shichengkun_branch
sck 2 months ago
parent 951c2d6d9c
commit 2f377ec379

@ -8,12 +8,14 @@ See the file 'LICENSE' for copying permission
import os
import re
# 从sqlmap的库中导入一些枚举和函数
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST
# 定义dependencies函数用于在运行tamper脚本时显示警告信息
def dependencies():
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
@ -32,5 +34,8 @@ def tamper(payload, **kwargs):
>>> tamper('1" UNION ALL SELECT')
'1"-.1UNION ALL SELECT'
"""
# 使用正则表达式替换payload中的UNION关键字前面加上-.1
# 这样做是为了绕过某些WAFWeb Application Firewall的检测
# 正则表达式(?i)\s+(UNION )匹配UNION关键字并且忽略大小写
# \g<1>是反向引用表示替换时保留匹配到的UNION关键字
return re.sub(r"(?i)\s+(UNION )", r"-.1\g<1>", payload) if payload else payload
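Review bot: The comment on L21 says `-.1` is added in front of UNION, but the pattern `(?i)\s+(UNION )` consumes the whitespace run, so the substitution replaces that whitespace rather than prepending to it; the doctest on L18–L19 (`'1" UNION'` → `'1"-.1UNION'`) shows the space is gone. I would reword it to `# replace the whitespace run before UNION with -.1 (the \s+ is consumed, not kept)`. The L24 remark about `\g<1>` is correct, though it should say the captured group keeps `UNION ` including its trailing space. tamper() starts before this hunk.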

@ -7,16 +7,22 @@ See the file 'LICENSE' for copying permission
import os
# 从sqlmap的库中导入随机数生成函数和单次警告消息函数
from lib.core.common import randomInt
from lib.core.common import singleTimeWarnMessage
# 导入数据库管理系统枚举和优先级枚举
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY
# 设置这个tamper脚本的优先级
__priority__ = PRIORITY.HIGHER
# 定义dependencies函数用于在运行tamper脚本时显示警告信息
def dependencies():
# 显示单次警告消息告知用户这个tamper脚本只针对MySQL数据库
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
# 定义tamper函数这是脚本的主要功能函数用于修改payload
def tamper(payload, **kwargs):
"""
Embraces complete query with (MySQL) versioned comment
@ -38,14 +44,18 @@ def tamper(payload, **kwargs):
retVal = payload
# 如果payload不为空
if payload:
postfix = ''
# 遍历可能的注释符号找到payload中的第一个注释符号
for comment in ('#', '--', '/*'):
if comment in payload:
postfix = payload[payload.find(comment):]
payload = payload[:payload.find(comment)]
break
# 如果payload中包含空格说明可以插入versioned comment
if ' ' in payload:
# 构造新的payload插入versioned comment
retVal = "%s /*!30%s%s*/%s" % (payload[:payload.find(' ')], randomInt(3), payload[payload.find(' ') + 1:], postfix)
return retVal
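Review bot: The comment on L50 claims the loop finds the first comment marker in the payload, but it breaks on the first entry of `('#', '--', '/*')` found anywhere, in tuple order, so a payload containing a `/*` before a later `--` is split at the `--` and the `/* ... */` stays inside the versioned wrapper. Say so explicitly: `# split at the first marker in this priority order, not the earliest one in the payload`. The L58/L59 comments could also note that `randomInt(3)` supplies the digits after `/*!30`, presumably so the version prefix varies per request (the exact output of randomInt is not visible here). tamper() starts outside this hunk.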

@ -7,15 +7,21 @@ See the file 'LICENSE' for copying permission
import os
# 从sqlmap的库中导入单次警告消息函数
from lib.core.common import singleTimeWarnMessage
# 导入数据库管理系统枚举和优先级枚举
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY
# 设置这个tamper脚本的优先级
__priority__ = PRIORITY.HIGHER
# 定义dependencies函数用于在运行tamper脚本时显示警告信息
def dependencies():
# 显示单次警告消息告知用户这个tamper脚本只针对MySQL数据库
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
# 定义tamper函数这是脚本的主要功能函数用于修改payload
def tamper(payload, **kwargs):
"""
Embraces complete query with (MySQL) zero-versioned comment
@ -37,12 +43,15 @@ def tamper(payload, **kwargs):
if payload:
postfix = ''
# 遍历可能的注释符号找到payload中的第一个注释符号
for comment in ('#', '--', '/*'):
if comment in payload:
postfix = payload[payload.find(comment):]
payload = payload[:payload.find(comment)]
break
# 如果payload中包含空格说明可以插入zero-versioned comment
if ' ' in payload:
# 构造新的payload插入zero-versioned comment
retVal = "%s /*!00000%s*/%s" % (payload[:payload.find(' ')], payload[payload.find(' ') + 1:], postfix)
return retVal
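Review bot: The L88/L90 comments restate the code but never say why the wrapper is `/*!00000...*/`; the reader needs the MySQL rule that `/*!NNNNN ... */` content is executed only when the server version is at least NNNNN, so a zero version is executed by every server while naive filters still see a comment. I would put that on L90: `# /*!00000 ... */ executes on any MySQL version (0 always satisfies the check) but reads as a comment to naive filters`. As in the sibling versioned script, the L82 comment should say the `('#', '--', '/*')` scan is in tuple priority order, not by position in the payload. tamper() starts outside this hunk.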

@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission
import random
import re
# 从sqlmap的库中导入知识库和数据类型
from lib.core.data import kb
from lib.core.datatype import OrderedSet
from lib.core.enums import PRIORITY
@ -35,16 +36,22 @@ def tamper(payload, **kwargs):
retVal = payload
if payload:
# 使用OrderedSet存储找到的SQL关键字确保关键字的唯一性
words = OrderedSet()
# 使用正则表达式找到payload中的所有单词SQL关键字
for match in re.finditer(r"\b[A-Za-z_]+\b", payload):
word = match.group()
# 如果单词是SQL关键字则添加到OrderedSet中
if word.upper() in kb.keywords:
words.add(word)
# 对于OrderedSet中的每个SQL关键字
for word in words:
# 在关键字前后添加1到4个随机数量的空格
# (?<=\W)确保我们在非单词字符后替换
# (?=[^A-Za-z_(]|\Z)确保我们在非单词字符前替换或字符串末尾
retVal = re.sub(r"(?<=\W)%s(?=[^A-Za-z_(]|\Z)" % word, "%s%s%s" % (' ' * random.randint(1, 4), word, ' ' * random.randint(1, 4)), retVal)
# 对于后面紧跟着括号的关键字,只添加左边的空格
retVal = re.sub(r"(?<=\W)%s(?=[(])" % word, "%s%s" % (' ' * random.randint(1, 4), word), retVal)
return retVal
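Review bot: The L114 comment promises a random 1–4 space count, but on L117 the replacement string is built once per keyword before `re.sub` runs, so every occurrence of that keyword receives exactly the same padding; only different keywords get different widths. If per-occurrence variation is the intent, pass a callable, e.g. `retVal = re.sub(r"(?<=\W)%s(?=[^A-Za-z_(]|\Z)" % word, lambda m: ' ' * random.randint(1, 4) + word + ' ' * random.randint(1, 4), retVal)` (and likewise on L119); otherwise reword the comment to `# padding width is chosen once per keyword and shared by all its occurrences`. It is also worth noting next to L117 that interpolating `word` unescaped into the pattern is only safe because L107 restricts it to `[A-Za-z_]+`.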

@ -28,6 +28,8 @@ def tamper(payload, **kwargs):
retVal = payload
if payload:
# 使用正则表达式将所有的ORD()函数调用替换为ASCII()函数调用
# 正则表达式(?i)\bORD\( 匹配ORD关键字忽略大小写并且确保是完整的单词边界
retVal = re.sub(r"(?i)\bORD\(", "ASCII(", payload)
return retVal

@ -32,14 +32,19 @@ def tamper(payload, **kwargs):
retVal = ""
i = 0
# 遍历payload中的每个字符
while i < len(payload):
# 如果当前字符是%,并且后面两个字符是十六进制数字,则认为这是一个已经编码的字符
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += payload[i:i + 3]
i += 3
else:
# 如果当前字符不是字母或数字则将其转换为overlong UTF8编码
if payload[i] not in (string.ascii_letters + string.digits):
# 计算并添加overlong UTF8编码
retVal += "%%%.2X%%%.2X" % (0xc0 + (ord(payload[i]) >> 6), 0x80 + (ord(payload[i]) & 0x3f))
else:
# 如果是字母或数字,则直接添加到结果中
retVal += payload[i]
i += 1
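Review bot: The L142/L143 comments call the result an overlong UTF-8 encoding, which holds only for code points below 0x80: `0xc0 + (ord(c) >> 6)` yields `%C0`/`%C1` for ASCII, but beyond 0x7F it becomes ordinary two-byte UTF-8, from U+0800 the lead byte leaves the two-byte range, and from U+1000 it exceeds 0xFF so `%.2X` emits three hex digits and the percent-encoding is malformed. Add the precondition: `# assumes ord(payload[i]) < 0x80; wider code points break the two-byte form`. The L135 comment could also mention that the `i < len(payload) - 2` bound is what keeps both slices non-empty, since an empty slice would wrongly test as `in string.hexdigits`. tamper() begins before this hunk and its return is after it.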

@ -33,10 +33,13 @@ def tamper(payload, **kwargs):
i = 0
while i < len(payload):
# 如果当前字符是%,并且后面两个字符是十六进制数字,则认为这是一个已经编码的字符
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += payload[i:i + 3]
i += 3
else:
# 将当前字符转换为overlong UTF8编码
# 每个字符被编码为两个字节第一个字节的高位设置为100xC0第二个字节的高位设置为100x80
retVal += "%%%.2X%%%.2X" % (0xc0 + (ord(payload[i]) >> 6), 0x80 + (ord(payload[i]) & 0x3f))
i += 1
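Review bot: The L158 comment misstates the bit prefixes: 0xC0 is `1100 0000`, i.e. the two-byte lead prefix `110`, and 0x80 is `1000 0000`, the continuation prefix `10`; the text reads "100xC0" / "100x80", which garbles both. Replace it with `# 2-byte form: lead byte 110xxxxx (0xC0 | high bits), continuation 10xxxxxx (0x80 | low 6 bits)`. Unlike the sibling script that skips alphanumerics, L159 encodes every character, which the L157 comment should state, and the form only stays a valid overlong encoding for ord < 0x80. tamper() starts and ends outside this hunk.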

@ -13,7 +13,9 @@ from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW
# 定义dependencies函数用于在运行tamper脚本时显示警告信息
def dependencies():
# 显示单次警告消息告知用户这个tamper脚本只针对ASP web应用程序
singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP web applications" % os.path.basename(__file__).split(".")[0])
def tamper(payload, **kwargs):
@ -40,10 +42,12 @@ def tamper(payload, **kwargs):
i = 0
while i < len(payload):
# 如果当前字符是%,并且后面两个字符是十六进制数字,则认为这是一个已经编码的字符
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += payload[i:i + 3]
i += 3
elif payload[i] != ' ':
# 如果当前字符不是空格,则在其前面添加百分号
retVal += '%%%s' % payload[i]
i += 1
else:
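Review bot: The L172 comment describes the already-encoded check but not the subtlety that makes it correct: in Python `'' in string.hexdigits` is True, so the one-character slices on L173 only mean what the comment says because `i < len(payload) - 2` is evaluated first and guarantees both slices are non-empty. Note it as `# bound check first: it keeps both slices non-empty, and an empty slice would pass the hexdigits test`. The L177 comment is accurate but could say why spaces are exempt — presumably so the `%` prefix never lands on the separator (the reason is not visible here). The `else:` on L180 is cut off by the hunk.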

@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission
import os
import re
# 从sqlmap的库中导入单次警告消息函数、零深度搜索函数、数据库管理系统枚举和优先级枚举
from lib.core.common import singleTimeWarnMessage
from lib.core.common import zeroDepthSearch
from lib.core.enums import DBMS
@ -16,6 +17,7 @@ from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST
def dependencies():
# 显示单次警告消息告知用户这个tamper脚本只针对Microsoft SQL Server数据库
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))
def tamper(payload, **kwargs):
@ -41,15 +43,20 @@ def tamper(payload, **kwargs):
retVal = payload
if payload:
# 使用正则表达式搜索payload中由'+'连接的CHAR()函数或单引号字符串
match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal)
if match:
part = match.group(0)
# 将匹配的部分拆分为字符列表
chars = [char for char in part]
# 使用zeroDepthSearch函数找到所有的'+'字符位置
for index in zeroDepthSearch(part, '+'):
# 将'+'字符替换为','字符
chars[index] = ','
# 构造CONCAT函数的字符串表示
replacement = "CONCAT(%s)" % "".join(chars)
# 将原始的由'+'连接的部分替换为CONCAT函数
retVal = retVal.replace(part, replacement)
return retVal
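Review bot: The L198 comment says the regex matches CHAR()/quoted strings joined by `+`, but the `\+.*(?<=\+)` in the middle is greedy and unconstrained, so the span runs from the first to the last `+`-adjacent atom and any operand in between (column names, numbers, nested expressions) is swept into the resulting CONCAT(...) too. I would write `# greedy: spans first..last +-adjacent atom, so intermediate operands of any kind are included`. Also `CHAR\(\d+\)` is case-sensitive and `'[^']+'` does not accept a doubled `''` inside a literal, which the comment should mention if that is intended. The hunk cuts tamper()'s docstring above.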

@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission
import os
import re
# 从sqlmap的库中导入单次警告消息函数、零深度搜索函数、兼容模块中的xrange函数、数据库管理系统枚举和优先级枚举
from lib.core.common import singleTimeWarnMessage
from lib.core.common import zeroDepthSearch
from lib.core.compat import xrange
@ -17,6 +18,7 @@ from lib.core.enums import PRIORITY
__priority__ = PRIORITY.HIGHEST
def dependencies():
# 显示单次警告消息告知用户这个tamper脚本只针对Microsoft SQL Server数据库
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))
def tamper(payload, **kwargs):
@ -43,22 +45,26 @@ def tamper(payload, **kwargs):
retVal = payload
if payload:
# 使用正则表达式搜索payload中由'+'连接的CHAR()函数或单引号字符串
match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal)
if match:
old = match.group(0)
parts = []
last = 0
# 使用zeroDepthSearch函数找到所有的'+'字符位置
for index in zeroDepthSearch(old, '+'):
# 将每个'+'字符之间的部分作为单独的部分存储
parts.append(old[last:index].strip('+'))
last = index
# 将最后一个'+'字符之后的部分也加入到parts列表中
parts.append(old[last:].strip('+'))
replacement = parts[0]
# 遍历parts列表构造{fn CONCAT()}函数的嵌套调用
for i in xrange(1, len(parts)):
replacement = "{fn CONCAT(%s,%s)}" % (replacement, parts[i])
# 将原始的由'+'连接的部分替换为{fn CONCAT()}函数
retVal = retVal.replace(old, replacement)
return retVal
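Review bot: The L244 comment says the loop builds nested `{fn CONCAT()}` calls but not the shape: it is a left fold, so `a+b+c` becomes `{fn CONCAT({fn CONCAT(a,b)},c)}`, which matters when someone later compares output against the docstring. Suggest `# left-fold: a+b+c -> {fn CONCAT({fn CONCAT(a,b)},c)}` on L244, and on L238 note that `strip('+')` removes the separator left at the slice edge because `last` is set to the index of the `+` itself. The same greedy-span caveat as the sibling CONCAT script applies to the regex on L231.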

@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission
import re
# 从sqlmap的库中导入随机范围函数、兼容模块中的xrange函数、知识库和优先级枚举
from lib.core.common import randomRange
from lib.core.compat import xrange
from lib.core.data import kb
@ -48,19 +49,22 @@ def tamper(payload, **kwargs):
retVal = payload
if payload:
# 使用正则表达式找到payload中的所有关键字至少两个字母或下划线的单词
for match in re.finditer(r"\b[A-Za-z_]{2,}\b", retVal):
word = match.group()
# 如果单词是SQL关键字并且不是被引号或括号包围的或者是一个函数名
if (word.upper() in kb.keywords and re.search(r"(?i)[`\"'\[]%s[`\"'\]]" % word, retVal) is None) or ("%s(" % word) in payload:
# 生成一个随机大小写混合的单词
while True:
_ = ""
for i in xrange(len(word)):
# 随机选择大写或小写
_ += word[i].upper() if randomRange(0, 1) else word[i].lower()
# 确保生成的单词不是全大写或全小写,并退出循环
if len(_) > 1 and _ not in (_.lower(), _.upper()):
break
# 将原始的单词替换为随机大小写混合的单词
retVal = retVal.replace(word, _)
return retVal
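Review bot: The L274 comment says the original word is replaced, but L275 is a plain `str.replace`, not a word-bounded substitution: it rewrites that letter sequence everywhere in `retVal`, including inside longer identifiers and inside quoted string literals, even though the L264 guard only checks that some occurrence is not quoted. Make that explicit: `# substring replace: also rewrites this word inside longer identifiers and string literals`. The L263 comment also overstates the second condition — `("%s(" % word) in payload` accepts any word followed by `(`, keyword or not. The `while True` on L266 terminates because L261 only yields words of length >= 2, which L272 relies on.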

@ -20,6 +20,10 @@ from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS
__priority__ = PRIORITY.LOW
def dependencies():
"""
检查是否满足脚本运行的条件
"""
# 输出警告信息提示tamper脚本只适用于MySQL版本大于5.1.13
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s > 5.1.13" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
def tamper(payload, **kwargs):
@ -43,9 +47,13 @@ def tamper(payload, **kwargs):
"""
def process(match):
"""
处理匹配到的单词
"""
word = match.group('word')
randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12)))
# 如果匹配到的单词在关键词列表中,并且不在忽略空格影响的关键词列表中,则替换为随机字符串
if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS:
return match.group().replace(word, "%s%%23%s%%0A" % (word, randomStr))
else:
@ -53,16 +61,21 @@ def tamper(payload, **kwargs):
retVal = ""
# 如果payload存在则进行替换
if payload:
payload = re.sub(r"(?<=\W)(?P<word>[A-Za-z_]+)(?=\W|\Z)", process, payload)
# 遍历payload中的每个字符
for i in xrange(len(payload)):
# 如果字符是空格,则替换为随机字符串
if payload[i].isspace():
randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12)))
retVal += "%%23%s%%0A" % randomStr
# 如果字符是#或者字符是--则将payload中剩余的字符添加到retVal中并跳出循环
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
retVal += payload[i:]
break
# 否则将字符添加到retVal中
else:
retVal += payload[i]
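Review bot: The L306 comment says a space is replaced by a random string, but L309 emits `%23<letters>%0A`, i.e. a `#` line comment whose body is the random letters, closed by a newline; the randomness is only the comment text. Reword it: `# space -> '#<random>\n' (URL-encoded): a line comment ended by %0A, so it acts as whitespace`. L310/L311 should add that the marker check happens before any replacement at that position, so a literal `#` or `-- ` in the payload is passed through untouched. process() on L289 continues past the earlier hunk.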

@ -8,14 +8,20 @@ See the file 'LICENSE' for copying permission
import os
import random
# 导入lib.core.common模块中的singleTimeWarnMessage函数
from lib.core.common import singleTimeWarnMessage
# 导入lib.core.compat模块中的xrange函数
from lib.core.compat import xrange
# 导入lib.core.enums模块中的DBMS枚举
from lib.core.enums import DBMS
# 导入lib.core.enums模块中的PRIORITY枚举
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW
# 定义一个函数,用于检查脚本依赖
def dependencies():
# 输出警告信息,说明该脚本只能用于特定数据库
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL))
def tamper(payload, **kwargs):
@ -53,29 +59,38 @@ def tamper(payload, **kwargs):
# CR 0D carriage return
# SO 0E shift out
# SI 0F shift in
# 定义一个元组,包含一些字符串
blanks = ('%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A')
# 将payload赋值给retVal
retVal = payload
if payload:
retVal = ""
quote, doublequote, firstspace, end = False, False, False, False
# 遍历payload中的每个字符
for i in xrange(len(payload)):
# 如果当前字符不是空格则将firstspace设置为True
if not firstspace:
if payload[i].isspace():
firstspace = True
# 在retVal中添加一个随机选择的空格
retVal += random.choice(blanks)
continue
# 如果当前字符是单引号则将quote取反
elif payload[i] == '\'':
quote = not quote
# 如果当前字符是双引号则将doublequote取反
elif payload[i] == '"':
doublequote = not doublequote
# 如果当前字符是#或者--则将end设置为True
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
end = True
# 如果当前字符是空格且不是在双引号或单引号中则根据end的值添加一个随机选择的空格
elif payload[i] == " " and not doublequote and not quote:
if end:
retVal += random.choice(blanks[:-1])
@ -84,6 +99,7 @@ def tamper(payload, **kwargs):
continue
# 将当前字符添加到retVal中
retVal += payload[i]
return retVal
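Review bot: The L348 comment is inverted: `firstspace` is set on L351 when the character is whitespace, not when it is not. Replace it with `# the first whitespace is always substituted, regardless of quote state`. L367's `blanks[:-1]` also deserves its reason: `blanks` ends with `%0A` (L340), so once `end` is set by a `#` or `-- ` on L362 the newline is excluded, presumably because it would terminate the line comment. The L339 comment ("a tuple containing some strings") should name what they are: percent-encoded control characters, per the list above it.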

@ -27,14 +27,24 @@ def tamper(payload, **kwargs):
retVal = ""
# 如果payload不为空
if payload:
# 遍历payload的每个字符
for i in xrange(len(payload)):
# 如果字符是空格
if payload[i].isspace():
# 将%23%0A添加到retVal中
retVal += "%23%0A"
# 如果字符是#或者字符是--
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
# 将payload的剩余部分添加到retVal中
retVal += payload[i:]
# 跳出循环
break
# 否则
else:
# 将字符添加到retVal中
retVal += payload[i]
# 返回retVal
return retVal
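Review bot: Every line in this hunk got a comment that restates the statement (`# 否则`, `# 返回retVal`), which adds noise without explaining why `%23%0A` is the replacement; the project's existing comments and docstrings in these files are English, so the added ones should be too. One why-comment at L382 says more than all of them: `# space -> '#\n' URL-encoded: a line comment ended by the newline, parsed as a separator` (the target DBMS is not visible in this hunk). L384 could add that, once a `#` or `-- ` is seen, the remainder is copied verbatim because everything after it is already a comment.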

@ -43,30 +43,50 @@ def tamper(payload, **kwargs):
# CR 0D carriage return
# VT 0B vertical TAB (MySQL and Microsoft SQL Server only)
# A0 non-breaking space
# 定义一个包含特殊字符的元组
blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%A0')
# 将payload赋值给retVal
retVal = payload
# 如果payload不为空
if payload:
# 将retVal置为空字符串
retVal = ""
# 定义三个布尔变量,分别表示是否在引号内、双引号内和第一个空格
quote, doublequote, firstspace = False, False, False
# 遍历payload的每个字符
for i in xrange(len(payload)):
# 如果第一个空格为假
if not firstspace:
# 如果当前字符是空格
if payload[i].isspace():
# 将第一个空格置为真
firstspace = True
# 将一个随机选择的特殊字符添加到retVal中
retVal += random.choice(blanks)
# 继续下一次循环
continue
# 如果当前字符是单引号
elif payload[i] == '\'':
# 将quote取反
quote = not quote
# 如果当前字符是双引号
elif payload[i] == '"':
# 将doublequote取反
doublequote = not doublequote
# 如果当前字符是空格,且不在双引号内和单引号内
elif payload[i] == " " and not doublequote and not quote:
# 将一个随机选择的特殊字符添加到retVal中
retVal += random.choice(blanks)
# 继续下一次循环
continue
# 将当前字符添加到retVal中
retVal += payload[i]
# 返回retVal
return retVal
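Review bot: The L423–L430 comments describe the quote toggles but not their limitation: every `'` and `"` flips the state, so an escaped `\'` or a doubled `''` inside a literal desynchronises it and later spaces are substituted inside the string. Add `# naive quote tracking: escaped or doubled quotes are not handled` at L409. L413's "if first space is false" should say what the flag does: the first whitespace is substituted unconditionally, quoted or not (L414–L422). The per-line `# 继续下一次循环` / `# 返回retVal` comments restate the code and can go.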

@ -7,14 +7,20 @@ See the file 'LICENSE' for copying permission
import os
# 从lib.core.common模块中导入singleTimeWarnMessage函数
from lib.core.common import singleTimeWarnMessage
# 从lib.core.compat模块中导入xrange函数
from lib.core.compat import xrange
# 从lib.core.enums模块中导入DBMS枚举和PRIORITY枚举
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY
# 设置脚本的优先级为LOW
__priority__ = PRIORITY.LOW
# 定义dependencies函数用于检查脚本依赖
def dependencies():
# 输出警告信息说明该脚本只能用于MySQL数据库
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))
def tamper(payload, **kwargs):
@ -34,14 +40,24 @@ def tamper(payload, **kwargs):
retVal = ""
# 如果payload不为空
if payload:
# 遍历payload的每个字符
for i in xrange(len(payload)):
# 如果字符是空格
if payload[i].isspace():
# 将"--%0A"添加到retVal中
retVal += "--%0A"
# 如果字符是#或者字符是--
elif payload[i] == '#' or payload[i:i + 3] == '-- ':
# 将payload的剩余部分添加到retVal中
retVal += payload[i:]
# 跳出循环
break
# 否则
else:
# 将字符添加到retVal中
retVal += payload[i]
# 返回retVal
return retVal
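Review bot: The L466 comment names the string but not why `--%0A` works as a space: `--` followed by a newline opens and immediately closes a MySQL line comment, so the parser sees a separator (the MySQL-only scope is what dependencies() warns about on L456). Put that on L466: `# '--\n' (URL-encoded): an empty MySQL line comment, parsed as whitespace`. The remaining per-line comments (`# 否则`, `# 跳出循环`) restate the statements and should be dropped. L469 checks `-- ` before the space at i+2 is reached, so a literal comment marker in the payload is passed through intact — worth stating on L468.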
