Re: [sqlmap-users] New feature
From: Carlos G. V. <car...@gm...> - 2010-10-13 17:43:21
For the last case, I mean to encode all the injection using %. For example:

http://somehost/script.asp?id=SELECT%20FIELD%20FROM%20TABLE

to

http://somehost/script.asp?id=%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

This could be combined with the script that double encodes, since you can stack tamper scripts.

By the way, a nice online tool to encode/decode can be found at: http://yehg.net/encoding/

Best regards,

2010/10/13 Miroslav Stampar <mir...@gm...>:
> On Wed, Oct 13, 2010 at 3:55 PM, Carlos Gabriel Vergara
> <car...@gm...> wrote:
>> Good work!
>>
>> Will try it as soon as I have a minute.
>>
>> Some examples of tamper functions:
>>
>> a) Replace chars with %, with double encoding... I mean: %20 to %2520
>
> added ./tamper/doubleencode.py
>
>> b) Replace spaces with /**/ for mssql (I think there's already an
>> option for this in later versions)
>
> added ./tamper/space2comment.py
>
>> c) Related to a), replace all injection with encoding using %
>
> didn't understand this one. could you please explain it more. thx.
>
>>
>> If I remember something else, will post it.
>>
>> Best regards,
>> G
>>
>> 2010/10/13 Miroslav Stampar <mir...@gm...>:
>>> ...and yes, they can be stacked together:
>>>
>>> sample:
>>> --tamper="./tamper/ifnull2ifisnull.py;./tamper/dummy.py"
>>>
>>> bye
>>>
>>> On Wed, Oct 13, 2010 at 3:15 PM, Miroslav Stampar
>>> <mir...@gm...> wrote:
>>>> hello all.
>>>>
>>>> switch '--tamper' is now fully implemented in the latest SVN revision.
>>>> tampering modules must include a function with a declaration like 'def
>>>> tamper(place, value):'. argument 'place' states which injection place
>>>> ('POST', 'GET', 'URI' or 'User-Agent') the query is being used for, while
>>>> value represents the old query value (prior to the return value of that
>>>> tampering function).
>>>>
>>>> tampering function for IFNULL(A,B) -> IF(ISNULL(A),B,A) is implemented
>>>> so far (./sqlmap/tamper/ifnull2ifisnull.py) but you can make your own
>>>> tampering modules/functions too.
>>>>
>>>> sample usage is:
>>>>
>>>> ./sqlmap.py -u "http://www.site.com/index.php?id=1"
>>>> --tamper="./tamper/ifnull2ifisnull.py"
>>>>
>>>> if you have any other suggestions for other useful tampering functions
>>>> please say and i'll try to implement it/them if it makes sense.
>>>>
>>>> kind regards.
>>>>
>>>> On Wed, Oct 13, 2010 at 9:43 AM, Miroslav Stampar
>>>> <mir...@gm...> wrote:
>>>>> hi.
>>>>>
>>>>> now, there is an option "--tamper=<file>" which does this.
>>>>>
>>>>> you can play around with it using for example:
>>>>> ./sqlmap.py -u "www.test.com" --tamper="./tamper/dummy.py"
>>>>>
>>>>> for "practical" examples please wait for a working version of
>>>>> ./tamper/ifnull2ifisnull.py. i need to solve the problem of counting
>>>>> parentheses in the regular expression i use for recognizing parts of
>>>>> ifnull.
>>>>>
>>>>> kind regards.
>>>>>
>>>>> On Tue, Oct 12, 2010 at 8:02 PM, Carlos Gabriel Vergara
>>>>> <car...@gm...> wrote:
>>>>>> Hi! I was using sqlmap for a year or two, and in a lot of scenarios I
>>>>>> found the need to "touch" the urls that the tool crafts to send to the
>>>>>> server.
>>>>>> Most of the time this happens because all scenarios are some sort of
>>>>>> unique, even if they share the same DBMS.
>>>>>> In these cases I spend a lot of time programming pseudo proxies (quick
>>>>>> and dirty coding in python) to solve the obstacle.
>>>>>> I have some free time now, and want to make a module for sqlmap that
>>>>>> "tampers" the data to be sent, lets me introduce some logic to modify
>>>>>> it, and then sends it to the server.
>>>>>> For example: I need to replace blanks with /**/ for a mssql server. I
>>>>>> will be using sqlmap like this:
>>>>>>
>>>>>> sqlmap -u "http://host/script.py?id=15" -p id
>>>>>> --tamper-script="/home/kaleb/script.py"
>>>>>>
>>>>>> In script.py, some sort of code that picks the GET/POST about to be
>>>>>> sent to the server, searches for the blanks in the query, replaces them
>>>>>> with /**/, and then gives it back to sqlmap to be sent.
>>>>>>
>>>>>> Another example (mentioned in a previous thread): I need to replace
>>>>>> the IFNULL(A,B) sentence with IF(ISNULL(A), B, A). It needed a lot of
>>>>>> string manipulation, made in a mini proxy, losing performance in the
>>>>>> middle.
>>>>>>
>>>>>> The question: which part of sqlmap code do I need to start reviewing?
>>>>>> Though I used it a lot, I never looked into the code. I need a little
>>>>>> tip, just to start with something in mind.
>>>>>>
>>>>>> Thanks a lot.
>>>>>>
>>>>>> PD: excuse my rusty english, by the way =)
>>>>>>
>>>>>> --
>>>>>> --------8<--------
>>>>>> Carlos Gabriel Vergara
>>>>>> http://www.ThorSecurity.com.ar
>>>>>>
>>>>>> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
>>>>>> -------->8--------
>>>>>>
>>>>>> _______________________________________________
>>>>>> sqlmap-users mailing list
>>>>>> sql...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>
>>>>>
>>>>> --
>>>>> Miroslav Stampar
>>>>>
>>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>>> Mobile: +385921010204 (HR 0921010204)
>>>>> PGP Key ID: 0xB5397B1B
>>>>> Location: Zagreb, Croatia
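The thread describes three transformations a tamper module can apply (encode every character as %XX, double-encode so that %20 becomes %2520, replace spaces with /**/) and notes that modules can be stacked. The example below is added here for illustration and is not code from the sqlmap project or from anyone in the thread; it reuses only the `tamper(place, value)` declaration shape Miroslav describes. The function names, the `stack_tampers` helper and the `canonicalize` routine are hypothetical. The point for a defender is the second half: a filter or detection rule that inspects the raw parameter string never sees the keywords, so it has to percent-decode repeatedly until the value stops changing and strip inline comments before matching. The sample payload is constructed from the URL in the message above.

```python
import re
import urllib.parse

# --- Transformations in the thread's declared shape: def tamper(place, value) ---
# 'place' names the injection point ('GET', 'POST', 'URI', 'User-Agent');
# none of these transforms depends on it, but the signature is kept.

def tamper_percent_encode_all(place, value):
    """'Encode all the injection using %': every byte becomes %xx (lowercase hex)."""
    return "".join("%%%02x" % b for b in value.encode("utf-8"))

def tamper_double_encode(place, value):
    """'%20 to %2520': re-encode the percent signs of an already encoded value."""
    return value.replace("%", "%25")

def tamper_space2comment(place, value):
    """Replace blanks with an empty inline comment."""
    return value.replace(" ", "/**/")

def stack_tampers(place, value, *tampers):
    """Apply tamper functions left to right, as the ';'-separated --tamper list does."""
    for fn in tampers:
        value = fn(place, value)
    return value

# --- Defender side: undo the layers before looking at the value ---

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def canonicalize(value, max_rounds=5):
    """Percent-decode and strip inline comments until the string stops changing.

    Returns (canonical_value, rounds_needed). max_rounds bounds the loop so a
    hostile input cannot keep a filter busy; a value still changing after the
    cap is suspicious in itself.
    """
    current = value
    rounds = 0
    while rounds < max_rounds:
        decoded = urllib.parse.unquote(current)
        decoded = INLINE_COMMENT.sub(" ", decoded)
        if decoded == current:
            break
        current = decoded
        rounds += 1
    return current, rounds

SQL_KEYWORDS = re.compile(r"\b(select|union|from|where)\b", re.I)

def looks_like_sql(value):
    """Keyword check run on the canonical form, not on the raw parameter."""
    canonical, _ = canonicalize(value)
    return SQL_KEYWORDS.search(canonical) is not None

if __name__ == "__main__":
    # Constructed sample: the decoded payload from the URL in the thread.
    payload = "SELECT FIELD FROM TABLE"
    single = tamper_percent_encode_all("GET", payload)
    double = stack_tampers("GET", payload, tamper_percent_encode_all, tamper_double_encode)
    comments = tamper_space2comment("GET", payload)
    for label, v in (("raw", payload), ("single", single), ("double", double), ("comments", comments)):
        print("%-8s %-70s -> %r" % (label, v, canonicalize(v)))
```

Order matters when stacking: `tamper_space2comment` only acts on literal spaces, so it has to run before `tamper_percent_encode_all`, which turns them into `%20`. On the detection side, matching keywords against the raw string would miss all three variants, while the canonical form of each is the original `SELECT FIELD FROM TABLE`; the round count also tells you how many encoding layers were peeled off, which is a useful signal on its own.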