Re: [sqlmap-users] New feature
From: Carlos G. V. <car...@gm...> - 2010-10-13 20:16:02
I was looking into the space2comment.py tamper script. I think these lines...

    while value.find(" ") > -1:
        value = value.replace(" ", "/**/")

...could be replaced just with value = value.replace(...), no need for the while (unless value is of a type that I don't know and requires it). Just a tip.

Tested on my box with Python 2.6.5, this is the result:

$ python
Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
[GCC 4.4.3] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> s_in="this is a string with spaces"
>>> s_in.replace(" ", "/**/")
'this/**/is/**/a/**/string/**/with/**/spaces'

Cya!

2010/10/13 Miroslav Stampar <mir...@gm...>:
> hi.
>
> that functionality is now added to './tamper/charencode.py'
>
> also, one more module is added, './tamper/randomcase.py', which could be
> used as a method for bypassing "shitty" IDSes.
>
> bye.
>
> On Wed, Oct 13, 2010 at 7:43 PM, Carlos Gabriel Vergara
> <car...@gm...> wrote:
>> For the last case, I mean to encode all the injection using %.
>>
>> For example:
>>
>> http://somehost/script.asp?id=SELECT%20FIELD%20FROM%20TABLE
>>
>> to
>>
>> http://somehost/script.asp?id=%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
>>
>> This could be combined with the script that double encodes, since you
>> can stack tamper scripts.
>> By the way, a nice online tool to encode/decode can be found at:
>>
>> http://yehg.net/encoding/
>>
>> Best regards,
>>
>> 2010/10/13 Miroslav Stampar <mir...@gm...>:
>>> On Wed, Oct 13, 2010 at 3:55 PM, Carlos Gabriel Vergara
>>> <car...@gm...> wrote:
>>>> Good work!
>>>>
>>>> Will try it as soon as I have a minute.
>>>>
>>>> Some examples of tamper functions:
>>>>
>>>> a) Replace chars with %, with double encoding... I mean: %20 to %2520
>>>
>>> added ./tamper/doubleencode.py
>>>
>>>> b) Replace spaces with /**/ for mssql (I think there's already an
>>>> option for this in later versions)
>>>
>>> added ./tamper/space2comment.py
>>>
>>>> c) Related to a), replace all the injection with encoding using %
>>>
>>> didn't understand this one. could you please explain it more. thx.
>>>
>>>> If I remember something else, will post it.
>>>>
>>>> Best regards,
>>>> G
>>>>
>>>> 2010/10/13 Miroslav Stampar <mir...@gm...>:
>>>>> ...and yes, they can be stacked together:
>>>>>
>>>>> sample:
>>>>> --tamper="./tamper/ifnull2ifisnull.py;./tamper/dummy.py"
>>>>>
>>>>> bye
>>>>>
>>>>> On Wed, Oct 13, 2010 at 3:15 PM, Miroslav Stampar
>>>>> <mir...@gm...> wrote:
>>>>>> hello all.
>>>>>>
>>>>>> switch '--tamper' is now fully implemented in the latest SVN revision.
>>>>>> tampering modules must include a function with a declaration like
>>>>>> 'def tamper(place, value):'. argument 'place' states which injection
>>>>>> place ('POST', 'GET', 'URI' or 'User-Agent') the query is being used
>>>>>> for, while value represents the old query value (prior to the return
>>>>>> value of that tampering function).
>>>>>>
>>>>>> tampering function for IFNULL(A,B) -> IF(ISNULL(A),B,A) is implemented
>>>>>> so far (./sqlmap/tamper/ifnull2ifisnull.py) but you can make your own
>>>>>> tampering modules/functions too.
>>>>>>
>>>>>> sample usage is:
>>>>>>
>>>>>> ./sqlmap.py -u "http://www.site.com/index.php?id=1"
>>>>>> --tamper="./tamper/ifnull2ifisnull.py"
>>>>>>
>>>>>> if you have any other suggestions for other useful tampering functions
>>>>>> please say and I'll try to implement it/them if it makes sense.
>>>>>>
>>>>>> kind regards.
>>>>>>
>>>>>> On Wed, Oct 13, 2010 at 9:43 AM, Miroslav Stampar
>>>>>> <mir...@gm...> wrote:
>>>>>>> hi.
>>>>>>>
>>>>>>> now, there is an option "--tamper=<file>" which does this.
>>>>>>>
>>>>>>> you can play around with it using for example:
>>>>>>> ./sqlmap.py -u "www.test.com" --tamper="./tamper/dummy.py"
>>>>>>>
>>>>>>> for "practical" examples please wait for a working version of
>>>>>>> ./tamper/ifnull2ifisnull.py. I need to solve the problem of counting
>>>>>>> parentheses in the regular expression I use for recognizing parts of
>>>>>>> ifnull.
>>>>>>>
>>>>>>> kind regards.
>>>>>>>
>>>>>>> On Tue, Oct 12, 2010 at 8:02 PM, Carlos Gabriel Vergara
>>>>>>> <car...@gm...> wrote:
>>>>>>>> Hi! I have been using sqlmap for a year or two, and in a lot of
>>>>>>>> scenarios I found the need to "touch" the URLs that the tool crafts
>>>>>>>> to send to the server.
>>>>>>>> Most of the time this happens because all scenarios are some sort of
>>>>>>>> unique, even if they share the same DBMS.
>>>>>>>> In these cases I spend a lot of time programming pseudo proxies
>>>>>>>> (quick and dirty coding in Python) to solve the obstacle.
>>>>>>>> I have some free time now, and want to make a module for sqlmap that
>>>>>>>> "tampers" the data to be sent, lets me introduce some logic to modify
>>>>>>>> it, and then sends it to the server.
>>>>>>>> For example: I need to replace blanks with /**/ for an MSSQL server.
>>>>>>>> I will be using sqlmap like this:
>>>>>>>>
>>>>>>>> sqlmap -u "http://host/script.py?id=15" -p id
>>>>>>>> --tamper-script="/home/kaleb/script.py"
>>>>>>>>
>>>>>>>> In script.py, some sort of code that picks the GET/POST about to be
>>>>>>>> sent to the server, searches for the blanks in the query, replaces
>>>>>>>> them with /**/, and then gives it back to sqlmap to be sent.
>>>>>>>>
>>>>>>>> Another example (mentioned in a previous thread): I need to replace
>>>>>>>> the IFNULL(A,B) sentence with IF(ISNULL(A), B, A). It needed a lot of
>>>>>>>> string manipulation, made in a mini proxy, losing performance in the
>>>>>>>> middle.
>>>>>>>>
>>>>>>>> The question: which part of the sqlmap code do I need to start
>>>>>>>> reviewing? Though I used it a lot, I never looked into the code. I
>>>>>>>> need a little tip, just to start with something in mind.
>>>>>>>>
>>>>>>>> Thanks a lot.
>>>>>>>>
>>>>>>>> PD: excuse my rusty English, by the way =)
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> sqlmap-users mailing list
>>>>>>>> sql...@li...
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>>>>>>>
>>>>>>> --
>>>>>>> Miroslav Stampar
>>>>>>>
>>>>>>> E-mail / Jabber: miroslav.stampar (at) gmail.com
>>>>>>> Mobile: +385921010204 (HR 0921010204)
>>>>>>> PGP Key ID: 0xB5397B1B
>>>>>>> Location: Zagreb, Croatia

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar

PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------
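As an added example (not sqlmap's own code and not the tamper modules committed in the thread), the four transformations discussed above written in the `tamper(place, value)` shape Miroslav describes, with a stacking helper and a detection-side canonicalizer that undoes them; the point for a defender is to check that a WAF or IDS rule still sees the underlying statement after one tamper, or a stack of them, has been applied. The names `apply_chain` and `canonicalize`, the seeded `randomcase`, and the sample payload are my assumptions, not sqlmap's.

```python
import random
import re
from urllib.parse import unquote

# Each tamper keeps sqlmap's declared shape, tamper(place, value) -> value,
# where place is 'GET', 'POST', 'URI' or 'User-Agent' and value is the query.

def space2comment(place, value):
    # One str.replace already substitutes every occurrence; no loop is needed.
    return value.replace(" ", "/**/")

def charencode(place, value):
    # Percent-encode every character of an ASCII payload ("SELECT" -> "%53%45...").
    return "".join("%%%02x" % ord(ch) for ch in value)

def doubleencode(place, value):
    # Encode the '%' of an already-encoded payload: "%20" -> "%2520".
    return value.replace("%", "%25")

def randomcase(place, value, seed=0):
    # Flip letter case pseudo-randomly; seeded (assumption) so a run is reproducible.
    rng = random.Random(seed)
    return "".join(ch.upper() if rng.random() < 0.5 else ch.lower() for ch in value)

def apply_chain(tampers, place, value):
    # Stacking, as with --tamper="a.py;b.py": modules run left to right.
    for tamper in tampers:
        value = tamper(place, value)
    return value

_INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)

def canonicalize(value, max_rounds=5):
    """Detection-side normaliser: undo the disguises above so a rule or an
    analyst compares the underlying statement, not its encoding."""
    # Percent-decode until stable, which unwinds double (or deeper) encoding.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # An inline comment is whitespace to the SQL parser, so treat it as one.
    value = _INLINE_COMMENT.sub(" ", value)
    return " ".join(value.split()).upper()

if __name__ == "__main__":
    # Constructed sample payload, run through the whole stack and back.
    disguised = apply_chain([space2comment, randomcase, charencode, doubleencode],
                            "GET", "SELECT FIELD FROM TABLE")
    print(disguised)
    print(canonicalize(disguised))  # SELECT FIELD FROM TABLE
```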