From 6978c3d405c75b5e341000acd1af8b4a9d1324ae Mon Sep 17 00:00:00 2001 From: Mariusz B Date: Thu, 8 Mar 2018 14:50:38 +0100 Subject: [PATCH] Added sqlmap tamper scripts evaluation cheatsheet and modified readmes. --- networks/README.md | 2 + web/README.md | 2 + web/sqlmap-tamper-scripts-evaluation.md | 89 +++++++++++++++++++++++++ 3 files changed, 93 insertions(+) create mode 100644 web/sqlmap-tamper-scripts-evaluation.md diff --git a/networks/README.md b/networks/README.md index f7f0ed3..58a3665 100644 --- a/networks/README.md +++ b/networks/README.md @@ -23,6 +23,8 @@ CDP counters : - **`nmap-grep-to-table.sh`** - Script converting nmap's greppable output (-oG) into a printable per-host tables. ([gist](https://gist.github.com/mgeeky/cd3092cf60fd513d786286a21c6fa915)) +- **`nmap-scan-all.sh`** - Simple script to launch nmap scans against given target, using specific options and scripts set. + - **`pingsweep.py`** - Quick Python Scapy-based ping-sweeper. ([gist](https://gist.github.com/mgeeky/a360e4a124ddb9ef6a9ac1557b47d14c)) - **`sshbrute.py`** - ripped out from Violent Python - by TJ O'Connor. ([gist](https://gist.github.com/mgeeky/70606be7249a61ac26b34b1ef3b07553)) diff --git a/web/README.md b/web/README.md index a8ac6d6..be99286 100644 --- a/web/README.md +++ b/web/README.md @@ -134,6 +134,8 @@ Node('/None/Base64/URLEncoder', decoded='AAAA') (3) ENCODED FORM: "Rk9PJTIwQUFBQSUyMEJBUg==" ``` +- **`sqlmap-tamper-scripts-evaluation.md`** - Results of my evaluation of **sqlmap**'s tamper scripts against detectability and rating used in F5 Big-IP ASM WAF. + - **`oRTC-leak-internal-ip.js`** - Internal IP address leakage via Object RTC (ORTC) interface implemented in Microsoft Edge. ([gist](https://gist.github.com/mgeeky/03f0871fb88c64b3d6d3a725c3ba38bf)) diff --git a/web/sqlmap-tamper-scripts-evaluation.md b/web/sqlmap-tamper-scripts-evaluation.md new file mode 100644 index 0000000..aab1bed --- /dev/null +++ b/web/sqlmap-tamper-scripts-evaluation.md 
@@ -0,0 +1,89 @@ +## SQLMap Tamper scripts evaluation against F5 Big-IP ASM WAF + +The below table represents results of tests launched against F5 Big-IP ASM WAF appliance in it's XX version of YY and ZZ version of XY + +Below names are to be passed to the `--tamper=` parameter of `sqlmap`. + +The column **Violation Rating** represents most dominant rating of topmost 20 Requests observed by F5 in it's `Security>>Event Logs:Application:Requests` view. + +The scale is **0-5**. + +Tamper script(s) used | Violation Rating +--- | --- +`apostrophemask` | 3-5 +`apostrophenullencode` | 4 +`appendnullbyte` | 5 +`base64encode` | 3 +`between` | 4 +`bluecoat` | 4 +`chardoubleencode` | 4 +`charencode` | 4 +`charunicodeencode` | 4 +`charunicodeescape` | 4 +`commalesslimit` | 3-4 +`commalessmid` | 4 +`concat2concatws` | 4 +`equaltolike` | 4 +`greatest` | 4 +`halfversionedmorekeywords` | 4 +`htmlencode` | 4 +`ifnull2ifisnull` | 4 +`informationschemacomment` | 4 +`least` | 4 +`lowercase` | 4 +`modsecurityversioned` | 4 +`modsecurityzeroversioned` | 3-4 +`multiplespaces` | 4 +**`nonrecursivereplacement`** | **1-3** +`overlongutf8` | 3 +`overlongutf8more` | 3 +`percentage` | 2 +`plus2concat` | 4 +`plus2fnconcat` | 4 +`randomcase` | 4 +`randomcomments` | 2-3 +`securesphere` | 4 +`space2comment` | 4 +`space2dash` | 3-4 +**`space2hash`** | **1-3** +`space2morecomment` | 4 +**`space2morehash`** | **1** +`space2mssqlblank` | 2-4 +`space2mssqlhash` | 4 +`space2mysqlblank` | 3-4 +`space2mysqldash` | 4 +`space2plus` | 3-4 +`space2randomblank` | 4 +`symboliclogical` | 4 +`sp_password` | 4 +`unionalltounion` | 4 +`unmagicquotes` | 4 +`uppercase` | 4 +`varnish` | 4 +`versionedkeywords` | 2 +`versionedmorekeywords` | 4 +`xforwardedfor` | 4 +`nonrecursivereplacement,space2morehash,space2hash` | 1 + +--- + +Among longer combinations: + + +Tamper script(s) used | Violation Rating +--- | --- 
+`apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzerovers` | 1 +**`between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor`** | **1** +`apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes` | 1 +`apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,charunicodeescape,commalesslimit,commalessmid,commentbeforeparentheses,concat2concatws,equaltolike,escapequotes,greatest,halfversionedmorekeywords,htmlencode,ifnull2casewhenisnull,ifnull2ifisnull,informationschemacomment,least,lowercase,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,overlongutf8,overlongutf8more,percentage,plus2concat,plus2fnconcat,randomcase,randomcomments,securesphere,sp_password,space2comment,space2dash,space2hash,space2morecomment,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,symboliclogical,unionalltounion,unmagicquotes,uppercase,varnish,versionedkeywords,versionedmorekeywords,xforwardedfor` | 5 + +--- + +The last row represents _all of tamper scripts used at once_ score. It looks like, it's not a good idea to use them all at once. 
+ +From tamper scripts that did best in this evaluation, we can point out: +- `nonrecursivereplacement` +- `space2morehash` +- `space2hash` + +Although, they had **not been tested** against actual vulnerability, therefore this evalution does not take in account whether SQLMap was able to attack the vulnerability at all. \ No newline at end of file
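Review bot: In the networks/README.md hunk the new entry documents `nmap-scan-all.sh`, but this commit does not add that file (the stat lists only the two READMEs and web/sqlmap-tamper-scripts-evaluation.md), so either the script is already in the tree or it needs to be committed alongside this entry. The description "using specific options and scripts set" is also too vague to be useful in a listing; say which nmap options and which NSE script categories it runs, e.g. "Simple script to launch nmap scans against a given target with a fixed set of options and NSE scripts", and consider adding the gist link that the neighbouring entries carry.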
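Review bot: In the web/README.md hunk the entry text "against detectability and rating used in F5 Big-IP ASM WAF" is hard to parse; the thing measured is the ASM violation rating, so something like "Results of my evaluation of **sqlmap**'s tamper scripts, scored by the violation rating that F5 Big-IP ASM WAF assigns to each request" reads more clearly and matches the column name used in the new file. It would also help readers to note the ASM version here, since the document's results are tied to one appliance version.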
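Review bot: In the new web/sqlmap-tamper-scripts-evaluation.md the version sentence still contains placeholders ("in it's XX version of YY and ZZ version of XY"), so the results cannot be tied to a concrete ASM build and the document should not be merged until they are filled in; the same paragraph should also state the target DBMS and the ASM policy mode used, since the "Violation Rating" column depends on both. The closing caveat that the scripts were not tested against an actual vulnerability belongs next to the methodology at the top, not after the tables. The first row of the second table appears cut off (it ends in `modsecurityzerovers`), and the all-scripts row lists `commentbeforeparentheses`, `escapequotes` and `ifnull2casewhenisnull`, which are absent from the per-script table; either add their individual ratings or note that they were only used in the combination. Finally, fix the typos: "it's" should be "its" (twice), "evalution" should be "evaluation", "take in account" should be "take into account", and "Although, they had" should be "However, they have".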