From ef5f6eee11b29f232ba5e3951e1fe60266c0ca4a Mon Sep 17 00:00:00 2001 From: sck <2238502556@qq.com> Date: Mon, 30 Dec 2024 10:25:22 +0800 Subject: [PATCH] sck --- src/sqlmap-master/tamper/commalesslimit.py | 42 +++++++---- src/sqlmap-master/tamper/commalessmid.py | 31 +++++--- .../tamper/commentbeforeparentheses.py | 7 +- src/sqlmap-master/tamper/concat2concatws.py | 32 ++++---- src/sqlmap-master/tamper/decentities.py | 27 +++++-- src/sqlmap-master/tamper/dunion.py | 32 ++++---- src/sqlmap-master/tamper/equaltolike.py | 33 +++++---- src/sqlmap-master/tamper/equaltorlike.py | 29 +++++--- src/sqlmap-master/tamper/escapequotes.py | 18 ++++- src/sqlmap-master/tamper/greatest.py | 37 ++++++---- .../tamper/halfversionedmorekeywords.py | 44 ++++++----- src/sqlmap-master/tamper/hex2char.py | 43 ++++++----- src/sqlmap-master/tamper/hexentities.py | 22 ++++-- src/sqlmap-master/tamper/htmlencode.py | 25 +++++-- src/sqlmap-master/tamper/if2case.py | 73 ++++++++++--------- .../tamper/ifnull2casewhenisnull.py | 36 +++++---- 16 files changed, 329 insertions(+), 202 deletions(-) diff --git a/src/sqlmap-master/tamper/commalesslimit.py b/src/sqlmap-master/tamper/commalesslimit.py index 0561b2f..c5a5799 100644 --- a/src/sqlmap-master/tamper/commalesslimit.py +++ b/src/sqlmap-master/tamper/commalesslimit.py @@ -5,13 +5,14 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import os -import re +import os # 导入操作系统接口模块 +import re # 导入正则表达式模块 -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为高 __priority__ = PRIORITY.HIGH def dependencies(): @@ -19,22 +20,33 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart + 这个函数用于篡改(tamper)输入的payload,将MySQL中的'LIMIT M, N'语句替换为其等效的'LIMIT N OFFSET M'形式。 - Requirement: - * MySQL + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: - * MySQL 5.0 and 5.5 + 要求: + * 仅适用于MySQL数据库。 - >>> tamper('LIMIT 2, 3') - 'LIMIT 3 OFFSET 2' + 测试情况: + * MySQL 5.0 和 5.5 + + 注意: + * 这个篡改方法对于绕过某些针对'LIMIT M, N'形式的防御机制很有用。 + + 示例: + >>> tamper('LIMIT 2, 3') + 'LIMIT 3 OFFSET 2' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + + # 使用正则表达式查找'LIMIT M, N'形式的语句 match = re.search(r"(?i)LIMIT\s*(\d+),\s*(\d+)", payload or "") - if match: + if match: # 如果找到匹配项 + # 替换为'LIMIT N OFFSET M'形式 retVal = retVal.replace(match.group(0), "LIMIT %s OFFSET %s" % (match.group(2), match.group(1))) - return retVal + return retVal # 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/commalessmid.py b/src/sqlmap-master/tamper/commalessmid.py index b6f4e7f..d8c368b 100644 --- a/src/sqlmap-master/tamper/commalessmid.py +++ b/src/sqlmap-master/tamper/commalessmid.py @@ -19,26 +19,37 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart + 这个函数用于篡改(tamper)输入的payload,将MySQL中的'MID(A, B, C)'语句替换为其等效的'MID(A FROM B FOR C)'形式。 - Requirement: - * MySQL + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: - * MySQL 5.0 and 5.5 + 要求: + * 仅适用于MySQL数据库。 - >>> tamper('MID(VERSION(), 1, 1)') - 'MID(VERSION() FROM 1 FOR 1)' + 测试情况: + * MySQL 5.0 和 5.5 + + 注意: + * 使用这个tamper脚本时,你可能需要考虑使用'--no-cast'选项,以避免类型转换问题。 + + 示例: + >>> tamper('MID(VERSION(), 1, 1)') + 'MID(VERSION() FROM 1 FOR 1)' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + # 构建警告信息,提示用户可能需要使用'--no-cast'选项 warnMsg = "you should consider usage of switch '--no-cast' along with " warnMsg += "tamper script '%s'" % os.path.basename(__file__).split(".")[0] singleTimeWarnMessage(warnMsg) + # 使用正则表达式查找'MID(A, B, C)'形式的语句 match = re.search(r"(?i)MID\((.+?)\s*,\s*(\d+)\s*\,\s*(\d+)\s*\)", payload or "") - if match: + if match: # 如果找到匹配项 + # 替换为'MID(A FROM B FOR C)'形式 retVal = retVal.replace(match.group(0), "MID(%s FROM %s FOR %s)" % (match.group(1), match.group(2), match.group(3))) - return retVal + return retVal # 返回篡改后的payload diff --git a/src/sqlmap-master/tamper/commentbeforeparentheses.py b/src/sqlmap-master/tamper/commentbeforeparentheses.py index d5e471d..b4d4162 100644 --- a/src/sqlmap-master/tamper/commentbeforeparentheses.py +++ b/src/sqlmap-master/tamper/commentbeforeparentheses.py @@ -5,11 +5,11 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import re +import re # 导入正则表达式模块 from lib.core.enums import PRIORITY -__priority__ = PRIORITY.NORMAL +__priority__ = PRIORITY.NORMAL # 设置优先级为普通 def dependencies(): pass @@ -32,9 +32,10 @@ def tamper(payload, **kwargs): 'SELECT ABS/**/(1)' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload if payload: + # 使用正则表达式查找单词后紧跟'('的模式,并在'('前添加内联注释'/**/' retVal = re.sub(r"\b(\w+)\(", r"\g<1>/**/(", retVal) return retVal diff --git a/src/sqlmap-master/tamper/concat2concatws.py b/src/sqlmap-master/tamper/concat2concatws.py index 7c66c88..3fbc8d6 100644 --- a/src/sqlmap-master/tamper/concat2concatws.py +++ b/src/sqlmap-master/tamper/concat2concatws.py @@ -5,12 +5,13 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import os +import os # 导入操作系统模块,用于获取文件路径等信息 -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -18,23 +19,28 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart + 这个函数用于篡改(tamper)输入的payload,将MySQL中的'CONCAT(A, B)'函数替换为其等效的'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'形式。 - Requirement: - * MySQL + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: + 要求: + * 仅适用于MySQL数据库。 + + 测试情况: * MySQL 5.0 - Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the CONCAT() function + 注意: + * 这个篡改方法对于绕过那些过滤CONCAT()函数的非常弱的定制Web应用防火墙很有用。 - >>> tamper('CONCAT(1,2)') - 'CONCAT_WS(MID(CHAR(0),0,0),1,2)' + 示例: + >>> tamper('CONCAT(1,2)') + 'CONCAT_WS(MID(CHAR(0),0,0),1,2)' """ if payload: + # 将payload中的'CONCAT('替换为'CONCAT_WS(MID(CHAR(0),0,0),' payload = payload.replace("CONCAT(", "CONCAT_WS(MID(CHAR(0),0,0),") return payload diff --git a/src/sqlmap-master/tamper/decentities.py b/src/sqlmap-master/tamper/decentities.py index aaed22f..7457579 100644 --- a/src/sqlmap-master/tamper/decentities.py +++ b/src/sqlmap-master/tamper/decentities.py @@ -5,8 +5,9 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为低 __priority__ = PRIORITY.LOW def dependencies(): @@ -14,19 +15,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - HTML encode in decimal (using code points) all characters (e.g. ' -> ') + 这个函数用于篡改(tamper)输入的payload,将所有字符转换为HTML实体(使用十进制代码点)。 - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 遍历payload中的每个字符,并将每个字符转换为其对应的HTML实体形式(例如,' -> ')。 + + 示例: + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload - if payload: - retVal = "" - i = 0 + if payload: # 如果payload不为空 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 + # 遍历payload中的每个字符 while i < len(payload): + # 将当前字符转换为其对应的HTML实体形式,并添加到返回值字符串 retVal += "&#%s;" % ord(payload[i]) i += 1 diff --git a/src/sqlmap-master/tamper/dunion.py b/src/sqlmap-master/tamper/dunion.py index 2717268..58a4607 100644 --- a/src/sqlmap-master/tamper/dunion.py +++ b/src/sqlmap-master/tamper/dunion.py @@ -5,13 +5,14 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'LICENSE' for copying permission """ -import os -import re +import os # 导入操作系统模块,用于获取文件路径等信息 +import re # 导入正则表达式模块 -from lib.core.common import singleTimeWarnMessage -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -19,16 +20,21 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces instances of UNION with DUNION + 这个函数用于篡改(tamper)输入的payload,将其中的'UNION'关键字替换为'DUNION'。 - Requirement: - * Oracle + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Notes: - * Reference: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf + 要求: + * 仅适用于Oracle数据库。 - >>> tamper('1 UNION ALL SELECT') - '1DUNION ALL SELECT' - """ + 注意: + * 参考文档:https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf + 示例: + >>> tamper('1 UNION ALL SELECT') + '1DUNION ALL SELECT' + """ + # 如果payload不为空,使用正则表达式替换其中的UNION关键字 return re.sub(r"(?i)(\d+)\s+(UNION )", r"\g<1>D\g<2>", payload) if payload else payload diff --git a/src/sqlmap-master/tamper/equaltolike.py b/src/sqlmap-master/tamper/equaltolike.py index ddc237b..6f77ef4 100644 --- a/src/sqlmap-master/tamper/equaltolike.py +++ b/src/sqlmap-master/tamper/equaltolike.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -16,25 +17,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart + 这个函数用于篡改(tamper)输入的payload,将所有的等号('=')操作符替换为'LIKE'操作符。 - Tested against: + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 测试情况: * Microsoft SQL Server 2005 - * MySQL 4, 5.0 and 5.5 + * MySQL 4, 5.0 和 5.5 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the equal character ('=') - * The LIKE operator is SQL standard. Hence, this tamper script - should work against all (?) databases + 注意: + * 这个篡改方法对于绕过那些过滤等号('=')字符的弱Web应用防火墙很有用。 + * LIKE操作符是SQL标准操作符,因此这个tamper脚本应该适用于所有数据库。 - >>> tamper('SELECT * FROM users WHERE id=1') - 'SELECT * FROM users WHERE id LIKE 1' + 示例: + >>> tamper('SELECT * FROM users WHERE id=1') + 'SELECT * FROM users WHERE id LIKE 1' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + - if payload: - retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) + if payload: # 如果payload不为空 + retVal = re.sub(r"\s*=\s*", " LIKE ", retVal) # 使用正则表达式替换payload中的等号('=')为'LIKE' return retVal diff --git a/src/sqlmap-master/tamper/equaltorlike.py b/src/sqlmap-master/tamper/equaltorlike.py index 097adfc..3e8efb8 100644 --- a/src/sqlmap-master/tamper/equaltorlike.py +++ b/src/sqlmap-master/tamper/equaltorlike.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -16,22 +17,30 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces all occurrences of operator equal ('=') with 'RLIKE' counterpart + 这个函数用于篡改(tamper)输入的payload,将所有的等号('=')操作符替换为'RLIKE'操作符。 - Tested against: - * MySQL 4, 5.0 and 5.5 + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the equal character ('=') + 测试情况: + * MySQL 4, 5.0 和 5.5 - >>> tamper('SELECT * FROM users WHERE id=1') - 'SELECT * FROM users WHERE id RLIKE 1' + 注意: + * 这个篡改方法对于绕过那些过滤等号('=')字符的弱Web应用防火墙很有用。 + + 示例: + >>> tamper('SELECT * FROM users WHERE id=1') + 'SELECT * FROM users WHERE id RLIKE 1' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload if payload: + # 使用正则表达式替换payload中的等号('=')为'RLIKE' + # \s* 匹配任意数量的空白字符(包括0个) + # = 匹配等号字符 + # \s* 匹配等号后的任意数量的空白字符 retVal = re.sub(r"\s*=\s*", " RLIKE ", retVal) return retVal diff --git a/src/sqlmap-master/tamper/escapequotes.py b/src/sqlmap-master/tamper/escapequotes.py index 778b693..f29e8e7 100644 --- a/src/sqlmap-master/tamper/escapequotes.py +++ b/src/sqlmap-master/tamper/escapequotes.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def dependencies(): @@ -14,10 +15,19 @@ def dependencies(): def tamper(payload, **kwargs): """ - Slash escape single and double quotes (e.g. ' -> \') + 这个函数用于篡改(tamper)输入的payload,通过斜杠转义单引号和双引号。 - >>> tamper('1" AND SLEEP(5)#') - '1\\\\" AND SLEEP(5)#' - """ + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 将payload中的单引号(')替换为转义形式(\\')。 + - 将payload中的双引号(")替换为转义形式(\\")。 + 示例: + >>> tamper('1" AND SLEEP(5)#') + '1\\\\" AND SLEEP(5)#' + """ + # 替换payload中的单引号和双引号为它们的转义形式 return payload.replace("'", "\\'").replace('"', '\\"') diff --git a/src/sqlmap-master/tamper/greatest.py b/src/sqlmap-master/tamper/greatest.py index 5801355..cb9a15b 100644 --- a/src/sqlmap-master/tamper/greatest.py +++ b/src/sqlmap-master/tamper/greatest.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -16,30 +17,36 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces greater than operator ('>') with 'GREATEST' counterpart + 这个函数用于篡改(tamper)输入的payload,将大于操作符('>')替换为'GREATEST'函数的等效形式。 - Tested against: - * MySQL 4, 5.0 and 5.5 + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 测试情况: + * MySQL 4, 5.0 和 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 - Notes: - * Useful to bypass weak and bespoke web application firewalls that - filter the greater than character - * The GREATEST clause is a widespread SQL command. Hence, this - tamper script should work against majority of databases + 注意: + * 这个篡改方法对于绕过那些过滤大于字符('>')的弱Web应用防火墙很有用。 + * GREATEST函数是一个广泛使用的SQL命令。因此,这个tamper脚本应该适用于大多数数据库。 - >>> tamper('1 AND A > B') - '1 AND GREATEST(A,B+1)=A' + 示例: + >>> tamper('1 AND A > B') + '1 AND GREATEST(A,B+1)=A' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload + - if payload: + if payload: # 如果payload不为空 + # 使用正则表达式查找'A > B'形式的语句 match = re.search(r"(?i)(\b(AND|OR)\b\s+)([^>]+?)\s*>\s*(\w+|'[^']+')", payload) - if match: + if match: # 如果找到匹配项 + # 构造GREATEST函数形式的语句,并替换原语句 _ = "%sGREATEST(%s,%s+1)=%s" % (match.group(1), match.group(3), match.group(4), match.group(3)) - retVal = retVal.replace(match.group(0), _) + retVal = retVal.replace(match.group(0), _) # 替换原语句为GREATEST函数形式 return retVal diff --git a/src/sqlmap-master/tamper/halfversionedmorekeywords.py b/src/sqlmap-master/tamper/halfversionedmorekeywords.py index f4dd455..f922076 100644 --- a/src/sqlmap-master/tamper/halfversionedmorekeywords.py +++ b/src/sqlmap-master/tamper/halfversionedmorekeywords.py @@ -8,12 +8,13 @@ See the file 'LICENSE' for copying permission import os import re -from lib.core.common import singleTimeWarnMessage -from lib.core.data import kb -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY -from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS +from lib.core.common import singleTimeWarnMessage # 从核心库导入单次警告消息函数 +from lib.core.data import kb # 从核心库导入知识库,包含SQL关键字等信息 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +from lib.core.settings import IGNORE_SPACE_AFFECTED_KEYWORDS # 从核心设置导入忽略空格影响的关键字列表 +# 设置优先级为较高 __priority__ = PRIORITY.HIGHER def dependencies(): @@ -21,35 +22,44 @@ def dependencies(): def tamper(payload, **kwargs): """ - Adds (MySQL) versioned comment before each keyword + 这个函数用于篡改(tamper)输入的payload,通过在每个关键字前添加MySQL版本注释。 - Requirement: - * MySQL < 5.1 + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: + 要求: + * 仅适用于MySQL版本小于5.1的数据库。 + + 测试情况: * MySQL 4.0.18, 5.0.22 - Notes: - * Useful to bypass several web application firewalls when the - back-end database management system is MySQL - * Used during the ModSecurity SQL injection challenge, - http://modsecurity.org/demo/challenge.html + 注意: + * 这个篡改方法对于绕过Web应用防火墙很有用,特别是当后端数据库管理系统是MySQL时。 + * 在ModSecurity SQL注入挑战中使用过,链接:http://modsecurity.org/demo/challenge.html - >>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa") - "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" + 示例: + >>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa") + "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa" """ def process(match): + """ + 辅助函数,用于处理正则匹配的结果。 + 将匹配到的关键字替换为带有版本注释的关键字。 + """ word = match.group('word') if word.upper() in kb.keywords and word.upper() not in IGNORE_SPACE_AFFECTED_KEYWORDS: return match.group().replace(word, "/*!0%s" % word) else: return match.group() - retVal = payload + retVal = payload # 初始化返回值为输入的payload if payload: + # 使用正则表达式查找并替换关键字 retVal = re.sub(r"(?<=\W)(?P[A-Za-z_]+)(?=\W|\Z)", process, retVal) + # 替换多余的空格 retVal = retVal.replace(" /*!0", "/*!0") return retVal diff --git a/src/sqlmap-master/tamper/hex2char.py b/src/sqlmap-master/tamper/hex2char.py index 267124d..fafc134 100644 --- a/src/sqlmap-master/tamper/hex2char.py +++ b/src/sqlmap-master/tamper/hex2char.py @@ -9,11 +9,12 @@ import os import re from lib.core.common import singleTimeWarnMessage -from lib.core.convert import decodeHex -from lib.core.convert import getOrds -from lib.core.enums import DBMS -from lib.core.enums import PRIORITY +from lib.core.convert import decodeHex # 从核心库导入十六进制解码函数 +from lib.core.convert import getOrds # 从核心库导入获取字符ASCII值的函数 +from lib.core.enums import DBMS # 从核心库导入数据库管理系统枚举 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为普通 __priority__ = PRIORITY.NORMAL def dependencies(): @@ -21,29 +22,37 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),...) counterpart + 这个函数用于篡改(tamper)输入的payload,将每个MySQL的0x编码字符串替换为其等效的CONCAT(CHAR(),...)形式。 - Requirement: - * MySQL + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: - * MySQL 4, 5.0 and 5.5 + 要求: + * 仅适用于MySQL数据库。 - Notes: - * Useful in cases when web application does the upper casing + 测试情况: + * MySQL 4, 5.0 和 5.5 - >>> tamper('SELECT 0xdeadbeef') - 'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))' + 注意: + * 当Web应用程序执行大写转换时,这个篡改方法很有用。 + + 示例: + >>> tamper('SELECT 0xdeadbeef') + 'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))' """ - retVal = payload + retVal = payload # 初始化返回值为输入的payload - if payload: + if payload: # 如果payload不为空 + # 遍历payload中所有匹配0x模式的字符串 for match in re.finditer(r"\b0x([0-9a-f]+)\b", retVal): - if len(match.group(1)) > 2: + if len(match.group(1)) > 2: # 如果匹配的十六进制字符串长度大于2 + # 将十六进制字符串解码为ASCII值,并构造CONCAT(CHAR(),...)形式的字符串 result = "CONCAT(%s)" % ','.join("CHAR(%d)" % _ for _ in getOrds(decodeHex(match.group(1)))) - else: + else: # 如果长度不超过2,直接构造CHAR()形式的字符串 result = "CHAR(%d)" % ord(decodeHex(match.group(1))) + # 将原0x字符串替换为新构造的字符串 retVal = retVal.replace(match.group(0), result) return retVal diff --git a/src/sqlmap-master/tamper/hexentities.py b/src/sqlmap-master/tamper/hexentities.py index d36923e..2b2c849 100644 --- a/src/sqlmap-master/tamper/hexentities.py +++ b/src/sqlmap-master/tamper/hexentities.py @@ -7,6 +7,7 @@ See the file 'LICENSE' for copying permission from lib.core.enums import PRIORITY +# 设置优先级为低 __priority__ = PRIORITY.LOW def dependencies(): @@ -14,20 +15,29 @@ def dependencies(): def tamper(payload, **kwargs): """ - HTML encode in hexadecimal (using code points) all characters (e.g. ' -> 1) + 这个函数用于篡改(tamper)输入的payload,将所有字符转换为十六进制形式的HTML实体编码(例如,' -> 1)。 - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 遍历payload中的每个字符,并将每个字符转换为其对应的十六进制HTML实体形式。 + + 示例: + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' """ retVal = payload if payload: - retVal = "" - i = 0 + retVal = "" # 初始化返回值字符串 + i = 0 # 初始化索引 while i < len(payload): + # 将当前字符转换为其对应的十六进制HTML实体形式,并添加到返回值字符串 retVal += "&#x%s;" % format(ord(payload[i]), "x") - i += 1 + i += 1 # 移动索引,处理下一个字符 return retVal diff --git a/src/sqlmap-master/tamper/htmlencode.py b/src/sqlmap-master/tamper/htmlencode.py index 6cd5507..2a86822 100644 --- a/src/sqlmap-master/tamper/htmlencode.py +++ b/src/sqlmap-master/tamper/htmlencode.py @@ -7,8 +7,9 @@ See the file 'LICENSE' for copying permission import re -from lib.core.enums import PRIORITY +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为低 __priority__ = PRIORITY.LOW def dependencies(): @@ -16,16 +17,26 @@ def dependencies(): def tamper(payload, **kwargs): """ - HTML encode (using code points) all non-alphanumeric characters (e.g. ' -> ') + 这个函数用于篡改(tamper)输入的payload,将所有非字母数字字符转换为HTML实体编码(使用代码点)。 - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' - >>> tamper("1' AND SLEEP(5)#") - '1' AND SLEEP(5)#' + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 + + 功能: + - 遍历payload中的每个字符,并将非字母数字字符转换为其对应的HTML实体形式。 + + 示例: + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' + >>> tamper("1' AND SLEEP(5)#") + '1' AND SLEEP(5)#' """ - if payload: + if payload: # 如果payload不为空 + # 替换已经编码的HTML实体 payload = re.sub(r"&#(\d+);", lambda match: chr(int(match.group(1))), payload) # NOTE: https://github.com/sqlmapproject/sqlmap/issues/5203 + # 将非字母数字字符转换为HTML实体编码 payload = re.sub(r"[^\w]", lambda match: "&#%d;" % ord(match.group(0)), payload) return payload diff --git a/src/sqlmap-master/tamper/if2case.py b/src/sqlmap-master/tamper/if2case.py index 2e3a01f..b6381ea 100644 --- a/src/sqlmap-master/tamper/if2case.py +++ b/src/sqlmap-master/tamper/if2case.py @@ -5,10 +5,11 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY -from lib.core.settings import REPLACEMENT_MARKER +from lib.core.compat import xrange # 导入兼容库中的xrange函数,用于兼容Python 2和3的range函数 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +from lib.core.settings import REPLACEMENT_MARKER # 从核心设置导入替换标记 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -16,56 +17,60 @@ def dependencies(): def tamper(payload, **kwargs): """ - Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart + 这个函数用于篡改(tamper)输入的payload,将'IF(A, B, C)'语句替换为其等效的'CASE WHEN (A) THEN (B) ELSE (C) END'形式。 - Requirement: - * MySQL - * SQLite (possibly) - * SAP MaxDB (possibly) + 参数: + payload:要篡改的原始payload。 + **kwargs:其他可选参数(在本函数中未使用)。 - Tested against: - * MySQL 5.0 and 5.5 + 要求: + * 适用于MySQL、SQLite(可能)和SAP MaxDB(可能)数据库。 - Notes: - * Useful to bypass very weak and bespoke web application firewalls - that filter the IF() functions + 测试情况: + * MySQL 5.0 和 5.5 - >>> tamper('IF(1, 2, 3)') - 'CASE WHEN (1) THEN (2) ELSE (3) END' - >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') - 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' + 注意: + * 这个篡改方法对于绕过那些过滤IF()函数的非常弱的定制Web应用防火墙很有用。 + + 示例: + >>> tamper('IF(1, 2, 3)') + 'CASE WHEN (1) THEN (2) ELSE (3) END' + >>> tamper('SELECT IF((1=1), (SELECT "foo"), NULL)') + 'SELECT CASE WHEN (1=1) THEN (SELECT "foo") ELSE (NULL) END' """ - if payload and payload.find("IF") > -1: - payload = payload.replace("()", REPLACEMENT_MARKER) - while payload.find("IF(") > -1: - index = payload.find("IF(") - depth = 1 - commas, end = [], None + if payload and payload.find("IF") > -1: # 如果payload不为空且包含'IF' + payload = payload.replace("()", REPLACEMENT_MARKER) # 替换空括号为替换标记 + while payload.find("IF(") > -1: # 遍历所有'IF'语句 + index = payload.find("IF(") # 找到'IF'的位置 + depth = 1 # 初始化括号深度 + commas, end = [], None # 初始化逗号位置列表和结束位置 + # 遍历payload以找到'IF'语句的结束位置 for i in xrange(index + len("IF("), len(payload)): if depth == 1 and payload[i] == ',': - commas.append(i) + commas.append(i) # 记录逗号位置 elif depth == 1 and payload[i] == ')': - end = i + end = i # 记录结束位置 break elif payload[i] == '(': - depth += 1 + depth += 1 # 增加括号深度 + elif payload[i] == ')': depth -= 1 - + # 如果找到两个逗号且有结束位置,则进行替换 if len(commas) == 2 and end: - a = payload[index + len("IF("):commas[0]].strip("()") - b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") - c = payload[commas[1] + 1:end].lstrip().strip("()") - newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) - payload = payload[:index] + newVal + payload[end + 1:] + a = payload[index + len("IF("):commas[0]].strip("()") # 提取条件A + b = payload[commas[0] + 1:commas[1]].lstrip().strip("()") # 提取结果B + c = payload[commas[1] + 1:end].lstrip().strip("()") # 提取结果C + newVal = "CASE WHEN (%s) THEN (%s) ELSE (%s) END" % (a, b, c) # 构造新的CASE语句 + payload = payload[:index] + newVal + payload[end + 1:] # 替换原IF语句 else: - break + break # 如果不符合条件,则终止循环 - payload = payload.replace(REPLACEMENT_MARKER, "()") + payload = payload.replace(REPLACEMENT_MARKER, "()") # 恢复替换标记为空括号 return payload diff --git a/src/sqlmap-master/tamper/ifnull2casewhenisnull.py b/src/sqlmap-master/tamper/ifnull2casewhenisnull.py index f439d9d..dd8e6e1 100644 --- a/src/sqlmap-master/tamper/ifnull2casewhenisnull.py +++ b/src/sqlmap-master/tamper/ifnull2casewhenisnull.py @@ -5,9 +5,10 @@ Copyright (c) 2006-2024 sqlmap developers (https://sqlmap.org/) See the file 'doc/COPYING' for copying permission """ -from lib.core.compat import xrange -from lib.core.enums import PRIORITY +from lib.core.compat import xrange # 导入兼容库中的xrange函数,用于兼容Python 2和3的range函数 +from lib.core.enums import PRIORITY # 从核心库导入优先级枚举 +# 设置优先级为最高 __priority__ = PRIORITY.HIGHEST def dependencies(): @@ -33,32 +34,35 @@ def tamper(payload, **kwargs): 'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END' """ - if payload and payload.find("IFNULL") > -1: - while payload.find("IFNULL(") > -1: - index = payload.find("IFNULL(") - depth = 1 - comma, end = None, None + if payload and payload.find("IFNULL") > -1: # 如果payload不为空且包含'IFNULL' + while payload.find("IFNULL(") > -1: # 遍历所有'IFNULL'语句 + index = payload.find("IFNULL(") # 找到'IFNULL'的位置 + depth = 1 # 初始化括号深度 + comma, end = None, None # 初始化逗号位置和结束位置 + # 遍历payload以找到'IFNULL'语句的结束位置 for i in xrange(index + len("IFNULL("), len(payload)): if depth == 1 and payload[i] == ',': - comma = i + comma = i # 记录逗号位置 elif depth == 1 and payload[i] == ')': - end = i + end = i # 记录结束位置 break elif payload[i] == '(': - depth += 1 + depth += 1 # 增加括号深度 + elif payload[i] == ')': - depth -= 1 + depth -= 1 # 减少括号深度 + # 如果找到逗号和结束位置,则进行替换 if comma and end: - _ = payload[index + len("IFNULL("):comma] - __ = payload[comma + 1:end].lstrip() - newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _) - payload = payload[:index] + newVal + payload[end + 1:] + _ = payload[index + len("IFNULL("):comma] # 提取参数A + __ = payload[comma + 1:end].lstrip() # 提取参数B + newVal = "CASE WHEN ISNULL(%s) THEN (%s) ELSE (%s) END" % (_, __, _) # 构造新的CASE语句 + payload = payload[:index] + newVal + payload[end + 1:] # 替换原IFNULL语句 else: - break + break # 如果不符合条件,则终止循环 return payload