首先先对比一下两个自带的tamper脚本,看看sqlmap调用tamper有没有依赖什么类库或者算法.
例如调用tamper是导入之后调用脚本里的某函数,那么我们开发的tamper脚本也应该有调用要用到的函数,主要看算法吧,咳咳
先来看看base64encode.py
#!/usr/bin/env python """ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/) See the file ‘LICENSE‘ for copying permission """ from lib.core.convert import encodeBase64 from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW def dependencies(): pass def tamper(payload, **kwargs): """ Base64-encodes all characters in a given payload >>> tamper("1‘ AND SLEEP(5)#") ‘MScgQU5EIFNMRUVQKDUpIw==‘ """ return encodeBase64(payload, binary=False) if payload else payload
再看看charencode.py
#!/usr/bin/env python """ Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/) See the file ‘LICENSE‘ for copying permission """ import string from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOWEST def dependencies(): pass def tamper(payload, **kwargs): """ URL-encodes all characters in a given payload (not processing already encoded) (e.g. SELECT -> SELECT) Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass very weak web application firewalls that do not url-decode the request before processing it through their ruleset * The web server will anyway pass the url-decoded version behind, hence it should work against any DBMS >>> tamper(‘SELECT FIELD FROM TABLE‘) ‘SELECT FIELD FROM TABLE‘ """ retVal = payload if payload: retVal = "" i = 0 while i < len(payload): if payload[i] == ‘%‘ and (i < len(payload) - 2) and payload[i 1:i 2] in string.hexdigits and payload[i 2:i 3] in string.hexdigits: retVal = payload[i:i 3] i = 3 else: retVal = ‘%%%.2X‘ % ord(payload[i]) i = 1 return retVal
发现脚本里面有一些共同点
1.都有导入PRIORITY类库该类库看样子是设置优先级的,来自lib.core.enums模块,参考
from lib.core.enums import PRIORITY
2.并且赋值了__priority__变量,该变量定义了优先级属性,参考
base64encode.py中
__priority__ = PRIORITY.LOW
charencode.py中
__priority__ = PRIORITY.LOWEST
3.都定义了一个名为dependencies的函数并且函数体code为pass,参考
def dependencies(): pass
4.都定义了一个名为tamper的函数,函数接收两个参数,一个payload,还没处理过的payload,一个**kwargs,该参数接收键-值对数组,
我们接收payload之后做相应的算法处理之后,return 处理好的payload即可
共同点都列出来了,按着写就对了,示例:
#!/usr/bin/env python from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW#这里可以自己定义优先级 def dependencies(): pass def tamper(payload, **kwargs): return #处理之后的string payload
写完之后放到sqlmap的tamper目录即可