From 01d9031e655358e3482dc3514dca07999fa7ac63 Mon Sep 17 00:00:00 2001 From: sck <2238502556@qq.com> Date: Mon, 30 Dec 2024 10:28:11 +0800 Subject: [PATCH] sck --- src/sqlmap-master/tamper/randomcomments.py | 15 ++++++++++----- src/sqlmap-master/tamper/schemasplit.py | 3 ++- src/sqlmap-master/tamper/scientific.py | 4 +++- src/sqlmap-master/tamper/sleep2getlock.py | 1 + src/sqlmap-master/tamper/sp_password.py | 3 +++ src/sqlmap-master/tamper/space2comment.py | 14 ++++++++------ src/sqlmap-master/tamper/space2dash.py | 16 ++++++++++++++-- src/sqlmap-master/tamper/space2hash.py | 13 +++++++++++++ src/sqlmap-master/tamper/space2morecomment.py | 6 ++++++ 9 files changed, 60 insertions(+), 15 deletions(-) diff --git a/src/sqlmap-master/tamper/randomcomments.py b/src/sqlmap-master/tamper/randomcomments.py index edf4cba..b0963a3 100644 --- a/src/sqlmap-master/tamper/randomcomments.py +++ b/src/sqlmap-master/tamper/randomcomments.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission import re +# 从sqlmap的库中导入随机范围函数、兼容模块中的xrange函数、知识库和优先级枚举 from lib.core.common import randomRange from lib.core.compat import xrange from lib.core.data import kb @@ -27,24 +28,28 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 使用正则表达式找到payload中的所有单词(至少一个字母或下划线) for match in re.finditer(r"\b[A-Za-z_]+\b", payload): word = match.group() + # 跳过长度小于2的单词 if len(word) < 2: continue + # 如果单词是SQL关键字 if word.upper() in kb.keywords: - _ = word[0] - + _ = word[0] # 从单词的第一个字符开始构造新的字符串 + # 遍历单词的每个字符(除了第一个和最后一个) for i in xrange(1, len(word) - 1): + # 随机决定是否插入注释 _ += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i]) - + # 添加单词的最后一个字符 _ += word[-1] - + # 如果没有插入任何注释,则随机选择一个位置插入注释 if "/**/" not in _: index = randomRange(1, len(word) - 1) _ = word[:index] + "/**/" + word[index:] - + # 将原始的单词替换为插入了注释的新字符串 retVal = retVal.replace(word, _) return retVal diff --git a/src/sqlmap-master/tamper/schemasplit.py b/src/sqlmap-master/tamper/schemasplit.py index 07ad37d..8245f08 100644 
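Review bot: The comments added throughout tamper() are in Chinese while the file's own docstrings and the existing `# NOTE: MID and CAST don't work for sure` style comment are in English, so the hunk leaves the module with mixed-language documentation; the same applies to every other hunk in this patch (schemasplit, scientific, sleep2getlock, sp_password, space2comment, space2dash, space2hash, space2morecomment). The trailing comment on `_ = word[0]  # 从单词的第一个字符开始构造新的字符串` also replaces the blank line that separated the keyword test from the rebuild loop, which made the three phases (rebuild, fallback insert, replace) harder to see than before. I would keep the comments as one-line English notes above each phase, e.g. `# Rebuild the keyword, optionally inserting "/**/" between its inner characters`, and restore the blank lines. tamper() begins outside this hunk.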
--- a/src/sqlmap-master/tamper/schemasplit.py +++ b/src/sqlmap-master/tamper/schemasplit.py @@ -27,5 +27,6 @@ def tamper(payload, **kwargs): >>> tamper('SELECT id FROM testdb.users') 'SELECT id FROM testdb 9.e.users' """ - + # 如果payload不为空,则使用正则表达式替换FROM后面数据库表名的点操作符为一个空格加上'9.e.' + # 这是一种绕过某些WAF规则的技术,通过插入一个看似无害的字符串'9.e.'来分割数据库名和表名 return re.sub(r"(?i)( FROM \w+)\.(\w+)", r"\g<1> 9.e.\g<2>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/scientific.py b/src/sqlmap-master/tamper/scientific.py index 9b0ecf7..514b582 100644 --- a/src/sqlmap-master/tamper/scientific.py +++ b/src/sqlmap-master/tamper/scientific.py @@ -29,7 +29,9 @@ def tamper(payload, **kwargs): """ if payload: + # 将闭合括号、逗号、点、星号、正斜杠、反斜杠、竖线、位运算符和逻辑运算符替换为" 1.e" + 原字符 payload = re.sub(r"[),.*^/|&]", r" 1.e\g<0>", payload) + # 将函数名后跟左括号替换为" 函数名 1.e(",除非函数名是MID、CAST、FROM、COUNT payload = re.sub(r"(\w+)\(", lambda match: "%s 1.e(" % match.group(1) if not re.search(r"(?i)\A(MID|CAST|FROM|COUNT)\Z", match.group(1)) else match.group(0), payload) # NOTE: MID and CAST don't work for sure - + # 返回修改后的payload return payload diff --git a/src/sqlmap-master/tamper/sleep2getlock.py b/src/sqlmap-master/tamper/sleep2getlock.py index f0b3a54..a3e35e1 100644 --- a/src/sqlmap-master/tamper/sleep2getlock.py +++ b/src/sqlmap-master/tamper/sleep2getlock.py @@ -34,6 +34,7 @@ def tamper(payload, **kwargs): """ if payload: + # 将payload中的'SLEEP('替换为'GET_LOCK('%s',,其中'%s'会被kb.aliasName替换 payload = payload.replace("SLEEP(", "GET_LOCK('%s'," % kb.aliasName) return payload diff --git a/src/sqlmap-master/tamper/sp_password.py b/src/sqlmap-master/tamper/sp_password.py index d23c0d5..30cc2bf 100644 --- a/src/sqlmap-master/tamper/sp_password.py +++ b/src/sqlmap-master/tamper/sp_password.py 
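Review bot: The new comment above the first re.sub in scientific.py misdescribes the character class `[),.*^/|&]`: it lists a backslash (反斜杠), which the class does not contain, and never names the caret, so a reader trusting the comment would expect `\` to be rewritten when it is not. A comment that enumerates exactly what the code matches avoids that, e.g. `# Prefix each of ) , . * ^ / | & with " 1.e"`. The added `# 返回修改后的payload` on the bare `return payload` only restates the code and replaces a blank line that separated the transformation from the return; I would drop it. tamper() begins outside this hunk.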
@@ -27,6 +27,9 @@ def tamper(payload, **kwargs): retVal = "" if payload: + # 构造返回的payload字符串 + # 如果payload中已经包含注释符号('#'或'--'),则直接添加sp_password函数 + # 否则,在sp_password前添加一个'-- '作为注释 retVal = "%s%ssp_password" % (payload, "-- " if not any(_ if _ in payload else None for _ in ('#', "-- ")) else "") return retVal diff --git a/src/sqlmap-master/tamper/space2comment.py b/src/sqlmap-master/tamper/space2comment.py index 3229a5c..231bb1b 100644 --- a/src/sqlmap-master/tamper/space2comment.py +++ b/src/sqlmap-master/tamper/space2comment.py @@ -4,7 +4,7 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ - +# 从sqlmap的库中导入兼容模块中的xrange函数和优先级枚举 from lib.core.compat import xrange from lib.core.enums import PRIORITY @@ -33,26 +33,28 @@ def tamper(payload, **kwargs): retVal = payload if payload: - retVal = "" + retVal = "" # 初始化引号状态标记 quote, doublequote, firstspace = False, False, False + # 遍历payload中的每个字符 for i in xrange(len(payload)): + # 如果是第一个空格且之前没有遇到过空格 if not firstspace: if payload[i].isspace(): firstspace = True retVal += "/**/" continue - + # 如果是单引号 elif payload[i] == '\'': quote = not quote - + # 如果是双引号 elif payload[i] == '"': doublequote = not doublequote - + # 如果是空格且之前没有遇到过双引号和单引号 elif payload[i] == " " and not doublequote and not quote: retVal += "/**/" continue - + # 添加当前字符到retVal retVal += payload[i] return retVal diff --git a/src/sqlmap-master/tamper/space2dash.py b/src/sqlmap-master/tamper/space2dash.py index 5ecb814..298d26f 100644 --- a/src/sqlmap-master/tamper/space2dash.py +++ b/src/sqlmap-master/tamper/space2dash.py @@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission import random import string +# 从sqlmap的库中导入兼容模块中的xrange函数和优先级枚举 from lib.core.compat import xrange from lib.core.enums import PRIORITY 
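Review bot: In the space2comment.py hunk the trailing comment `retVal = ""  # 初始化引号状态标记` ("initialize quote state flags") describes the following line, `quote, doublequote, firstspace = False, False, False`, not the assignment it is attached to, so it points the reader at the wrong statement. Likewise `# 如果是第一个空格且之前没有遇到过空格` sits above `if not firstspace:`, but the whitespace test is the nested `if payload[i].isspace():`; the outer branch only means "no space seen yet". I would move the flag comment onto the tuple assignment and reword the outer one to `# Until the first whitespace is seen, only replace that first whitespace`. tamper() begins outside this hunk.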
@@ -30,18 +31,29 @@ def tamper(payload, **kwargs): >>> tamper('1 AND 9227=9227') '1--upgPydUzKpMX%0AAND--RcDKhIr%0A9227=9227' """ - + retVal = "" if payload: + # 遍历payload中的每个字符 for i in xrange(len(payload)): - if payload[i].isspace(): + # 如果当前字符是空格 + if payload[i].isspace(): + # 生成一个随机字符串 randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) + # 将随机字符串和换行符添加到retVal中 retVal += "--%s%%0A" % randomStr + + # 如果当前字符是#或者#后面跟着两个空格 + # 如果payload[i]等于#或者payload[i:i + 3]等于-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 将payload[i:]添加到retVal中 retVal += payload[i:] + # 跳出循环 break + # 否则,将payload[i]添加到retVal中 else: retVal += payload[i] + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/space2hash.py b/src/sqlmap-master/tamper/space2hash.py index 2cef84d..348fd20 100644 --- a/src/sqlmap-master/tamper/space2hash.py +++ b/src/sqlmap-master/tamper/space2hash.py @@ -16,7 +16,9 @@ from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW +# 定义一个函数,用于检查脚本依赖 def dependencies(): + # 输出警告信息,提示脚本只能运行在MySQL数据库上 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) def tamper(payload, **kwargs): @@ -41,15 +43,26 @@ def tamper(payload, **kwargs): retVal = "" + # 如果payload不为空 if payload: + # 遍历payload的每个字符 for i in xrange(len(payload)): + # 如果字符是空格 if payload[i].isspace(): + # 生成一个随机字符串 randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) + # 将随机字符串添加到retVal中 retVal += "%%23%s%%0A" % randomStr + # 如果字符是#或者字符是-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 将payload的剩余部分添加到retVal中 retVal += payload[i:] + # 跳出循环 break + # 否则 else: + # 将字符添加到retVal中 retVal += payload[i] + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/space2morecomment.py b/src/sqlmap-master/tamper/space2morecomment.py index c5d7ec4..7cffc12 100644 
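Review bot: In the space2dash.py hunk the two stacked comments above `elif payload[i] == '#' or payload[i:i + 3] == '-- ':` contradict each other, and the first one (`# 如果当前字符是#或者#后面跟着两个空格`, "# followed by two spaces") does not match the condition, which tests for the three-character sequence `'-- '` (dash, dash, space). One accurate comment is enough: `# A '#' or '-- ' starts a trailing comment: copy the rest verbatim and stop`. The hunk also adds two bare `+` blank lines (one of them with trailing whitespace after `retVal += "--%s%%0A" % randomStr`) and several comments that only echo the statement (`# 跳出循环` on `break`, `# 返回retVal` on `return retVal`); the space2hash.py hunk on this line has the same echo comments (`# 否则`, `# 跳出循环`, `# 返回retVal`) and would benefit from the same trimming. tamper() begins outside both hunks.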
--- a/src/sqlmap-master/tamper/space2morecomment.py +++ b/src/sqlmap-master/tamper/space2morecomment.py @@ -33,23 +33,29 @@ def tamper(payload, **kwargs): retVal = "" quote, doublequote, firstspace = False, False, False + # 遍历payload中的每个字符 for i in xrange(len(payload)): + # 如果第一个字符不是空格,则将firstspace设置为True,并将retVal添加"/**_**/" if not firstspace: if payload[i].isspace(): firstspace = True retVal += "/**_**/" continue + # 如果字符是单引号,则将quote取反 elif payload[i] == '\'': quote = not quote + # 如果字符是双引号,则将doublequote取反 elif payload[i] == '"': doublequote = not doublequote + # 如果字符是空格,且不是在双引号或单引号中,则将retVal添加"/**_**/" elif payload[i] == " " and not doublequote and not quote: retVal += "/**_**/" continue + # 将字符添加到retVal中 retVal += payload[i] return retVal
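Review bot: The comment `# 如果第一个字符不是空格,则将firstspace设置为True,并将retVal添加"/**_**/"` above `if not firstspace:` states the branch backwards: the flag is set and `/**_**/` appended when the current character *is* whitespace and no whitespace has been seen yet (the nested `if payload[i].isspace():`), not when the first character is a non-space. A corrected comment would read `# First whitespace in the payload is always replaced, regardless of quoting state`. The comments above the `elif` branches are placed between branches of one if/elif chain, which is legal but reads oddly; putting each on the line after its `elif` keeps the chain visually intact. tamper() begins outside this hunk.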