mirror of
https://github.com/mgeeky/Penetration-Testing-Tools.git
synced 2024-11-21 18:11:37 +01:00
Added sqlmap tamper scripts evaluation cheatsheet and modified readmes.
This commit is contained in:
parent
1b9a6a6eae
commit
6978c3d405
@ -23,6 +23,8 @@ CDP counters :
|
|||||||
|
|
||||||
- **`nmap-grep-to-table.sh`** - Script converting nmap's greppable output (-oG) into a printable per-host tables. ([gist](https://gist.github.com/mgeeky/cd3092cf60fd513d786286a21c6fa915))
|
- **`nmap-grep-to-table.sh`** - Script converting nmap's greppable output (-oG) into a printable per-host tables. ([gist](https://gist.github.com/mgeeky/cd3092cf60fd513d786286a21c6fa915))
|
||||||
|
|
||||||
|
- **`nmap-scan-all.sh`** - Simple script to launch nmap scans against given target, using specific options and scripts set.
|
||||||
|
|
||||||
- **`pingsweep.py`** - Quick Python Scapy-based ping-sweeper. ([gist](https://gist.github.com/mgeeky/a360e4a124ddb9ef6a9ac1557b47d14c))
|
- **`pingsweep.py`** - Quick Python Scapy-based ping-sweeper. ([gist](https://gist.github.com/mgeeky/a360e4a124ddb9ef6a9ac1557b47d14c))
|
||||||
|
|
||||||
- **`sshbrute.py`** - ripped out from Violent Python - by TJ O'Connor. ([gist](https://gist.github.com/mgeeky/70606be7249a61ac26b34b1ef3b07553))
|
- **`sshbrute.py`** - ripped out from Violent Python - by TJ O'Connor. ([gist](https://gist.github.com/mgeeky/70606be7249a61ac26b34b1ef3b07553))
|
||||||
|
@ -134,6 +134,8 @@ Node('/None/Base64/URLEncoder', decoded='AAAA')
|
|||||||
(3) ENCODED FORM: "Rk9PJTIwQUFBQSUyMEJBUg=="
|
(3) ENCODED FORM: "Rk9PJTIwQUFBQSUyMEJBUg=="
|
||||||
```
|
```
|
||||||
|
|
||||||
|
- **`sqlmap-tamper-scripts-evaluation.md`** - Results of my evaluation of **sqlmap**'s tamper scripts against detectability and rating used in F5 Big-IP ASM WAF.
|
||||||
|
|
||||||
- **`oRTC-leak-internal-ip.js`** - Internal IP address leakage via Object RTC (ORTC) interface implemented in Microsoft Edge. ([gist](https://gist.github.com/mgeeky/03f0871fb88c64b3d6d3a725c3ba38bf))
|
- **`oRTC-leak-internal-ip.js`** - Internal IP address leakage via Object RTC (ORTC) interface implemented in Microsoft Edge. ([gist](https://gist.github.com/mgeeky/03f0871fb88c64b3d6d3a725c3ba38bf))
|
||||||
|
|
||||||
|
|
||||||
|
89
web/sqlmap-tamper-scripts-evaluation.md
Normal file
89
web/sqlmap-tamper-scripts-evaluation.md
Normal file
@ -0,0 +1,89 @@
|
|||||||
|
## SQLMap Tamper scripts evaluation against F5 Big-IP ASM WAF
|
||||||
|
|
||||||
|
The below table represents results of tests launched against F5 Big-IP ASM WAF appliance in it's XX version of YY and ZZ version of XY
|
||||||
|
|
||||||
|
Below names are to be passed to the `--tamper=` parameter of `sqlmap`.
|
||||||
|
|
||||||
|
The column **Violation Rating** represents most dominant rating of topmost 20 Requests observed by F5 in it's `Security>>Event Logs:Application:Requests` view.
|
||||||
|
|
||||||
|
The scale is **0-5**.
|
||||||
|
|
||||||
|
Tamper script(s) used | Violation Rating
|
||||||
|
--- | ---
|
||||||
|
`apostrophemask` | 3-5
|
||||||
|
`apostrophenullencode` | 4
|
||||||
|
`appendnullbyte` | 5
|
||||||
|
`base64encode` | 3
|
||||||
|
`between` | 4
|
||||||
|
`bluecoat` | 4
|
||||||
|
`chardoubleencode` | 4
|
||||||
|
`charencode` | 4
|
||||||
|
`charunicodeencode` | 4
|
||||||
|
`charunicodeescape` | 4
|
||||||
|
`commalesslimit` | 3-4
|
||||||
|
`commalessmid` | 4
|
||||||
|
`concat2concatws` | 4
|
||||||
|
`equaltolike` | 4
|
||||||
|
`greatest` | 4
|
||||||
|
`halfversionedmorekeywords` | 4
|
||||||
|
`htmlencode` | 4
|
||||||
|
`ifnull2ifisnull` | 4
|
||||||
|
`informationschemacomment` | 4
|
||||||
|
`least` | 4
|
||||||
|
`lowercase` | 4
|
||||||
|
`modsecurityversioned` | 4
|
||||||
|
`modsecurityzeroversioned` | 3-4
|
||||||
|
`multiplespaces` | 4
|
||||||
|
**`nonrecursivereplacement`** | **1-3**
|
||||||
|
`overlongutf8` | 3
|
||||||
|
`overlongutf8more` | 3
|
||||||
|
`percentage` | 2
|
||||||
|
`plus2concat` | 4
|
||||||
|
`plus2fnconcat` | 4
|
||||||
|
`randomcase` | 4
|
||||||
|
`randomcomments` | 2-3
|
||||||
|
`securesphere` | 4
|
||||||
|
`space2comment` | 4
|
||||||
|
`space2dash` | 3-4
|
||||||
|
**`space2hash`** | **1-3**
|
||||||
|
`space2morecomment` | 4
|
||||||
|
**`space2morehash`** | **1**
|
||||||
|
`space2mssqlblank` | 2-4
|
||||||
|
`space2mssqlhash` | 4
|
||||||
|
`space2mysqlblank` | 3-4
|
||||||
|
`space2mysqldash` | 4
|
||||||
|
`space2plus` | 3-4
|
||||||
|
`space2randomblank` | 4
|
||||||
|
`symboliclogical` | 4
|
||||||
|
`sp_password` | 4
|
||||||
|
`unionalltounion` | 4
|
||||||
|
`unmagicquotes` | 4
|
||||||
|
`uppercase` | 4
|
||||||
|
`varnish` | 4
|
||||||
|
`versionedkeywords` | 2
|
||||||
|
`versionedmorekeywords` | 4
|
||||||
|
`xforwardedfor` | 4
|
||||||
|
`nonrecursivereplacement,space2morehash,space2hash` | 1
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
Among longer combinations:
|
||||||
|
|
||||||
|
|
||||||
|
Tamper script(s) used | Violation Rating
|
||||||
|
--- | ---
|
||||||
|
`apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzerovers` | 1
|
||||||
|
**`between,bluecoat,charencode,charunicodeencode,concat2concatws,equaltolike,greatest,halfversionedmorekeywords,ifnull2ifisnull,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2hash,space2morehash,space2mysqldash,space2plus,space2randomblank,unionalltounion,unmagicquotes,versionedkeywords,versionedmorekeywords,xforwardedfor`** | **1**
|
||||||
|
`apostrophemask,apostrophenullencode,base64encode,between,chardoubleencode,charencode,charunicodeencode,equaltolike,greatest,ifnull2ifisnull,multiplespaces,nonrecursivereplacement,percentage,randomcase,securesphere,space2comment,space2plus,space2randomblank,unionalltounion,unmagicquotes` | 1
|
||||||
|
`apostrophemask,apostrophenullencode,appendnullbyte,base64encode,between,bluecoat,chardoubleencode,charencode,charunicodeencode,charunicodeescape,commalesslimit,commalessmid,commentbeforeparentheses,concat2concatws,equaltolike,escapequotes,greatest,halfversionedmorekeywords,htmlencode,ifnull2casewhenisnull,ifnull2ifisnull,informationschemacomment,least,lowercase,modsecurityversioned,modsecurityzeroversioned,multiplespaces,nonrecursivereplacement,overlongutf8,overlongutf8more,percentage,plus2concat,plus2fnconcat,randomcase,randomcomments,securesphere,sp_password,space2comment,space2dash,space2hash,space2morecomment,space2morehash,space2mssqlblank,space2mssqlhash,space2mysqlblank,space2mysqldash,space2plus,space2randomblank,symboliclogical,unionalltounion,unmagicquotes,uppercase,varnish,versionedkeywords,versionedmorekeywords,xforwardedfor` | 5
|
||||||
|
|
||||||
|
---
|
||||||
|
|
||||||
|
The last row represents _all of tamper scripts used at once_ score. It looks like, it's not a good idea to use them all at once.
|
||||||
|
|
||||||
|
From tamper scripts that did best in this evaluation, we can point out:
|
||||||
|
- `nonrecursivereplacement`
|
||||||
|
- `space2morehash`
|
||||||
|
- `space2hash`
|
||||||
|
|
||||||
|
Although, they had **not been tested** against actual vulnerability, therefore this evalution does not take in account whether SQLMap was able to attack the vulnerability at all.
|
Loading…
Reference in New Issue
Block a user