sqlmap tamper脚本扩展开发(Bypass IPS)

tanrong 2019-12-16

首先先对比一下两个自带的tamper脚本,看看sqlmap调用tamper有没有依赖什么类库或者算法.

例如调用tamper是导入之后调用脚本里的某函数,那么我们开发的tamper脚本也应该有调用要用到的函数,主要看算法吧,咳咳

先来看看base64encode.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file ‘LICENSE‘ for copying permission
"""

from lib.core.convert import encodeBase64
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Base64-encodes all characters in a given payload

    >>> tamper("1‘ AND SLEEP(5)#")
    ‘MScgQU5EIFNMRUVQKDUpIw==‘
    """

    return encodeBase64(payload, binary=False) if payload else payload

再看看charencode.py

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file ‘LICENSE‘ for copying permission
"""

import string

from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOWEST

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset
        * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS

    >>> tamper(‘SELECT FIELD FROM%20TABLE‘)
    ‘%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45‘
    """

    retVal = payload

    if payload:
        retVal = ""
        i = 0

        while i < len(payload):
            if payload[i] == ‘%‘ and (i < len(payload) - 2) and payload[i + 1:i + 2] in string.hexdigits and payload[i + 2:i + 3] in string.hexdigits:
                retVal += payload[i:i + 3]
                i += 3
            else:
                retVal += ‘%%%.2X‘ % ord(payload[i])
                i += 1

    return retVal

发现脚本里面有一些共同点

1.都有导入PRIORITY类库该类库看样子是设置优先级的,来自lib.core.enums模块,参考

from lib.core.enums import PRIORITY

2.并且赋值了__priority__变量,该变量定义了优先级属性,参考

base64encode.py中

__priority__ = PRIORITY.LOW

charencode.py中

__priority__ = PRIORITY.LOWEST

3.都定义了一个名为dependencies的函数并且函数体code为pass,参考

def dependencies():
    pass

4.都定义了一个名为tamper的函数,函数接收两个参数,一个payload,还没处理过的payload,一个**kwargs,该参数接收键-值对数组,

我们接收payload之后做相应的算法处理之后,return 处理好的payload即可

共同点都列出来了,按着写就对了,示例:

#!/usr/bin/env python
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.LOW#这里可以自己定义优先级
def dependencies():
    pass
def tamper(payload, **kwargs):
    return #处理之后的string payload

写完之后放到sqlmap的tamper目录即可

相关推荐