Table of contents
Write a bypass script for sqlmap
1. Theoretical knowledge 1
Write a bypass script for sqlmap
Write a simple WAF bypass script for sqlmap
#!/usr/bin/env python
"""
Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.compat import xrange
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW
def dependencies():
pass
def tamper(payload, **kwargs):
hex_str = ''.join([r'~' + hex(ord(c))[2:].zfill(2) for c in payload])
return hex_strPick the key points to tell about:
Core code:
hex_str = ''.join([r'~' + hex(ord(c))[2:].zfill(2) for c in payload])
Realize the function:
Convert the given payload string to a hexadecimal string using a list comprehension. It iterates over each character in the payload, converts it to its ASCII hexadecimal representation, and prepends it with a ~ sign and padding with appropriate zeros. Finally, use the ''.join() method to concatenate all converted hex strings into one string
Function meaning:
1、hex_str = ''
Defines an empty string to store the final hexadecimal representation.
2、[r'~' + hex(ord(c))[2:].zfill(2) for c in payload]
This is a list comprehension that iterates over payloadeach character in the string and processes it. For each character cit does the following:
ord(c): Convert the character to the corresponding ASCII value.hex(...): Convert an ASCII value to a hexadecimal string.[2:]: slice operation, remove the prefix part in the hexadecimal string.zfill(2): If the hexadecimal string is less than two digits long, zeros are left-padded to make it two digits long.r'~' + ...~: Characters to prefix the processed hex string with .
Ultimately, this list comprehension will produce a list containing the hexadecimal representation of each character.
3. ''.join(...): Use an empty string as a connector to connect the elements in the list to form a string. That is, the hexadecimal representation of each character is concatenated together.
2. Theoretical knowledge 2
Tamper script for sqlmap
More scripts in sqlmap's tamper
| serial number | Screenplay name | note |
|---|---|---|
| 1 | 0x2char | Convert each encoded character to its equivalent representation |
| 2 | apostrophemask | Single quotes are replaced with Utf8 characters |
| 3 | apostrophenullencode | Replace double quotes with %00%27 |
| 4 | appendnullbyte | Add %00 after valid code |
| 5 | base64encode | Use base64 encoding |
| 6 | between | The comparator is replaced with between |
| 7 | bluecoat | Spaces are replaced with random blank characters, equal signs are replaced with like |
| 8 | chardoubleencode | double url encoding |
| 9 | charencode | Encode the url |
| 10 | charunicodeencode | use unicode encoding |
| 11 | charunicodeescape | Reverse encode unencoded characters with the specified payload |
| 12 | commalesslimit | Change the wording of the limit statement |
| 13 | commalessmid | Change the wording of the mid statement |
| 14 | commentbeforeparentheses | Inline comments before parentheses |
| 15 | concat2concatws | Replace CONCAT with CONCAT_WS |
| 16 | equaltolike | Replace the equal sign with like |
| 17 | escapequotes | Double quotes are replaced with \\\\ |
| 18 | greatest | The greater than sign is replaced by greatest |
| 19 | halfversionedmorekeywords | Add a comment before each keyword |
| 20 | htmlencode | html encode all non-alphanumeric characters |
| 21 | ifnull2casewhenisnull | Changing the way the ifnull statement is written |
| 22 | ifnull2ifisnull | Replace ifnull with if(isnull(A)) |
| 23 | informationschemacomment | Add a comment after the identifier |
| 24 | least | Replace the greater than sign with least |
| 25 | lowercase | Replace all with lowercase values |
| 26 | modsecurityversioned | Spaces are replaced with comments for the query version |
| 27 | modsecurityzeroversioned | Add a comment for the full query version |
| 28 | multiplespaces | add multiple spaces |
| 29 | nonrecursivereplacement | Replace predefined keywords |
| 30 | overlongutf8 | escape all characters to utf8 |
| 31 | overlongutf8more | Convert all characters with the specified payload |
| 32 | percentage | 每个字符前添加% |
| 33 | plus2concat | 将加号替换为concat函数 |
| 34 | plus2fnconcat | 将加号替换为ODBC函数{fn CONCAT()} |
| 35 | randomcase | 字符大小写随机替换 |
| 36 | randomcomments | /**/分割关键字 |
| 37 | securesphere | 添加某字符串 |
| 38 | sp_password | 追加sp_password字符串 |
| 39 | space2comment | 空格替换为/**/ |
| 40 | space2dash | 空格替换为--加随机字符 |
| 41 | space2hash | 空格替换为#加随机字符 |
| 42 | space2morecomment | 空格替换为/**_**/ |
| 43 | space2morehash | 空格替换为#加随机字符及换行符 |
| 44 | space2mssqlblank | 空格替换为其他空符号 |
| 45 | space2mssqlhash | 空格替换为%23%0A |
| 46 | space2mysqlblank | 空格替换为其他空白符号 |
| 47 | space2mysqldash | 空格替换为--%0A |
| 48 | space2plus | 空格替换为加号 |
| 49 | space2randomblank | 空格替换为备选字符集中的随机字符 |
| 50 | symboliclogical | AND和OR替换为&&和|| |
| 51 | unionalltounion | union all select替换为union select |
| 52 | unmagicquotes | 宽字符绕过GPC |
| 53 | uppercase | 全部替换为大写值 |
| 54 | varnish | 添加HTTP头 |
| 55 | versionedkeywords | 用注释封装每个非函数的关键字 |
| 56 | versionedmorekeywords | 使用注释绕过 |
| 57 | xforwardedfor | 添加伪造的HTTP头 |
注:不同的脚本可以针对不同的数据库、不同的版本进行使用
三、实战部分
