Analysis of the tamper scripts shipped with sqlmap

space2randomblank

Description: replaces each space with a random character drawn from a set of alternative blank characters

Platforms: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0

Example: SELECT id FROM users ==> SELECT%0Did%0DFROM%0Ausers


"""  //python 的多行注释符
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import random

from lib.core.compat import xrange //导入sqlmap中的lib/core/compat中的xrange函数
from lib.core.enums import PRIORITY//

__priority__ = PRIORITY.LOW//定义优先级,此处级别为一般

def dependencies():  //定义dependencies() ,此处是为了和整体脚本的结构保持一致
    pass  //不做任何事情,一般用做站位语句,为了保证程序的完整性

def tamper(payload, **kwargs)://定义tamper  脚本,payload, **kwargs为定义的参数
    """  //多行注释符
    Replaces space character (' ') with a random blank character from a valid set of alternate characters  //此处为tamper说明,以便使用该脚本

    Tested against:  //用于多种数据库,并且作用与弱防护效果的防火墙
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass several web application firewalls

    >>> random.seed(0)
    >>> tamper('SELECT id FROM users')
    'SELECT%0Did%0CFROM%0Ausers'
    """

    # ASCII table:
    #   TAB     09      horizontal TAB
    #   LF      0A      new line
    #   FF      0C      new page
    #   CR      0D      carriage return
    blanks = ("%09", "%0A", "%0C", "%0D")
    retVal = payload

    if payload: //判断payload
        retVal = "" //将retVal 赋值为空语句
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload))://xrange为一个生成器
            if not firstspace:
                if payload[i].isspace()://检测字符串是否只由空格组成
                    firstspace = True//将true 赋给firstspace
                    retVal += random.choice(blanks)//返回一个列表,元组或字符串的随机项
                    continue//跳出本次循环

            elif payload[i] == '\''://判断字符是否为'\'
                quote = not quote

            elif payload[i] == '"'://判断字符是否为"
                doublequote = not doublequote

            elif payload[i] == ' ' and not doublequote and not quote:
                retVal += random.choice(blanks)//返回一个列表,元组或字符串的随机项
                continue//跳出本次循环

            retVal += payload[i]

    return retVal//返回随机字符

symboliclogical

Description: replaces "and" with && and "or" with ||, for cases where these keywords are filtered

Platforms: All

Example: 1 and 1=1 ==> 1 %26%26 1=1

1 or 1=1 ==> 1 %7c%7c 1=1

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)

    >>> tamper("1 AND '1'='1")
    "1 %26%26 '1'='1"
    """

    retVal = payload  # copy payload into retVal

    if payload:  # only transform a non-empty payload
        retVal = re.sub(r"(?i)\bAND\b", "%26%26", re.sub(r"(?i)\bOR\b", "%7C%7C", payload))  # replace whole-word AND/OR (case-insensitively) with URL-encoded && and ||

    return retVal

​

uppercase

Description: converts the lowercase SQL keywords in the payload to upper case

Platforms: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0

Example: insert ==> INSERT

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.data import kb
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces each keyword character with upper case value (e.g. select -> SELECT)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases

    >>> tamper('insert')
    'INSERT'
    """

    retVal = payload

    if payload:
        for match in re.finditer(r"[A-Za-z_]+", retVal):  # find every word in retVal (the payload)
            word = match.group()  # the matched word

            if word.upper() in kb.keywords:  # only SQL keywords known to sqlmap are touched
                retVal = retVal.replace(word, word.upper())  # rewrite the keyword in upper case

    return retVal  # the payload with its keywords uppercased


informationschemacomment

Description:

Appends /**/ after information_schema, for cases where a filter matches on information_schema

retVal = re.sub(r"(?i)(information_schema)\.", r"\g<1>/**/.", payload)

Platforms: All

Example: select table_name from information_schema.tables ==> select table_name from information_schema/**/.tables

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def tamper(payload, **kwargs):
    """
    Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier

    >>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
    'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'
    """

    retVal = payload

    if payload:  # only transform a non-empty payload
        retVal = re.sub(r"(?i)(information_schema)\.", r"\g<1>/**/.", payload)  # insert /**/ between information_schema and the following dot, case-insensitively

    return retVal  # the payload with the inline comment inserted


lowercase

Description: converts the uppercase SQL keywords in the payload to lower case

Platforms: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0

Example: SELECT table_name FROM INFORMATION_SCHEMA.TABLES ==> select table_name from information_schema.tables

#!/usr/bin/env python
# The shebang locates python through env's PATH instead of hard-coding the interpreter path, which is good practice
"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
# The triple-quoted string above is the module docstring (often described as a Python 2.7 multi-line comment);
# double quotes are used because the text itself contains single quotes

import re  # Python's regular-expression module, used for the substitutions below
from lib.core.data import kb  # sqlmap's knowledge-base object from lib/core/data; the configuration is loaded into conf and kb before injection testing starts
from lib.core.enums import PRIORITY  # PRIORITY from lib/core/enums, e.g. LOWEST = -100, LOWER = -50; see enums.py

__priority__ = PRIORITY.NORMAL  # tamper priority; NORMAL for this script

def dependencies():  # defined only to keep the standard tamper script structure
    pass  # does nothing; a placeholder that keeps the script structure complete

def tamper(payload, **kwargs):  # the tamper entry point; **kwargs is a dict of keyword arguments, e.g. {'a': 1, 'c': 3, 'b': 2}
    # The docstring below describes the tamper so users know when to apply it:
    # it has been tested against several databases and targets weakly configured firewalls
    """
    Replaces each keyword character with lower case value
    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases
    >>> tamper('INSERT')
    'insert'
    """
    retVal = payload  # copy payload into retVal for the conversion
    if payload:  # only transform a non-empty payload
        for match in re.finditer(r"[A-Za-z_]+", retVal):  # find every word in retVal (the payload)
            word = match.group()  # the matched word
            if word.upper() in kb.keywords:  # only SQL keywords known to sqlmap are touched
                retVal = retVal.replace(word, word.lower())  # rewrite the keyword in lower case
    return retVal  # the payload with its keywords lowercased
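Each of the four scripts above rewrites a payload so that a naive keyword filter no longer sees the keyword. The following normalization routine is an added example (not part of the original post and not sqlmap code) showing how a defender can fold all four transformations back into one canonical form before matching; the sample inputs and the short KEYWORDS list are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs: each is the output of one tamper described above.
SAMPLES = {
    "space2randomblank": "SELECT%0Did%0CFROM%0Ausers",
    "symboliclogical_and": "1 %26%26 '1'='1",
    "symboliclogical_or": "1 %7c%7c 1=1",
    "uppercase": "INSERT",
    "informationschemacomment": "select table_name from information_schema/**/.tables",
}

# Toy keyword list, assumed for the demonstration (sqlmap's kb.keywords is far larger).
KEYWORDS = ("select", "insert", "information_schema", "and", "or")


def normalize(payload):
    """Fold the four evasions shown on this page back into one canonical form."""
    s = unquote(payload)                         # %09/%0A/%0C/%0D, %26, %7C -> raw characters
    s = re.sub(r"/\*.*?\*/", "", s, flags=re.S)  # drop inline comments such as information_schema/**/.tables
    s = s.replace("&&", " and ")                 # symboliclogical: && back to and
    s = s.replace("||", " or ")                  # symboliclogical: || back to or (conservative: || is also
                                                 # string concatenation in some dialects)
    s = re.sub(r"\s+", " ", s).strip()           # any blank run (tab, LF, FF, CR, space) -> one space
    return s.lower()                             # the uppercase/lowercase tampers collapse here


def matched_keywords(payload):
    """Return the sorted keywords present in the normalized payload."""
    words = set(re.findall(r"[a-z_]+", normalize(payload)))
    return sorted(k for k in KEYWORDS if k in words)


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:26} {sample!r:58} -> {normalize(sample)!r} {matched_keywords(sample)}")
```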