Re: [sqlmap-users] New feature
From: Miroslav S. <mir...@gm...> - 2010-10-13 19:54:09
hi. that functionality is now added to './tamper/charencode.py' also, one more module is added './tamper/randomcase.py' which could be used as a method for bypassing "shitty" IDSes. bye.

On Wed, Oct 13, 2010 at 7:43 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
> For the last case, i mean to encode all the injection using %.
>
> For example:
>
> http://somehost/script.asp?id=SELECT%20FIELD%20FROM%20TABLE
>
> to
>
> http://somehost/script.asp?id=%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
>
> This could be combined with the script that double encodes, since you
> can stack tamper scripts.
> By the way, a nice online tool to encode/decode can be found at:
>
> http://yehg.net/encoding/
>
> Best regards,
>
> 2010/10/13 Miroslav Stampar <mir...@gm...>:
>> On Wed, Oct 13, 2010 at 3:55 PM, Carlos Gabriel Vergara
>> <car...@gm...> wrote:
>>> Good work!
>>>
>>> Will try it as soon as i have a minute.
>>>
>>> Some examples of tamper functions:
>>>
>>> a) Replace chars with %, with double encoding... i mean: %20 to %2520
>>
>> added ./tamper/doubleencode.py
>>
>>> b) Replace spaces with /**/ for mssql (i think there's already an
>>> option for this in later versions)
>>
>> added ./tamper/space2comment.py
>>
>>> c) Related to a), replace all injection with encoding using %
>>
>> didn't understand this one. could you please explain it more. thx.
>>
>>>
>>> If I remember something else, will post it.
>>>
>>> Best regards,
>>> G
>>>
>>> 2010/10/13 Miroslav Stampar <mir...@gm...>:
>>>> ...and yes, they can be stacked together:
>>>>
>>>> sample:
>>>> --tamper="./tamper/ifnull2ifisnull.py;./tamper/dummy.py"
>>>>
>>>> bye
>>>>
>>>> On Wed, Oct 13, 2010 at 3:15 PM, Miroslav Stampar
>>>> <mir...@gm...> wrote:
>>>>> hello all.
>>>>>
>>>>> switch '--tamper' is now fully implemented in the latest SVN revision.
>>>>> tampering modules must include function with declaration like 'def
>>>>> tamper(place, value):'. argument 'place' states which injection place
>>>>> ('POST', 'GET', 'URI' or 'User-Agent') is query being used for, while
>>>>> value represents the old query value (prior to return value of that
>>>>> tampering function).
>>>>>
>>>>> tampering function for IFNULL(A,B) -> IF(ISNULL(A),B,A) is implemented
>>>>> so far (./sqlmap/tamper/ifnull2ifisnull.py) but you can make your own
>>>>> tampering modules/functions too.
>>>>>
>>>>> sample usage is:
>>>>>
>>>>> ./sqlmap.py -u "http://www.site.com/index.php?id=1"
>>>>> --tamper="./tamper/ifnull2ifisnull.py"
>>>>>
>>>>> if you have any other suggestions for other useful tampering functions
>>>>> please say and i'll try to implement it/them if it makes sense.
>>>>>
>>>>> kind regards.
>>>>>
>>>>> On Wed, Oct 13, 2010 at 9:43 AM, Miroslav Stampar
>>>>> <mir...@gm...> wrote:
>>>>>> hi.
>>>>>>
>>>>>> now, there is an option "--tamper=<file>" which does this.
>>>>>>
>>>>>> you can play around with it using for example:
>>>>>> ./sqlmap.py -u "www.test.com" --tamper="./tamper/dummy.py"
>>>>>>
>>>>>> for "practical" examples please wait for working version of
>>>>>> ./tamper/ifnull2ifisnull.py. i need to solve the problem of counting
>>>>>> parentheses in regular expression i use for recognizing parts of
>>>>>> ifnull.
>>>>>>
>>>>>> kind regards.
>>>>>>
>>>>>> On Tue, Oct 12, 2010 at 8:02 PM, Carlos Gabriel Vergara
>>>>>> <car...@gm...> wrote:
>>>>>>> Hi! I was using sqlmap for a year or two, and in a lot of scenarios i
>>>>>>> found the need of "touch" the urls that the tool crafts to send to the
>>>>>>> server.
>>>>>>> Most of the times this happens because all scenarios are some sort of
>>>>>>> unique, even if they share the same DBMS.
>>>>>>> In these cases i spend a lot of time programming pseudo proxies (quick
>>>>>>> and dirty coding in python) to solve the obstacle.
>>>>>>> I have some free time now, and want to make a module for sqlmap that
>>>>>>> "tampers" the data to be sent, let me introduce some logic to modify
>>>>>>> it, and then send it to the server.
>>>>>>> For example: i need to replace blanks with /**/ for a mssql server. I
>>>>>>> will be using sqlmap like this:
>>>>>>>
>>>>>>> sqlmap -u "http://host/script.py?id=15" -p id
>>>>>>> --tamper-script="/home/kaleb/script.py"
>>>>>>>
>>>>>>> In script.py, some sort of code that picks the GET/POST about to be
>>>>>>> sent to the server, search for the blanks in the query, replace them
>>>>>>> with /**/, and then give it back to sqlmap to be sent.
>>>>>>>
>>>>>>> Another example (mentioned in a previous thread): i need to replace
>>>>>>> IFNULL(A,B) sentence with IF(ISNULL(A), B, A). It needed a lot of
>>>>>>> string manipulation, made in a mini proxy, losing performance in the
>>>>>>> middle.
>>>>>>>
>>>>>>> The question: which part of sqlmap code i need to start reviewing?
>>>>>>> Though i used it a lot, never looked into the code. I need a little
>>>>>>> tip, just to start with something in mind.
>>>>>>>
>>>>>>> Thanks a lot.
>>>>>>>
>>>>>>> PD: excuse my rusty english, by the way =)
>>>>>>>
>>>>>>> --
>>>>>>> --------8<--------
>>>>>>> Carlos Gabriel Vergara
>>>>>>> http://www.ThorSecurity.com.ar
>>>>>>>
>>>>>>> PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
>>>>>>> -------->8--------
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> Beautiful is writing same markup. Internet Explorer 9 supports
>>>>>>> standards for HTML5, CSS3, SVG 1.1, ECMAScript5, and DOM L2 & L3.
>>>>>>> Spend less time writing and rewriting code and more time creating great
>>>>>>> experiences on the web. Be a part of the beta today.
>>>>>>> http://p.sf.net/sfu/beautyoftheweb
>>>>>>> _______________________________________________
>>>>>>> sqlmap-users mailing list
>>>>>>> sql...@li...
>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>
>>>>>>
>>>>>> --
>>>>>> Miroslav Stampar
>>>>>>
>>>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>>>> Mobile: +385921010204 (HR 0921010204)
>>>>>> PGP Key ID: 0xB5397B1B
>>>>>> Location: Zagreb, Croatia
>>>>>>
>>>>>
>>>>
>>>
>>
>

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia
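Every transform discussed in this thread (percent-encoding each character, double-encoding `%20` to `%2520`, replacing spaces with `/**/`, randomising case, and stacking several of them) defeats an IDS that matches its rules against the raw parameter value. The added Python example below is not code from sqlmap or from anyone in the thread; it shows the defender's side of the same problem: a canonicaliser that peels the encoding layers off (with a bound, so crafted input cannot keep it decoding forever), strips inline comments, folds case and whitespace, and only then applies a signature. The sample values are constructed from the thread's own descriptions, and the single `SELECT ... FROM` signature is a toy stand-in for a real rule set.

```python
import re
from urllib.parse import unquote

# Constructed sample parameter values, not captured traffic: the same injected
# query as it would look after each transform discussed in the thread.
SAMPLES = {
    "plain": "SELECT FIELD FROM TABLE",
    # charencode: every character percent-encoded (the URL from the thread)
    "charencode": "%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45",
    # doubleencode: %20 becomes %2520
    "doubleencode": "SELECT%2520FIELD%2520FROM%2520TABLE",
    # space2comment: spaces replaced by an empty inline comment
    "space2comment": "SELECT/**/FIELD/**/FROM/**/TABLE",
    # randomcase: keyword casing randomised
    "randomcase": "sElEcT FiElD fRoM tAbLe",
    # several tamper scripts stacked, which the thread notes is possible
    "stacked": "SeLeCt/**/FiElD%2520fRoM%2520TaBlE",
}

# Upper bound on decoding passes: a decoder must not loop forever on input
# that keeps yielding new escape sequences.
MAX_DECODE_ROUNDS = 3

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

# Toy signature for the demonstration only; a production rule set is far wider.
SIGNATURE = re.compile(r"\bSELECT\b.+\bFROM\b")


def analyze(raw: str) -> dict:
    """Canonicalise a parameter value and report what was peeled off.

    Returns the canonical text, how many percent-encoding layers were removed,
    whether inline comments were present, and whether the toy signature hits.
    The layer count and comment flag are useful signals on their own: benign
    clients rarely double-encode or send SQL comments in a numeric id.
    """
    current, layers = raw, 0
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current)
        if decoded == current:  # fixed point reached, nothing left to decode
            break
        current, layers = decoded, layers + 1

    had_comments = INLINE_COMMENT.search(current) is not None
    text = INLINE_COMMENT.sub(" ", current)  # /**/ acted as a separator
    canonical = re.sub(r"\s+", " ", text).strip().upper()

    return {
        "canonical": canonical,
        "encoding_layers": layers,
        "inline_comments": had_comments,
        "flagged": SIGNATURE.search(canonical) is not None,
    }


if __name__ == "__main__":
    for name, value in SAMPLES.items():
        print(f"{name:14} {analyze(value)}")
```

Matching against `canonical` rather than `raw` is what makes all six variants hit the same rule; the fully percent-encoded form contains no literal `SELECT` at all, and the double-encoded form still contains `%2520` after a single decoding pass. Decoding to a fixed point also has to happen before any comment stripping, since a stacked transform can hide the `/**/` itself behind an encoding layer.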