Notes on SQLMap tamper scripts.
Commonly used tamper scripts
--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes
--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords
e.g.
#> sqlmap -u "http://127.0.0.1?q=target" --dbs --no-cast --level 3 --tamper=apostrophemask,apostrophenullencode,base64encode,between
Tamper scripts
apostrophemask: encodes the apostrophe as UTF-8
apostrophenullencode: prepends a null to the ' (quote)
- an input ' goes in as %27
base64encode: Base64-encodes the payload
between: uses the NOT BETWEEN 0 AND construct
- MySQL 4, 5, 5.5, MSSQL 2005, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0 only
chardoubleencode: encodes spaces as %09
charencode: URL-encodes twice (what is generally called Double URL Encoding)
- ' comes out in the form %2527
charunicodeencode: URL encoding, but version-restricted like between
- MSSQL 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
- SELECT FIELD%20FROM TABLE ==> %u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045
equaltolike: uses a LIKE clause in place of the equals operator
- MSSQL 2005, MySQL 4, 5.0 and 5.5
- SELECT * FROM users WHERE id=1 ==> SELECT * FROM users WHERE id LIKE 1
greatest: replaces the greater-than operator with GREATEST()
- MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
- 1 AND A > B ==> 1 AND GREATEST(A,B+1)=A
ifnull2ifisnull: replaces IFNULL(A, B) with IF(ISNULL(A), B, A)
- MySQL 5.0 and 5.5
- IFNULL(1, 2) ==> IF(ISNULL(1),2,1)
multiplespaces: inserts multiple spaces
nonrecursivereplacement: nests each keyword inside a copy of itself (aimed at filters that strip keywords only once, non-recursively)
- 1 UNION SELECT 2 - ==> 1 UNION SELESELECTCT 2-
percentage: inserts % between the characters of each keyword
- SELECT FIELD FROM TABLE ==> %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E
randomcase: randomizes the case of letters
- INSERT ==> InseRt
securesphere: appends an always-true 'zzz'='zzz' condition
- 1 AND 1=1 ==> 1 AND 1=1 and 'zzz'='zzz'
space2comment: replaces spaces with comments
- SELECT id FROM users ==> SELECT/**/id/**/FROM/**/users
space2plus: replaces spaces with +
- SELECT id FROM users ==> SELECT+id+FROM+users
space2randomblank: inserts CRLF characters (%0d%0a) in place of spaces
- SELECT id FROM users ==> SELECT%0Did%0DFROM%0Ausers
unionalltounion: changes UNION ALL SELECT to plain UNION SELECT
- 1 UNION ALL SELECT ==> -1 UNION SELECT
unmagicquotes: replaces the quote with a multi-byte sequence (%bf%27)
- 1' AND 1=1 ==> 1%bf%27 -
There are more besides these; see the link below: https://github.com/sqlmapproject/sqlmap/tree/master/tamper
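As an added example (not from the original notes and not part of sqlmap), here is a small normalizer for the defender's side that reverses the transformations listed above (charunicodeencode, charencode/chardoubleencode, percentage, space2comment, space2plus, space2randomblank, multiplespaces, randomcase, nonrecursivereplacement) so that a log-inspection or WAF rule sees the plain SQL keywords instead of the obfuscated form. The keyword list and the sample payloads are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Keywords to look for after normalization (constructed list for illustration)
SQL_KEYWORDS = ("UNION", "SELECT", "INSERT", "FROM", "WHERE", "AND", "LIKE", "GREATEST", "ISNULL")


def _unnest_keywords(s: str) -> str:
    """Undo nonrecursivereplacement (SELESELECTCT -> SELECT): a tampered keyword is the
    keyword with a second copy spliced in, so each split point yields one pattern."""
    changed = True
    while changed:
        changed = False
        for kw in SQL_KEYWORDS:
            nested = "|".join(re.escape(kw[:i] + kw + kw[i:]) for i in range(1, len(kw)))
            collapsed = re.sub(nested, kw, s)
            if collapsed != s:
                s, changed = collapsed, True
    return s


def normalize(payload: str) -> str:
    """Reverse the encoding and whitespace tricks listed above so the raw SQL shows through."""
    s = payload
    # charunicodeencode: %u0053 -> 'S'
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    # charencode / chardoubleencode: keep URL-decoding until stable (%2527 -> %27 -> ')
    for _ in range(3):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    # percentage: %S%E%L%E%C%T -> SELECT (after decoding, a '%' still left before a letter is filler)
    s = re.sub(r"%(?=[A-Za-z])", "", s)
    # space2comment: /**/ and any other inline comment -> space
    s = re.sub(r"/\*.*?\*/", " ", s)
    # space2plus: '+' -> space
    s = s.replace("+", " ")
    # space2randomblank / multiplespaces: CR, LF, tab and repeated spaces -> one space
    s = re.sub(r"\s+", " ", s).strip()
    # randomcase: InseRt -> INSERT
    s = s.upper()
    return _unnest_keywords(s)


def sql_keyword_hits(payload: str) -> list:
    """Return the SQL keywords visible once the payload is normalized."""
    s = normalize(payload)
    return [kw for kw in SQL_KEYWORDS if re.search(rf"\b{kw}\b", s)]
```

Run it over the request parameters you log (or the samples from the list above) and alert on two or more keyword hits; the normalization is deliberately lossy, so treat it as a detection aid, not as a parser.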