d6c34dd9bb8a53f7f3794c85f4288d82a9a1d6be7fcf317d388cb20d4b3  lib/core/replication.py
 0b8c38a01bb01f843d94a6c5f2075ee47520d0c4aa799cecea9c3e2c5a4a23a6  lib/core/revision.py
 888daba83fd4a34e9503fe21f01fef4cc730e5cde871b1d40e15d4cbc847d56c  lib/core/session.py
-3fea7262bc40f5a7cf31ae81c1f2d1a12361d7b7e1d45411d6617475bd691608  lib/core/settings.py
+d4b1e774a78d8b4f71701dbacc25ab78adfa4bed785588a1946ae6230685f4ae  lib/core/settings.py
 cd5a66deee8963ba8e7e9af3dd36eb5e8127d4d68698811c29e789655f507f82  lib/core/shell.py
 bcb5d8090d5e3e0ef2a586ba09ba80eef0c6d51feb0f611ed25299fbb254f725  lib/core/subprocessng.py
 70ea3768f1b3062b22d20644df41c86238157ec80dd43da40545c620714273c6  lib/core/target.py
@@ -508,7 +508,7 @@ c7892bff56b2b85dfdf9f24c783c569edac57a3fd5a254cf4554987a374206c9  tamper/charenc
 d0d8f2df2c29d81315a867ecb6baa9ca430e8f98d04f4df3879f2bcd697fac16  tamper/commalesslimit.py
 1aee4e920b8ffa4a79b2ac9a42e2d7de13434970b3d1e0c6911c26bdd0c7b4e7  tamper/commalessmid.py
 ff8d05da2c5a123a231671c97ee80bb77b6631d7e5356d836cfe15ef212b73e5  tamper/commentbeforeparentheses.py
-66cad47087c78a5658445f8a00f2e1cd533a6d7c57aec2d1eb1fe486956aa3ea  tamper/concat2concatws.py
+27f74b1c007713f753e0278bc056b09cd715c364847977962d6a198ecefa14ff  tamper/concat2concatws.py
 b5a5ba94a78cf83b35cdb0b08d9d69dbf1f33c07cc5152c560ae5aee54a4c066  tamper/decentities.py
 1d6bcc5ffe235840370cd9738b5e8067f8b24e8c0e2bb629d330a7e5c379328a  tamper/dunion.py
 99c59e6fd7cafc9238c53e037eff457823854eef7cb0c5ea05941e0223229209  tamper/equaltolike.py
diff --git a/lib/core/settings.py b/lib/core/settings.py
@@ -20,7 +20,7 @@
 from thirdparty import six
 
 # sqlmap version (<major>.<minor>.<month>.<monthly commit>)
-VERSION = "1.10.6.12"
+VERSION = "1.10.6.13"
 TYPE = "dev" if VERSION.count('.') > 2 and VERSION.split('.')[-1] != '0' else "stable"
 TYPE_COLORS = {"dev": 33, "stable": 90, "pip": 34}
 VERSION_STRING = "sqlmap/%s#%s" % ('.'.join(VERSION.split('.')[:-1]) if VERSION.count('.') > 2 and VERSION.split('.')[-1] == '0' else VERSION, TYPE)
diff --git a/tamper/concat2concatws.py b/tamper/concat2concatws.py
@@ -6,6 +6,7 @@
 """
 
 import os
+import re
 
 from lib.core.common import singleTimeWarnMessage
 from lib.core.enums import DBMS
@@ -35,6 +36,6 @@ def tamper(payload, **kwargs):
     """
 
     if payload:
-        payload = payload.replace("CONCAT(", "CONCAT_WS(MID(CHAR(0),0,0),")
+        payload = re.sub(r"(?i)(?<!GROUP_)CONCAT\(", "CONCAT_WS(MID(CHAR(0),0,0),", payload)
 
     return payload
