Thread: [sqlmap-users] New feature
From: Carlos G. V. <car...@gm...> - 2010-10-12 18:02:25
Hi! I have been using sqlmap for a year or two, and in a lot of scenarios I found the need to "touch" the URLs that the tool crafts to send to the server. Most of the time this happens because all scenarios are unique in some way, even if they share the same DBMS. In these cases I spend a lot of time programming pseudo proxies (quick and dirty coding in Python) to solve the obstacle.

I have some free time now, and want to make a module for sqlmap that "tampers" the data to be sent, lets me introduce some logic to modify it, and then sends it to the server. For example: I need to replace blanks with /**/ for an MSSQL server. I would be using sqlmap like this:

    sqlmap -u "http://host/script.py?id=15" -p id --tamper-script="/home/kaleb/script.py"

In script.py, some sort of code that picks the GET/POST about to be sent to the server, searches for the blanks in the query, replaces them with /**/, and then gives it back to sqlmap to be sent.

Another example (mentioned in a previous thread): I need to replace the IFNULL(A,B) sentence with IF(ISNULL(A), B, A). It needed a lot of string manipulation, done in a mini proxy, losing performance in the middle.

The question: which part of the sqlmap code do I need to start reviewing? Though I used it a lot, I never looked into the code. I need a little tip, just to start with something in mind.

Thanks a lot.

PD: excuse my rusty English, by the way =)

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar
PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8--------
From: Miroslav S. <mir...@gm...> - 2010-10-12 19:52:57
Hi Carlos.

I've understood the problem and I will try to make something out (no need for you to code it).

Kind regards.

--
Miroslav Stampar
E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia

_______________________________________________
sqlmap-users mailing list
sql...@li...
https://lists.sourceforge.net/lists/listinfo/sqlmap-users
From: Miroslav S. <mir...@gm...> - 2010-10-13 07:43:40
Hi.

Now there is an option "--tamper=<file>" which does this.

You can play around with it using, for example:

    ./sqlmap.py -u "www.test.com" --tamper="./tamper/dummy.py"

For "practical" examples please wait for a working version of ./tamper/ifnull2ifisnull.py. I need to solve the problem of counting parentheses in the regular expression I use for recognizing the parts of IFNULL.

Kind regards.
From: Miroslav S. <mir...@gm...> - 2010-10-13 13:16:01
Hello all.

The switch '--tamper' is now fully implemented in the latest SVN revision. Tampering modules must include a function with a declaration like 'def tamper(place, value):'. The argument 'place' states which injection place ('POST', 'GET', 'URI' or 'User-Agent') the query is being used for, while 'value' represents the old query value (prior to the return value of that tampering function).

A tampering function for IFNULL(A,B) -> IF(ISNULL(A),B,A) is implemented so far (./sqlmap/tamper/ifnull2ifisnull.py), but you can make your own tampering modules/functions too.

Sample usage is:

    ./sqlmap.py -u "http://www.site.com/index.php?id=1" --tamper="./tamper/ifnull2ifisnull.py"

If you have any other suggestions for other useful tampering functions please say so and I'll try to implement it/them if it makes sense.

Kind regards.
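The module below is an added example of what a tamper module with the interface described above looks like; it is not sqlmap's own ./tamper/ifnull2ifisnull.py and was not written by the project. It implements the IFNULL(A,B) -> IF(ISNULL(A),B,A) rewrite from the thread, but with a small scanner that tracks parenthesis depth and quotes instead of a regular expression, which is the parenthesis-counting problem mentioned two messages up. Only the entry point 'tamper(place, value)' comes from the thread; the helper names and the sample payloads are this example's own.

```python
"""Added example of a sqlmap-style tamper module: not sqlmap's own
./tamper/ifnull2ifisnull.py, but a module that follows the interface given
in the thread, 'def tamper(place, value)', and rewrites IFNULL(A,B) into
IF(ISNULL(A),B,A).

Instead of a regular expression (which cannot count parentheses) it walks the
string and tracks nesting depth and quotes, so nested calls such as
IFNULL(IFNULL(x,'a,b'),c) and commas inside string literals are handled.
"""
import re

# Matches the call head up to and including its opening parenthesis.
_IFNULL_HEAD = re.compile(r"\bIFNULL\s*\(", re.IGNORECASE)


def _split_args(text, open_idx):
    """Split the argument list of the call whose '(' is at text[open_idx].

    Returns (args, end) where args are the top-level, comma-separated
    argument strings (stripped) and end is the index just past the matching
    ')'. Raises ValueError if the parentheses never balance.
    """
    depth = 0
    quote = None          # quote character we are currently inside, if any
    args, cur = [], []
    for i in range(open_idx, len(text)):
        ch = text[i]
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in ("'", '"'):
            quote = ch
            cur.append(ch)
        elif ch == "(":
            depth += 1
            if depth > 1:             # the outermost '(' is not part of an argument
                cur.append(ch)
        elif ch == ")":
            depth -= 1
            if depth == 0:
                args.append("".join(cur).strip())
                return args, i + 1
            cur.append(ch)
        elif ch == "," and depth == 1:
            args.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    raise ValueError("unbalanced parentheses in %r" % text[open_idx:])


def ifnull_to_if_isnull(value):
    """Rewrite every IFNULL(A,B) in value as IF(ISNULL(A),B,A).

    Arguments are rewritten recursively first, so nested IFNULL calls come out
    fully converted. A call with an argument count other than two keeps its
    IFNULL head, and a call whose parentheses never close is copied unchanged.
    """
    out, pos = [], 0
    while True:
        m = _IFNULL_HEAD.search(value, pos)
        if not m:
            out.append(value[pos:])
            return "".join(out)
        out.append(value[pos:m.start()])
        try:
            args, end = _split_args(value, m.end() - 1)   # m.end()-1 is the '('
        except ValueError:
            out.append(value[m.start():])   # malformed tail: copy it unchanged
            return "".join(out)
        inner = [ifnull_to_if_isnull(a) for a in args]
        if len(inner) == 2:
            a, b = inner
            out.append("IF(ISNULL(%s),%s,%s)" % (a, b, a))
        else:
            out.append("IFNULL(%s)" % ",".join(inner))
        pos = end


def tamper(place, value):
    """Entry point with the signature named in the thread.

    place is 'GET', 'POST', 'URI' or 'User-Agent' (the rewrite is the same
    for all of them, so it is not consulted here); value is the payload about
    to be sent, and the return value replaces it.
    """
    return ifnull_to_if_isnull(value) if value else value


if __name__ == "__main__":
    # Constructed sample payloads, not taken from the thread.
    for sample in ("1 AND IFNULL(a,b)=1",
                   "IFNULL(IFNULL(x,'a,b'),c)",
                   "IFNULL ( col , 0 )",
                   "IFNULL(a,b"):
        print("%-28s -> %s" % (sample, tamper("GET", sample)))
```

The scanner copies an unbalanced call through untouched rather than guessing at a closing parenthesis, so a malformed value reaches the server exactly as sqlmap produced it instead of being silently reshaped.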
From: Miroslav S. <mir...@gm...> - 2010-10-13 13:18:37
...and yes, they can be stacked together. Sample:

    --tamper="./tamper/ifnull2ifisnull.py;./tamper/dummy.py"

Bye.
From: Carlos G. V. <car...@gm...> - 2010-10-13 13:55:39
Good work! Will try it as soon as I have a minute.

Some examples of tamper functions:

a) Replace chars with %, with double encoding... I mean: %20 to %2520
b) Replace spaces with /**/ for MSSQL (I think there's already an option for this in later versions)
c) Related to a), replace all of the injection with encoding using %

If I remember something else, I will post it.

Best regards,
G
From: Miroslav S. <mir...@gm...> - 2010-10-13 14:31:30
On Wed, Oct 13, 2010 at 3:55 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
> a) Replace chars with %, with double encoding... I mean: %20 to %2520

Added ./tamper/doubleencode.py

> b) Replace spaces with /**/ for MSSQL (I think there's already an option for this in later versions)

Added ./tamper/space2comment.py

> c) Related to a), replace all of the injection with encoding using %

Didn't understand this one. Could you please explain it more? Thx.
From: Carlos G. V. <car...@gm...> - 2010-10-13 17:43:21
For the last case, I mean to encode all of the injection using %. For example:

    http://somehost/script.asp?id=SELECT%20FIELD%20FROM%20TABLE

to

    http://somehost/script.asp?id=%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45

This could be combined with the script that double encodes, since you can stack tamper scripts.

By the way, a nice online tool to encode/decode can be found at: http://yehg.net/encoding/

Best regards,
From: Miroslav S. <mir...@gm...> - 2010-10-13 19:54:09
|
hi.

that functionality is now added to './tamper/charencode.py'

also, one more module is added './tamper/randomcase.py' which could be
used as a method for bypassing "shitty" IDSes.

bye.

On Wed, Oct 13, 2010 at 7:43 PM, Carlos Gabriel Vergara <car...@gm...> wrote:
> For the last case, I mean to encode all the injection using %.
>
> For example:
>
> http://somehost/script.asp?id=SELECT%20FIELD%20FROM%20TABLE
>
> to
>
> http://somehost/script.asp?id=%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45
>
> This could be combined with the script that double encodes, since you
> can stack tamper scripts.
> By the way, a nice online tool to encode/decode can be found at:
>
> http://yehg.net/encoding/
>
> Best regards,
>
> 2010/10/13 Miroslav Stampar <mir...@gm...>:
>> On Wed, Oct 13, 2010 at 3:55 PM, Carlos Gabriel Vergara
>> <car...@gm...> wrote:
>>> Good work!
>>>
>>> Will try it as soon as I have a minute.
>>>
>>> Some examples of tamper functions:
>>>
>>> a) Replace chars with %, with double encoding... I mean: %20 to %2520
>>
>> added ./tamper/doubleencode.py
>>
>>> b) Replace spaces with /**/ for mssql (I think there's already an
>>> option for this in later versions)
>>
>> added ./tamper/space2comment.py
>>
>>> c) Related to a), replace all injection with encoding using %
>>
>> didn't understand this one. could you please explain it more. thx.
>>
>>>
>>> If I remember something else, will post it.
>>>
>>> Best regards,
>>> G

--
Miroslav Stampar

E-mail / Jabber: miroslav.stampar (at) gmail.com
Mobile: +385921010204 (HR 0921010204)
PGP Key ID: 0xB5397B1B
Location: Zagreb, Croatia |
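The tamper modules named in this exchange (charencode, doubleencode, space2comment, randomcase) each defeat one assumption of a naive signature rule: that the keyword appears literally, in one case, separated by real whitespace. As an added defender-side example that is not code from sqlmap or from anyone in this thread, the script below normalises a parameter value (percent-decoding to a fixed point, turning /**/ comments into spaces, folding case) before matching; the rule and the sample payloads are constructed for the example, built from the SELECT FIELD FROM TABLE string Carlos quotes.

```python
"""Defender-side normaliser for the tamper transforms named in this thread.

charencode/doubleencode hide keywords behind (nested) percent encoding,
space2comment hides spaces behind /**/, randomcase defeats case-sensitive
rules.  Decoding to a fixed point, stripping comments and folding case
before matching yields one canonical string for every variant.
"""
import re
from urllib.parse import unquote

# Constructed samples: one payload per tamper from the thread, plus a
# stacked variant (charencode + doubleencode + space2comment + randomcase).
SAMPLES = {
    "plain": "SELECT FIELD FROM TABLE",
    "charencode": "%53%45%4c%45%43%54%20%46%49%45%4c%44%20%46%52%4f%4d%20%54%41%42%4c%45",
    "doubleencode": "SELECT%2520FIELD%2520FROM%2520TABLE",
    "space2comment": "SELECT/**/FIELD/**/FROM/**/TABLE",
    "randomcase": "sElEcT FiElD fRoM tAbLe",
    "stacked": "%2553%2545%254c%2545%2543%2554/**/%46%49%45%4c%44/**/fRoM/**/TABLE",
}

# Deliberately naive rule: literal, case-sensitive, expects real whitespace.
RULE = re.compile(r"SELECT\s.*\sFROM")
COMMENT_RE = re.compile(r"/\*.*?\*/", re.DOTALL)
MAX_DECODE_ROUNDS = 5  # bound the loop against pathological input


def percent_decode_fixed_point(value, limit=MAX_DECODE_ROUNDS):
    """Undo charencode/doubleencode: decode until a round changes nothing.
    Returns (decoded_value, number_of_rounds_that_changed_something)."""
    rounds = 0
    while rounds < limit:
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
        rounds += 1
    return value, rounds


def normalize(value):
    """Fully decoded, comments -> space, whitespace collapsed, upper-cased."""
    decoded, _ = percent_decode_fixed_point(value)
    return " ".join(COMMENT_RE.sub(" ", decoded).split()).upper()


def naive_match(value):
    """What a rule engine without normalisation sees."""
    return bool(RULE.search(value))


def normalized_match(value):
    """The same rule after normalisation (input is upper-cased by then)."""
    return bool(RULE.search(normalize(value)))


def evaluate(samples=SAMPLES):
    """Map sample name -> (naive rule hit, rule hit after normalisation)."""
    return {name: (naive_match(v), normalized_match(v))
            for name, v in samples.items()}


if __name__ == "__main__":
    for name, (naive_hit, norm_hit) in evaluate().items():
        print(f"{name:14s} naive={naive_hit!s:5s} normalized={norm_hit}")
```

Only the plain payload trips the naive rule; after normalisation every variant, including the stacked one, reduces to the same string and is caught.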
From: Carlos G. V. <car...@gm...> - 2010-10-13 20:16:02
|
I was looking into the space2comment.py tamper script. I think these lines...

    while value.find(" ") > -1:
        value = value.replace(" ", "/**/")

... could be replaced just with value = value.replace(...), no need for the while (unless value is of a type that I don't know and requires it). Just a tip.

Tested on my box with python 2.6.5, this is the result:

    $ python
    Python 2.6.5 (r265:79063, Apr 16 2010, 13:09:56)
    [GCC 4.4.3] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> s_in="this is a string with spaces"
    >>> s_in.replace(" ", "/**/")
    'this/**/is/**/a/**/string/**/with/**/spaces'

Cya!

2010/10/13 Miroslav Stampar <mir...@gm...>:
> hi.
>
> that functionality is now added to './tamper/charencode.py'
>
> also, one more module is added './tamper/randomcase.py' which could be
> used as a method for bypassing "shitty" IDSes.
>
> bye.

--
--------8<--------
Carlos Gabriel Vergara
http://www.ThorSecurity.com.ar

PGP: http://www.ThorSecurity.com.ar/gabrielvergara.pgp
-------->8-------- |