前言

截止目前最新版本为 1.7.10.1#dev 版本.系统自带 tamper 共计 69个.相较笔者早期的文章 SQLMAP tamper WAF 绕过脚本列表注释,变化还是较大,因此记录下,下面分别是英文和中文翻译.

英文

使用如下命令获取 sqlmap 自带所有的 tamper 列表

python3 sqlmap.py --list-tampers

* 0eunion.py - Replaces instances of <int> UNION with <int>e0UNION
* apostrophemask.py - Replaces apostrophe character (') with its UTF-8 full width counterpart (e.g. ' -> %EF%BC%87)
* apostrophenullencode.py - Replaces apostrophe character (') with its illegal double unicode counterpart (e.g. ' -> %00%27)
* appendnullbyte.py - Appends (Access) NULL byte character (%00) at the end of payload
* base64encode.py - Base64-encodes all characters in a given payload
* between.py - Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' and equals operator ('=') with 'BETWEEN # AND #'
* binary.py - Injects keyword binary where possible
* bluecoat.py - Replaces space character after SQL statement with a valid random blank character. Afterwards replace character '=' with operator LIKE
* chardoubleencode.py - Double URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %2553%2545%254C%2545%2543%2554)
* charencode.py - URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %53%45%4C%45%43%54)
* charunicodeencode.py - Unicode-URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054)
* charunicodeescape.py - Unicode-escapes non-encoded characters in a given payload (not processing already encoded) (e.g. SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054)
* commalesslimit.py - Replaces (MySQL) instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' counterpart
* commalessmid.py - Replaces (MySQL) instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' counterpart
* commentbeforeparentheses.py - Prepends (inline) comment before parentheses (e.g. ( -> /**/()
* concat2concatws.py - Replaces (MySQL) instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' counterpart
* decentities.py - HTML encode in decimal (using code points) all characters (e.g. ' -> &#39;)
* dunion.py - Replaces instances of <int> UNION with <int>DUNION
* equaltolike.py - Replaces all occurrences of operator equal ('=') with 'LIKE' counterpart
* equaltorlike.py - Replaces all occurrences of operator equal ('=') with 'RLIKE' counterpart
* escapequotes.py - Slash escape single and double quotes (e.g. ' -> \')
* greatest.py - Replaces greater than operator ('>') with 'GREATEST' counterpart
* halfversionedmorekeywords.py - Adds (MySQL) versioned comment before each keyword
* hex2char.py - Replaces each (MySQL) 0x<hex> encoded string with equivalent CONCAT(CHAR(),...) counterpart
* hexentities.py - HTML encode in hexadecimal (using code points) all characters (e.g. ' -> &#x31;)
* htmlencode.py - HTML encode (using code points) all non-alphanumeric characters (e.g. ' -> &#39;)
* if2case.py - Replaces instances like 'IF(A, B, C)' with 'CASE WHEN (A) THEN (B) ELSE (C) END' counterpart
* ifnull2casewhenisnull.py - Replaces instances like 'IFNULL(A, B)' with 'CASE WHEN ISNULL(A) THEN (B) ELSE (A) END' counterpart
* ifnull2ifisnull.py - Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' counterpart
* informationschemacomment.py - Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier
* least.py - Replaces greater than operator ('>') with 'LEAST' counterpart
* lowercase.py - Replaces each keyword character with lower case value (e.g. SELECT -> select)
* luanginx.py - LUA-Nginx WAFs Bypass (e.g. Cloudflare)
* misunion.py - Replaces instances of UNION with -.1UNION
* modsecurityversioned.py - Embraces complete query with (MySQL) versioned comment
* modsecurityzeroversioned.py - Embraces complete query with (MySQL) zero-versioned comment
* multiplespaces.py - Adds multiple spaces (' ') around SQL keywords
* ord2ascii.py - Replaces ORD() occurences with equivalent ASCII() calls
* overlongutf8.py - Converts all (non-alphanum) characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. ' -> %C0%A7)
* overlongutf8more.py - Converts all characters in a given payload to overlong UTF8 (not processing already encoded) (e.g. SELECT -> %C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94)
* percentage.py - Adds a percentage sign ('%') infront of each character (e.g. SELECT -> %S%E%L%E%C%T)
* plus2concat.py - Replaces plus operator ('+') with (MsSQL) function CONCAT() counterpart
* plus2fnconcat.py - Replaces plus operator ('+') with (MsSQL) ODBC function {fn CONCAT()} counterpart
* randomcase.py - Replaces each keyword character with random case value (e.g. SELECT -> SEleCt)
* randomcomments.py - Add random inline comments inside SQL keywords (e.g. SELECT -> S/**/E/**/LECT)
* schemasplit.py - Splits FROM schema identifiers (e.g. 'testdb.users') with whitespace (e.g. 'testdb 9.e.users')
* scientific.py - Abuses MySQL scientific notation
* sleep2getlock.py - Replaces instances like 'SLEEP(5)' with (e.g.) "GET_LOCK('ETgP',5)"
* sp_password.py - Appends (MsSQL) function 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs
* space2comment.py - Replaces space character (' ') with comments '/**/'
* space2dash.py - Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n')
* space2hash.py - Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
* space2morecomment.py - Replaces (MySQL) instances of space character (' ') with comments '/**_**/'
* space2morehash.py - Replaces (MySQL) instances of space character (' ') with a pound character ('#') followed by a random string and a new line ('\n')
* space2mssqlblank.py - Replaces (MsSQL) instances of space character (' ') with a random blank character from a valid set of alternate characters
* space2mssqlhash.py - Replaces space character (' ') with a pound character ('#') followed by a new line ('\n')
* space2mysqlblank.py - Replaces (MySQL) instances of space character (' ') with a random blank character from a valid set of alternate characters
* space2mysqldash.py - Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n')
* space2plus.py - Replaces space character (' ') with plus ('+')
* space2randomblank.py - Replaces space character (' ') with a random blank character from a valid set of alternate characters
* substring2leftright.py - Replaces PostgreSQL SUBSTRING with LEFT and RIGHT
* symboliclogical.py - Replaces AND and OR logical operators with their symbolic counterparts (&& and ||)
* unionalltounion.py - Replaces instances of UNION ALL SELECT with UNION SELECT counterpart
* unmagicquotes.py - Replaces quote character (') with a multi-byte combo %BF%27 together with generic comment at the end (to make it work)
* uppercase.py - Replaces each keyword character with upper case value (e.g. select -> SELECT)
* varnish.py - Appends a HTTP header 'X-originating-IP' to bypass Varnish Firewall
* versionedkeywords.py - Encloses each non-function keyword with (MySQL) versioned comment
* versionedmorekeywords.py - Encloses each keyword with (MySQL) versioned comment
* xforwardedfor.py - Append a fake HTTP header 'X-Forwarded-For' (and alike)

中文

0eunion.py - 将 <int> UNION 替换为 <int>e0UNION
apostrophemask.py - 将单引号字符（'）替换为其UTF-8全角对应字符（例如 ' -> %EF%BC%87）
apostrophenullencode.py - 将单引号字符（'）替换为其非法的双Unicode对应字符（例如 ' -> %00%27）
appendnullbyte.py - 在Payload末尾添加（Access）NULL字节字符（%00）
base64encode.py - 对给定Payload中的所有字符进行Base64编码
between.py - 将大于运算符（'>'）替换为 'NOT BETWEEN 0 AND #'，将等于运算符（'='）替换为 'BETWEEN # AND #'。
binary.py - 在可能的情况下注入关键字binary
bluecoat.py - 将SQL语句后的空格字符替换为有效的随机空白字符。然后将字符“=”替换为操作符LIKE。
chardoubleencode.py - 对给定Payload中的所有字符进行双URL编码（不处理已经编码的内容）（例如SELECT -> %2553%2545%254C%2545%2543%2554）
charencode.py - 对给定Payload中的所有字符进行URL编码（不处理已经编码的内容）（例如SELECT -> %53%45%4C%45%43%54）
charunicodeencode.py - 对给定Payload中的所有字符进行Unicode-URL编码（不处理已经编码的内容）（例如SELECT -> %u0053%u0045%u004C%u0045%u0043%u0054）
charunicodeescape.py - 在给定的负载中Unicode转义非编码字符（不处理已经编码的内容）（例如SELECT -> \u0053\u0045\u004C\u0045\u0043\u0054）
commalesslimit.py - 将（MySQL）实例如'LIMIT M，N'替换为'LIMIT N OFFSET M'对应项
commalessmid.py - 将（MySQL）实例如'MID（A，B，C）'替换为'MID（A FROM B FOR C）'对应项
commentbeforeparentheses.py - 在括号（例如（））前添加（内联）注释（例如（-> / ** /（））
concat2concatws.py - 将（MySQL）实例如'CONCAT（A，B）'替换为'CONCAT_WS（MID（CHAR（0），0，0），A，B）'对应项
decentities.py - 使用代码点将所有字符进行HTML十进制编码（例如'-> '）
dunion.py - 将<int> UNION替换为<int>DUNION
equaltolike.py - 将等于运算符（'='）的所有出现替换为LIKE对应项
equaltorlike.py - 将等于运算符（'='）的所有出现替换为RLIKE对应项
escapequotes.py - 反斜杠转义单引号和双引号（例如'->\ '）
greatest.py - 将大于运算符（'>'）替换为GREATEST对应项
halfversionedmorekeywords.py - 在每个关键字之前添加（MySQL）有版本的注释
hex2char.py - 将每个（MySQL）0x <hex>编码的字符串替换为等效的CONCAT（CHAR（），...）对应项
hexentities.py - 使用代码点将所有字符进行HTML十六进制编码（例如'-> 1）
htmlencode.py - 使用代码点将所有非字母数字字符进行HTML编码（例如'-> '）
if2case.py - 将实例如'IF（A，B，C）'替换为'CASE WHEN（A）THEN（B）ELSE（C）END'对应项
ifnull2casewhenisnull.py - 将实例如'IFNULL（A，B）'替换为'CASE WHEN ISNULL（A）THEN（B）ELSE（A）END'对应项
ifnull2ifisnull.py - 将实例如'IFNULL（A，B）'替换为'IF（ISNULL（A），B，A）'对应项
informationschemacomment.py - 在（MySQL）“information_schema”标识符的所有出现之后添加内联注释（/ ** /）
least.py - 将大于运算符（'>'）替换为LEAST对应项
lowercase.py - 将每个关键字字符替换为小写值（例如SELECT-> select）
luanginx.py - LUA-Nginx WAFs绕过（例如Cloudflare）
misunion.py - 将UNION实例替换为-.1UNION
modsecurityversioned.py - 使用（MySQL）有版本的注释括起来完整的查询
modsecurityzeroversioned.py - 使用（MySQL）零版本的注释括起来完整的查询
multiplespaces.py - 在SQL关键字周围添加多个空格（' '）
ord2ascii.py - 将ORD（）出现替换为等效的ASCII（）调用
overlongutf8.py - 将给定负载中的所有（非字母数字）字符转换为过长的UTF8（不处理已经编码的内容）（例如'->%C0%A7）
overlongutf8more.py - 将给定负载中的所有字符转换为过长的UTF8（不处理已经编码的内容）（例如SELECT->%C1%93%C1%85%C1%8C%C1%85%C1%83%C1%94）
percentage.py - 在每个字符（例如SELECT->%S%E%L%E%C%T）前面添加一个百分比符号（'％'）
plus2concat.py - 将加号运算符（'+'）替换为（MsSQL）函数CONCAT（）对应项
plus2fnconcat.py - 将加号运算符（'+'）替换为（MsSQL）ODBC函数{fn CONCAT（）}对应项
randomcase.py - 将每个关键字字符替换为随机情况值（例如SELECT->SEleCt）
randomcomments.py - 在SQL关键字中添加随机内联注释（例如SELECT->S / ** / E / ** / LECT）
schemasplit.py - 将FROM模式标识符（例如'testdb.users'）与空格（例如'testdb 9.e.users'）拆分
scientific.py - 滥用MySQL的科学计数法
sleep2getlock.py - 将实例如'SLEEP（5）'替换为“GET_LOCK（'ETgP'，5）”之类的内容
sp_password.py - 将（MsSQL）函数'sp_password'附加到有效负载的末尾，以自动混淆来自DBMS日志的内容
space2comment.py - 将空格字符（' '）替换为注释'/ ** /'
space2dash.py - 将空格字符（' '）替换为破折号注释（'--'）后跟随一个随机字符串和一个新行（'\n'）
space2hash.py - 将（MySQL）空格字符（' '）的实例替换为井字符（'#'），后跟随一个随机字符串和一个新行（'\n'）
space2morecomment.py - 将（MySQL）空格字符（' '）的实例替换为注释'/ _ /'
space2morehash.py - 将（MySQL）空格字符（' '）的实例替换为井字符（'#'），后跟随一个随机字符串和一个新行（'\n'）
space2mssqlblank.py - 将（MsSQL）空格字符（' '）的实例替换为来自有效备选字符集的随机空白字符
space2mssqlhash.py - 将空格字符（' '）替换为井字符（'#'），后跟随一个新行（'\n'）
space2mysqlblank.py - 将（MySQL）空格字符（' '）的实例替换为来自有效备选字符集的随机空白字符
space2mysqldash.py - 将空格字符（' '）替换为破折号注释（'--'）后跟随一个新行（'\n'）
space2plus.py - 将空格字符（' '）替换为加号（'+'）
space2randomblank.py - 将空格字符（' '）替换为来自有效备选字符集的随机空白字符
substring2leftright.py - 将PostgreSQL SUBSTRING替换为LEFT和RIGHT
symboliclogical.py - 将AND和OR逻辑运算符替换为其符号对应项（&&和||）
unionalltounion.py - 将UNION ALL SELECT实例替换为UNION SELECT对应项
unmagicquotes.py - 将引号字符（'）替换为多字节组合%BF%27，同时在末尾添加通用注释（使其起作用）
uppercase.py - 将每个关键字字符替换为大写值（例如select->SELECT）
varnish.py - 添加HTTP头'X-originating-IP'以绕过Varnish防火墙
versionedkeywords.py - 使用（MySQL）有版本的注释括起来每个非函数关键字
versionedmorekeywords.py - 使用（MySQL）有版本的注释括起来每个关键字
xforwardedfor.py - 添加假HTTP头'X-Forwarded-For'（等等）

后记

小 Tips : 在对 mssql 数据时,不要使用 randomcomments !
有时候合理组合使用这些 tamper 可以大大提高我们发现 SQL 注入的机率.本文为笔记系列.
如有不妥之处或不错的 tamper ,欢迎指出交流.